fix(pin): re-mint instead of reusing a rejected persistent token

AlfioEmanueleFresta · AlfioEmanueleFresta · commit 2fc406fac24d · 2026-06-07T15:56:01.000+01:00
diff --git a/libwebauthn/src/management/credential_management.rs b/libwebauthn/src/management/credential_management.rs
@@ -77,7 +77,8 @@ where
                 self,
                 self.ctap2_credential_management(&req, timeout).await,
                 uv_auth_used,
-                timeout
+                timeout,
+                req
             )
         }?;
         let metadata = Ctap2CredentialManagementMetadata::new(
@@ -106,7 +107,8 @@ where
                 self,
                 self.ctap2_credential_management(&req, timeout).await,
                 uv_auth_used,
-                timeout
+                timeout,
+                req
             )
         }?;
         Ok((
@@ -134,7 +136,8 @@ where
                 self,
                 self.ctap2_credential_management(&req, timeout).await,
                 uv_auth_used,
-                timeout
+                timeout,
+                req
             )
         }?;
         Ok(Ctap2RPData::new(
@@ -163,7 +166,8 @@ where
                 self,
                 self.ctap2_credential_management(&req, timeout).await,
                 uv_auth_used,
-                timeout
+                timeout,
+                req
             )
         }?;
         let cred = Ctap2CredentialData::new(
@@ -196,7 +200,8 @@ where
                 self,
                 self.ctap2_credential_management(&req, timeout).await,
                 uv_auth_used,
-                timeout
+                timeout,
+                req
             )
         }?;
         let cred = Ctap2CredentialData::new(
@@ -229,7 +234,8 @@ where
                 self,
                 self.ctap2_credential_management(&req, timeout).await,
                 uv_auth_used,
-                timeout
+                timeout,
+                req
             )
         }?;
         Ok(())
@@ -262,7 +268,8 @@ where
                 self,
                 self.ctap2_credential_management(&req, timeout).await,
                 uv_auth_used,
-                timeout
+                timeout,
+                req
             )
         }?;
         Ok(())
@@ -339,4 +346,12 @@ impl Ctap2UserVerifiableRequest for Ctap2CredentialManagementRequest {
     fn wants_persistent_token(&self) -> bool {
         self.use_persistent_token
     }
+
+    fn note_persistent_token_rejected(&mut self) {
+        self.persistent_token_rejected = true;
+    }
+
+    fn persistent_token_rejected(&self) -> bool {
+        self.persistent_token_rejected
+    }
 }
diff --git a/libwebauthn/src/proto/ctap2/model.rs b/libwebauthn/src/proto/ctap2/model.rs
@@ -322,6 +322,14 @@ pub trait Ctap2UserVerifiableRequest {
     fn wants_persistent_token(&self) -> bool {
         false
     }
+    /// Record that a reused persistent (pcmr) token was rejected by the authenticator, so
+    /// the retry stops reusing it and mints a fresh one instead. Default: no-op.
+    fn note_persistent_token_rejected(&mut self) {}
+    /// Whether a reused persistent token was already rejected during this ceremony, per
+    /// [`Self::note_persistent_token_rejected`]. Default false.
+    fn persistent_token_rejected(&self) -> bool {
+        false
+    }
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
diff --git a/libwebauthn/src/proto/ctap2/model/credential_management.rs b/libwebauthn/src/proto/ctap2/model/credential_management.rs
@@ -36,6 +36,11 @@ pub struct Ctap2CredentialManagementRequest {
     /// Set from getInfo and store availability before `permissions()` is read.
     #[serde(skip)]
     pub use_persistent_token: bool,
+
+    /// Set once a reused persistent token is rejected, so the retry skips recognition and
+    /// mints a fresh token instead of looping on the same stale record.
+    #[serde(skip)]
+    pub persistent_token_rejected: bool,
 }
 
 #[repr(u32)]
@@ -150,6 +155,7 @@ impl Ctap2CredentialManagementRequest {
             uv_auth_param: None,
             use_legacy_preview: false,
             use_persistent_token: false,
+            persistent_token_rejected: false,
         }
     }
 
@@ -161,6 +167,7 @@ impl Ctap2CredentialManagementRequest {
             uv_auth_param: None,
             use_legacy_preview: false,
             use_persistent_token: false,
+            persistent_token_rejected: false,
         }
     }
 
@@ -172,6 +179,7 @@ impl Ctap2CredentialManagementRequest {
             uv_auth_param: None,
             use_legacy_preview: false,
             use_persistent_token: false,
+            persistent_token_rejected: false,
         }
     }
 
@@ -187,6 +195,7 @@ impl Ctap2CredentialManagementRequest {
             uv_auth_param: None,
             use_legacy_preview: false,
             use_persistent_token: false,
+            persistent_token_rejected: false,
         }
     }
 
@@ -200,6 +209,7 @@ impl Ctap2CredentialManagementRequest {
             uv_auth_param: None,
             use_legacy_preview: false,
             use_persistent_token: false,
+            persistent_token_rejected: false,
         }
     }
 
@@ -215,6 +225,7 @@ impl Ctap2CredentialManagementRequest {
             uv_auth_param: None,
             use_legacy_preview: false,
             use_persistent_token: false,
+            persistent_token_rejected: false,
         }
     }
 
@@ -233,6 +244,7 @@ impl Ctap2CredentialManagementRequest {
             uv_auth_param: None,
             use_legacy_preview: false,
             use_persistent_token: false,
+            persistent_token_rejected: false,
         }
     }
 }
diff --git a/libwebauthn/src/proto/ctap2/protocol.rs b/libwebauthn/src/proto/ctap2/protocol.rs
@@ -469,6 +469,7 @@ mod tests {
             uv_auth_param: None,
             use_legacy_preview: false,
             use_persistent_token: false,
+            persistent_token_rejected: false,
         };
         let expected_request: CborRequest = (&request).try_into().unwrap();
         channel.push_command_pair(expected_request, error_response(CtapError::PINRequired));
diff --git a/libwebauthn/src/webauthn.rs b/libwebauthn/src/webauthn.rs
@@ -44,7 +44,20 @@ fn prf_forces_uv_upgrade(prf_present: bool, uv: UserVerificationRequirement) ->
 }
 
 macro_rules! handle_errors {
+    // Callers that never reuse a persistent token (make-credential, get-assertion,
+    // authenticator-config, bio-enrollment): nothing to notify on a persistent rejection.
     ($channel: expr, $resp: expr, $uv_auth_used: expr, $timeout: expr) => {
+        handle_errors!(@inner $channel, $resp, $uv_auth_used, $timeout, {})
+    };
+    // Credential-management callers pass their request so a rejected persistent token is
+    // marked on it, forcing the retry to mint a fresh token instead of reusing the same
+    // stale record. This keeps loop termination independent of the best-effort store delete.
+    ($channel: expr, $resp: expr, $uv_auth_used: expr, $timeout: expr, $request: expr) => {
+        handle_errors!(@inner $channel, $resp, $uv_auth_used, $timeout, {
+            $request.note_persistent_token_rejected();
+        })
+    };
+    (@inner $channel: expr, $resp: expr, $uv_auth_used: expr, $timeout: expr, $on_persistent_reject: block) => {
         match $resp {
             Err(Error::Ctap(CtapError::PINAuthInvalid))
                 if $uv_auth_used == UsedPinUvAuthToken::FromEphemeralStorage =>
@@ -62,6 +75,7 @@ macro_rules! handle_errors {
                         store.delete(id).await;
                     }
                 }
+                $on_persistent_reject
                 continue;
             }
             Err(Error::Ctap(CtapError::UVInvalid)) => {
diff --git a/libwebauthn/src/webauthn/pin_uv_auth_token.rs b/libwebauthn/src/webauthn/pin_uv_auth_token.rs
@@ -77,10 +77,12 @@ where
     ctap2_request.handle_legacy_preview(&get_info_response);
 
     // Decide whether this request acquires a persistent (pcmr) token. A persistent token
-    // outranks a same-session ephemeral one, so try it first.
+    // outranks a same-session ephemeral one, so try it first. Skip reuse once a stored
+    // token has been rejected this ceremony, so the retry mints a fresh one rather than
+    // looping on the same stale record.
     let persistent_token_store = channel.persistent_token_store();
     ctap2_request.set_persistent_token_use(&get_info_response, persistent_token_store.is_some());
-    if ctap2_request.wants_persistent_token() {
+    if ctap2_request.wants_persistent_token() && !ctap2_request.persistent_token_rejected() {
         if let Some(store) = &persistent_token_store {
             if let Some((id, record)) =
                 recognize_authenticator(store.as_ref(), &get_info_response).await
@@ -1681,6 +1683,125 @@ mod test {
         assert!(recv.is_empty());
     }
 
+    // The spec-real foreign-invalidation path. A PIN change (or any out-of-band reset of the
+    // persistent token) regenerates the token bytes, so the stored token can no longer decrypt
+    // the new encIdentifier: recognition MISSES with no PINAuthInvalid round trip, a fresh pcmr
+    // token is minted, and reaping by the stable device identifier evicts the dead record.
+    // Complements persistent_token_self_heals_on_rejection, which covers the defensive
+    // recognized-but-rejected arm.
+    #[tokio::test]
+    async fn recognition_miss_remints_and_reaps() {
+        let mut channel = MockChannel::new();
+        let device_identifier = [0x42; 16];
+        let aaguid = [0x07; 16];
+        let minted_token = [0x05; 16];
+        let stale_token = vec![0x11; 32];
+
+        // A stale record for THIS device (same device identifier) holding the old token bytes.
+        let store = Arc::new(MemoryPersistentTokenStore::new());
+        store
+            .put(
+                &"stale".to_string(),
+                &PersistentTokenRecord {
+                    persistent_token: stale_token,
+                    pin_uv_auth_protocol: Ctap2PinUvAuthProtocol::One,
+                    device_identifier,
+                    aaguid,
+                },
+            )
+            .await;
+        channel.set_persistent_token_store(store.clone());
+
+        // encIdentifier is built under the NEW token, so the stale record fails recognition.
+        let info = pcmr_get_info(
+            &[
+                ("uv", true),
+                ("pinUvAuthToken", true),
+                ("perCredMgmtRO", true),
+            ],
+            &minted_token,
+            device_identifier,
+            aaguid,
+        );
+        channel.push_command_pair(
+            CborRequest::new(Ctap2CommandCode::AuthenticatorGetInfo),
+            CborResponse::new_success_from_slice(to_vec(&info).unwrap().as_slice()),
+        );
+
+        let key_agreement_req = CborRequest::try_from(
+            &Ctap2ClientPinRequest::new_get_key_agreement(Ctap2PinUvAuthProtocol::One),
+        )
+        .unwrap();
+        let key_agreement_resp = CborResponse::new_success_from_slice(
+            to_vec(&Ctap2ClientPinResponse {
+                key_agreement: Some(get_key_agreement()),
+                pin_uv_auth_token: None,
+                pin_retries: None,
+                power_cycle_state: None,
+                uv_retries: None,
+            })
+            .unwrap()
+            .as_slice(),
+        );
+        channel.push_command_pair(key_agreement_req, key_agreement_resp);
+
+        let pin_protocol = PinUvAuthProtocolOne::new();
+        let (public_key, shared_secret) = pin_protocol.encapsulate(&get_key_agreement()).unwrap();
+        let uv_token_req =
+            CborRequest::try_from(&Ctap2ClientPinRequest::new_get_uv_token_with_perm(
+                Ctap2PinUvAuthProtocol::One,
+                public_key,
+                Ctap2AuthTokenPermissionRole::PERSISTENT_CREDENTIAL_MANAGEMENT_READ_ONLY,
+                None,
+            ))
+            .unwrap();
+        let encrypted_token = pin_protocol.encrypt(&shared_secret, &minted_token).unwrap();
+        let uv_token_resp = CborResponse::new_success_from_slice(
+            to_vec(&Ctap2ClientPinResponse {
+                key_agreement: None,
+                pin_uv_auth_token: Some(ByteBuf::from(encrypted_token)),
+                pin_retries: None,
+                power_cycle_state: None,
+                uv_retries: None,
+            })
+            .unwrap()
+            .as_slice(),
+        );
+        channel.push_command_pair(uv_token_req, uv_token_resp);
+
+        let mut recv = channel.get_ux_update_receiver();
+        let recv_handle = tokio::task::spawn(async move {
+            assert_eq!(recv.recv().await, Ok(UvUpdate::PresenceRequired));
+            recv
+        });
+
+        let mut req = Ctap2CredentialManagementRequest::new_get_credential_metadata();
+        let result = user_verification(
+            &mut channel,
+            UserVerificationRequirement::Preferred,
+            &mut req,
+            TIMEOUT,
+        )
+        .await;
+
+        // Recognition missed, so the token was minted, not reused.
+        assert_eq!(
+            result,
+            Ok(UsedPinUvAuthToken::NewlyCalculated(
+                Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingUvWithPermissions
+            ))
+        );
+        // The stale record was reaped and replaced by exactly one fresh record.
+        let listed = store.list().await;
+        assert_eq!(listed.len(), 1);
+        assert!(listed.iter().all(|(id, _)| id != "stale"));
+        assert_eq!(listed[0].1.persistent_token, minted_token.to_vec());
+        assert_eq!(listed[0].1.device_identifier, device_identifier);
+
+        let recv = recv_handle.await.expect("Failed to join update thread");
+        assert!(recv.is_empty());
+    }
+
     #[tokio::test]
     async fn persistent_token_self_heals_on_rejection() {
         use crate::management::CredentialManagement;
@@ -1704,8 +1825,11 @@ mod test {
             .await;
         channel.set_persistent_token_store(store.clone());
 
-        // The device still computes encIdentifier under our token (a PIN change cleared the
-        // token's permissions, not its bytes), so recognition matches but the op is rejected.
+        // Defensive path: a recognized token is rejected by the device. The encIdentifier is
+        // built under our stored token so recognition matches, yet the op returns
+        // PINAuthInvalid; we evict and re-mint. (A real PIN change regenerates the token bytes,
+        // per resetPersistentPinUvAuthToken, so recognition would instead miss and re-mint
+        // without a rejection; that path is covered by recognition_miss_remints_and_reaps.)
         let info = pcmr_get_info(
             &[
                 ("uv", true),

Original file line number	Diff line number	Diff line change
`@@ -322,6 +322,14 @@ pub trait Ctap2UserVerifiableRequest {`
`322`	`322`	`fn wants_persistent_token(&self) -> bool {`
`323`	`323`	`false`
`324`	`324`	`}`
	`325`	`+ /// Record that a reused persistent (pcmr) token was rejected by the authenticator, so`
	`326`	`+ /// the retry stops reusing it and mints a fresh one instead. Default: no-op.`
	`327`	`+ fn note_persistent_token_rejected(&mut self) {}`
	`328`	`+ /// Whether a reused persistent token was already rejected during this ceremony, per`
	`329`	+ /// [`Self::note_persistent_token_rejected`]. Default false.
	`330`	`+ fn persistent_token_rejected(&self) -> bool {`
	`331`	`+ false`
	`332`	`+ }`
`325`	`333`	`}`
`326`	`334`
`327`	`335`	`#[derive(Debug, Clone, Copy, PartialEq, Eq)]`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,11 @@ pub struct Ctap2CredentialManagementRequest {`
`36`	`36`	/// Set from getInfo and store availability before `permissions()` is read.
`37`	`37`	`#[serde(skip)]`
`38`	`38`	`pub use_persistent_token: bool,`
	`39`	`+`
	`40`	`+ /// Set once a reused persistent token is rejected, so the retry skips recognition and`
	`41`	`+ /// mints a fresh token instead of looping on the same stale record.`
	`42`	`+ #[serde(skip)]`
	`43`	`+ pub persistent_token_rejected: bool,`
`39`	`44`	`}`
`40`	`45`
`41`	`46`	`#[repr(u32)]`
`@@ -150,6 +155,7 @@ impl Ctap2CredentialManagementRequest {`
`150`	`155`	`uv_auth_param: None,`
`151`	`156`	`use_legacy_preview: false,`
`152`	`157`	`use_persistent_token: false,`
	`158`	`+ persistent_token_rejected: false,`
`153`	`159`	`}`
`154`	`160`	`}`
`155`	`161`
`@@ -161,6 +167,7 @@ impl Ctap2CredentialManagementRequest {`
`161`	`167`	`uv_auth_param: None,`
`162`	`168`	`use_legacy_preview: false,`
`163`	`169`	`use_persistent_token: false,`
	`170`	`+ persistent_token_rejected: false,`
`164`	`171`	`}`
`165`	`172`	`}`
`166`	`173`
`@@ -172,6 +179,7 @@ impl Ctap2CredentialManagementRequest {`
`172`	`179`	`uv_auth_param: None,`
`173`	`180`	`use_legacy_preview: false,`
`174`	`181`	`use_persistent_token: false,`
	`182`	`+ persistent_token_rejected: false,`
`175`	`183`	`}`
`176`	`184`	`}`
`177`	`185`
`@@ -187,6 +195,7 @@ impl Ctap2CredentialManagementRequest {`
`187`	`195`	`uv_auth_param: None,`
`188`	`196`	`use_legacy_preview: false,`
`189`	`197`	`use_persistent_token: false,`
	`198`	`+ persistent_token_rejected: false,`
`190`	`199`	`}`
`191`	`200`	`}`
`192`	`201`
`@@ -200,6 +209,7 @@ impl Ctap2CredentialManagementRequest {`
`200`	`209`	`uv_auth_param: None,`
`201`	`210`	`use_legacy_preview: false,`
`202`	`211`	`use_persistent_token: false,`
	`212`	`+ persistent_token_rejected: false,`
`203`	`213`	`}`
`204`	`214`	`}`
`205`	`215`
`@@ -215,6 +225,7 @@ impl Ctap2CredentialManagementRequest {`
`215`	`225`	`uv_auth_param: None,`
`216`	`226`	`use_legacy_preview: false,`
`217`	`227`	`use_persistent_token: false,`
	`228`	`+ persistent_token_rejected: false,`
`218`	`229`	`}`
`219`	`230`	`}`
`220`	`231`
`@@ -233,6 +244,7 @@ impl Ctap2CredentialManagementRequest {`
`233`	`244`	`uv_auth_param: None,`
`234`	`245`	`use_legacy_preview: false,`
`235`	`246`	`use_persistent_token: false,`
	`247`	`+ persistent_token_rejected: false,`
`236`	`248`	`}`
`237`	`249`	`}`
`238`	`250`	`}`