
Conversation

@AlfioEmanueleFresta (Member) commented Dec 26, 2025

This PR migrates from custom JSON response serialization to libwebauthn's WebAuthnIDLResponse::to_inner_model() for both create credential (MakeCredential) and get credential (GetAssertion) responses.

Stacked on: #116

Changes

  • Response Serialization
    • Use libwebauthn's to_inner_model() to serialize responses
    • Temporarily modify the result to add transports and authenticator_attachment (see libwebauthn#159)
  • Request Parsing Functions
    • Remove client_data_json from return value (now extracted by libwebauthn)
    • Clone the request for response serialization (needed as context for to_inner_model())
  • Removed Code (~800 lines)

Behavioral Changes

New fields in response (WebAuthn Level 3 enhancements):

  • response.authenticatorData - authenticator data separately encoded
  • response.publicKey - public key in COSE format
  • response.publicKeyAlgorithm - COSE algorithm identifier
  • type - credential type field ("public-key")

TODOs from Deleted Code

The old code had one TODO that should be implemented in libwebauthn:

I believe this is optional since authenticators may omit sending the credential ID if it was unambiguously specified in the request. As a convenience, we should always return a credential ID, even if the authenticator doesn't. This means we'll have to remember the ID on the request if the allow-list has exactly one credential descriptor. This should probably be done in libwebauthn.

Created linux-credentials/libwebauthn#161.

Related Issues
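The GetAssertion serialization path this PR describes, as an added example that is not code from linux-credentials or libwebauthn: it produces a WebAuthn Level 3 style PublicKeyCredential JSON with base64url-encoded binary fields, fills in authenticatorAttachment at the service level (the post-processing step listed under "Response Serialization"), and implements the credential-ID fallback from the quoted TODO (prefer the ID the authenticator sent; otherwise the ID is only unambiguous when the allow-list has exactly one entry). Every type and function name here (AllowedCredential, GetAssertionRequest, AuthenticatorAssertion, resolve_credential_id, assertion_to_json) and all sample bytes are constructed for the example; it uses only the Rust standard library and none of libwebauthn's types.

```rust
// Added example, not code from linux-credentials or libwebauthn. All types,
// function names and sample bytes below are constructed for illustration.

/// One entry of the request's allowCredentials list (hypothetical type).
pub struct AllowedCredential {
    pub id: Vec<u8>,
}

/// The subset of a GetAssertion request this example needs (hypothetical type).
pub struct GetAssertionRequest {
    pub client_data_json: Vec<u8>,
    pub allow_list: Vec<AllowedCredential>,
}

/// What the authenticator returned; the credential ID may legitimately be absent.
pub struct AuthenticatorAssertion {
    pub credential_id: Option<Vec<u8>>,
    pub authenticator_data: Vec<u8>,
    pub signature: Vec<u8>,
    pub user_handle: Option<Vec<u8>>,
}

const ALPHABET: &[u8; 64] =
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// base64url without padding, the encoding WebAuthn JSON uses for binary fields.
pub fn base64url(bytes: &[u8]) -> String {
    let mut out = String::with_capacity((bytes.len() + 2) / 3 * 4);
    for chunk in bytes.chunks(3) {
        let b0 = chunk[0] as u32;
        let b1 = chunk.get(1).copied().unwrap_or(0) as u32;
        let b2 = chunk.get(2).copied().unwrap_or(0) as u32;
        let n = (b0 << 16) | (b1 << 8) | b2;
        out.push(ALPHABET[(n >> 18) as usize & 63] as char);
        out.push(ALPHABET[(n >> 12) as usize & 63] as char);
        if chunk.len() > 1 { out.push(ALPHABET[(n >> 6) as usize & 63] as char); }
        if chunk.len() > 2 { out.push(ALPHABET[n as usize & 63] as char); }
    }
    out
}

const FLAG_USER_PRESENT: u8 = 0x01;

/// Sanity check before encoding: rpIdHash (32) + flags (1) + signCount (4) = 37
/// bytes minimum, and an assertion must carry the user-present flag.
pub fn check_authenticator_data(data: &[u8]) -> Result<(), String> {
    if data.len() < 37 {
        return Err(format!("authenticator data too short: {} bytes", data.len()));
    }
    if data[32] & FLAG_USER_PRESENT == 0 {
        return Err("user-present flag not set in authenticator data".to_string());
    }
    Ok(())
}

/// The fallback from the TODO: use the authenticator's ID when present; otherwise
/// it is only unambiguous if the request's allow-list has exactly one entry.
pub fn resolve_credential_id(
    req: &GetAssertionRequest,
    assertion: &AuthenticatorAssertion,
) -> Result<Vec<u8>, String> {
    if let Some(id) = &assertion.credential_id {
        return Ok(id.clone());
    }
    match req.allow_list.as_slice() {
        [only] => Ok(only.id.clone()),
        [] => Err("authenticator omitted the credential ID and the request had no allow-list".into()),
        _ => Err("authenticator omitted the credential ID and the allow-list is ambiguous".into()),
    }
}

fn json_string(s: &str) -> String {
    format!("\"{}\"", s.replace('\\', "\\\\").replace('"', "\\\""))
}

/// Build the Level 3 style PublicKeyCredential JSON for an assertion, adding
/// authenticatorAttachment, which only the credential service knows.
pub fn assertion_to_json(
    req: &GetAssertionRequest,
    assertion: &AuthenticatorAssertion,
    attachment: &str,
) -> Result<String, String> {
    check_authenticator_data(&assertion.authenticator_data)?;
    let id = json_string(&base64url(&resolve_credential_id(req, assertion)?));
    let user_handle = match &assertion.user_handle {
        Some(h) => json_string(&base64url(h)),
        None => "null".to_string(),
    };
    Ok(format!(
        concat!(
            "{{\"id\":{id},\"rawId\":{id},\"type\":\"public-key\",",
            "\"authenticatorAttachment\":{att},",
            "\"response\":{{\"clientDataJSON\":{cdj},\"authenticatorData\":{ad},",
            "\"signature\":{sig},\"userHandle\":{uh}}}}}"
        ),
        id = id,
        att = json_string(attachment),
        cdj = json_string(&base64url(&req.client_data_json)),
        ad = json_string(&base64url(&assertion.authenticator_data)),
        sig = json_string(&base64url(&assertion.signature)),
        uh = user_handle,
    ))
}

/// Constructed sample input so the example runs offline: a single-entry
/// allow-list and an authenticator that omitted the credential ID.
pub fn sample_assertion() -> (GetAssertionRequest, AuthenticatorAssertion) {
    let mut auth_data = vec![0xAAu8; 32];        // constructed rpIdHash
    auth_data.push(FLAG_USER_PRESENT);           // flags: UP set
    auth_data.extend_from_slice(&[0, 0, 0, 7]);  // signCount = 7
    let req = GetAssertionRequest {
        client_data_json: br#"{"type":"webauthn.get"}"#.to_vec(),
        allow_list: vec![AllowedCredential { id: vec![1, 2, 3, 4] }],
    };
    let assertion = AuthenticatorAssertion {
        credential_id: None,                     // omitted by the authenticator
        authenticator_data: auth_data,
        signature: vec![0x30, 0x44],             // constructed, not a real signature
        user_handle: None,
    };
    (req, assertion)
}

fn main() {
    let (req, assertion) = sample_assertion();
    match assertion_to_json(&req, &assertion, "cross-platform") {
        Ok(json) => println!("{json}"),
        Err(e) => eprintln!("error: {e}"),
    }
}
```

The ambiguity rule is the part worth keeping strict: with an empty or multi-entry allow-list and no ID from the authenticator, the service has no sound way to pick a credential, so the function fails rather than guessing.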

@AlfioEmanueleFresta force-pushed the libwebauthn-json-2 branch 2 times, most recently from 7c84e5d to 41945cd on December 26, 2025 23:21
@AlfioEmanueleFresta changed the title from "Use libwebauthn for JSON response serialization" to "WIP: Use libwebauthn for JSON response serialization" Dec 26, 2025
This commit migrates from custom JSON response serialization to
libwebauthn's WebAuthnIDLResponse::to_inner_model() for both
create credential (MakeCredential) and get credential (GetAssertion)
responses.

Changes:
- Use libwebauthn's to_inner_model() to serialize responses, then
  modify the result to add transport and authenticator_attachment
  information that is known at the credential service level
- Remove create_credential_request_try_into_ctap2's client_data_json
  return value (now extracted from the request by libwebauthn)
- Remove get_credential_request_try_into_ctap2's client_data_json
  return value
- Update gateway.rs to clone the request for response serialization
- Remove unused modules: cbor.rs, cose.rs, serde/mod.rs
- Simplify webauthn.rs to just re-exports from libwebauthn

This removes ~800 lines of custom serialization code including:
- CreatePublicKeyCredentialResponse and GetPublicKeyCredentialResponse
- AttestationStatement enum and create_attestation_object function
- All the extension output types (CredentialPropertiesOutput, etc.)
- Custom CBOR writer for attestation object serialization
- COSE key type helpers

The response serialization now uses libwebauthn's implementation which:
- Handles attestation object CBOR encoding
- Handles all extension output serialization
- Handles base64url encoding of binary fields
- Produces WebAuthn Level 3 compliant JSON responses
@msirringhaus (Collaborator) left a comment

Some minor questions

use tracing::debug;

use crate::cose::CoseKeyAlgorithmIdentifier;
//! WebAuthn types re-exported from libwebauthn.
Collaborator comment:

Do we need this file at all now? Is it used anywhere else except in dbus/model.rs?

.authenticator_data
.to_response_bytes()
.map_err(|err| format!("Failed to parse authenticator data: {err}"))?;
.to_inner_model(request)
Collaborator comment:

Could this function get a different name? to_inner_model() isn't really intuitive from a user-perspective. Same for MakeCredential.
