Do not fail on unknown algorithms (fix #66) (#111)

AlfioEmanueleFresta · web-flow · commit 528af8de3adf · 2025-06-02T22:33:23.000+01:00
Allows parsing unknown algorithm types without failing.

Only ES256 is every used for requests, and it's guaranteed to be
supported by the spec, so checking the value is not necessary for now.
diff --git a/libwebauthn/src/proto/ctap2/model.rs b/libwebauthn/src/proto/ctap2/model.rs
@@ -116,6 +116,9 @@ impl Ctap2PublicKeyCredentialUserEntity {
 pub enum Ctap2PublicKeyCredentialType {
     #[serde(rename = "public-key")]
     PublicKey,
+
+    #[serde(other)]
+    Unknown,
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Serialize, Deserialize)]
@@ -154,9 +157,11 @@ pub enum Ctap2COSEAlgorithmIdentifier {
     ES256 = -7,
     EDDSA = -8,
     TOPT = -9,
+    #[serde(other)]
+    Unknown = -999,
 }
 
-#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq)]
 pub struct Ctap2CredentialType {
     #[serde(rename = "alg")]
     pub algorithm: Ctap2COSEAlgorithmIdentifier,
@@ -184,6 +189,11 @@ impl Ctap2CredentialType {
             algorithm,
         }
     }
+
+    pub fn is_known(&self) -> bool {
+        self.algorithm != Ctap2COSEAlgorithmIdentifier::Unknown
+            && self.public_key_type != Ctap2PublicKeyCredentialType::Unknown
+    }
 }
 
 pub trait Ctap2UserVerifiableRequest {
@@ -243,4 +253,44 @@ mod tests {
         let expected = hex::decode("a2626964414264747970656a7075626c69632d6b6579").unwrap();
         assert_eq!(serialized, expected);
     }
+
+    #[test]
+    pub fn deserialize_known_credential_type() {
+        // python $ cbor2.dumps({"alg":-7,"type":"public-key"}).hex()
+        let serialized: Vec<u8> =
+            hex::decode("a263616c672664747970656a7075626c69632d6b6579").unwrap();
+        let credential_type: Ctap2CredentialType = serde_cbor::from_slice(&serialized).unwrap();
+        assert_eq!(
+            credential_type,
+            Ctap2CredentialType {
+                algorithm: Ctap2COSEAlgorithmIdentifier::ES256,
+                public_key_type: Ctap2PublicKeyCredentialType::PublicKey,
+            }
+        );
+        assert!(credential_type.is_known());
+    }
+
+    #[test]
+    pub fn deserialize_unknown_credential_type_algorithm() {
+        // python $ cbor2.dumps({"alg":-42,"type":"public-key"}).hex()
+        let serialized: Vec<u8> =
+            hex::decode("a263616c67382964747970656a7075626c69632d6b6579").unwrap();
+        let credential_type: Ctap2CredentialType = serde_cbor::from_slice(&serialized).unwrap();
+        assert_eq!(
+            credential_type,
+            Ctap2CredentialType {
+                algorithm: Ctap2COSEAlgorithmIdentifier::Unknown,
+                public_key_type: Ctap2PublicKeyCredentialType::PublicKey,
+            }
+        );
+        assert!(!credential_type.is_known());
+    }
+
+    #[test]
+    pub fn deserialize_unknown_credential_type() {
+        // python $ cbor2.dumps({"alg":-7,"type":"unknown"}).hex()
+        let serialized: Vec<u8> = hex::decode("a263616c6726647479706567756e6b6e6f776e").unwrap();
+        let credential_type: Ctap2CredentialType = serde_cbor::from_slice(&serialized).unwrap();
+        assert!(!credential_type.is_known());
+    }
 }
