Merge branch 'master' into even_more_extensions

Author: msirringhaus

README.md

@@ -35,15 +35,15 @@ _Looking for the D-Bus API proposal?_ Check out [platform-api][linux-credentials
   - 🟢 GetPinUvAuthTokenUsingUvWithPermissions
 - [Passkey Authentication][passkeys]
   - 🟢 Discoverable credentials (resident keys)
-  - 🟢 Hybrid transport (caBLE v2): QR-initiated transactions ([#52][#52]: iOS only)
+  - 🟢 Hybrid transport (caBLE v2): QR-initiated transactions
   - 🟠 Hybrid transport (caBLE v2): State-assisted transactions ([#31][#31]: planned)
 
 ## Transports
 
 |                      | USB (HID)                 | Bluetooth Low Energy (BLE) | NFC                   | TPM 2.0 (Platform)    | Hybrid (caBLEv2)                   |
 | -------------------- | ------------------------- | -------------------------- | --------------------- | --------------------- | ---------------------------------- |
-| **FIDO U2F**         | 🟢 Supported (via hidapi) | 🟢 Supported (via bluez)   | 🟠 Planned ([#5](#5)) | 🟠 Planned ([#4][#4]) | N/A                                |
-| **WebAuthn (FIDO2)** | 🟢 Supported (via hidapi) | 🟢 Supported (via bluez)   | 🟠 Planned ([#5](#5)) | 🟠 Planned ([#4][#4]) | 🟠 Partly implemented ([#31][#31]) |
+| **FIDO U2F**         | 🟢 Supported (via hidapi) | 🟢 Supported (via bluez)   | 🟠 Planned ([#5][#5]) | 🟠 Planned ([#4][#4]) | N/A                                |
+| **WebAuthn (FIDO2)** | 🟢 Supported (via hidapi) | 🟢 Supported (via bluez)   | 🟠 Planned ([#5][#5]) | 🟠 Planned ([#4][#4]) | 🟠 Partly implemented ([#31][#31]) |
 
 ## Example programs
 

libwebauthn/Cargo.toml

@@ -41,7 +41,7 @@ num_enum = "0.7.1"
 x509-parser = "0.16.0"
 time = "0.3.35"
 curve25519-dalek = "4.1.3"
-hex = "0.4.2"
+hex = "0.4.3"
 mockall = "0.11.4"
 hidapi = { version = "2.4.1", default-features = false, features = [
     "linux-static-hidraw",

libwebauthn/examples/webauthn_cable.rs

@@ -25,7 +25,7 @@ use libwebauthn::proto::ctap2::{
 use libwebauthn::transport::Device;
 use libwebauthn::webauthn::{Error as WebAuthnError, WebAuthn};
 
-const TIMEOUT: Duration = Duration::from_secs(10);
+const TIMEOUT: Duration = Duration::from_secs(120);
 
 fn setup_logging() {
     tracing_subscriber::fmt()

libwebauthn/src/pin.rs

@@ -391,7 +391,10 @@ where
             return Err(Error::Platform(PlatformError::PinTooLong));
         }
 
-        let uv_proto = select_uv_proto(&get_info_response).await?;
+        let Some(uv_proto) = select_uv_proto(&get_info_response).await else {
+            error!("No supported PIN/UV auth protocols found");
+            return Err(Error::Ctap(CtapError::Other));
+        };
 
         let current_pin = match get_info_response.options.as_ref().unwrap().get("clientPin") {
             // Obtaining the current PIN, if one is set

libwebauthn/src/proto/ctap2/model.rs

@@ -140,8 +140,8 @@ impl From<&Ctap1Transport> for Ctap2Transport {
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Ctap2PublicKeyCredentialDescriptor {
-    pub r#type: Ctap2PublicKeyCredentialType,
     pub id: ByteBuf,
+    pub r#type: Ctap2PublicKeyCredentialType,
 
     #[serde(skip_serializing_if = "Option::is_none")]
     pub transports: Option<Vec<Ctap2Transport>>,
@@ -157,11 +157,11 @@ pub enum Ctap2COSEAlgorithmIdentifier {
 
 #[derive(Debug, Clone, Copy, Serialize, Deserialize)]
 pub struct Ctap2CredentialType {
-    #[serde(rename = "type")]
-    pub public_key_type: Ctap2PublicKeyCredentialType,
-
     #[serde(rename = "alg")]
     pub algorithm: Ctap2COSEAlgorithmIdentifier,
+
+    #[serde(rename = "type")]
+    pub public_key_type: Ctap2PublicKeyCredentialType,
 }
 
 impl Default for Ctap2CredentialType {
@@ -206,3 +206,40 @@ pub enum Ctap2UserVerificationOperation {
     GetPinToken,
     None,
 }
+
+#[cfg(test)]
+mod tests {
+    use crate::proto::ctap2::Ctap2PublicKeyCredentialDescriptor;
+
+    use super::{Ctap2CredentialType, Ctap2COSEAlgorithmIdentifier, Ctap2PublicKeyCredentialType};
+    use serde_bytes::ByteBuf;
+    use serde_cbor;
+    use hex;
+
+    #[test]
+    /// Verify CBOR serialization conforms to CTAP canonical standard, including ordering (see #95) 
+    pub fn credential_type_field_serialization() {
+        let credential_type = Ctap2CredentialType {
+            algorithm: Ctap2COSEAlgorithmIdentifier::ES256,
+            public_key_type: Ctap2PublicKeyCredentialType::PublicKey,
+        };
+        let serialized = serde_cbor::to_vec(&credential_type).unwrap();
+        // Known good, verified by hand with cbor.me playground
+        let expected = hex::decode("a263616c672664747970656a7075626c69632d6b6579").unwrap();
+        assert_eq!(serialized, expected);
+    }
+
+    #[test]
+    /// Verify CBOR serialization conforms to CTAP canonical standard, including ordering (see #95) 
+    pub fn credential_descriptor_serialization() {
+        let credential_descriptor = Ctap2PublicKeyCredentialDescriptor {
+            id: ByteBuf::from(vec![0x42]),
+            r#type: Ctap2PublicKeyCredentialType::PublicKey,
+            transports: None,
+        };
+        let serialized = serde_cbor::to_vec(&credential_descriptor).unwrap();
+        // Known good, verified by hand with cbor.me playground
+        let expected = hex::decode("a2626964414264747970656a7075626c69632d6b6579").unwrap();
+        assert_eq!(serialized, expected);
+    }
+}

libwebauthn/src/proto/ctap2/protocol.rs

@@ -101,11 +101,11 @@ where
     async fn ctap2_make_credential(
         &mut self,
         request: &Ctap2MakeCredentialRequest,
-        _timeout: Duration,
+        timeout: Duration,
     ) -> Result<Ctap2MakeCredentialResponse, Error> {
         trace!(?request);
-        self.cbor_send(&request.into(), TIMEOUT_GET_INFO).await?;
-        let cbor_response = self.cbor_recv(TIMEOUT_GET_INFO).await?;
+        self.cbor_send(&request.into(), timeout).await?;
+        let cbor_response = self.cbor_recv(timeout).await?;
         match cbor_response.status_code {
             CtapError::Ok => (),
             error => return Err(Error::Ctap(error)),
@@ -121,11 +121,11 @@ where
     async fn ctap2_get_assertion(
         &mut self,
         request: &Ctap2GetAssertionRequest,
-        _timeout: Duration,
+        timeout: Duration,
     ) -> Result<Ctap2GetAssertionResponse, Error> {
         trace!(?request);
-        self.cbor_send(&request.into(), TIMEOUT_GET_INFO).await?;
-        let cbor_response = self.cbor_recv(TIMEOUT_GET_INFO).await?;
+        self.cbor_send(&request.into(), timeout).await?;
+        let cbor_response = self.cbor_recv(timeout).await?;
         match cbor_response.status_code {
             CtapError::Ok => (),
             error => return Err(Error::Ctap(error)),
@@ -140,12 +140,12 @@ where
     #[instrument(skip_all)]
     async fn ctap2_get_next_assertion(
         &mut self,
-        _timeout: Duration,
+        timeout: Duration,
     ) -> Result<Ctap2GetAssertionResponse, Error> {
         debug!("CTAP2 GetNextAssertion request");
         let cbor_request = CborRequest::new(Ctap2CommandCode::AuthenticatorGetNextAssertion);
-        self.cbor_send(&cbor_request, TIMEOUT_GET_INFO).await?;
-        let cbor_response = self.cbor_recv(TIMEOUT_GET_INFO).await?;
+        self.cbor_send(&cbor_request, timeout).await?;
+        let cbor_response = self.cbor_recv(timeout).await?;
         let data = unwrap_field!(cbor_response.data);
         let ctap_response = parse_cbor!(Ctap2GetAssertionResponse, &data);
         debug!("CTAP2 GetNextAssertion successful");
@@ -154,13 +154,13 @@ where
     }
 
     #[instrument(skip_all)]
-    async fn ctap2_selection(&mut self, _timeout: Duration) -> Result<(), Error> {
+    async fn ctap2_selection(&mut self, timeout: Duration) -> Result<(), Error> {
         debug!("CTAP2 Authenticator Selection request");
         let cbor_request = CborRequest::new(Ctap2CommandCode::AuthenticatorSelection);
 
         loop {
-            self.cbor_send(&cbor_request, TIMEOUT_GET_INFO).await?;
-            let cbor_response = self.cbor_recv(TIMEOUT_GET_INFO).await?;
+            self.cbor_send(&cbor_request, timeout).await?;
+            let cbor_response = self.cbor_recv(timeout).await?;
             match cbor_response.status_code {
                 CtapError::Ok => {
                     return Ok(());
@@ -177,11 +177,11 @@ where
     async fn ctap2_client_pin(
         &mut self,
         request: &Ctap2ClientPinRequest,
-        _timeou: Duration,
+        timeout: Duration,
     ) -> Result<Ctap2ClientPinResponse, Error> {
         trace!(?request);
-        self.cbor_send(&request.into(), TIMEOUT_GET_INFO).await?;
-        let cbor_response = self.cbor_recv(TIMEOUT_GET_INFO).await?;
+        self.cbor_send(&request.into(), timeout).await?;
+        let cbor_response = self.cbor_recv(timeout).await?;
         match cbor_response.status_code {
             CtapError::Ok => (),
             error => return Err(Error::Ctap(error)),
@@ -203,11 +203,11 @@ where
     async fn ctap2_authenticator_config(
         &mut self,
         request: &Ctap2AuthenticatorConfigRequest,
-        _timeout: Duration,
+        timeout: Duration,
     ) -> Result<(), Error> {
         trace!(?request);
-        self.cbor_send(&request.into(), TIMEOUT_GET_INFO).await?;
-        let cbor_response = self.cbor_recv(TIMEOUT_GET_INFO).await?;
+        self.cbor_send(&request.into(), timeout).await?;
+        let cbor_response = self.cbor_recv(timeout).await?;
         match cbor_response.status_code {
             CtapError::Ok => {
                 return Ok(());
@@ -226,11 +226,11 @@ where
     async fn ctap2_bio_enrollment(
         &mut self,
         request: &Ctap2BioEnrollmentRequest,
-        _timeout: Duration,
+        timeout: Duration,
     ) -> Result<Ctap2BioEnrollmentResponse, Error> {
         trace!(?request);
-        self.cbor_send(&request.into(), TIMEOUT_GET_INFO).await?;
-        let cbor_response = self.cbor_recv(TIMEOUT_GET_INFO).await?;
+        self.cbor_send(&request.into(), timeout).await?;
+        let cbor_response = self.cbor_recv(timeout).await?;
         match cbor_response.status_code {
             CtapError::Ok => (),
             error => return Err(Error::Ctap(error)),
@@ -252,11 +252,11 @@ where
     async fn ctap2_credential_management(
         &mut self,
         request: &Ctap2CredentialManagementRequest,
-        _timeout: Duration,
+        timeout: Duration,
     ) -> Result<Ctap2CredentialManagementResponse, Error> {
         trace!(?request);
-        self.cbor_send(&request.into(), TIMEOUT_GET_INFO).await?;
-        let cbor_response = self.cbor_recv(TIMEOUT_GET_INFO).await?;
+        self.cbor_send(&request.into(), timeout).await?;
+        let cbor_response = self.cbor_recv(timeout).await?;
         match cbor_response.status_code {
             CtapError::Ok => (),
             error => return Err(Error::Ctap(error)),

libwebauthn/src/transport/ble/btleplug/manager.rs

@@ -2,10 +2,11 @@ use std::collections::HashMap;
 
 use btleplug::api::bleuuid::uuid_from_u16;
 use btleplug::api::{
-    Central as _, Manager as _, Peripheral as _, PeripheralProperties, ScanFilter,
+    Central as _, CentralEvent, Manager as _, Peripheral as _, PeripheralProperties, ScanFilter,
 };
-use btleplug::platform::{Adapter, Manager, Peripheral};
-use tracing::{debug, info, instrument, Level};
+use btleplug::platform::{Adapter, Manager, Peripheral, PeripheralId};
+use futures::{Stream, StreamExt};
+use tracing::{debug, info, instrument, trace, warn, Level};
 use uuid::Uuid;
 
 use super::device::FidoEndpoints;
@@ -50,17 +51,64 @@ impl SupportedRevisions {
     }
 }
 
+async fn on_peripheral_service_data(
+    adapter: &Adapter,
+    id: &PeripheralId,
+    uuids: &[Uuid],
+    service_data: HashMap<Uuid, Vec<u8>>,
+) -> Option<(Peripheral, Vec<u8>)> {
+    for uuid in uuids {
+        if let Some(service_data) = service_data.get(uuid) {
+            trace!(?id, ?service_data, "Found service data");
+            let Ok(peripheral) = adapter.peripheral(id).await else {
+                warn!(?id, "Could not get peripheral");
+                return None;
+            };
+
+            debug!({ ?id, ?service_data }, "Found service data for peripheral");
+            return Some((peripheral, service_data.to_owned()));
+        }
+    }
+
+    trace!(
+        { ?id, ?service_data },
+        "Ignoring periperal as it doesn't have service data for desired UUID"
+    );
+    None
+}
+
 #[instrument(level = Level::DEBUG, skip_all)]
-pub async fn start_discovery(uuids: &[Uuid]) -> Result<(), Error> {
+/// Starts a discovery for devices advertising service data on any of the provided UUIDs
+pub async fn start_discovery_for_service_data(
+    uuids: &[Uuid],
+) -> Result<impl Stream<Item = (Peripheral, Vec<u8>)> + use<'_>, Error> {
     let adapter = get_adapter().await?;
-    let scan_filter = ScanFilter {
-        services: uuids.to_vec(),
-    };
+    let scan_filter = ScanFilter::default();
+
+    let events = adapter.events().await.or(Err(Error::Unavailable))?;
 
     adapter
         .start_scan(scan_filter)
         .await
-        .or(Err(Error::ConnectionFailed))
+        .or(Err(Error::ConnectionFailed))?;
+
+    let stream = events.filter_map({
+        move |event| {
+            let adapter = adapter.clone();
+            let uuids = uuids.to_vec();
+            async move {
+                // trace!(?event);
+                match event {
+                    CentralEvent::ServiceDataAdvertisement { id, service_data } => {
+                        on_peripheral_service_data(&adapter, &id, &uuids, service_data).await
+                    }
+                    _ => None,
+                }
+            }
+        }
+    });
+
+    Ok(stream)
 }
 
 /// TODO(#86): Support multiple adapters.
@@ -84,6 +132,7 @@ async fn discover_properties(
             .properties()
             .await
             .or(Err(Error::ConnectionFailed))?;
+        trace!({ ?peripheral, ?properties });
         if let Some(properties) = properties {
             result.push((peripheral, properties));
         }
@@ -117,38 +166,20 @@ pub async fn list_fido_devices() -> Result<Vec<FidoDevice>, Error> {
     Ok(with_properties)
 }
 
-#[instrument(level = Level::DEBUG, skip_all)]
-pub async fn list_devices_with_service_data(
-    service_uuid: Uuid,
-) -> Result<HashMap<FidoDevice, Vec<u8>>, Error> {
-    let adapter = get_adapter().await?;
-    let peripherals = adapter
-        .peripherals()
+pub async fn get_device(peripheral: Peripheral) -> Result<Option<FidoDevice>, Error> {
+    let Some(properties) = peripheral
+        .properties()
         .await
-        .or(Err(Error::ConnectionFailed))?;
-    for peripheral in &peripherals {
-        // TODO: parallelize this
-        peripheral
-            .discover_services()
-            .await
-            .or(Err(Error::ConnectionFailed))?;
-    }
-    let with_properties = discover_properties(peripherals).await?;
-    Ok(with_properties
-        .into_iter()
-        .filter_map(
-            |(peripheral, properties)| match properties.service_data.get(&service_uuid) {
-                Some(service_data) => {
-                    let device = FidoDevice {
-                        peripheral,
-                        properties: properties.to_owned(),
-                    };
-                    Some((device, service_data.to_owned()))
-                }
-                None => None,
-            },
-        )
-        .collect())
+        .or(Err(Error::ConnectionFailed))?
+    else {
+        return Ok(None);
+    };
+
+    let device = FidoDevice {
+        peripheral,
+        properties,
+    };
+    Ok(Some(device))
 }
 
 pub async fn supported_fido_revisions(

libwebauthn/src/transport/ble/btleplug/mod.rs

@@ -8,6 +8,5 @@ pub use connection::Connection;
 pub use device::FidoDevice;
 pub use error::Error;
 pub use manager::{
-    connect, list_devices_with_service_data, list_fido_devices, start_discovery,
-    supported_fido_revisions,
+    connect, list_fido_devices, start_discovery_for_service_data, supported_fido_revisions,
 };