feat(ctap2): add authenticatorLargeBlobs command (0x0C)

AlfioEmanueleFresta · AlfioEmanueleFresta · commit 0a719ceba4a0 · 2026-05-10T21:11:10.000+01:00
Implements the wire-level model and protocol method for CTAP 2.1
`authenticatorLargeBlobs` (command code 0x0C, spec §6.10). This is the
device-side primitive the platform uses to fetch and update the
authenticator's serialized largeBlobArray.

Includes only the `get` request shape so far; `set` is reserved for a
follow-up that will also handle the pinUvAuthParam binding required for
writes.

Refs: CTAP 2.2 §6.10.
diff --git a/libwebauthn/src/proto/ctap2/cbor/request.rs b/libwebauthn/src/proto/ctap2/cbor/request.rs
@@ -8,6 +8,7 @@ use crate::proto::ctap2::model::Ctap2MakeCredentialRequest;
 use crate::proto::ctap2::Ctap2AuthenticatorConfigRequest;
 use crate::proto::ctap2::Ctap2BioEnrollmentRequest;
 use crate::proto::ctap2::Ctap2CredentialManagementRequest;
+use crate::proto::ctap2::Ctap2LargeBlobsRequest;
 use crate::webauthn::Error;
 
 #[derive(Debug, Clone, PartialEq)]
@@ -106,3 +107,13 @@ impl TryFrom<&Ctap2CredentialManagementRequest> for CborRequest {
         })
     }
 }
+
+impl TryFrom<&Ctap2LargeBlobsRequest> for CborRequest {
+    type Error = Error;
+    fn try_from(request: &Ctap2LargeBlobsRequest) -> Result<CborRequest, Error> {
+        Ok(CborRequest {
+            command: Ctap2CommandCode::AuthenticatorLargeBlobs,
+            encoded_data: cbor::to_vec(&request)?,
+        })
+    }
+}
diff --git a/libwebauthn/src/proto/ctap2/mod.rs b/libwebauthn/src/proto/ctap2/mod.rs
@@ -32,6 +32,7 @@ pub use model::{
 pub use model::{
     Ctap2GetAssertionRequest, Ctap2GetAssertionResponse, Ctap2GetAssertionResponseExtensions,
 };
+pub use model::{Ctap2LargeBlobsRequest, Ctap2LargeBlobsResponse};
 pub use model::{
     Ctap2MakeCredentialRequest, Ctap2MakeCredentialResponse, Ctap2MakeCredentialsResponseExtensions,
 };
diff --git a/libwebauthn/src/proto/ctap2/model.rs b/libwebauthn/src/proto/ctap2/model.rs
@@ -44,6 +44,8 @@ pub use credential_management::{
     Ctap2CredentialData, Ctap2CredentialManagementMetadata, Ctap2CredentialManagementRequest,
     Ctap2CredentialManagementResponse, Ctap2RPData,
 };
+mod large_blobs;
+pub use large_blobs::{Ctap2LargeBlobsRequest, Ctap2LargeBlobsResponse};
 
 #[derive(Debug, IntoPrimitive, TryFromPrimitive, Copy, Clone, PartialEq, Serialize_repr)]
 #[repr(u8)]
@@ -58,6 +60,7 @@ pub enum Ctap2CommandCode {
     AuthenticatorCredentialManagement = 0x0A,
     AuthenticatorCredentialManagementPreview = 0x41,
     AuthenticatorSelection = 0x0B,
+    AuthenticatorLargeBlobs = 0x0C,
     AuthenticatorConfig = 0x0D,
 }
 
diff --git a/libwebauthn/src/proto/ctap2/model/large_blobs.rs b/libwebauthn/src/proto/ctap2/model/large_blobs.rs
@@ -0,0 +1,106 @@
+//! CTAP 2.1 `authenticatorLargeBlobs` command (cmd `0x0C`).
+//!
+//! Spec: CTAP 2.2 §6.10. The command provides paginated read/write access to a
+//! single authenticator-stored byte array (the "serialized largeBlobArray"),
+//! which is shared across all credentials on the device. Individual blobs are
+//! encrypted with the per-credential `largeBlobKey`.
+//!
+//! This module implements the wire-level request/response model. Higher-level
+//! helpers that drive paginated reads (and, in the future, writes) live in the
+//! `ops::webauthn::large_blob` module.
+
+use serde_bytes::ByteBuf;
+use serde_indexed::{DeserializeIndexed, SerializeIndexed};
+
+/// `authenticatorLargeBlobs` request parameters. The map shape is defined in
+/// CTAP 2.2 §6.10.1. Per the spec the platform sends EITHER `get` (read path)
+/// OR `set` (write path) per request; the unused field MUST be absent.
+#[derive(Debug, Clone, SerializeIndexed)]
+pub struct Ctap2LargeBlobsRequest {
+    /// `get` (0x01): when present, requests up to this many bytes starting at
+    /// `offset`. Mutually exclusive with `set`.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(index = 0x01)]
+    pub get: Option<u32>,
+
+    /// `set` (0x02): when present, this chunk of the serialized largeBlobArray
+    /// is written at `offset`. Mutually exclusive with `get`.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(index = 0x02)]
+    pub set: Option<ByteBuf>,
+
+    /// `offset` (0x03): byte offset for the read/write window. Required.
+    #[serde(index = 0x03)]
+    pub offset: u32,
+
+    /// `length` (0x04): on the first `set` request only, the total length of
+    /// the serialized array being written.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(index = 0x04)]
+    pub length: Option<u32>,
+
+    /// `pinUvAuthParam` (0x05): required for `set`; absent for `get` unless
+    /// the device requires it.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(index = 0x05)]
+    pub pin_uv_auth_param: Option<ByteBuf>,
+
+    /// `pinUvAuthProtocol` (0x06): version selected by the platform.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(index = 0x06)]
+    pub pin_uv_auth_protocol: Option<u32>,
+}
+
+impl Ctap2LargeBlobsRequest {
+    /// Build a `get` request for `length` bytes at `offset`.
+    pub fn new_get(offset: u32, length: u32) -> Self {
+        Self {
+            get: Some(length),
+            set: None,
+            offset,
+            length: None,
+            pin_uv_auth_param: None,
+            pin_uv_auth_protocol: None,
+        }
+    }
+}
+
+/// `authenticatorLargeBlobs` response. The map carries a single optional
+/// `config` field (CTAP 2.2 §6.10.2), which holds the requested slice of the
+/// serialized largeBlobArray on the read path. Empty on the write path.
+#[cfg_attr(test, derive(SerializeIndexed))]
+#[derive(Debug, Default, Clone, DeserializeIndexed)]
+pub struct Ctap2LargeBlobsResponse {
+    /// `config` (0x01): the partial blob array. None on write responses, or on
+    /// devices that omit the field for an empty array.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(index = 0x01)]
+    pub config: Option<ByteBuf>,
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::proto::ctap2::cbor;
+
+    #[test]
+    fn get_request_round_trips_through_cbor() {
+        let req = Ctap2LargeBlobsRequest::new_get(0, 1024);
+        let bytes = cbor::to_vec(&req).expect("serialize");
+        // CTAP 2.2 §6.10.1 mandates an integer-keyed map; verify that our
+        // encoding produces one. Tag 0xa3 = map of 3 items (get=1, offset=3,
+        // implicit absence of set/length/pinUvAuthParam/pinUvAuthProtocol).
+        assert_eq!(
+            bytes[0], 0xa2,
+            "expected CBOR map of two items, got {:#x}",
+            bytes[0]
+        );
+        // Sanity: re-decoding via the loose Value parser should yield the same
+        // logical content.
+        let value: cbor::Value = cbor::from_slice(&bytes).expect("deserialize");
+        let cbor::Value::Map(map) = value else {
+            panic!("expected map");
+        };
+        assert_eq!(map.len(), 2);
+    }
+}
diff --git a/libwebauthn/src/proto/ctap2/protocol.rs b/libwebauthn/src/proto/ctap2/protocol.rs
@@ -13,8 +13,8 @@ use super::model::Ctap2ClientPinResponse;
 use super::{
     Ctap2AuthenticatorConfigRequest, Ctap2BioEnrollmentRequest, Ctap2ClientPinRequest,
     Ctap2CredentialManagementRequest, Ctap2CredentialManagementResponse, Ctap2GetAssertionRequest,
-    Ctap2GetAssertionResponse, Ctap2GetInfoResponse, Ctap2MakeCredentialRequest,
-    Ctap2MakeCredentialResponse,
+    Ctap2GetAssertionResponse, Ctap2GetInfoResponse, Ctap2LargeBlobsRequest,
+    Ctap2LargeBlobsResponse, Ctap2MakeCredentialRequest, Ctap2MakeCredentialResponse,
 };
 
 const TIMEOUT_GET_INFO: Duration = Duration::from_millis(250);
@@ -73,6 +73,11 @@ pub trait Ctap2 {
         request: &Ctap2CredentialManagementRequest,
         timeout: Duration,
     ) -> Result<Ctap2CredentialManagementResponse, Error>;
+    async fn ctap2_large_blobs(
+        &mut self,
+        request: &Ctap2LargeBlobsRequest,
+        timeout: Duration,
+    ) -> Result<Ctap2LargeBlobsResponse, Error>;
 }
 
 #[async_trait]
@@ -272,4 +277,29 @@ where
             Ok(Ctap2CredentialManagementResponse::default())
         }
     }
+
+    #[instrument(skip_all)]
+    async fn ctap2_large_blobs(
+        &mut self,
+        request: &Ctap2LargeBlobsRequest,
+        timeout: Duration,
+    ) -> Result<Ctap2LargeBlobsResponse, Error> {
+        trace!(?request);
+        self.cbor_send(&request.try_into()?, timeout).await?;
+        let cbor_response = self.cbor_recv(timeout).await?;
+        match cbor_response.status_code {
+            CtapError::Ok => (),
+            error => return Err(Error::Ctap(error)),
+        };
+        if let Some(data) = cbor_response.data {
+            let ctap_response = parse_cbor!(Ctap2LargeBlobsResponse, &data);
+            debug!("CTAP2 LargeBlobs successful");
+            trace!(?ctap_response);
+            Ok(ctap_response)
+        } else {
+            // Write responses have no body. Same serde_indexed workaround as
+            // credential_management above.
+            Ok(Ctap2LargeBlobsResponse::default())
+        }
+    }
 }
