feat(ctap2): add authenticatorLargeBlobs command (0x0C)

AlfioEmanueleFresta · AlfioEmanueleFresta · commit c6110f5d6df1 · 2026-05-19T18:59:19.000+01:00
Implements the wire-level model and protocol method for CTAP 2.1
`authenticatorLargeBlobs` (command code 0x0C, spec §6.10). This is the
device-side primitive the platform uses to fetch and update the
authenticator's serialized largeBlobArray.

Includes only the `get` request shape so far; `set` is reserved for a
follow-up that will also handle the pinUvAuthParam binding required for
writes.

Refs: CTAP 2.2 §6.10.
diff --git a/libwebauthn/src/proto/ctap2/cbor/request.rs b/libwebauthn/src/proto/ctap2/cbor/request.rs
@@ -8,6 +8,7 @@ use crate::proto::ctap2::model::Ctap2MakeCredentialRequest;
 use crate::proto::ctap2::Ctap2AuthenticatorConfigRequest;
 use crate::proto::ctap2::Ctap2BioEnrollmentRequest;
 use crate::proto::ctap2::Ctap2CredentialManagementRequest;
+use crate::proto::ctap2::Ctap2LargeBlobsRequest;
 use crate::webauthn::Error;
 
 #[derive(Debug, Clone, PartialEq)]
@@ -106,3 +107,13 @@ impl TryFrom<&Ctap2CredentialManagementRequest> for CborRequest {
         })
     }
 }
+
+impl TryFrom<&Ctap2LargeBlobsRequest> for CborRequest {
+    type Error = Error;
+    fn try_from(request: &Ctap2LargeBlobsRequest) -> Result<CborRequest, Error> {
+        Ok(CborRequest {
+            command: Ctap2CommandCode::AuthenticatorLargeBlobs,
+            encoded_data: cbor::to_vec(&request)?,
+        })
+    }
+}
diff --git a/libwebauthn/src/proto/ctap2/mod.rs b/libwebauthn/src/proto/ctap2/mod.rs
@@ -32,6 +32,7 @@ pub use model::{
 pub use model::{
     Ctap2GetAssertionRequest, Ctap2GetAssertionResponse, Ctap2GetAssertionResponseExtensions,
 };
+pub use model::{Ctap2LargeBlobsRequest, Ctap2LargeBlobsResponse};
 pub use model::{
     Ctap2MakeCredentialRequest, Ctap2MakeCredentialResponse, Ctap2MakeCredentialsResponseExtensions,
 };
diff --git a/libwebauthn/src/proto/ctap2/model.rs b/libwebauthn/src/proto/ctap2/model.rs
@@ -44,6 +44,8 @@ pub use credential_management::{
     Ctap2CredentialData, Ctap2CredentialManagementMetadata, Ctap2CredentialManagementRequest,
     Ctap2CredentialManagementResponse, Ctap2RPData,
 };
+mod large_blobs;
+pub use large_blobs::{Ctap2LargeBlobsRequest, Ctap2LargeBlobsResponse};
 
 #[derive(Debug, IntoPrimitive, TryFromPrimitive, Copy, Clone, PartialEq, Serialize_repr)]
 #[repr(u8)]
@@ -58,6 +60,7 @@ pub enum Ctap2CommandCode {
     AuthenticatorCredentialManagement = 0x0A,
     AuthenticatorCredentialManagementPreview = 0x41,
     AuthenticatorSelection = 0x0B,
+    AuthenticatorLargeBlobs = 0x0C,
     AuthenticatorConfig = 0x0D,
 }
 
diff --git a/libwebauthn/src/proto/ctap2/model/large_blobs.rs b/libwebauthn/src/proto/ctap2/model/large_blobs.rs
@@ -0,0 +1,71 @@
+//! CTAP 2.1 `authenticatorLargeBlobs` command (`0x0C`). Wire-level model only;
+//! see [`crate::ops::webauthn::large_blob`] for the high-level read pipeline.
+
+use serde_bytes::ByteBuf;
+use serde_indexed::{DeserializeIndexed, SerializeIndexed};
+
+/// Request parameters. `get` (read) and `set` (write) are mutually exclusive.
+#[derive(Debug, Clone, SerializeIndexed)]
+pub struct Ctap2LargeBlobsRequest {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(index = 0x01)]
+    pub get: Option<u32>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(index = 0x02)]
+    pub set: Option<ByteBuf>,
+
+    #[serde(index = 0x03)]
+    pub offset: u32,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(index = 0x04)]
+    pub length: Option<u32>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(index = 0x05)]
+    pub pin_uv_auth_param: Option<ByteBuf>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(index = 0x06)]
+    pub pin_uv_auth_protocol: Option<u32>,
+}
+
+impl Ctap2LargeBlobsRequest {
+    pub fn new_get(offset: u32, length: u32) -> Self {
+        Self {
+            get: Some(length),
+            set: None,
+            offset,
+            length: None,
+            pin_uv_auth_param: None,
+            pin_uv_auth_protocol: None,
+        }
+    }
+}
+
+#[cfg_attr(test, derive(SerializeIndexed))]
+#[derive(Debug, Default, Clone, DeserializeIndexed)]
+pub struct Ctap2LargeBlobsResponse {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(index = 0x01)]
+    pub config: Option<ByteBuf>,
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::proto::ctap2::cbor;
+
+    #[test]
+    fn get_request_round_trips_through_cbor() {
+        let req = Ctap2LargeBlobsRequest::new_get(0, 1024);
+        let bytes = cbor::to_vec(&req).expect("serialize");
+        assert_eq!(bytes[0], 0xa2, "expected CBOR map of two items");
+        let value: cbor::Value = cbor::from_slice(&bytes).expect("deserialize");
+        let cbor::Value::Map(map) = value else {
+            panic!("expected map");
+        };
+        assert_eq!(map.len(), 2);
+    }
+}
diff --git a/libwebauthn/src/proto/ctap2/protocol.rs b/libwebauthn/src/proto/ctap2/protocol.rs
@@ -15,8 +15,8 @@ use super::model::Ctap2ClientPinResponse;
 use super::{
     Ctap2AuthenticatorConfigRequest, Ctap2BioEnrollmentRequest, Ctap2ClientPinRequest,
     Ctap2CredentialManagementRequest, Ctap2CredentialManagementResponse, Ctap2GetAssertionRequest,
-    Ctap2GetAssertionResponse, Ctap2GetInfoResponse, Ctap2MakeCredentialRequest,
-    Ctap2MakeCredentialResponse,
+    Ctap2GetAssertionResponse, Ctap2GetInfoResponse, Ctap2LargeBlobsRequest,
+    Ctap2LargeBlobsResponse, Ctap2MakeCredentialRequest, Ctap2MakeCredentialResponse,
 };
 
 const TIMEOUT_GET_INFO: Duration = Duration::from_millis(250);
@@ -90,6 +90,11 @@ pub trait Ctap2 {
         request: &Ctap2CredentialManagementRequest,
         timeout: Duration,
     ) -> Result<Ctap2CredentialManagementResponse, Error>;
+    async fn ctap2_large_blobs(
+        &mut self,
+        request: &Ctap2LargeBlobsRequest,
+        timeout: Duration,
+    ) -> Result<Ctap2LargeBlobsResponse, Error>;
 }
 
 #[async_trait]
@@ -284,6 +289,31 @@ where
             Ok(Ctap2CredentialManagementResponse::default())
         }
     }
+
+    #[instrument(skip_all)]
+    async fn ctap2_large_blobs(
+        &mut self,
+        request: &Ctap2LargeBlobsRequest,
+        timeout: Duration,
+    ) -> Result<Ctap2LargeBlobsResponse, Error> {
+        trace!(?request);
+        self.cbor_send(&request.try_into()?, timeout).await?;
+        let cbor_response = self.cbor_recv(timeout).await?;
+        match cbor_response.status_code {
+            CtapError::Ok => (),
+            error => return Err(Error::Ctap(error)),
+        };
+        if let Some(data) = cbor_response.data {
+            let ctap_response = parse_cbor!(Ctap2LargeBlobsResponse, &data);
+            debug!("CTAP2 LargeBlobs successful");
+            trace!(?ctap_response);
+            Ok(ctap_response)
+        } else {
+            // Write responses carry no body; same serde_indexed workaround as
+            // credential_management above.
+            Ok(Ctap2LargeBlobsResponse::default())
+        }
+    }
 }
 
 #[cfg(test)]
