Changes the Env API to late choice of template ID (#746)

* Changes the Env API to late choice of template ID

Before, a fingerprint sensor had to choose a template ID at the start of
the enrollment process. Not all sensors assign one immediately, and it
conceptually makes more sense to expect an ID after a successful
enrollment.

We introduce a state that tracks whether

- The fingerprint sensor chose a template ID already,
- and we sent a random template ID over CTAP until then.

We also add tests for the introduced state. Since the command is not
considered stateful by CTAP, it means that enrollment can interleave
with other CTAP commands. And the state is not part of
`StatefulCommand`.

* Fixes incorrect documentation

Author: kaczmarczyck

libraries/opensk/src/api/fingerprint.rs

@@ -45,9 +45,7 @@ impl From<Ctap2EnrollFeedback> for cbor::Value {
 
 pub trait Fingerprint {
     /// Starts the fingerprint enrollment process.
-    ///
-    /// Returns the newly assigned template ID.
-    fn prepare_enrollment(&mut self) -> CtapResult<Vec<u8>>;
+    fn prepare_enrollment(&mut self) -> CtapResult<()>;
 
     /// Captures a fingerprint image.
     ///
@@ -56,14 +54,22 @@ pub trait Fingerprint {
     /// `prepare_enrollment` must be called first.
     /// A returned `Ctap2StatusCode` indicates an unexpected failure processing
     /// the command.
-    /// The `Ctap2EnrollFeedback` contains expected errors from the fingerprint
-    /// capture process.
-    /// Also returns the expected number of remaining samples.
+    ///
+    /// This function returns:
+    /// - The `Ctap2EnrollFeedback` contains expected errors from the
+    /// fingerprint capture process.
+    /// - The expected number of remaining samples.
+    /// If the sensor finished template creation, return a hardware ID for this
+    /// template. This ID is different from the FIDO template ID, but they are
+    /// mapped to each other in OpenSK. This should happen exactly when the
+    /// returned number of `remainingSamples` is 0.
+    ///
+    /// There is always only one fingerprint enrollment in progress, and the
+    /// capture implicitly refers to that.
     fn capture_sample(
         &mut self,
-        template_id: &[u8],
         timeout_ms: Option<usize>,
-    ) -> CtapResult<(Ctap2EnrollFeedback, usize)>;
+    ) -> CtapResult<(Ctap2EnrollFeedback, usize, Option<Vec<u8>>)>;
 
     /// Cancel a fingerprint enrollment.
     fn cancel_enrollment(&mut self) -> CtapResult<()>;

libraries/opensk/src/ctap/client_pin.rs

@@ -700,8 +700,6 @@ mod test {
     use super::super::pin_protocol::authenticate_pin_uv_auth_token;
     use super::*;
     use crate::api::crypto::HASH_SIZE;
-    #[cfg(feature = "fingerprint")]
-    use crate::api::fingerprint::Fingerprint;
     use crate::env::test::TestEnv;
     use crate::env::EcdhSk;
     use alloc::vec;
@@ -1181,8 +1179,7 @@ mod test {
             .unwrap();
         let mut env = TestEnv::default();
         set_standard_pin(&mut env);
-        let template_id = env.fingerprint().prepare_enrollment().unwrap();
-        let _ = env.fingerprint().capture_sample(&template_id, Some(30_000));
+        assert!(env.create_fingerprint().is_ok());
 
         let response = client_pin
             .process_command(&mut env, params.clone(), DUMMY_CHANNEL)