feat(credmgmt): request pcmr for read-only subcommands

AlfioEmanueleFresta · AlfioEmanueleFresta · commit 5bb01a145e07 · 2026-05-30T12:24:46.000+01:00
diff --git a/libwebauthn/src/management/credential_management.rs b/libwebauthn/src/management/credential_management.rs
@@ -295,7 +295,12 @@ impl Ctap2UserVerifiableRequest for Ctap2CredentialManagementRequest {
     }
 
     fn permissions(&self) -> Ctap2AuthTokenPermissionRole {
-        Ctap2AuthTokenPermissionRole::CREDENTIAL_MANAGEMENT
+        if self.use_persistent_token {
+            // pcmr MUST be the sole permission requested (CTAP 2.3-PS 6.5.5.7).
+            Ctap2AuthTokenPermissionRole::PERSISTENT_CREDENTIAL_MANAGEMENT_READ_ONLY
+        } else {
+            Ctap2AuthTokenPermissionRole::CREDENTIAL_MANAGEMENT
+        }
     }
 
     fn permissions_rpid(&self) -> Option<&str> {
@@ -322,4 +327,16 @@ impl Ctap2UserVerifiableRequest for Ctap2CredentialManagementRequest {
     fn needs_shared_secret(&self, _get_info_response: &Ctap2GetInfoResponse) -> bool {
         false
     }
+
+    fn set_persistent_token_use(&mut self, info: &Ctap2GetInfoResponse, store_available: bool) {
+        self.use_persistent_token = store_available
+            && info.supports_persistent_credential_management_read_only()
+            && self
+                .subcommand
+                .is_some_and(|subcommand| subcommand.is_read_only());
+    }
+
+    fn wants_persistent_token(&self) -> bool {
+        self.use_persistent_token
+    }
 }
diff --git a/libwebauthn/src/proto/ctap2/model.rs b/libwebauthn/src/proto/ctap2/model.rs
@@ -310,6 +310,15 @@ pub trait Ctap2UserVerifiableRequest {
     fn handle_legacy_preview(&mut self, info: &Ctap2GetInfoResponse);
     /// We need to establish a shared secret, even if no PIN or UV is set on the device
     fn needs_shared_secret(&self, info: &Ctap2GetInfoResponse) -> bool;
+    /// Decide, and cache on the request, whether to acquire a persistent (pcmr) token.
+    /// Called once from the UV flow with whether a persistent token store is available.
+    /// Default: never request one.
+    fn set_persistent_token_use(&mut self, _info: &Ctap2GetInfoResponse, _store_available: bool) {}
+    /// Whether this request will reuse or mint a persistent (pcmr) token, per the cached
+    /// decision from [`Self::set_persistent_token_use`]. Default false.
+    fn wants_persistent_token(&self) -> bool {
+        false
+    }
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
diff --git a/libwebauthn/src/proto/ctap2/model/credential_management.rs b/libwebauthn/src/proto/ctap2/model/credential_management.rs
@@ -31,6 +31,11 @@ pub struct Ctap2CredentialManagementRequest {
 
     #[serde(skip)]
     pub use_legacy_preview: bool,
+
+    /// Cached gate: request a persistent (pcmr) token instead of an ephemeral `cm` one.
+    /// Set from getInfo and store availability before `permissions()` is read.
+    #[serde(skip)]
+    pub use_persistent_token: bool,
 }
 
 #[repr(u32)]
@@ -45,6 +50,21 @@ pub enum Ctap2CredentialManagementSubcommand {
     UpdateUserInformation = 0x07,
 }
 
+impl Ctap2CredentialManagementSubcommand {
+    /// Read-only subcommands can be authorized by a persistent (pcmr) token; the write
+    /// subcommands (deleteCredential, updateUserInformation) cannot.
+    pub fn is_read_only(self) -> bool {
+        matches!(
+            self,
+            Self::GetCredsMetadata
+                | Self::EnumerateRPsBegin
+                | Self::EnumerateRPsGetNextRP
+                | Self::EnumerateCredentialsBegin
+                | Self::EnumerateCredentialsGetNextCredential
+        )
+    }
+}
+
 #[derive(Debug, Clone, SerializeIndexed)]
 pub struct Ctap2CredentialManagementParams {
     // rpIDHash (0x01) 	Byte String 	RP ID SHA-256 hash
@@ -129,6 +149,7 @@ impl Ctap2CredentialManagementRequest {
             protocol: None,
             uv_auth_param: None,
             use_legacy_preview: false,
+            use_persistent_token: false,
         }
     }
 
@@ -139,6 +160,7 @@ impl Ctap2CredentialManagementRequest {
             protocol: None,
             uv_auth_param: None,
             use_legacy_preview: false,
+            use_persistent_token: false,
         }
     }
 
@@ -149,6 +171,7 @@ impl Ctap2CredentialManagementRequest {
             protocol: None,
             uv_auth_param: None,
             use_legacy_preview: false,
+            use_persistent_token: false,
         }
     }
 
@@ -163,6 +186,7 @@ impl Ctap2CredentialManagementRequest {
             protocol: None,
             uv_auth_param: None,
             use_legacy_preview: false,
+            use_persistent_token: false,
         }
     }
 
@@ -175,6 +199,7 @@ impl Ctap2CredentialManagementRequest {
             protocol: None,
             uv_auth_param: None,
             use_legacy_preview: false,
+            use_persistent_token: false,
         }
     }
 
@@ -189,6 +214,7 @@ impl Ctap2CredentialManagementRequest {
             protocol: None,
             uv_auth_param: None,
             use_legacy_preview: false,
+            use_persistent_token: false,
         }
     }
 
@@ -206,6 +232,7 @@ impl Ctap2CredentialManagementRequest {
             protocol: None,
             uv_auth_param: None,
             use_legacy_preview: false,
+            use_persistent_token: false,
         }
     }
 }
@@ -268,3 +295,32 @@ impl Ctap2RPData {
         Self { rp, rp_id_hash }
     }
 }
+
+#[cfg(test)]
+mod test {
+    use super::Ctap2CredentialManagementSubcommand as Sub;
+
+    #[test]
+    fn read_only_classification() {
+        // Read-only: authorizable by a pcmr token.
+        for subcommand in [
+            Sub::GetCredsMetadata,
+            Sub::EnumerateRPsBegin,
+            Sub::EnumerateRPsGetNextRP,
+            Sub::EnumerateCredentialsBegin,
+            Sub::EnumerateCredentialsGetNextCredential,
+        ] {
+            assert!(
+                subcommand.is_read_only(),
+                "{subcommand:?} should be read-only"
+            );
+        }
+        // Writes: never pcmr.
+        for subcommand in [Sub::DeleteCredential, Sub::UpdateUserInformation] {
+            assert!(
+                !subcommand.is_read_only(),
+                "{subcommand:?} should be a write"
+            );
+        }
+    }
+}
diff --git a/libwebauthn/src/proto/ctap2/protocol.rs b/libwebauthn/src/proto/ctap2/protocol.rs
@@ -468,6 +468,7 @@ mod tests {
             protocol: None,
             uv_auth_param: None,
             use_legacy_preview: false,
+            use_persistent_token: false,
         };
         let expected_request: CborRequest = (&request).try_into().unwrap();
         channel.push_command_pair(expected_request, error_response(CtapError::PINRequired));
