
Commit b298b78

committed
Bump to newer libwebauthn
- Add usage of resident key "Preferred" - Remove now unneeded error checking for U2F attestation
1 parent 9d0cbdf commit b298b78

4 files changed

Lines changed: 37 additions & 39 deletions


xyz-iinuwa-credential-manager-portal-gtk/Cargo.lock

Lines changed: 1 addition & 1 deletion

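--- a/xyz-iinuwa-credential-manager-portal-gtk/Cargo.toml
+++ b/xyz-iinuwa-credential-manager-portal-gtk/Cargo.toml
@@ -20,7 +20,7 @@ serde_json = "1.0.140"
 tracing = "0.1.41"
 tracing-subscriber = "0.3"
 zbus = { version = "5.5.0", default-features = false, features = ["blocking-api", "tokio"] }
-libwebauthn = { git = "https://github.com/linux-credentials/libwebauthn", rev = "21995110e729cb83f3cd5ff3ece4c42315fe8bd3" }
+libwebauthn = { git = "https://github.com/linux-credentials/libwebauthn", rev = "e73c76b5826801907340396b0fd9bd7dfb0f5760" }
 async-trait = "0.1.88"
 tokio = { version = "1.45.0", features = ["rt-multi-thread"] }
 futures-lite = "2.6.0"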

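--- a/xyz-iinuwa-credential-manager-portal-gtk/src/dbus.rs
+++ b/xyz-iinuwa-credential-manager-portal-gtk/src/dbus.rs
@@ -9,7 +9,7 @@ use libwebauthn::ops::webauthn::{
 Assertion, CredentialProtectionExtension, GetAssertionHmacOrPrfInput,
 GetAssertionLargeBlobExtension, GetAssertionRequest, GetAssertionRequestExtensions,
 MakeCredentialHmacOrPrfInput, MakeCredentialRequest, MakeCredentialResponse,
-MakeCredentialsRequestExtensions, UserVerificationRequirement,
+MakeCredentialsRequestExtensions, ResidentKeyRequirement, UserVerificationRequirement,
 };
 use libwebauthn::proto::ctap2::{
 Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialRpEntity,
@@ -351,30 +351,34 @@ impl CreateCredentialRequest {
 let other_options =
 serde_json::from_str::<webauthn::MakeCredentialOptions>(&request_value.to_string())
 .map_err(|_| webauthn::Error::Internal("Invalid request JSON".to_string()))?;
-let (require_resident_key, user_verification) = if let Some(authenticator_selection) =
-other_options.authenticator_selection
-{
-let is_authenticator_storage_capable = true;
-let require_resident_key = authenticator_selection
-.resident_key
-.map(|r| r == "required" || (r == "preferred" && is_authenticator_storage_capable))
-.or(authenticator_selection.require_resident_key) // fallback to authenticator_selection.require_resident_key == true for WebAuthn Level 1
-.unwrap_or_default();
-
-let user_verification = authenticator_selection
-.user_verification
-.map(|uv| match uv.as_ref() {
-"required" => UserVerificationRequirement::Required,
-"preferred" => UserVerificationRequirement::Preferred,
-"discouraged" => UserVerificationRequirement::Discouraged,
-_ => todo!("This should be fixed in the future"),
-})
-.unwrap_or(UserVerificationRequirement::Preferred);
-
-(require_resident_key, user_verification)
-} else {
-(false, UserVerificationRequirement::Preferred)
-};
+let (resident_key, user_verification) =
+if let Some(authenticator_selection) = other_options.authenticator_selection {
+let resident_key = match authenticator_selection.resident_key.as_deref() {
+Some("required") => Some(ResidentKeyRequirement::Required),
+Some("preferred") => Some(ResidentKeyRequirement::Preferred),
+Some("discouraged") => Some(ResidentKeyRequirement::Discouraged),
+Some(_) => None,
+// legacy webauthn-1 member
+None if authenticator_selection.require_resident_key == Some(true) => {
+Some(ResidentKeyRequirement::Required)
+}
+None => None,
+};
+
+let user_verification = authenticator_selection
+.user_verification
+.map(|uv| match uv.as_ref() {
+"required" => UserVerificationRequirement::Required,
+"preferred" => UserVerificationRequirement::Preferred,
+"discouraged" => UserVerificationRequirement::Discouraged,
+_ => todo!("This should be fixed in the future"),
+})
+.unwrap_or(UserVerificationRequirement::Preferred);
+
+(resident_key, user_verification)
+} else {
+(None, UserVerificationRequirement::Preferred)
+};
 let extensions = if let Some(incoming_extensions) = other_options.extensions {
 let extensions = MakeCredentialsRequestExtensions {
 cred_props: incoming_extensions.cred_props,
@@ -465,7 +469,7 @@ impl CreateCredentialRequest {
 
 relying_party: rp,
 user,
-require_resident_key,
+resident_key,
 user_verification,
 algorithms,
 exclude,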
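Review bot: The `_ => todo!("This should be fixed in the future")` arm of the `user_verification` match (new line 374) is carried over unchanged, so an unrecognised string there still panics; the value is deserialized from the request JSON a few lines above, which appears to be caller-supplied, so one malformed request can abort the handler rather than produce an error. The new `resident_key` match already maps unknown strings to `None`; the same tolerance here would be `_ => UserVerificationRequirement::Preferred`, matching the existing `unwrap_or` default. Also worth checking: `Some(_) => None` bypasses the legacy `require_resident_key == Some(true)` fallback, so an unknown `resident_key` string alongside the legacy flag yields `None` instead of `Required`. The enclosing function begins and ends outside these hunks.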

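--- a/xyz-iinuwa-credential-manager-portal-gtk/src/webauthn.rs
+++ b/xyz-iinuwa-credential-manager-portal-gtk/src/webauthn.rs
@@ -10,7 +10,7 @@ use libwebauthn::{
 };
 use serde::{Deserialize, Serialize};
 use serde_json::json;
-use tracing::{debug, error};
+use tracing::debug;
 
 use crate::cose::{CoseKeyAlgorithmIdentifier, CoseKeyType};
 
@@ -363,16 +363,10 @@ impl TryFrom<&Ctap2AttestationStatement> for AttestationStatement {
 .collect(),
 })
 }
-Ctap2AttestationStatement::FidoU2F(att_stmt) => {
-if att_stmt.certificates.len() != 1 {
-error!("fido-u2f attestation statement has to have one certificate, but we received {}!", att_stmt.certificates.len());
-return Err(Error::InvalidState);
-}
-Ok(Self::U2F {
-signature: att_stmt.signature.as_ref().to_vec(),
-certificate: att_stmt.certificates[0].to_vec(),
-})
-}
+Ctap2AttestationStatement::FidoU2F(att_stmt) => Ok(Self::U2F {
+signature: att_stmt.signature.as_ref().to_vec(),
+certificate: att_stmt.certificate.to_vec(),
+}),
 _ => {
 debug!("Unsupported attestation type: {:?}", value);
 Err(Error::NotSupported)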
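Review bot: The `FidoU2F` arm (new lines 366-369) no longer records why a single certificate can be assumed, now that the `certificates.len() != 1` check and its `error!` log are gone. Going by the commit description and the singular `att_stmt.certificate` field, the pinned libwebauthn revision presumably enforces that invariant itself, but nothing on this side says so. A one-line comment above the arm would keep that dependency visible to whoever bumps the `rev` next, e.g. `// libwebauthn hands us a single fido-u2f certificate; the x5c length check is expected to live there`. The `impl TryFrom` body starts and ends outside the hunk.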
