fix(webauthn): largeBlob.read no longer leaks largeBlobKey to RP

AlfioEmanueleFresta · AlfioEmanueleFresta · commit 4f484fb09858 · 2026-05-10T20:58:32.000+01:00
When the RP requests `largeBlob: { read: true }`, libwebauthn was populating
the WebAuthn response's `blob` field with the per-credential `largeBlobKey`
(a 32-byte AES-256-GCM key) instead of the decrypted blob payload. The CTAP
2.1 `authenticatorLargeBlobs` command is not yet implemented; until it is,
the safe behaviour is to drop the key from the WebAuthn response.

The CTAP-level `Ctap2GetAssertionResponse.large_blob_key` field is unchanged
so the next PR can wire up the proper flow.

Adds a regression test asserting the WebAuthn-facing
`Assertion.unsigned_extensions_output.large_blob.blob` is `None` even when
the device returned a `largeBlobKey`.

Refs: WebAuthn L3 §10.5, CTAP 2.2 §6.10 / §11.4.
diff --git a/libwebauthn/src/proto/ctap2/model/get_assertion.rs b/libwebauthn/src/proto/ctap2/model/get_assertion.rs
@@ -521,7 +521,11 @@ impl Ctap2GetAssertionResponseExtensions {
     pub(crate) fn to_unsigned_extensions(
         &self,
         request: &GetAssertionRequest,
-        response: &Ctap2GetAssertionResponse,
+        // Not used while authenticatorLargeBlobs is unimplemented; see comment below
+        // (the `large_blob_key` was previously routed to the WebAuthn response, which
+        // is a key-disclosure bug). The follow-up PR that implements
+        // `authenticatorLargeBlobs` will use this field again.
+        _response: &Ctap2GetAssertionResponse,
         auth_data: Option<&AuthTokenData>,
     ) -> GetAssertionResponseUnsignedExtensions {
         let decrypted_hmac = self.hmac_secret.as_ref().and_then(|x| {
@@ -548,16 +552,25 @@ impl Ctap2GetAssertionResponseExtensions {
                 })
         });
 
-        // LargeBlobs was requested
+        // LargeBlobs was requested.
+        //
+        // The CTAP-level `largeBlobKey` (32-byte AES-256-GCM key) MUST NOT be returned
+        // to the RP as the WebAuthn `large_blob.blob` value. Returning it would both
+        // (a) fail to deliver the actual blob (the RP expects the decrypted payload),
+        // and (b) disclose key material that is meant to stay platform-side.
+        //
+        // The proper flow is for the platform to invoke CTAP 2.1
+        // `authenticatorLargeBlobs(get)`, locate the credential's entry in the
+        // largeBlobArray, and decrypt it under `largeBlobKey`. That flow is not yet
+        // implemented; until it is, we expose no blob to the RP. The
+        // `Ctap2GetAssertionResponse.large_blob_key` field is preserved so the
+        // upcoming implementation can use it.
         let large_blob = request
             .extensions
             .as_ref()
             .and_then(|ext| ext.large_blob.as_ref())
             .map(|_| GetAssertionLargeBlobExtensionOutput {
-                blob: response
-                    .large_blob_key
-                    .as_ref()
-                    .map(|x| x.clone().into_vec()),
+                blob: None,
                 // Not yet supported
                 // written: None,
             });
@@ -658,4 +671,58 @@ mod tests {
         let assertion = response.into_assertion_output(&request, None);
         assert_eq!(assertion.credential_id, None);
     }
+
+    /// Regression test for the largeBlob key-disclosure bug.
+    ///
+    /// When the RP requests `largeBlob: { read: true }`, libwebauthn must NOT
+    /// populate the WebAuthn `large_blob.blob` field with the CTAP-level
+    /// `largeBlobKey` (a 32-byte AES-256-GCM key). The proper CTAP 2.1
+    /// `authenticatorLargeBlobs(get)` flow is not yet implemented; the safe
+    /// behaviour is to drop the key from the WebAuthn response.
+    ///
+    /// The CTAP-level `large_blob_key` field on the response is preserved so
+    /// the upcoming implementation can use it internally.
+    #[test]
+    fn large_blob_read_does_not_leak_key_into_webauthn_response() {
+        let cred = make_credential(b"cred-1");
+        // Simulate an authenticator that returns a (32-byte) largeBlobKey.
+        let device_returned_key = vec![0xAAu8; 32];
+        let mut response = make_response(Some(cred.clone()));
+        response.large_blob_key = Some(ByteBuf::from(device_returned_key.clone()));
+        // Attach extension data so `to_unsigned_extensions` is invoked.
+        response.authenticator_data.extensions = Some(Ctap2GetAssertionResponseExtensions {
+            cred_blob: None,
+            hmac_secret: None,
+        });
+
+        // The RP requested largeBlob.read.
+        let mut request = make_request(vec![cred]);
+        request.extensions = Some(GetAssertionRequestExtensions {
+            cred_blob: false,
+            prf: None,
+            large_blob: Some(GetAssertionLargeBlobExtension::Read),
+        });
+
+        let assertion = response.into_assertion_output(&request, None);
+        let unsigned = assertion
+            .unsigned_extensions_output
+            .expect("unsigned extensions should be present when the response has extensions");
+        let large_blob = unsigned
+            .large_blob
+            .expect("largeBlob extension output should be present when requested");
+
+        // The WebAuthn-facing blob MUST NOT contain the largeBlobKey.
+        assert!(
+            large_blob.blob.is_none(),
+            "WebAuthn large_blob.blob must not be populated until authenticatorLargeBlobs is implemented; got {:?}",
+            large_blob.blob
+        );
+
+        // The CTAP-level largeBlobKey is still preserved on the Assertion model
+        // for use by the upcoming implementation.
+        assert_eq!(
+            assertion.large_blob_key.as_deref(),
+            Some(&device_returned_key[..])
+        );
+    }
 }
