More extensions (#93)

1. Credential protection policy: 
a) Stop exposing `ctap_types` in our API and use our own implementation
for the webauthn-layer (the CTAP layer still uses `ctap_types`)
b) Also support `enforce_policy`, which we can only do from the inside,
as we need `Ctap2GetInfoResponse` for that. Error out, if it can't be
enforced.

2. Support `credProps` extension. 
a) Pretty straight forward, except that CTAP 2.0 devices are allowed to
create discoverable credentials even if they are not requested. CTAP 2.1
devices are not allowed to do that anymore. So we need
`Ctap2GetInfoResponse` once again to decide

3. Switch from LargeBlobKeys extension to LargeBlob extension.
a) LargeBlob extension has "Preferred"-mode as well, so we need
`Ctap2GetInfoResponse` again for deciding, if we can request it or not.
b) LargeBlobKey-requests can easily be mapped into LargeBlob requests,
by simply using LargeBlob `support = "required"`, so I'm not supporting
both in the API.
c) `GetAssertionLargeBlobExtension::Write()` is not yet supported, as we
need the corresponding CTAP commands to store large blobs for that,
which we don't have yet.

Author: msirringhaus

libwebauthn/examples/prf_test.rs

@@ -154,8 +154,8 @@ async fn run_success_test(
         allow: vec![credential.clone()],
         user_verification: UserVerificationRequirement::Preferred,
         extensions: Some(GetAssertionRequestExtensions {
-            cred_blob: None,
             hmac_or_prf,
+            ..Default::default()
         }),
         timeout: TIMEOUT,
     };

libwebauthn/examples/webauthn_extensions_hid.rs

@@ -3,16 +3,16 @@ use std::error::Error;
 use std::io::{self, Write};
 use std::time::Duration;
 
-use ctap_types::ctap2::credential_management::CredentialProtectionPolicy;
 use libwebauthn::UxUpdate;
 use rand::{thread_rng, Rng};
 use text_io::read;
 use tokio::sync::mpsc::Receiver;
 use tracing_subscriber::{self, EnvFilter};
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionHmacOrPrfInput, GetAssertionRequest, GetAssertionRequestExtensions,
-    HMACGetSecretInput, MakeCredentialHmacOrPrfInput, MakeCredentialRequest,
+    CredentialProtectionExtension, CredentialProtectionPolicy, GetAssertionHmacOrPrfInput,
+    GetAssertionRequest, GetAssertionRequestExtensions, HMACGetSecretInput,
+    MakeCredentialHmacOrPrfInput, MakeCredentialLargeBlobExtension, MakeCredentialRequest,
     MakeCredentialsRequestExtensions, UserVerificationRequirement,
 };
 use libwebauthn::pin::PinRequestReason;
@@ -84,11 +84,15 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     let challenge: [u8; 32] = thread_rng().gen();
 
     let extensions = MakeCredentialsRequestExtensions {
-        cred_protect: Some(CredentialProtectionPolicy::Required),
+        cred_protect: Some(CredentialProtectionExtension {
+            policy: CredentialProtectionPolicy::UserVerificationRequired,
+            enforce_policy: true,
+        }),
         cred_blob: Some(r"My own little blob".into()),
-        large_blob_key: None,
+        large_blob: MakeCredentialLargeBlobExtension::None,
         min_pin_length: Some(true),
         hmac_or_prf: MakeCredentialHmacOrPrfInput::HmacGetSecret,
+        cred_props: Some(true),
     };
 
     for mut device in devices {
@@ -148,6 +152,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                     salt1: [1; 32],
                     salt2: None,
                 }),
+                ..Default::default()
             }),
             timeout: TIMEOUT,
         };

libwebauthn/examples/webauthn_prf_hid.rs

@@ -85,11 +85,8 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     let challenge: [u8; 32] = thread_rng().gen();
 
     let extensions = MakeCredentialsRequestExtensions {
-        cred_protect: None,
-        cred_blob: None,
-        large_blob_key: None,
-        min_pin_length: None,
         hmac_or_prf: MakeCredentialHmacOrPrfInput::Prf,
+        ..Default::default()
     };
 
     for mut device in devices {
@@ -429,8 +426,8 @@ async fn run_success_test(
         allow: vec![credential.clone()],
         user_verification: UserVerificationRequirement::Discouraged,
         extensions: Some(GetAssertionRequestExtensions {
-            cred_blob: None,
             hmac_or_prf,
+            ..Default::default()
         }),
         timeout: TIMEOUT,
     };
@@ -471,8 +468,8 @@ async fn run_failed_test(
         allow: credential.map(|x| vec![x.clone()]).unwrap_or_default(),
         user_verification: UserVerificationRequirement::Discouraged,
         extensions: Some(GetAssertionRequestExtensions {
-            cred_blob: None,
             hmac_or_prf,
+            ..Default::default()
         }),
         timeout: TIMEOUT,
     };

libwebauthn/src/ops/webauthn.rs

@@ -3,8 +3,8 @@ use std::{
     time::Duration,
 };
 
-use ctap_types::ctap2::credential_management::CredentialProtectionPolicy;
-use serde::Deserialize;
+use ctap_types::ctap2::credential_management::CredentialProtectionPolicy as Ctap2CredentialProtectionPolicy;
+use serde::{Deserialize, Serialize};
 use serde_cbor::Value;
 use sha2::{Digest, Sha256};
 use tracing::{debug, error, instrument, trace};
@@ -113,11 +113,67 @@ pub enum MakeCredentialHmacOrPrfOutput {
     },
 }
 
+#[derive(Debug, Clone)]
+pub struct CredentialProtectionExtension {
+    pub policy: CredentialProtectionPolicy,
+    pub enforce_policy: bool,
+}
+
+#[derive(Debug, Clone, Deserialize, Serialize, PartialEq, Eq)]
+#[serde(rename_all = "camelCase")]
+pub enum CredentialProtectionPolicy {
+    UserVerificationOptional = 1,
+    UserVerificationOptionalWithCredentialIdList = 2,
+    UserVerificationRequired = 3,
+}
+
+impl From<CredentialProtectionPolicy> for Ctap2CredentialProtectionPolicy {
+    fn from(value: CredentialProtectionPolicy) -> Self {
+        match value {
+            CredentialProtectionPolicy::UserVerificationOptional => {
+                Ctap2CredentialProtectionPolicy::Optional
+            }
+            CredentialProtectionPolicy::UserVerificationOptionalWithCredentialIdList => {
+                Ctap2CredentialProtectionPolicy::OptionalWithCredentialIdList
+            }
+            CredentialProtectionPolicy::UserVerificationRequired => {
+                Ctap2CredentialProtectionPolicy::Required
+            }
+        }
+    }
+}
+
+impl From<Ctap2CredentialProtectionPolicy> for CredentialProtectionPolicy {
+    fn from(value: Ctap2CredentialProtectionPolicy) -> Self {
+        match value {
+            Ctap2CredentialProtectionPolicy::Optional => {
+                CredentialProtectionPolicy::UserVerificationOptional
+            }
+            Ctap2CredentialProtectionPolicy::OptionalWithCredentialIdList => {
+                CredentialProtectionPolicy::UserVerificationOptionalWithCredentialIdList
+            }
+            Ctap2CredentialProtectionPolicy::Required => {
+                CredentialProtectionPolicy::UserVerificationRequired
+            }
+        }
+    }
+}
+
+#[derive(Debug, Default, Clone, Deserialize, Serialize, PartialEq, Eq)]
+#[serde(rename_all = "camelCase")]
+pub enum MakeCredentialLargeBlobExtension {
+    #[default]
+    None,
+    Preferred,
+    Required,
+}
+
 #[derive(Debug, Default, Clone)]
 pub struct MakeCredentialsRequestExtensions {
-    pub cred_protect: Option<CredentialProtectionPolicy>,
+    pub cred_props: Option<bool>,
+    pub cred_protect: Option<CredentialProtectionExtension>,
     pub cred_blob: Option<Vec<u8>>,
-    pub large_blob_key: Option<bool>,
+    pub large_blob: MakeCredentialLargeBlobExtension,
     pub min_pin_length: Option<bool>,
     pub hmac_or_prf: MakeCredentialHmacOrPrfInput,
 }
@@ -130,6 +186,9 @@ pub struct MakeCredentialsResponseExtensions {
     /// Current min PIN lenght
     pub min_pin_length: Option<u32>,
     pub hmac_or_prf: MakeCredentialHmacOrPrfOutput,
+    // Currently, credProps only returns one value: rk = bool
+    // If these get more in the future, we can use a struct here.
+    pub cred_props_rk: Option<bool>,
 }
 
 impl MakeCredentialRequest {
@@ -190,10 +249,20 @@ pub struct HMACGetSecretInput {
     pub salt2: Option<[u8; 32]>,
 }
 
+#[derive(Debug, Default, Clone, PartialEq, Eq)]
+pub enum GetAssertionLargeBlobExtension {
+    #[default]
+    None,
+    Read,
+    // Not yet supported
+    // Write(Vec<u8>),
+}
+
 #[derive(Debug, Default, Clone)]
 pub struct GetAssertionRequestExtensions {
     pub cred_blob: Option<bool>,
     pub hmac_or_prf: GetAssertionHmacOrPrfInput,
+    pub large_blob: GetAssertionLargeBlobExtension,
 }
 
 #[derive(Clone, Debug, Default)]

libwebauthn/src/proto/ctap2/model/get_assertion.rs

@@ -2,8 +2,9 @@ use crate::{
     fido::AuthenticatorData,
     ops::webauthn::{
         Assertion, Ctap2HMACGetSecretOutput, GetAssertionHmacOrPrfInput,
-        GetAssertionHmacOrPrfOutput, GetAssertionRequest, GetAssertionRequestExtensions,
-        GetAssertionResponseExtensions, HMACGetSecretInput, PRFValue,
+        GetAssertionHmacOrPrfOutput, GetAssertionLargeBlobExtension, GetAssertionRequest,
+        GetAssertionRequestExtensions, GetAssertionResponseExtensions, HMACGetSecretInput,
+        PRFValue,
     },
     pin::PinUvAuthProtocol,
     transport::AuthTokenData,
@@ -141,15 +142,36 @@ impl Ctap2GetAssertionRequest {
             .as_ref()
             .map_or(true, |extensions| extensions.skip_serializing())
     }
+
+    pub(crate) fn from_webauthn_request(
+        req: &GetAssertionRequest,
+        info: &Ctap2GetInfoResponse,
+    ) -> Result<Self, Error> {
+        // Cloning it, so we can modify it
+        let mut req = req.clone();
+        if let Some(ext) = req.extensions.as_mut() {
+            // LargeBlob (NOTE: Not to be confused with LargeBlobKey)
+            // https://w3c.github.io/webauthn/#sctn-large-blob-extension
+            // If read is present and has the value true:
+            // [..]
+            // 3. If successful, set blob to the result.
+            //
+            // So we silently drop the extension if the device does not support it.
+            if !info.option_enabled("largeBlobs") {
+                ext.large_blob = GetAssertionLargeBlobExtension::None;
+            }
+        }
+        Ok(Ctap2GetAssertionRequest::from(req))
+    }
 }
 
-impl From<&GetAssertionRequest> for Ctap2GetAssertionRequest {
-    fn from(op: &GetAssertionRequest) -> Self {
+impl From<GetAssertionRequest> for Ctap2GetAssertionRequest {
+    fn from(op: GetAssertionRequest) -> Self {
         Self {
-            relying_party_id: op.relying_party_id.clone(),
-            client_data_hash: ByteBuf::from(op.hash.clone()),
-            allow: op.allow.clone(),
-            extensions: op.extensions.as_ref().map(|x| x.clone().into()),
+            relying_party_id: op.relying_party_id,
+            client_data_hash: ByteBuf::from(op.hash),
+            allow: op.allow,
+            extensions: op.extensions.map(|x| x.into()),
             options: Some(Ctap2GetAssertionOptions {
                 require_user_presence: true,
                 require_user_verification: op.user_verification.is_required(),
@@ -169,6 +191,8 @@ pub struct Ctap2GetAssertionRequestExtensions {
     #[serde(rename = "hmac-secret", skip_serializing_if = "Option::is_none")]
     pub hmac_secret: Option<CalculatedHMACGetSecretInput>,
     // From which we calculate hmac_secret
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub large_blob_key: Option<bool>,
     #[serde(skip)]
     pub hmac_or_prf: GetAssertionHmacOrPrfInput,
 }
@@ -179,6 +203,11 @@ impl From<GetAssertionRequestExtensions> for Ctap2GetAssertionRequestExtensions
             cred_blob: other.cred_blob,
             hmac_secret: None, // Get's calculated later
             hmac_or_prf: other.hmac_or_prf,
+            large_blob_key: if other.large_blob == GetAssertionLargeBlobExtension::Read {
+                Some(true)
+            } else {
+                None
+            },
         }
     }
 }