feat(webauthn): largeBlob write and delete

Implements WebAuthn L3 §10.1.5 write and a libwebauthn-side delete
on top of CTAP 2.2 §6.10.6 update-or-erase. The platform fetches the
existing large-blob array, drops any entry that decrypts under the
credential's largeBlobKey, optionally appends a fresh encrypted entry,
and re-uploads the canonical CBOR array with a fresh SHA-256 trailer.
Foreign entries (different key, malformed, unknown fields) are
preserved byte-for-byte per the §6.10.2 platform contract.

Upload is chunked per maxFragmentLength with pinUvAuthParam computed
as authenticate(token, 32*0xff || 0x0c 0x00 || u32_le(offset)
|| SHA-256(set)) per §6.10.2. The Ctap2GetAssertionRequest now ORs
LARGE_BLOB_WRITE into its permissions when write or delete is
requested so user_verification negotiates a token covering the lbw
permission.

To keep PIN-protected devices working under UV=Discouraged, the
Ctap2UserVerifiableRequest trait gains needs_pin_uv_auth_token,
which suppresses the OnlyForSharedSecret downgrade in
user_verification. Unprotected authenticators continue to accept the
write without auth params per spec line 137.

Delete with no matching entry returns LargeBlobError::NoMatch
(written=false), matching the strict §6.10.6 'Return an error' branch
at line 303.

Author: AlfioEmanueleFresta

libwebauthn/src/ops/webauthn/get_assertion.rs

@@ -336,9 +336,12 @@ impl TryFrom<HmacGetSecretInputJson> for HMACGetSecretInput {
 
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub enum GetAssertionLargeBlobExtension {
+    /// Per WebAuthn L3 §10.1.5 (read=true): fetch the credential's blob.
     Read,
-    // Not yet supported
-    // Write(Vec<u8>),
+    /// Per WebAuthn L3 §10.1.5 (write=ArrayBuffer): store this blob against the credential.
+    Write(Vec<u8>),
+    /// CTAP 2.2 §6.10.6 erase branch. Not exposed via WebAuthn L3 JSON IDL.
+    Delete,
 }
 
 impl TryFrom<LargeBlobInputJson> for GetAssertionLargeBlobExtension {
@@ -350,13 +353,19 @@ impl TryFrom<LargeBlobInputJson> for GetAssertionLargeBlobExtension {
                 "largeBlob.support is only valid at registration".to_string(),
             ));
         }
+        // WebAuthn L3 §10.1.5: read and write are mutually exclusive.
+        if value.read == Some(true) && value.write.is_some() {
+            return Err(GetAssertionPrepareError::NotSupported(
+                "largeBlob.read and largeBlob.write are mutually exclusive".to_string(),
+            ));
+        }
+        if let Some(write) = value.write {
+            return Ok(GetAssertionLargeBlobExtension::Write(write.to_vec()));
+        }
         match value.read {
             Some(true) => Ok(GetAssertionLargeBlobExtension::Read),
-            Some(false) => Err(GetAssertionPrepareError::NotSupported(
-                "largeBlob writes not supported".to_string(),
-            )),
-            None => Err(GetAssertionPrepareError::NotSupported(
-                "largeBlob read not requested".to_string(),
+            _ => Err(GetAssertionPrepareError::NotSupported(
+                "largeBlob input must set read=true or write".to_string(),
             )),
         }
     }
@@ -366,9 +375,8 @@ impl TryFrom<LargeBlobInputJson> for GetAssertionLargeBlobExtension {
 pub struct GetAssertionLargeBlobExtensionOutput {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub blob: Option<Vec<u8>>,
-    // Not yet supported
-    // #[serde(skip_serializing_if = "Option::is_none")]
-    // pub written: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub written: Option<bool>,
 }
 
 #[derive(Debug, Default, Clone, PartialEq)]
@@ -543,7 +551,7 @@ impl Assertion {
                         .blob
                         .as_ref()
                         .map(|b| Base64UrlString::from(b.as_slice())),
-                    written: None, // Write not yet supported
+                    written: large_blob.written,
                 });
             }
 

libwebauthn/src/ops/webauthn/idl/get.rs

@@ -63,6 +63,7 @@ pub struct GetAssertionRequestExtensionsJSON {
 pub struct LargeBlobInputJson {
     pub support: Option<String>,
     pub read: Option<bool>,
+    pub write: Option<Base64UrlString>,
 }
 
 #[derive(Debug, Clone, Deserialize)]