feat(pin): add pcmr permission and rename ephemeral token source (1/5)

libwebauthn/src/proto/ctap2/model/client_pin.rs

@@ -189,6 +189,7 @@ bitflags! {
         const BIO_ENROLLMENT = 0x08;
         const LARGE_BLOB_WRITE = 0x10;
         const AUTHENTICATOR_CONFIGURATION = 0x20;
+        const PERSISTENT_CREDENTIAL_MANAGEMENT_READ_ONLY = 0x40;
     }
 }
 
@@ -249,3 +250,17 @@ pub struct Ctap2ClientPinResponse {
     #[serde(index = 0x05)]
     pub uv_retries: Option<u32>,
 }
+
+#[cfg(test)]
+mod test {
+    use super::Ctap2AuthTokenPermissionRole;
+
+    #[test]
+    fn pcmr_permission_bit() {
+        let pcmr = Ctap2AuthTokenPermissionRole::PERSISTENT_CREDENTIAL_MANAGEMENT_READ_ONLY;
+        // CTAP 2.3-PS section 6.5.5.7: pcmr is 0x40.
+        assert_eq!(pcmr.bits(), 0x40);
+        // Disjoint from every other permission, so the existing subset test isolates it.
+        assert!(!pcmr.intersects(Ctap2AuthTokenPermissionRole::all().difference(pcmr)));
+    }
+}

libwebauthn/src/proto/ctap2/model/get_info.rs

@@ -188,6 +188,11 @@ impl Ctap2GetInfoResponse {
         self.option_enabled("credMgmt") || self.option_enabled("credentialMgmtPreview")
     }
 
+    /// CTAP 2.2+ persistent pinUvAuthToken for read-only credential management (pcmr).
+    pub fn supports_persistent_credential_management_read_only(&self) -> bool {
+        self.option_enabled("perCredMgmtRO")
+    }
+
     pub fn supports_bio_enrollment(&self) -> bool {
         if let Some(options) = &self.options {
             return options.get("bioEnroll").is_some()
@@ -318,6 +323,18 @@ mod test {
         assert_eq!(info.uv_operation(true), None);
     }
 
+    #[test]
+    fn per_cred_mgmt_ro_detection() {
+        assert!(
+            !Ctap2GetInfoResponse::default().supports_persistent_credential_management_read_only()
+        );
+        assert!(!create_info(&[]).supports_persistent_credential_management_read_only());
+        assert!(!create_info(&[("perCredMgmtRO", false)])
+            .supports_persistent_credential_management_read_only());
+        assert!(create_info(&[("perCredMgmtRO", true)])
+            .supports_persistent_credential_management_read_only());
+    }
+
     #[test]
     fn device_legacy_uv() {
         // Support legacy UV of CTAP2.0

libwebauthn/src/webauthn.rs

@@ -47,7 +47,7 @@ macro_rules! handle_errors {
     ($channel: expr, $resp: expr, $uv_auth_used: expr, $timeout: expr) => {
         match $resp {
             Err(Error::Ctap(CtapError::PINAuthInvalid))
-                if $uv_auth_used == UsedPinUvAuthToken::FromStorage =>
+                if $uv_auth_used == UsedPinUvAuthToken::FromEphemeralStorage =>
             {
                 info!("PINAuthInvalid: Clearing auth token storage and trying again.");
                 $channel.clear_uv_auth_token_store();

libwebauthn/src/webauthn/pin_uv_auth_token.rs

@@ -22,7 +22,7 @@ use crate::{PinNotSetUpdate, PinRequiredUpdate, UvUpdate};
 #[derive(Debug, Copy, Clone, PartialEq, Eq)]
 
 pub(crate) enum UsedPinUvAuthToken {
-    FromStorage,
+    FromEphemeralStorage,
     NewlyCalculated(Ctap2UserVerificationOperation),
     LegacyUV,
     SharedSecretOnly,
@@ -84,7 +84,7 @@ where
         );
         if let Some(uv_auth_token) = channel.get_uv_auth_token(&token_identifier) {
             ctap2_request.calculate_and_set_uv_auth(uv_proto.as_ref(), uv_auth_token)?;
-            return Ok(UsedPinUvAuthToken::FromStorage);
+            return Ok(UsedPinUvAuthToken::FromEphemeralStorage);
         }
     }