feat(webauthn): related-origins validation (WebAuthn L3 §5.11)

README.md

@@ -68,16 +68,18 @@ $ git submodule update --init
 The basic ceremony examples (register + authenticate) cover all transports. The
 WebAuthn examples consume and emit JSON per the [WebAuthn IDL][webauthn].
 
-| Transport             | FIDO U2F                                                                                                                 | WebAuthn (FIDO2)                                                                                                                   |
-| --------------------- | ------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------- |
-| **USB (HID)**         | `cargo run --example u2f_hid`                                                                                            | `cargo run --example webauthn_hid`                                                                                                 |
-| **Bluetooth (BLE)**   | `cargo run --example u2f_ble`                                                                                            | `cargo run --example webauthn_ble`                                                                                                 |
-| **NFC** [^nfc]        | `cargo run --features nfc-backend-pcsc --example u2f_nfc`<br>`cargo run --features nfc-backend-libnfc --example u2f_nfc` | `cargo run --features nfc-backend-pcsc --example webauthn_nfc`<br>`cargo run --features nfc-backend-libnfc --example webauthn_nfc` |
-| **Hybrid (caBLE v2 + CTAP 2.3)** | —                                                                                                             | `cargo run --example webauthn_cable`                                                                                               |
-| **Hybrid (caBLE v2)** | —                                                                                                                        | `cargo run --example webauthn_cable_wss`                                                                                           |
+| Transport                        | FIDO U2F                                                                                                                 | WebAuthn (FIDO2) [^ro]                                                                                                                                                          |
+| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **USB (HID)**                    | `cargo run --example u2f_hid`                                                                                            | `cargo run --features related-origins-client --example webauthn_hid`                                                                                                            |
+| **Bluetooth (BLE)**              | `cargo run --example u2f_ble`                                                                                            | `cargo run --features related-origins-client --example webauthn_ble`                                                                                                            |
+| **NFC** [^nfc]                   | `cargo run --features nfc-backend-pcsc --example u2f_nfc`<br>`cargo run --features nfc-backend-libnfc --example u2f_nfc` | `cargo run --features nfc-backend-pcsc,related-origins-client --example webauthn_nfc`<br>`cargo run --features nfc-backend-libnfc,related-origins-client --example webauthn_nfc` |
+| **Hybrid (caBLE v2 + CTAP 2.3)** | —                                                                                                                        | `cargo run --features related-origins-client --example webauthn_cable`                                                                                                          |
+| **Hybrid (caBLE v2)**            | —                                                                                                                        | `cargo run --features related-origins-client --example webauthn_cable_wss`                                                                                                      |
 
 [^nfc]: `nfc-backend-pcsc` is pure userspace and recommended on most systems. `nfc-backend-libnfc` requires the `libnfc` system library. Both can be enabled together; the first FIDO device found by either backend is used.
 
+[^ro]: The WebAuthn ceremony examples wire up the bundled reqwest-backed [related-origins](https://www.w3.org/TR/webauthn-3/#sctn-related-origins) client, which lives behind the optional `related-origins-client` feature. Consumers that already ship their own HTTP stack can implement `RelatedOriginsHttpClient` directly and omit the feature.
+
 Additional HID-only examples cover specific FIDO2 features and authenticator management:
 
 ```

libwebauthn/Cargo.toml

@@ -26,6 +26,10 @@ nfc-backend-libnfc = [
 # external crates (e.g. libwebauthn-tests) can plug in a virtual HID transport
 # for end-to-end tests.
 virt = []
+# Provides the reqwest-backed default RelatedOriginsHttpClient. Off by default so
+# the core crate stays HTTP-client-free; consumers that want the default impl
+# opt in, others bring their own client.
+related-origins-client = ["dep:reqwest"]
 
 [dependencies]
 base64-url = "3.0.0"
@@ -85,6 +89,12 @@ apdu = { version = "0.4.0", optional = true }
 pcsc = { version = "2.9.0", optional = true }
 nfc1 = { version = "=0.6.0", optional = true, default-features = false }
 nfc1-sys = { version = "0.3.9", optional = true, default-features = false }
+reqwest = { version = "0.12", default-features = false, features = [
+    "rustls-tls-native-roots",
+    "http2",
+    "stream",
+    "charset",
+], optional = true }
 
 [dev-dependencies]
 tracing-subscriber = { version = "0.3.3", features = ["env-filter"] }
@@ -116,23 +126,27 @@ required-features = ["nfc"]
 [[example]]
 name = "webauthn_hid"
 path = "examples/ceremony/webauthn_hid.rs"
+required-features = ["related-origins-client"]
 
 [[example]]
 name = "webauthn_ble"
 path = "examples/ceremony/webauthn_ble.rs"
+required-features = ["related-origins-client"]
 
 [[example]]
 name = "webauthn_nfc"
 path = "examples/ceremony/webauthn_nfc.rs"
-required-features = ["nfc"]
+required-features = ["nfc", "related-origins-client"]
 
 [[example]]
 name = "webauthn_cable"
 path = "examples/ceremony/webauthn_cable.rs"
+required-features = ["related-origins-client"]
 
 [[example]]
 name = "webauthn_cable_wss"
 path = "examples/ceremony/webauthn_cable_wss.rs"
+required-features = ["related-origins-client"]
 
 [[example]]
 name = "webauthn_extensions_hid"

libwebauthn/examples/ceremony/webauthn_ble.rs

@@ -2,7 +2,7 @@ use std::error::Error;
 
 use libwebauthn::ops::webauthn::{
     DatFilePublicSuffixList, GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin,
-    WebAuthnIDL as _, WebAuthnIDLResponse as _,
+    ReqwestRelatedOriginsClient, WebAuthnIDL as _, WebAuthnIDLResponse as _,
 };
 use libwebauthn::proto::ctap2::Ctap2PublicKeyCredentialDescriptor;
 use libwebauthn::transport::ble::list_devices;
@@ -52,8 +52,10 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                     "attestation": "none"
                 }
                 "#;
+        let related_origins = ReqwestRelatedOriginsClient::new()?;
         let make_credentials_request: MakeCredentialRequest =
-            MakeCredentialRequest::from_json(&request_origin, &psl, request_json)
+            MakeCredentialRequest::from_json(&request_origin, &psl, &related_origins, request_json)
+                .await
                 .expect("Failed to parse request JSON");
         println!(
             "WebAuthn MakeCredential request: {:?}",
@@ -97,7 +99,8 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                 "#
         );
         let get_assertion: GetAssertionRequest =
-            GetAssertionRequest::from_json(&request_origin, &psl, &request_json)
+            GetAssertionRequest::from_json(&request_origin, &psl, &related_origins, &request_json)
+                .await
                 .expect("Failed to parse request JSON");
         println!("WebAuthn GetAssertion request: {:?}", get_assertion);
 

libwebauthn/examples/ceremony/webauthn_cable.rs

@@ -11,8 +11,8 @@ use qrcode::render::unicode;
 use qrcode::QrCode;
 
 use libwebauthn::ops::webauthn::{
-    DatFilePublicSuffixList, JsonFormat, MakeCredentialRequest, RequestOrigin, WebAuthnIDL as _,
-    WebAuthnIDLResponse as _,
+    DatFilePublicSuffixList, JsonFormat, MakeCredentialRequest, RequestOrigin,
+    ReqwestRelatedOriginsClient, WebAuthnIDL as _, WebAuthnIDLResponse as _,
 };
 use libwebauthn::transport::{Channel as _, Device};
 use libwebauthn::webauthn::WebAuthn;
@@ -58,6 +58,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     let psl = DatFilePublicSuffixList::from_system_file().expect(
         "PSL not available; install the publicsuffix-list package or pass an explicit path",
     );
+    let related_origins = ReqwestRelatedOriginsClient::new()?;
 
     let mut device: CableQrCodeDevice = CableQrCodeDevice::new_transient(
         QrCodeOperationHint::MakeCredential,
@@ -79,8 +80,14 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     let state_recv = channel.get_ux_update_receiver();
     tokio::spawn(common::handle_cable_updates(state_recv));
 
-    let request = MakeCredentialRequest::from_json(&request_origin, &psl, MAKE_CREDENTIAL_REQUEST)
-        .expect("Failed to parse request JSON");
+    let request = MakeCredentialRequest::from_json(
+        &request_origin,
+        &psl,
+        &related_origins,
+        MAKE_CREDENTIAL_REQUEST,
+    )
+    .await
+    .expect("Failed to parse request JSON");
 
     let response = retry_user_errors!(channel.webauthn_make_credential(&request)).unwrap();
     let response_json = response

libwebauthn/examples/ceremony/webauthn_cable_wss.rs

@@ -14,8 +14,8 @@ use qrcode::QrCode;
 use tokio::time::sleep;
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin, SystemPublicSuffixList,
-    WebAuthnIDL as _, WebAuthnIDLResponse as _,
+    GetAssertionRequest, JsonFormat, MakeCredentialRequest, NoRelatedOriginsClient, RequestOrigin,
+    SystemPublicSuffixList, WebAuthnIDL as _, WebAuthnIDLResponse as _,
 };
 use libwebauthn::transport::cable::channel::CableChannel;
 use libwebauthn::transport::{Channel as _, Device};
@@ -95,9 +95,14 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         let state_recv = channel.get_ux_update_receiver();
         tokio::spawn(common::handle_cable_updates(state_recv));
 
-        let request =
-            MakeCredentialRequest::from_json(&request_origin, &psl, MAKE_CREDENTIAL_REQUEST)
-                .expect("Failed to parse request JSON");
+        let request = MakeCredentialRequest::from_json(
+            &request_origin,
+            &psl,
+            &NoRelatedOriginsClient,
+            MAKE_CREDENTIAL_REQUEST,
+        )
+        .await
+        .expect("Failed to parse request JSON");
 
         let response = retry_user_errors!(channel.webauthn_make_credential(&request)).unwrap();
         let response_json = response
@@ -155,8 +160,14 @@ async fn run_get_assertion(
     let state_recv = channel.get_ux_update_receiver();
     tokio::spawn(common::handle_cable_updates(state_recv));
 
-    let request = GetAssertionRequest::from_json(request_origin, psl, GET_ASSERTION_REQUEST)
-        .expect("Failed to parse request JSON");
+    let request = GetAssertionRequest::from_json(
+        request_origin,
+        psl,
+        &NoRelatedOriginsClient,
+        GET_ASSERTION_REQUEST,
+    )
+    .await
+    .expect("Failed to parse request JSON");
     let response = retry_user_errors!(channel.webauthn_get_assertion(&request)).unwrap();
     for assertion in &response.assertions {
         let assertion_json = assertion

libwebauthn/examples/ceremony/webauthn_hid.rs

@@ -2,8 +2,9 @@ use std::error::Error;
 use std::time::Duration;
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin, SystemPublicSuffixList,
-    WebAuthnIDL as _, WebAuthnIDLResponse as _,
+    GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin,
+    ReqwestRelatedOriginsClient, SystemPublicSuffixList, WebAuthnIDL as _,
+    WebAuthnIDLResponse as _,
 };
 use libwebauthn::proto::ctap2::Ctap2PublicKeyCredentialDescriptor;
 use libwebauthn::transport::hid::list_devices;
@@ -32,6 +33,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         let psl = SystemPublicSuffixList::auto().expect(
             "PSL not available; install the publicsuffix-list (or publicsuffix-list-dafsa) package, or pass an explicit path",
         );
+        let related_origins = ReqwestRelatedOriginsClient::new()?;
         let request_json = r#"
                 {
                     "rp": {
@@ -57,7 +59,8 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                 }
                 "#;
         let make_credentials_request: MakeCredentialRequest =
-            MakeCredentialRequest::from_json(&request_origin, &psl, request_json)
+            MakeCredentialRequest::from_json(&request_origin, &psl, &related_origins, request_json)
+                .await
                 .expect("Failed to parse request JSON");
         println!(
             "WebAuthn MakeCredential request: {:?}",
@@ -101,7 +104,8 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                 "#
         );
         let get_assertion: GetAssertionRequest =
-            GetAssertionRequest::from_json(&request_origin, &psl, &request_json)
+            GetAssertionRequest::from_json(&request_origin, &psl, &related_origins, &request_json)
+                .await
                 .expect("Failed to parse request JSON");
         println!("WebAuthn GetAssertion request: {:?}", get_assertion);
 

libwebauthn/examples/ceremony/webauthn_nfc.rs

@@ -1,8 +1,9 @@
 use std::error::Error;
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin, SystemPublicSuffixList,
-    WebAuthnIDL as _, WebAuthnIDLResponse as _,
+    GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin,
+    ReqwestRelatedOriginsClient, SystemPublicSuffixList, WebAuthnIDL as _,
+    WebAuthnIDLResponse as _,
 };
 use libwebauthn::transport::nfc::{get_nfc_device, is_nfc_available};
 use libwebauthn::transport::{Channel as _, Device};
@@ -30,9 +31,11 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     let psl = SystemPublicSuffixList::auto().expect(
         "PSL not available; install the publicsuffix-list (or publicsuffix-list-dafsa) package, or pass an explicit path",
     );
+    let related_origins = ReqwestRelatedOriginsClient::new()?;
     let make_credentials_request = MakeCredentialRequest::from_json(
         &request_origin,
         &psl,
+        &related_origins,
         r#"
         {
             "rp": {
@@ -58,6 +61,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         }
         "#,
     )
+    .await
     .expect("Failed to parse request JSON");
     println!(
         "WebAuthn MakeCredential request: {:?}",
@@ -77,6 +81,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     let get_assertion = GetAssertionRequest::from_json(
         &request_origin,
         &psl,
+        &related_origins,
         r#"
         {
             "challenge": "Y3JlZGVudGlhbHMtZm9yLWxpbnV4L2xpYndlYmF1dGhu",
@@ -86,6 +91,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         }
         "#,
     )
+    .await
     .expect("Failed to parse request JSON");
     println!("WebAuthn GetAssertion request: {:?}", get_assertion);