feat(webauthn): perform largeBlob.read via authenticatorLargeBlobs

AlfioEmanueleFresta · AlfioEmanueleFresta · commit 5a508798d7bd · 2026-05-10T21:42:30.000+01:00
When the WebAuthn `largeBlob: { read: true }` extension is requested and
the authenticator returns a per-credential `largeBlobKey`, libwebauthn
now runs `authenticatorLargeBlobs(get)` to fetch the on-device serialized
array, decrypts the matching entry, and exposes the plaintext via the
WebAuthn response's `unsigned_extensions_output.large_blob.blob` field.

The read flow uses a per-assertion `AuthenticatorLargeBlobStorage` handle
(introduced in the previous commit), so each credential is read against
its own `largeBlobKey`. Failures are non-fatal: per WebAuthn L3 §10.5 the
`blob` output is optional on success.

Combined with the earlier fix that removed the key-disclosure bug, this
completes the read half of the WebAuthn `largeBlob` extension.

Refs: WebAuthn L3 §10.5, CTAP 2.2 §6.10.
diff --git a/libwebauthn/src/ops/webauthn/large_blob.rs b/libwebauthn/src/ops/webauthn/large_blob.rs
@@ -685,4 +685,138 @@ mod tests {
         let got = storage.read(b"cred-A").await.expect("read");
         assert!(got.is_none());
     }
+
+    /// End-to-end check of the read path through `webauthn_get_assertion`:
+    /// drives the CTAP exchange, array parsing, AES-256-GCM decrypt, deflate
+    /// decompress, and surfaces the plaintext as the WebAuthn JSON output.
+    #[tokio::test]
+    async fn webauthn_get_assertion_returns_decrypted_large_blob() {
+        use crate::ops::webauthn::{
+            GetAssertionLargeBlobExtension, GetAssertionRequest, GetAssertionRequestExtensions,
+            UserVerificationRequirement,
+        };
+        use crate::proto::ctap2::cbor::{to_vec, CborRequest, CborResponse, Value};
+        use crate::proto::ctap2::{
+            Ctap2CommandCode, Ctap2GetInfoResponse, Ctap2LargeBlobsResponse,
+        };
+        use crate::transport::mock::channel::MockChannel;
+        use crate::webauthn::WebAuthn;
+        use std::collections::{BTreeMap, HashMap};
+
+        let large_blob_key = [0x77u8; 32];
+        let nonce = [0x22u8; 12];
+        let plaintext = b"webauthn end-to-end largeBlob".to_vec();
+        let entry = encrypt_entry(&large_blob_key, &nonce, &plaintext).unwrap();
+        let serialized_array = build_serialized_array(&[entry]);
+
+        // Build the assertion-response CBOR by hand so we can populate field
+        // 0x07 (largeBlobKey) without adding a Serialize impl to the response
+        // model.
+        let credential_id = b"cred-id".to_vec();
+        let mut auth_data = vec![0u8; 37];
+        auth_data[32] = 0x01; // USER_PRESENT flag
+        let mut cred_id_map = BTreeMap::new();
+        cred_id_map.insert(Value::Text("type".into()), Value::Text("public-key".into()));
+        cred_id_map.insert(
+            Value::Text("id".into()),
+            Value::Bytes(credential_id.clone()),
+        );
+        let mut response_map = BTreeMap::new();
+        response_map.insert(Value::Integer(1), Value::Map(cred_id_map));
+        response_map.insert(Value::Integer(2), Value::Bytes(auth_data));
+        response_map.insert(Value::Integer(3), Value::Bytes(vec![0u8; 32]));
+        response_map.insert(Value::Integer(7), Value::Bytes(large_blob_key.to_vec()));
+        let assertion_resp_cbor = to_vec(&Value::Map(response_map)).unwrap();
+
+        // GetInfo response advertising support for largeBlobs.
+        let mut info = Ctap2GetInfoResponse {
+            versions: vec!["FIDO_2_1".into()],
+            ..Default::default()
+        };
+        let mut options = HashMap::new();
+        options.insert("largeBlobs".into(), true);
+        info.options = Some(options);
+        let info_cbor = to_vec(&info).unwrap();
+
+        let mut channel = MockChannel::new();
+
+        // 1. _webauthn_get_assertion_fido2 calls ctap2_get_info().
+        channel.push_command_pair(
+            CborRequest::new(Ctap2CommandCode::AuthenticatorGetInfo),
+            CborResponse::new_success_from_slice(&info_cbor),
+        );
+        // 2. user_verification calls ctap2_get_info() again.
+        channel.push_command_pair(
+            CborRequest::new(Ctap2CommandCode::AuthenticatorGetInfo),
+            CborResponse::new_success_from_slice(&info_cbor),
+        );
+        // 3. ctap2_get_assertion. The default From<GetAssertionRequest>
+        //    impl produces options { up: true, uv: false }, matching the
+        //    Discouraged UV path; that's what we exercise here.
+        let req = crate::proto::ctap2::Ctap2GetAssertionRequest::from(GetAssertionRequest {
+            relying_party_id: "example.com".into(),
+            challenge: vec![0u8; 32],
+            origin: "example.com".into(),
+            cross_origin: None,
+            allow: vec![],
+            extensions: Some(GetAssertionRequestExtensions {
+                cred_blob: false,
+                prf: None,
+                large_blob: Some(GetAssertionLargeBlobExtension::Read),
+            }),
+            user_verification: UserVerificationRequirement::Discouraged,
+            timeout: Duration::from_secs(5),
+        });
+        let assertion_req_cbor = crate::proto::ctap2::cbor::to_vec(&req).unwrap();
+        channel.push_command_pair(
+            CborRequest {
+                command: Ctap2CommandCode::AuthenticatorGetAssertion,
+                encoded_data: assertion_req_cbor,
+            },
+            CborResponse::new_success_from_slice(&assertion_resp_cbor),
+        );
+        // 4. authenticatorLargeBlobs(get).
+        let blobs_req = Ctap2LargeBlobsRequest::new_get(0, LARGE_BLOB_DEFAULT_CHUNK);
+        let blobs_resp = Ctap2LargeBlobsResponse {
+            config: Some(serde_bytes::ByteBuf::from(serialized_array)),
+        };
+        channel.push_command_pair(
+            CborRequest {
+                command: Ctap2CommandCode::AuthenticatorLargeBlobs,
+                encoded_data: crate::proto::ctap2::cbor::to_vec(&blobs_req).unwrap(),
+            },
+            CborResponse::new_success_from_slice(
+                &crate::proto::ctap2::cbor::to_vec(&blobs_resp).unwrap(),
+            ),
+        );
+
+        let request = GetAssertionRequest {
+            relying_party_id: "example.com".into(),
+            challenge: vec![0u8; 32],
+            origin: "example.com".into(),
+            cross_origin: None,
+            allow: vec![],
+            extensions: Some(GetAssertionRequestExtensions {
+                cred_blob: false,
+                prf: None,
+                large_blob: Some(GetAssertionLargeBlobExtension::Read),
+            }),
+            user_verification: UserVerificationRequirement::Discouraged,
+            timeout: Duration::from_secs(5),
+        };
+
+        let response = channel
+            .webauthn_get_assertion(&request)
+            .await
+            .expect("webauthn_get_assertion should succeed");
+        assert_eq!(response.assertions.len(), 1);
+        let large_blob = response.assertions[0]
+            .unsigned_extensions_output
+            .as_ref()
+            .expect("unsigned extensions present")
+            .large_blob
+            .as_ref()
+            .expect("largeBlob extension output present");
+        assert_eq!(large_blob.blob.as_deref(), Some(plaintext.as_slice()));
+    }
 }
diff --git a/libwebauthn/src/webauthn.rs b/libwebauthn/src/webauthn.rs
@@ -6,7 +6,11 @@ use tracing::{debug, error, info, instrument, trace, warn};
 
 use crate::fido::FidoProtocol;
 use crate::ops::u2f::{RegisterRequest, SignRequest, UpgradableResponse};
-use crate::ops::webauthn::{DowngradableRequest, GetAssertionRequest, GetAssertionResponse};
+use crate::ops::webauthn::{
+    AuthenticatorLargeBlobStorage, DowngradableRequest, GetAssertionLargeBlobExtension,
+    GetAssertionLargeBlobExtensionOutput, GetAssertionRequest, GetAssertionResponse,
+    GetAssertionResponseUnsignedExtensions, LargeBlobStorage,
+};
 use crate::ops::webauthn::{MakeCredentialRequest, MakeCredentialResponse};
 use crate::proto::ctap1::Ctap1;
 use crate::proto::ctap2::preflight::ctap2_preflight;
@@ -235,6 +239,57 @@ where
             let response = self.ctap2_get_next_assertion(op.timeout).await?;
             assertions.push(response.into_assertion_output(op, self.get_auth_data()));
         }
+
+        // largeBlob.read: fetch and decrypt the on-device blob via
+        // authenticatorLargeBlobs(get). Failures are non-fatal; per WebAuthn
+        // L3 §10.1.5 the `blob` field is absent when the read cannot complete.
+        let large_blob_read_requested = op.extensions.as_ref().and_then(|e| e.large_blob.as_ref())
+            == Some(&GetAssertionLargeBlobExtension::Read);
+        if large_blob_read_requested {
+            for assertion in assertions.iter_mut() {
+                let Some(key_vec) = assertion.large_blob_key.as_ref() else {
+                    continue;
+                };
+                let Ok(key) = <[u8; 32]>::try_from(key_vec.as_slice()) else {
+                    warn!(
+                        len = key_vec.len(),
+                        "largeBlobKey has unexpected length (expected 32); skipping fetch"
+                    );
+                    continue;
+                };
+                let credential_id = assertion
+                    .credential_id
+                    .as_ref()
+                    .map(|c| c.id.to_vec())
+                    .unwrap_or_default();
+                let storage = AuthenticatorLargeBlobStorage::new(
+                    self,
+                    credential_id.clone(),
+                    key,
+                    op.timeout,
+                );
+                let blob = match storage.read(&credential_id).await {
+                    Ok(b) => b,
+                    Err(e) => {
+                        warn!(?e, "authenticatorLargeBlobs(get) failed; no blob returned");
+                        None
+                    }
+                };
+                let entry = GetAssertionLargeBlobExtensionOutput { blob };
+                match assertion.unsigned_extensions_output.as_mut() {
+                    Some(unsigned) => unsigned.large_blob = Some(entry),
+                    None => {
+                        assertion.unsigned_extensions_output =
+                            Some(GetAssertionResponseUnsignedExtensions {
+                                hmac_get_secret: None,
+                                large_blob: Some(entry),
+                                prf: None,
+                            });
+                    }
+                }
+            }
+        }
+
         Ok(assertions.as_slice().into())
     }
 
