feat(webauthn): PRF with hybrid authenticators via the prf extension (#267)

Closes #266. Closes #168.

WebAuthn L3 defines prf as a client extension. Security keys do not
implement it directly. The client maps the PRF inputs onto the CTAP
hmac-secret extension, encrypting the salts with a shared secret
negotiated over the PIN/UV protocol, and the outputs come back encrypted
inside the signed authenticator data. This is the path libwebauthn
already implements.

Phone authenticators reached over hybrid (caBLE) take a different
approach. They advertise a prf extension in getInfo and consume the
WebAuthn-shaped prf input directly at the CTAP level, with the salts
pre-hashed (WebAuthn L3 §10.1.4) and sent in the clear, since the hybrid
tunnel already provides an encrypted and authenticated channel. There is
no shared secret involved, which matters because these authenticators
expose no PIN/UV auth protocol at all. Outputs come back in
unsignedExtensionOutputs (CTAP 2.3 §6.1 and §6.2) rather than in the
signed authenticator data. This CTAP-level prf extension is not part of
the published extension registry, but it is what Chromium implements and
what Google Password Manager phones expect, and WebAuthn L3 explicitly
allows PRF to be implemented by means other than hmac-secret.

This change makes the two mechanisms co-exist behind the same
WebAuthn-level prf extension. When the authenticator advertises prf in
getInfo, the input is sent as a CTAP prf extension and results are read
from unsignedExtensionOutputs. Otherwise the existing hmac-secret
mapping is used, unchanged. Callers see the same client extension output
either way.

Also adds a webauthn_prf_cable example covering registration and
assertion. Verified end to end against a Google Password Manager phone
over caBLE: registration returns enabled true together with create-time
results, and assertion returns both PRF outputs.

Stacked on #260.

Author: AlfioEmanueleFresta

libwebauthn/Cargo.toml

@@ -175,6 +175,10 @@ path = "examples/features/webauthn_preflight_hid.rs"
 name = "webauthn_prf_hid"
 path = "examples/features/webauthn_prf_hid.rs"
 
+[[example]]
+name = "webauthn_prf_cable"
+path = "examples/features/webauthn_prf_cable.rs"
+
 [[example]]
 name = "webauthn_related_origins_hid"
 path = "examples/features/webauthn_related_origins_hid.rs"

libwebauthn/examples/features/webauthn_prf_cable.rs

@@ -0,0 +1,199 @@
+//! PRF extension over caBLE/hybrid, against a phone authenticator that
+//! advertises the `prf` extension in getInfo.
+//!
+//!   cargo run --example webauthn_prf_cable -- create
+//!   cargo run --example webauthn_prf_cable -- get [credential-id]
+//!
+//! `create` registers a discoverable credential with PRF enabled and an eval
+//! at creation, then prints the credential ID. `get` asserts with PRF eval
+//! salts. When a credential ID is given, it is added to the allow list with an
+//! evalByCredential entry.
+
+use std::collections::HashMap;
+use std::error::Error;
+use std::time::Duration;
+
+use libwebauthn::ops::webauthn::{
+    GetAssertionRequest, GetAssertionRequestExtensions, JsonFormat, MakeCredentialPrfInput,
+    MakeCredentialRequest, MakeCredentialsRequestExtensions, PrfInput, PrfInputValue,
+    ResidentKeyRequirement, UserVerificationRequirement, WebAuthnIDLResponse as _,
+};
+use libwebauthn::proto::ctap2::{
+    Ctap2CredentialType, Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialRpEntity,
+    Ctap2PublicKeyCredentialType, Ctap2PublicKeyCredentialUserEntity,
+};
+use libwebauthn::transport::cable::channel::CableChannel;
+use libwebauthn::transport::cable::is_available;
+use libwebauthn::transport::cable::qr_code_device::{
+    CableQrCodeDevice, CableTransports, QrCodeOperationHint,
+};
+use libwebauthn::transport::{Channel as _, ChannelSettings, Device};
+use libwebauthn::webauthn::WebAuthn;
+use qrcode::render::unicode;
+use qrcode::QrCode;
+use serde_bytes::ByteBuf;
+
+#[path = "../common/mod.rs"]
+mod common;
+
+const TIMEOUT: Duration = Duration::from_secs(120);
+const RP_ID: &str = "example.org";
+const ORIGIN: &str = "https://example.org";
+
+// Deterministic PRF inputs, so results can be cross-checked against another
+// client holding the same credential.
+const CREATE_EVAL_FIRST: &[u8] = b"example-prf-create-first";
+const CREATE_EVAL_SECOND: &[u8] = b"example-prf-create-second";
+const GET_EVAL_FIRST: &[u8] = b"example-prf-get-first";
+const GET_EVAL_SECOND: &[u8] = b"example-prf-get-second";
+const BY_CRED_FIRST: &[u8] = b"example-prf-bycred-first";
+const BY_CRED_SECOND: &[u8] = b"example-prf-bycred-second";
+
+#[tokio::main]
+pub async fn main() -> Result<(), Box<dyn Error>> {
+    common::setup_logging();
+
+    let args: Vec<String> = std::env::args().collect();
+    let mode = args.get(1).map(String::as_str);
+
+    if !is_available().await {
+        eprintln!("No Bluetooth adapter found. Cable/Hybrid transport is unavailable.");
+        return Err("Cable transport not available".into());
+    }
+
+    match mode {
+        Some("create") => create().await,
+        Some("get") => get(args.get(2).map(String::as_str)).await,
+        _ => {
+            eprintln!("Usage: webauthn_prf_cable <create | get [credential-id-base64url]>");
+            Err("missing or unknown subcommand".into())
+        }
+    }
+}
+
+async fn connect(
+    hint: QrCodeOperationHint,
+) -> Result<(CableQrCodeDevice, CableChannel), Box<dyn Error>> {
+    let mut device: CableQrCodeDevice =
+        CableQrCodeDevice::new_transient(hint, CableTransports::CloudAssistedOrLocal)?;
+
+    println!("Created QR code, awaiting advertisement.");
+    let qr_code = QrCode::new(device.qr_code.to_string()).unwrap();
+    let image = qr_code
+        .render::<unicode::Dense1x2>()
+        .dark_color(unicode::Dense1x2::Light)
+        .light_color(unicode::Dense1x2::Dark)
+        .build();
+    println!("{}", image);
+
+    let channel = device.channel(ChannelSettings::default()).await?;
+    println!("Channel established {:?}", channel);
+
+    let state_recv = channel.get_ux_update_receiver();
+    tokio::spawn(common::handle_cable_updates(state_recv));
+    Ok((device, channel))
+}
+
+async fn create() -> Result<(), Box<dyn Error>> {
+    let (_device, mut channel) = connect(QrCodeOperationHint::MakeCredential).await?;
+
+    let extensions = MakeCredentialsRequestExtensions {
+        prf: Some(MakeCredentialPrfInput {
+            eval: Some(PrfInputValue {
+                first: CREATE_EVAL_FIRST.to_vec(),
+                second: Some(CREATE_EVAL_SECOND.to_vec()),
+            }),
+        }),
+        ..Default::default()
+    };
+
+    let request = MakeCredentialRequest {
+        challenge: vec![0x11; 32],
+        origin: ORIGIN.to_owned(),
+        top_origin: None,
+        relying_party: Ctap2PublicKeyCredentialRpEntity::new(RP_ID, "Example Relying Party"),
+        user: Ctap2PublicKeyCredentialUserEntity::new(&[0x42; 16], "alice", "Alice"),
+        resident_key: Some(ResidentKeyRequirement::Required),
+        user_verification: UserVerificationRequirement::Preferred,
+        algorithms: vec![Ctap2CredentialType::default()],
+        exclude: None,
+        extensions: Some(extensions),
+        timeout: TIMEOUT,
+    };
+
+    let response = retry_user_errors!(channel.webauthn_make_credential(&request)).unwrap();
+
+    let response_json = response
+        .to_json_string(&request, JsonFormat::Prettified)
+        .expect("Failed to serialize MakeCredential response");
+    println!("WebAuthn MakeCredential response (JSON):\n{response_json}");
+
+    let credential: Ctap2PublicKeyCredentialDescriptor =
+        (&response.authenticator_data).try_into().unwrap();
+    println!(
+        "\nCredential ID (base64url): {}",
+        base64_url::encode(&credential.id)
+    );
+    println!("Next: run the `get` leg, e.g.");
+    println!(
+        "cargo run --example webauthn_prf_cable -- get {}",
+        base64_url::encode(&credential.id)
+    );
+    Ok(())
+}
+
+async fn get(credential_id: Option<&str>) -> Result<(), Box<dyn Error>> {
+    let (_device, mut channel) = connect(QrCodeOperationHint::GetAssertionRequest).await?;
+
+    let mut eval_by_credential = HashMap::new();
+    let allow = match credential_id {
+        Some(encoded) => {
+            eval_by_credential.insert(
+                encoded.to_owned(),
+                PrfInputValue {
+                    first: BY_CRED_FIRST.to_vec(),
+                    second: Some(BY_CRED_SECOND.to_vec()),
+                },
+            );
+            vec![Ctap2PublicKeyCredentialDescriptor {
+                r#type: Ctap2PublicKeyCredentialType::PublicKey,
+                id: ByteBuf::from(
+                    base64_url::decode(encoded)
+                        .map_err(|e| format!("invalid credential id: {e}"))?,
+                ),
+                transports: None,
+            }]
+        }
+        None => vec![],
+    };
+
+    let request = GetAssertionRequest {
+        relying_party_id: RP_ID.to_owned(),
+        challenge: vec![0x22; 32],
+        origin: ORIGIN.to_owned(),
+        top_origin: None,
+        allow,
+        user_verification: UserVerificationRequirement::Preferred,
+        extensions: Some(GetAssertionRequestExtensions {
+            prf: Some(PrfInput {
+                eval: Some(PrfInputValue {
+                    first: GET_EVAL_FIRST.to_vec(),
+                    second: Some(GET_EVAL_SECOND.to_vec()),
+                }),
+                eval_by_credential,
+            }),
+            ..Default::default()
+        }),
+        timeout: TIMEOUT,
+    };
+
+    let response = retry_user_errors!(channel.webauthn_get_assertion(&request)).unwrap();
+
+    for (num, assertion) in response.assertions.iter().enumerate() {
+        let assertion_json = assertion
+            .to_json_string(&request, JsonFormat::Prettified)
+            .expect("Failed to serialize GetAssertion response");
+        println!("Assertion {num} (JSON):\n{assertion_json}");
+    }
+    Ok(())
+}

libwebauthn/src/ops/u2f.rs

@@ -168,6 +168,7 @@ impl UpgradableResponse<MakeCredentialResponse, MakeCredentialRequest> for Regis
             attestation_statement,
             enterprise_attestation: None,
             large_blob_key: None,
+            unsigned_extension_outputs: None,
         };
         Ok(resp.into_make_credential_output(request, None, None))
     }

libwebauthn/src/ops/webauthn/make_credential.rs

@@ -1,3 +1,4 @@
+use std::collections::BTreeMap;
 use std::time::Duration;
 
 use async_trait::async_trait;
@@ -25,10 +26,11 @@ use crate::{
     proto::{
         ctap1::{Ctap1RegisteredKey, Ctap1Version},
         ctap2::{
-            cbor, cose, Ctap2AttestationStatement, Ctap2COSEAlgorithmIdentifier,
-            Ctap2CredentialType, Ctap2GetInfoResponse, Ctap2MakeCredentialsResponseExtensions,
-            Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialRpEntity,
-            Ctap2PublicKeyCredentialUserEntity,
+            cbor, cbor::Value, cose, parse_unsigned_prf, Ctap2AttestationStatement,
+            Ctap2COSEAlgorithmIdentifier, Ctap2CredentialType, Ctap2GetInfoResponse,
+            Ctap2MakeCredentialsResponseExtensions, Ctap2PublicKeyCredentialDescriptor,
+            Ctap2PublicKeyCredentialRpEntity, Ctap2PublicKeyCredentialUserEntity,
+            UnsignedPrfOutput,
         },
     },
     transport::AuthTokenData,
@@ -203,35 +205,44 @@ impl MakeCredentialsResponseUnsignedExtensions {
 
     pub fn from_signed_extensions(
         signed_extensions: &Option<Ctap2MakeCredentialsResponseExtensions>,
+        unsigned_outputs: Option<&BTreeMap<Value, Value>>,
         request: &MakeCredentialRequest,
         info: Option<&Ctap2GetInfoResponse>,
         auth_data: Option<&AuthTokenData>,
     ) -> MakeCredentialsResponseUnsignedExtensions {
         let mut hmac_create_secret = None;
         let mut prf = None;
-        if let Some(signed_extensions) = signed_extensions {
-            if let Some(incoming_ext) = &request.extensions {
-                if incoming_ext.hmac_create_secret.is_some() {
-                    hmac_create_secret = signed_extensions.hmac_secret;
-                }
-                if incoming_ext.prf.is_some() {
-                    let results = signed_extensions
-                        .hmac_secret_mc
-                        .as_ref()
-                        .zip(auth_data)
-                        .and_then(|(out, auth)| {
-                            let uv_proto = auth.protocol_version.create_protocol_object();
-                            out.decrypt_output(&auth.shared_secret, uv_proto.as_ref())
-                        })
-                        .map(|decrypted| PrfOutputValue {
-                            first: decrypted.output1,
-                            second: decrypted.output2,
-                        });
-                    prf = Some(MakeCredentialPrfOutput {
-                        enabled: signed_extensions.hmac_secret,
-                        results,
+        // Native `prf` outputs arrive in unsignedExtensionOutputs, not authData.
+        let unsigned_prf = unsigned_outputs.and_then(parse_unsigned_prf);
+        if let Some(incoming_ext) = &request.extensions {
+            if incoming_ext.hmac_create_secret.is_some() {
+                hmac_create_secret = signed_extensions.as_ref().and_then(|s| s.hmac_secret);
+            }
+            if incoming_ext.prf.is_some() && (signed_extensions.is_some() || unsigned_prf.is_some())
+            {
+                let decrypted_results = signed_extensions
+                    .as_ref()
+                    .and_then(|s| s.hmac_secret_mc.as_ref())
+                    .zip(auth_data)
+                    .and_then(|(out, auth)| {
+                        let uv_proto = auth.protocol_version.create_protocol_object();
+                        out.decrypt_output(&auth.shared_secret, uv_proto.as_ref())
+                    })
+                    .map(|decrypted| PrfOutputValue {
+                        first: decrypted.output1,
+                        second: decrypted.output2,
                     });
-                }
+                let UnsignedPrfOutput {
+                    enabled: unsigned_enabled,
+                    results: unsigned_results,
+                } = unsigned_prf.unwrap_or_default();
+                prf = Some(MakeCredentialPrfOutput {
+                    enabled: signed_extensions
+                        .as_ref()
+                        .and_then(|s| s.hmac_secret)
+                        .or(unsigned_enabled),
+                    results: decrypted_results.or(unsigned_results),
+                });
             }
         }
 
@@ -1448,6 +1459,32 @@ mod tests {
         );
     }
 
+    #[test]
+    fn prf_output_serialized_into_client_extension_results() {
+        let mut response = create_test_response();
+        response.unsigned_extensions_output = MakeCredentialsResponseUnsignedExtensions {
+            prf: Some(MakeCredentialPrfOutput {
+                enabled: Some(true),
+                results: Some(PrfOutputValue {
+                    first: [0xAB; 32],
+                    second: Some([0xCD; 32]),
+                }),
+            }),
+            ..Default::default()
+        };
+
+        let results = serde_json::to_value(response.build_client_extension_results()).unwrap();
+        assert_eq!(results["prf"]["enabled"], serde_json::json!(true));
+        assert_eq!(
+            results["prf"]["results"]["first"],
+            serde_json::json!(base64_url::encode(&[0xAB; 32]))
+        );
+        assert_eq!(
+            results["prf"]["results"]["second"],
+            serde_json::json!(base64_url::encode(&[0xCD; 32]))
+        );
+    }
+
     #[test]
     fn test_response_to_idl_model() {
         let response = create_test_response();

libwebauthn/src/proto/ctap2/mod.rs

@@ -20,6 +20,7 @@ pub use model::{
     Ctap2UserVerificationOperation, FidoU2fAttestationStmt,
 };
 
+pub(crate) use model::{parse_unsigned_prf, UnsignedPrfOutput};
 pub use model::{
     Ctap2AuthenticatorConfigCommand, Ctap2AuthenticatorConfigParams,
     Ctap2AuthenticatorConfigRequest,
@@ -34,10 +35,12 @@ pub use model::{
 };
 pub use model::{
     Ctap2GetAssertionRequest, Ctap2GetAssertionResponse, Ctap2GetAssertionResponseExtensions,
+    Ctap2PrfGetAssertionInput, Ctap2PrfSalts,
 };
 pub use model::{Ctap2LargeBlobsRequest, Ctap2LargeBlobsResponse};
 pub use model::{
-    Ctap2MakeCredentialRequest, Ctap2MakeCredentialResponse, Ctap2MakeCredentialsResponseExtensions,
+    Ctap2MakeCredentialRequest, Ctap2MakeCredentialResponse,
+    Ctap2MakeCredentialsResponseExtensions, Ctap2PrfMakeCredentialInput,
 };
 pub mod preflight;
 pub use protocol::Ctap2;

libwebauthn/src/proto/ctap2/model.rs

@@ -32,12 +32,14 @@ pub use client_pin::{
 mod make_credential;
 pub use make_credential::{
     Ctap2MakeCredentialOptions, Ctap2MakeCredentialRequest, Ctap2MakeCredentialResponse,
-    Ctap2MakeCredentialsResponseExtensions,
+    Ctap2MakeCredentialsResponseExtensions, Ctap2PrfMakeCredentialInput,
 };
 mod get_assertion;
+pub(crate) use get_assertion::{parse_unsigned_prf, UnsignedPrfOutput};
 pub use get_assertion::{
     Ctap2AttestationStatement, Ctap2GetAssertionOptions, Ctap2GetAssertionRequest,
-    Ctap2GetAssertionResponse, Ctap2GetAssertionResponseExtensions, FidoU2fAttestationStmt,
+    Ctap2GetAssertionResponse, Ctap2GetAssertionResponseExtensions, Ctap2PrfGetAssertionInput,
+    Ctap2PrfSalts, FidoU2fAttestationStmt,
 };
 mod credential_management;
 pub use credential_management::{