feat(pin): add pcmr permission and perCredMgmtRO detection

AlfioEmanueleFresta · AlfioEmanueleFresta · commit 6f08e12bb4ac · 2026-05-31T22:06:50.000+01:00
diff --git a/libwebauthn/src/proto/ctap2/model/client_pin.rs b/libwebauthn/src/proto/ctap2/model/client_pin.rs
@@ -189,6 +189,7 @@ bitflags! {
         const BIO_ENROLLMENT = 0x08;
         const LARGE_BLOB_WRITE = 0x10;
         const AUTHENTICATOR_CONFIGURATION = 0x20;
+        const PERSISTENT_CREDENTIAL_MANAGEMENT_READ_ONLY = 0x40;
     }
 }
 
@@ -249,3 +250,17 @@ pub struct Ctap2ClientPinResponse {
     #[serde(index = 0x05)]
     pub uv_retries: Option<u32>,
 }
+
+#[cfg(test)]
+mod test {
+    use super::Ctap2AuthTokenPermissionRole;
+
+    #[test]
+    fn pcmr_permission_bit() {
+        let pcmr = Ctap2AuthTokenPermissionRole::PERSISTENT_CREDENTIAL_MANAGEMENT_READ_ONLY;
+        // CTAP 2.3-PS section 6.5.5.7: pcmr is 0x40.
+        assert_eq!(pcmr.bits(), 0x40);
+        // Disjoint from every other permission, so the existing subset test isolates it.
+        assert!(!pcmr.intersects(Ctap2AuthTokenPermissionRole::all().difference(pcmr)));
+    }
+}
diff --git a/libwebauthn/src/proto/ctap2/model/get_info.rs b/libwebauthn/src/proto/ctap2/model/get_info.rs
@@ -188,6 +188,11 @@ impl Ctap2GetInfoResponse {
         self.option_enabled("credMgmt") || self.option_enabled("credentialMgmtPreview")
     }
 
+    /// CTAP 2.2+ persistent pinUvAuthToken for read-only credential management (pcmr).
+    pub fn supports_persistent_credential_management_read_only(&self) -> bool {
+        self.option_enabled("perCredMgmtRO")
+    }
+
     pub fn supports_bio_enrollment(&self) -> bool {
         if let Some(options) = &self.options {
             return options.get("bioEnroll").is_some()
@@ -318,6 +323,18 @@ mod test {
         assert_eq!(info.uv_operation(true), None);
     }
 
+    #[test]
+    fn per_cred_mgmt_ro_detection() {
+        assert!(
+            !Ctap2GetInfoResponse::default().supports_persistent_credential_management_read_only()
+        );
+        assert!(!create_info(&[]).supports_persistent_credential_management_read_only());
+        assert!(!create_info(&[("perCredMgmtRO", false)])
+            .supports_persistent_credential_management_read_only());
+        assert!(create_info(&[("perCredMgmtRO", true)])
+            .supports_persistent_credential_management_read_only());
+    }
+
     #[test]
     fn device_legacy_uv() {
         // Support legacy UV of CTAP2.0
