throw PinRequiredClientError if no PIN is provided

Yubico · Jan 16, 2024 · 1b7f50a · 1b7f50a
1 parent fe5ed9c
commit 1b7f50a
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 9 deletions.
diff --git a/fido/src/main/java/com/yubico/yubikit/fido/client/BasicWebAuthnClient.java b/fido/src/main/java/com/yubico/yubikit/fido/client/BasicWebAuthnClient.java
@@ -19,7 +19,6 @@
 import com.yubico.yubikit.core.application.CommandException;
 import com.yubico.yubikit.core.application.CommandState;
 import com.yubico.yubikit.core.fido.CtapException;
-import com.yubico.yubikit.core.internal.Logger;
 import com.yubico.yubikit.fido.ctap.ClientPin;
 import com.yubico.yubikit.fido.ctap.CredentialManagement;
 import com.yubico.yubikit.fido.ctap.Ctap2Session;
@@ -188,7 +187,6 @@ public PublicKeyCredential makeCredential(
             if (e.getCtapError() == CtapException.ERR_PIN_INVALID) {
                 throw new PinInvalidClientError(e, clientPin.getPinRetries().getCount());
             }
-            Logger.debug(logger, "makeCredential CTAP error: {}", String.format("0x%02x", e.getCtapError()));
             throw ClientError.wrapCtapException(e);
         }
     }
@@ -432,9 +430,8 @@ protected Ctap2Session.CredentialData ctapMakeCredential(
                 pinToken = clientPin.getUvToken(ClientPin.PIN_PERMISSION_MC, rpId, null);
                 pinUvAuthParam = clientPin.getPinUvAuth().authenticate(pinToken, clientDataHash);
                 pinUvAuthProtocol = clientPin.getPinUvAuth().getVersion();
-            } else if (pinConfigured && Boolean.TRUE.equals(ctapOptions.get(OPTION_RESIDENT_KEY))) {
-                // the authenticator supports pin and a discoverable credential creation has been
-                // requested, but no PIN was provided
+            } else if (pinConfigured) {
+                // the authenticator supports pin but no PIN was provided
                 throw new PinRequiredClientError();
             }
 
@@ -555,7 +552,6 @@ protected List<Ctap2Session.AssertionData> ctapGetAssertions(
             if (e.getCtapError() == CtapException.ERR_PIN_INVALID) {
                 throw new PinInvalidClientError(e, clientPin.getPinRetries().getCount());
             }
-            Logger.debug(logger, "getAssertion CTAP error: {}", String.format("0x%02x", e.getCtapError()));
             throw ClientError.wrapCtapException(e);
         } finally {
             if (pinToken != null) {

diff --git a/.../src/androidTest/java/com/yubico/yubikit/testing/fido/UvDiscouragedInstrumentedTests.java b/.../src/androidTest/java/com/yubico/yubikit/testing/fido/UvDiscouragedInstrumentedTests.java
@@ -18,7 +18,7 @@
 
 import androidx.test.filters.LargeTest;
 
-import com.yubico.yubikit.fido.client.ClientError;
+import com.yubico.yubikit.fido.client.PinRequiredClientError;
 import com.yubico.yubikit.fido.ctap.Ctap2Session;
 import com.yubico.yubikit.testing.framework.FidoInstrumentedTests;
 
@@ -43,9 +43,9 @@ public void testMakeCredentialGetAssertion() throws Throwable {
 
     /**
      * Run this test only on devices with PIN set
-     * this is expected to fail with 0x36
+     * Expected to fail with PinRequiredClientError
      */
-    @Test(expected = ClientError.class)
+    @Test(expected = PinRequiredClientError.class)
     public void testMakeCredentialGetAssertionOnProtected() throws Throwable {
         withCtap2Session(
                 "This device has no PIN set",