
Commit b5aa969

fix(webauthn): accept PRF evalByCredential member name and validate per-credential salts
The per-credential member deserialized as eval_by_credential instead of the spec name evalByCredential, so conformant JSON callers lost their per-credential salts and the spec validations never ran. Rename it via camelCase, and validate every key in prf_to_hmac_input so a later empty or non-base64url key is still rejected.
1 parent 958894a commit b5aa969

2 files changed

Lines changed: 4 additions & 7 deletions


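--- a/libwebauthn/src/ops/webauthn/get_assertion.rs
+++ b/libwebauthn/src/ops/webauthn/get_assertion.rs
@@ -1246,13 +1246,9 @@ mod tests {
 
 #[tokio::test]
 async fn test_prf_eval_by_credential_variable_length() {
-// NOTE: the IDL field is currently deserialized as `eval_by_credential`
-// rather than the spec name `evalByCredential` — separate concern from
-// #209. Use the field name the deserializer accepts.
-let prf = parse_prf(
-r#"{"prf":{"eval_by_credential":{"Y3JlZDE":{"first":"AQ","second":"AgIC"}}}}"#,
-)
-.await;
+let prf =
+parse_prf(r#"{"prf":{"evalByCredential":{"Y3JlZDE":{"first":"AQ","second":"AgIC"}}}}"#)
+.await;
 let v = prf.eval_by_credential.get("Y3JlZDE").expect("entry");
 assert_eq!(v.first, vec![0x01]);
 assert_eq!(v.second.as_deref(), Some(&[0x02u8, 0x02, 0x02][..]));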
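Review bot: The updated `test_prf_eval_by_credential_variable_length` only covers the accepted path with the spec member name, while the commit message also promises that a later empty or non-base64url key is rejected in `prf_to_hmac_input`; no section shown on this page touches that function or tests the rejection. If that validation landed elsewhere, the message should say so; otherwise a negative test belongs next to this one, feeding a map with one valid and one invalid key (constructed sample: `{"prf":{"evalByCredential":{"Y3JlZDE":{"first":"AQ"},"":{"first":"AQ"}}}}`) and asserting that the conversion returns an error. Without it, a regression that again skips the per-credential salt checks would pass this suite. The test function's body continues past the end of the hunk.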

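--- a/libwebauthn/src/ops/webauthn/idl/get.rs
+++ b/libwebauthn/src/ops/webauthn/idl/get.rs
@@ -67,6 +67,7 @@ pub struct LargeBlobInputJson {
 }
 
 #[derive(Debug, Clone, Deserialize)]
+#[serde(rename_all = "camelCase")]
 pub struct PrfInputJson {
 pub eval: Option<PrfValuesJson>,
 pub eval_by_credential: Option<HashMap<String, PrfValuesJson>>,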
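Review bot: With `rename_all = "camelCase"` on `PrfInputJson`, a caller still sending the old `eval_by_credential` member is now the one whose per-credential salts are dropped without an error, because serde ignores unknown members unless `deny_unknown_fields` is set and none is visible on this struct. That is the same silent failure the commit fixes, moved to the other spelling. Either keep the old name readable with `#[serde(alias = "eval_by_credential")]` on the field, or reject unknown members so a misspelled name fails loudly instead of bypassing the salt validation. The struct body continues outside the hunk.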
