fix(get_info): graceful early-return in Ctap2GetInfoResponse::uv_operation

AlfioEmanueleFresta · AlfioEmanueleFresta · commit 6a562185f35d · 2026-05-14T19:04:31.000+01:00
A malicious or buggy authenticator can advertise `pinUvAuthToken=true`
without `clientPin` set (or supported). CTAP 2.2 §6.4 makes these
options independent and the platform must tolerate any combination.
The current `assert!(self.option_enabled("clientPin"))` panics on this
path, taking down the host process via every `make_credential` /
`get_assertion` / `change_pin` flow that calls into `select_uv_proto`.

Replace the assertion with a debug log + early return of
`Ctap2UserVerificationOperation::OnlyForSharedSecret`, matching the
existing handling for "pinUvAuthToken supported but PIN not set".
The caller can still establish a shared secret (e.g., for hmac-secret),
while not attempting a PIN-token ceremony that the device cannot
service. Add a regression test.
diff --git a/libwebauthn/src/proto/ctap2/model/get_info.rs b/libwebauthn/src/proto/ctap2/model/get_info.rs
@@ -246,7 +246,16 @@ impl Ctap2GetInfoResponse {
 
             // If we do have a PIN, check if we need to use legacy getPinToken or new getPinUvAuthToken..-command
             if self.option_enabled("pinUvAuthToken") {
-                assert!(self.option_enabled("clientPin"));
+                // `pinUvAuthToken` and `clientPin` are independent options
+                // (CTAP 2.2 §6.4). Tolerate the combination without `clientPin`
+                // and fall back to a shared-secret-only flow.
+                if !self.option_enabled("clientPin") {
+                    debug!(
+                        "Device advertises pinUvAuthToken without clientPin; \
+                         falling back to OnlyForSharedSecret"
+                    );
+                    return Some(Ctap2UserVerificationOperation::OnlyForSharedSecret);
+                }
                 debug!("getPinUvAuthTokenUsingPinWithPermissions");
                 Some(Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingPinWithPermissions)
             } else if self.option_enabled("clientPin") {
@@ -574,4 +583,17 @@ mod test {
             Some(Ctap2UserVerificationOperation::OnlyForSharedSecret)
         );
     }
+
+    #[test]
+    fn device_pin_uv_auth_token_without_client_pin_does_not_panic() {
+        let info = create_info(&[("pinUvAuthToken", true)]);
+        assert_eq!(
+            info.uv_operation(false),
+            Some(Ctap2UserVerificationOperation::OnlyForSharedSecret)
+        );
+        assert_eq!(
+            info.uv_operation(true),
+            Some(Ctap2UserVerificationOperation::OnlyForSharedSecret)
+        );
+    }
 }
