
libfido2: tweak credential to read fido2 PIN from

Querying a fido2 PIN via askpw for enrolling is currently used in two
places: cryptenroll and homectl. So far we sloppily used the same fixed
credential name "fido2-pin" in both cases. Let's tweak that and make the
credential name match the other credentials cryptenroll or home query,
i.e. using the cryptenroll.* and home.* namespaces.

This is done in particular in light of #31370, which wants to make the
credential name public. We really should get the name in order before
making it public.
Lennart Poettering 2024-02-19 17:30:56 +01:00
parent 09eed3bf8c
commit 251c71b62b
4 changed files with 8 additions and 4 deletions


@ -97,6 +97,7 @@ int enroll_fido2(
/* user_display_name= */ node,
/* user_icon_name= */ NULL,
/* askpw_icon_name= */ "drive-harddisk",
/* askpw_credential= */ "cryptenroll.fido2-pin",
lock_with,
cred_alg,
&cid, &cid_size,
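Review bot: The PIN is now looked up only under `cryptenroll.fido2-pin` at this call (and `home.token-pin` at the homectl call), so a setup that already provisions it as a credential named `fido2-pin` would stop matching without any diagnostic. The description says the name was not public yet, but a NEWS line and a mention of the two new names in the systemd-cryptenroll and homectl man pages would make the change discoverable. The two suffixes also differ (`fido2-pin` versus `token-pin`); a one-line comment at each call site, such as `/* matches the other cryptenroll.* credentials */`, would record that this is deliberate. The body of enroll_fido2() continues outside the hunk.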


@ -167,6 +167,7 @@ int identity_add_fido2_parameters(
/* user_display_name= */ rn ? json_variant_string(rn) : NULL,
/* user_icon_name= */ NULL,
/* askpw_icon_name= */ "user-home",
/* askpw_credential= */ "home.token-pin",
lock_with,
cred_alg,
&cid, &cid_size,


@ -686,7 +686,8 @@ int fido2_generate_hmac_hash(
const char *user_name,
const char *user_display_name,
const char *user_icon,
const char *askpw_icon_name,
const char *askpw_icon,
const char *askpw_credential,
Fido2EnrollFlags lock_with,
int cred_alg,
void **ret_cid, size_t *ret_cid_size,
@ -840,9 +841,9 @@ int fido2_generate_hmac_hash(
_cleanup_strv_free_erase_ char **pin = NULL;
AskPasswordRequest req = {
.message = "Please enter security token PIN:",
.icon = askpw_icon_name,
.icon = askpw_icon,
.keyring = "fido2-pin",
.credential = "fido2-pin",
.credential = askpw_credential,
};
r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &pin);
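Review bot: Nothing at the `ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &pin)` call distinguishes a first attempt from a retry. If the surrounding code (outside this hunk) returns here after the token rejects a PIN, a wrong value stored in the `askpw_credential` credential would presumably be handed back each time without any prompt. Each rejected attempt counts against the token's PIN retry counter, so a stale credential could block the token during enrollment. Consider consulting the credential only on the first pass, for example by passing `ASK_PASSWORD_NO_CREDENTIAL` in `flags` once a PIN has been rejected. This predates the rename, but it is worth settling before the credential name is made public.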


@ -109,7 +109,8 @@ int fido2_generate_hmac_hash(
const char *user_name,
const char *user_display_name,
const char *user_icon,
const char *askpw_icon_name,
const char *askpw_icon,
const char *askpw_credential,
Fido2EnrollFlags lock_with,
int cred_alg,
void **ret_cid, size_t *ret_cid_size,
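Review bot: The new `askpw_credential` parameter is declared without any stated contract. The prototype does not say that the string names the credential the token PIN is read from, that callers are expected to use their own namespace (`cryptenroll.*`, `home.*`), or whether NULL is accepted. A short comment above the declaration covering those three points would help, with the NULL behaviour confirmed against ask_password_auto() before it is written down. Since the value read is a secret, the comment could also note that the PIN buffer is erased on cleanup, as the `_cleanup_strv_free_erase_` declaration in the implementation suggests. The prototype starts and ends outside the hunk.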