Separate signed/unsigned extensions for MakeCredential

Author: msirringhaus

libwebauthn/src/fido.rs

@@ -2,20 +2,22 @@ use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
 use cosey::PublicKey;
 use serde::{
     de::{DeserializeOwned, Error as DesError, Visitor},
-    ser::Error as SerError,
-    Deserialize, Deserializer, Serialize, Serializer,
+    Deserialize, Deserializer, Serialize,
 };
 use serde_bytes::ByteBuf;
 use std::{
     fmt,
     io::{Cursor, Read},
     marker::PhantomData,
 };
-use tracing::warn;
-
-use crate::proto::{
-    ctap2::{Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialType},
-    CtapError,
+use tracing::{error, warn};
+
+use crate::{
+    proto::{
+        ctap2::{Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialType},
+        CtapError,
+    },
+    webauthn::{Error, PlatformError},
 };
 
 #[derive(Debug, PartialEq, Eq)]
@@ -62,28 +64,6 @@ pub struct AttestedCredentialData {
     pub credential_public_key: PublicKey,
 }
 
-impl Serialize for AttestedCredentialData {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: Serializer,
-    {
-        // Name                 | Length
-        // --------------------------------
-        //  aaguid              | 16
-        //  credentialIdLenght  | 2
-        //  credentialId        | L
-        //  credentialPublicKey | variable
-        let mut res = self.aaguid.to_vec();
-        res.write_u16::<BigEndian>(self.credential_id.len() as u16)
-            .map_err(SerError::custom)?;
-        res.extend(&self.credential_id);
-        let cose_encoded_public_key =
-            serde_cbor::to_vec(&self.credential_public_key).map_err(SerError::custom)?;
-        res.extend(cose_encoded_public_key);
-        serializer.serialize_bytes(&res)
-    }
-}
-
 impl From<&AttestedCredentialData> for Ctap2PublicKeyCredentialDescriptor {
     fn from(data: &AttestedCredentialData) -> Self {
         Self {
@@ -103,14 +83,11 @@ pub struct AuthenticatorData<T> {
     pub extensions: Option<T>,
 }
 
-impl<T> Serialize for AuthenticatorData<T>
+impl<T> AuthenticatorData<T>
 where
     T: Clone + Serialize,
 {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: Serializer,
-    {
+    pub fn to_output(&self) -> Result<Vec<u8>, Error> {
         // Name                    | Length
         // -----------------------------------
         // rpIdHash                | 32
@@ -121,14 +98,46 @@ where
         let mut res = self.rp_id_hash.to_vec();
         res.push(self.flags.bits());
         res.write_u32::<BigEndian>(self.signature_count)
-            .map_err(SerError::custom)?;
+            .map_err(|e| {
+                error!("Failed to create AuthenticatorData output vec at signature_count: {e:?}");
+                Error::Platform(PlatformError::InvalidDeviceResponse)
+            })?;
+
         if let Some(att_data) = &self.attested_credential {
-            res.extend(serde_cbor::to_vec(att_data).map_err(SerError::custom)?);
+            // Name                 | Length
+            // --------------------------------
+            //  aaguid              | 16
+            //  credentialIdLenght  | 2
+            //  credentialId        | L
+            //  credentialPublicKey | variable
+            res.extend(att_data.aaguid);
+            res.write_u16::<BigEndian>(att_data.credential_id.len() as u16)
+            .map_err(|e| {
+                error!(
+                    "Failed to create AuthenticatorData output vec at attested_credential.credential_id: {e:?}"
+                );
+                Error::Platform(PlatformError::InvalidDeviceResponse)
+            })?;
+            res.extend(&att_data.credential_id);
+            let cose_encoded_public_key =
+                serde_cbor::to_vec(&att_data.credential_public_key)
+            .map_err(|e| {
+                error!(
+                    "Failed to create AuthenticatorData output vec at attested_credential.credential_public_key: {e:?}"
+                );
+                Error::Platform(PlatformError::InvalidDeviceResponse)
+            })?;
+            res.extend(cose_encoded_public_key);
         }
-        if let Some(extensions) = &self.extensions {
-            res.extend(serde_cbor::to_vec(extensions).map_err(SerError::custom)?);
+
+        if self.extensions.is_some() || self.flags.contains(AuthenticatorDataFlags::EXTENSION_DATA)
+        {
+            res.extend(serde_cbor::to_vec(&self.extensions).map_err(|e| {
+                error!("Failed to create AuthenticatorData output vec at extensions: {e:?}");
+                Error::Platform(PlatformError::InvalidDeviceResponse)
+            })?);
         }
-        serializer.serialize_bytes(&res)
+        Ok(res)
     }
 }
 

libwebauthn/src/ops/u2f.rs

@@ -148,7 +148,6 @@ impl UpgradableResponse<MakeCredentialResponse, MakeCredentialRequest> for Regis
             attestation_statement,
             enterprise_attestation: None,
             large_blob_key: None,
-            unsigned_extension_output: None,
         };
         Ok(resp.into_make_credential_output(request, None))
     }

libwebauthn/src/ops/webauthn.rs

@@ -16,8 +16,8 @@ use crate::{
         ctap1::{Ctap1RegisteredKey, Ctap1Version},
         ctap2::{
             Ctap2AttestationStatement, Ctap2COSEAlgorithmIdentifier, Ctap2CredentialType,
-            Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialRpEntity,
-            Ctap2PublicKeyCredentialUserEntity,
+            Ctap2MakeCredentialsResponseExtensions, Ctap2PublicKeyCredentialDescriptor,
+            Ctap2PublicKeyCredentialRpEntity, Ctap2PublicKeyCredentialUserEntity,
         },
     },
     webauthn::CtapError,
@@ -57,7 +57,23 @@ pub struct MakeCredentialResponse {
     pub attestation_statement: Ctap2AttestationStatement,
     pub enterprise_attestation: Option<bool>,
     pub large_blob_key: Option<Vec<u8>>,
-    pub unsigned_extension_output: Option<BTreeMap<Value, Value>>,
+    pub unsigned_extensions_output: Option<MakeCredentialsResponseUnsignedExtensions>,
+}
+
+#[derive(Debug, Default, Clone, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct MakeCredentialsResponseUnsignedExtensions {
+    // pub app_id: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub cred_props: Option<CredentialPropsExtension>,
+    // #[serde(skip_serializing_if = "Option::is_none")]
+    // pub cred_blob: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub hmac_create_secret: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub large_blob: Option<MakeCredentialLargeBlobExtensionOutput>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub prf: Option<MakeCredentialPrfOutput>,
 }
 
 #[derive(Debug, Clone)]
@@ -79,7 +95,7 @@ pub struct MakeCredentialRequest {
     pub timeout: Duration,
 }
 
-#[derive(Debug, Default, Clone)]
+#[derive(Debug, Default, Clone, Serialize)]
 pub struct PRFValue {
     pub first: [u8; 32],
     pub second: Option<[u8; 32]>,
@@ -103,14 +119,10 @@ pub enum MakeCredentialHmacOrPrfInput {
     // },
 }
 
-#[derive(Debug, Default, Clone)]
-pub enum MakeCredentialHmacOrPrfOutput {
-    #[default]
-    None,
-    HmacGetSecret(bool),
-    Prf {
-        enabled: bool,
-    },
+#[derive(Debug, Default, Clone, Serialize)]
+pub struct MakeCredentialPrfOutput {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub enabled: Option<bool>,
 }
 
 #[derive(Debug, Clone)]
@@ -159,6 +171,13 @@ impl From<Ctap2CredentialProtectionPolicy> for CredentialProtectionPolicy {
     }
 }
 
+#[derive(Debug, Default, Clone, Deserialize, Serialize, PartialEq, Eq)]
+#[serde(rename_all = "camelCase")]
+pub struct CredentialPropsExtension {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub rk: Option<bool>,
+}
+
 #[derive(Debug, Default, Clone, Deserialize, Serialize, PartialEq, Eq)]
 #[serde(rename_all = "camelCase")]
 pub enum MakeCredentialLargeBlobExtension {
@@ -168,6 +187,12 @@ pub enum MakeCredentialLargeBlobExtension {
     Required,
 }
 
+#[derive(Debug, Default, Clone, PartialEq, Eq, Serialize)]
+pub struct MakeCredentialLargeBlobExtensionOutput {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub supported: Option<bool>,
+}
+
 #[derive(Debug, Default, Clone)]
 pub struct MakeCredentialsRequestExtensions {
     pub cred_props: Option<bool>,
@@ -178,21 +203,9 @@ pub struct MakeCredentialsRequestExtensions {
     pub hmac_or_prf: MakeCredentialHmacOrPrfInput,
 }
 
-#[derive(Debug, Default, Clone)]
-pub struct MakeCredentialsResponseExtensions {
-    pub cred_protect: Option<CredentialProtectionPolicy>,
-    /// If storing credBlob was successful
-    pub cred_blob: Option<bool>,
-    /// Current min PIN lenght
-    pub min_pin_length: Option<u32>,
-    pub hmac_or_prf: MakeCredentialHmacOrPrfOutput,
-    // Currently, credProps only returns one value: rk = bool
-    // If these get more in the future, we can use a struct here.
-    pub cred_props_rk: Option<bool>,
-}
+pub type MakeCredentialsResponseExtensions = Ctap2MakeCredentialsResponseExtensions;
 
 impl MakeCredentialRequest {
-    #[cfg(test)]
     pub fn dummy() -> Self {
         Self {
             hash: vec![0; 32],
@@ -203,7 +216,7 @@ impl MakeCredentialRequest {
             extensions: None,
             origin: "example.org".to_owned(),
             require_resident_key: false,
-            user_verification: UserVerificationRequirement::Preferred,
+            user_verification: UserVerificationRequirement::Discouraged,
             timeout: Duration::from_secs(10),
         }
     }
@@ -265,9 +278,11 @@ pub struct GetAssertionRequestExtensions {
     pub large_blob: GetAssertionLargeBlobExtension,
 }
 
-#[derive(Clone, Debug, Default)]
+#[derive(Clone, Debug, Default, Serialize)]
+#[serde(rename_all = "camelCase")]
 pub struct HMACGetSecretOutput {
     pub output1: [u8; 32],
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub output2: Option<[u8; 32]>,
 }
 

libwebauthn/src/proto/ctap2/mod.rs

@@ -26,6 +26,8 @@ pub use model::{
     Ctap2CredentialManagementResponse, Ctap2RPData,
 };
 pub use model::{Ctap2GetAssertionRequest, Ctap2GetAssertionResponse};
-pub use model::{Ctap2MakeCredentialRequest, Ctap2MakeCredentialResponse};
+pub use model::{
+    Ctap2MakeCredentialRequest, Ctap2MakeCredentialResponse, Ctap2MakeCredentialsResponseExtensions,
+};
 pub mod preflight;
 pub use protocol::Ctap2;

libwebauthn/src/proto/ctap2/model.rs

@@ -25,6 +25,7 @@ pub use client_pin::{
 mod make_credential;
 pub use make_credential::{
     Ctap2MakeCredentialOptions, Ctap2MakeCredentialRequest, Ctap2MakeCredentialResponse,
+    Ctap2MakeCredentialsResponseExtensions,
 };
 mod get_assertion;
 pub use get_assertion::{