Implement discoverable credential 'preferred'

Author: msirringhaus

libwebauthn/examples/webauthn_cable.rs

@@ -18,7 +18,8 @@ use tokio::time::sleep;
 use tracing_subscriber::{self, EnvFilter};
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionRequest, MakeCredentialRequest, UserVerificationRequirement,
+    DiscoverableCredentialRequirement, GetAssertionRequest, MakeCredentialRequest,
+    UserVerificationRequirement,
 };
 use libwebauthn::proto::ctap2::{
     Ctap2CredentialType, Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialRpEntity,
@@ -112,7 +113,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
             hash: Vec::from(challenge),
             relying_party: Ctap2PublicKeyCredentialRpEntity::new("example.org", "example.org"),
             user: Ctap2PublicKeyCredentialUserEntity::new(&user_id, "mario.rossi", "Mario Rossi"),
-            require_resident_key: false,
+            discoverable_credential: Some(DiscoverableCredentialRequirement::Discouraged),
             user_verification: UserVerificationRequirement::Preferred,
             algorithms: vec![Ctap2CredentialType::default()],
             exclude: None,

libwebauthn/examples/webauthn_extensions_hid.rs

@@ -10,10 +10,10 @@ use tokio::sync::mpsc::Receiver;
 use tracing_subscriber::{self, EnvFilter};
 
 use libwebauthn::ops::webauthn::{
-    CredentialProtectionExtension, CredentialProtectionPolicy, GetAssertionHmacOrPrfInput,
-    GetAssertionRequest, GetAssertionRequestExtensions, HMACGetSecretInput,
-    MakeCredentialHmacOrPrfInput, MakeCredentialLargeBlobExtension, MakeCredentialRequest,
-    MakeCredentialsRequestExtensions, UserVerificationRequirement,
+    CredentialProtectionExtension, CredentialProtectionPolicy, DiscoverableCredentialRequirement,
+    GetAssertionHmacOrPrfInput, GetAssertionRequest, GetAssertionRequestExtensions,
+    HMACGetSecretInput, MakeCredentialHmacOrPrfInput, MakeCredentialLargeBlobExtension,
+    MakeCredentialRequest, MakeCredentialsRequestExtensions, UserVerificationRequirement,
 };
 use libwebauthn::pin::PinRequestReason;
 use libwebauthn::proto::ctap2::{
@@ -108,7 +108,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
             hash: Vec::from(challenge),
             relying_party: Ctap2PublicKeyCredentialRpEntity::new("example.org", "example.org"),
             user: Ctap2PublicKeyCredentialUserEntity::new(&user_id, "mario.rossi", "Mario Rossi"),
-            require_resident_key: true,
+            discoverable_credential: Some(DiscoverableCredentialRequirement::Required),
             user_verification: UserVerificationRequirement::Preferred,
             algorithms: vec![Ctap2CredentialType::default()],
             exclude: None,

libwebauthn/examples/webauthn_hid.rs

@@ -10,7 +10,8 @@ use tokio::sync::mpsc::Receiver;
 use tracing_subscriber::{self, EnvFilter};
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionRequest, MakeCredentialRequest, UserVerificationRequirement,
+    DiscoverableCredentialRequirement, GetAssertionRequest, MakeCredentialRequest,
+    UserVerificationRequirement,
 };
 use libwebauthn::pin::PinRequestReason;
 use libwebauthn::proto::ctap2::{
@@ -91,7 +92,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
             hash: Vec::from(challenge),
             relying_party: Ctap2PublicKeyCredentialRpEntity::new("example.org", "example.org"),
             user: Ctap2PublicKeyCredentialUserEntity::new(&user_id, "mario.rossi", "Mario Rossi"),
-            require_resident_key: false,
+            discoverable_credential: Some(DiscoverableCredentialRequirement::Discouraged),
             user_verification: UserVerificationRequirement::Preferred,
             algorithms: vec![Ctap2CredentialType::default()],
             exclude: None,

libwebauthn/examples/webauthn_preflight_hid.rs

@@ -12,7 +12,8 @@ use tokio::sync::mpsc::Receiver;
 use tracing_subscriber::{self, EnvFilter};
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionRequest, GetAssertionResponse, MakeCredentialRequest, UserVerificationRequirement,
+    DiscoverableCredentialRequirement, GetAssertionRequest, GetAssertionResponse,
+    MakeCredentialRequest, UserVerificationRequirement,
 };
 use libwebauthn::pin::PinRequestReason;
 use libwebauthn::proto::ctap2::{
@@ -164,7 +165,7 @@ async fn make_credential_call(
         hash: Vec::from(challenge),
         relying_party: Ctap2PublicKeyCredentialRpEntity::new("example.org", "example.org"),
         user: Ctap2PublicKeyCredentialUserEntity::new(&user_id, "mario.rossi", "Mario Rossi"),
-        require_resident_key: false,
+        discoverable_credential: Some(DiscoverableCredentialRequirement::Discouraged),
         user_verification: UserVerificationRequirement::Preferred,
         algorithms: vec![Ctap2CredentialType::default()],
         exclude: exclude_list,

libwebauthn/examples/webauthn_prf_hid.rs

@@ -12,9 +12,9 @@ use tokio::sync::mpsc::Receiver;
 use tracing_subscriber::{self, EnvFilter};
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionHmacOrPrfInput, GetAssertionRequest, GetAssertionRequestExtensions,
-    MakeCredentialHmacOrPrfInput, MakeCredentialRequest, MakeCredentialsRequestExtensions,
-    PRFValue, UserVerificationRequirement,
+    DiscoverableCredentialRequirement, GetAssertionHmacOrPrfInput, GetAssertionRequest,
+    GetAssertionRequestExtensions, MakeCredentialHmacOrPrfInput, MakeCredentialRequest,
+    MakeCredentialsRequestExtensions, PRFValue, UserVerificationRequirement,
 };
 use libwebauthn::pin::PinRequestReason;
 use libwebauthn::proto::ctap2::{
@@ -102,7 +102,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
             hash: Vec::from(challenge),
             relying_party: Ctap2PublicKeyCredentialRpEntity::new("example.org", "example.org"),
             user: Ctap2PublicKeyCredentialUserEntity::new(&user_id, "mario.rossi", "Mario Rossi"),
-            require_resident_key: true,
+            discoverable_credential: Some(DiscoverableCredentialRequirement::Required),
             user_verification: UserVerificationRequirement::Preferred,
             algorithms: vec![Ctap2CredentialType::default()],
             exclude: None,

libwebauthn/src/ops/webauthn.rs

@@ -12,9 +12,10 @@ pub use get_assertion::{
 };
 pub use make_credential::{
     CredentialPropsExtension, CredentialProtectionExtension, CredentialProtectionPolicy,
-    MakeCredentialHmacOrPrfInput, MakeCredentialLargeBlobExtension,
-    MakeCredentialLargeBlobExtensionOutput, MakeCredentialPrfOutput, MakeCredentialRequest,
-    MakeCredentialResponse, MakeCredentialsRequestExtensions, MakeCredentialsResponseExtensions,
+    DiscoverableCredentialRequirement, MakeCredentialHmacOrPrfInput,
+    MakeCredentialLargeBlobExtension, MakeCredentialLargeBlobExtensionOutput,
+    MakeCredentialPrfOutput, MakeCredentialRequest, MakeCredentialResponse,
+    MakeCredentialsRequestExtensions, MakeCredentialsResponseExtensions,
     MakeCredentialsResponseUnsignedExtensions,
 };
 
@@ -51,7 +52,8 @@ pub trait DowngradableRequest<T> {
 #[cfg(test)]
 mod tests {
     use crate::ops::webauthn::{
-        DowngradableRequest, MakeCredentialRequest, UserVerificationRequirement,
+        DiscoverableCredentialRequirement, DowngradableRequest, MakeCredentialRequest,
+        UserVerificationRequirement,
     };
     use crate::proto::ctap2::{
         Ctap2COSEAlgorithmIdentifier, Ctap2CredentialType, Ctap2PublicKeyCredentialType,
@@ -61,15 +63,15 @@ mod tests {
     fn ctap2_make_credential_downgradable() {
         let mut request = MakeCredentialRequest::dummy();
         request.algorithms = vec![Ctap2CredentialType::default()];
-        request.require_resident_key = false;
+        request.discoverable_credential = Some(DiscoverableCredentialRequirement::Discouraged);
         assert!(request.is_downgradable());
     }
 
     #[test]
     fn ctap2_make_credential_downgradable_unsupported_rk() {
         let mut request = MakeCredentialRequest::dummy();
         request.algorithms = vec![Ctap2CredentialType::default()];
-        request.require_resident_key = true;
+        request.discoverable_credential = Some(DiscoverableCredentialRequirement::Required);
         assert!(!request.is_downgradable());
     }
 

libwebauthn/src/ops/webauthn/make_credential.rs

@@ -98,9 +98,23 @@ impl MakeCredentialsResponseUnsignedExtensions {
                     // https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#op-makecred-step-rk
                     // if the "rk" option is false: the authenticator MUST create a non-discoverable credential.
                     // Note: This step is a change from CTAP2.0 where if the "rk" option is false the authenticator could optionally create a discoverable credential.
-                    Some(CredentialPropsExtension {
-                        rk: Some(request.require_resident_key),
-                    })
+                    match request.discoverable_credential {
+                        Some(DiscoverableCredentialRequirement::Discouraged) | None => {
+                            Some(CredentialPropsExtension { rk: Some(false) })
+                        }
+                        Some(DiscoverableCredentialRequirement::Preferred) => {
+                            if info.map(|i| i.option_enabled("rk")).unwrap_or_default() {
+                                Some(CredentialPropsExtension { rk: Some(true) })
+                            } else {
+                                // Default value in case "rk" is missing (which it is in this constellation) is "false"
+                                // https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#makecred-rk
+                                Some(CredentialPropsExtension { rk: Some(false) })
+                            }
+                        }
+                        Some(DiscoverableCredentialRequirement::Required) => {
+                            Some(CredentialPropsExtension { rk: Some(true) })
+                        }
+                    }
                 } else {
                     Some(CredentialPropsExtension {
                         // For CTAP 2.0, we can't say if "rk" is true or not.
@@ -135,6 +149,13 @@ impl MakeCredentialsResponseUnsignedExtensions {
     }
 }
 
+#[derive(Debug, Clone, Copy)]
+pub enum DiscoverableCredentialRequirement {
+    Required,
+    Preferred,
+    Discouraged,
+}
+
 #[derive(Debug, Clone)]
 pub struct MakeCredentialRequest {
     pub hash: Vec<u8>,
@@ -143,7 +164,7 @@ pub struct MakeCredentialRequest {
     pub relying_party: Ctap2PublicKeyCredentialRpEntity,
     /// userEntity
     pub user: Ctap2PublicKeyCredentialUserEntity,
-    pub require_resident_key: bool,
+    pub discoverable_credential: Option<DiscoverableCredentialRequirement>,
     pub user_verification: UserVerificationRequirement,
     /// credTypesAndPubKeyAlgs
     pub algorithms: Vec<Ctap2CredentialType>,
@@ -270,7 +291,7 @@ impl MakeCredentialRequest {
             exclude: None,
             extensions: None,
             origin: "example.org".to_owned(),
-            require_resident_key: false,
+            discoverable_credential: None,
             user_verification: UserVerificationRequirement::Discouraged,
             timeout: Duration::from_secs(10),
         }
@@ -294,7 +315,10 @@ impl DowngradableRequest<RegisterRequest> for MakeCredentialRequest {
         }
 
         // Options must not include "rk" set to true.
-        if self.require_resident_key {
+        if matches!(
+            self.discoverable_credential,
+            Some(DiscoverableCredentialRequirement::Required)
+        ) {
             debug!("Not downgradable: request requires resident key");
             return false;
         }