Catch UvBlocked and have way to fall back to PIN internally

msirringhaus · msirringhaus · commit a0768a45be46 · 2025-01-27T10:22:45.000+01:00
diff --git a/libwebauthn/src/proto/ctap2/model.rs b/libwebauthn/src/proto/ctap2/model.rs
@@ -644,26 +644,32 @@ impl Ctap2GetInfoResponse {
             (self.option_enabled("pinUvAuthToken") && self.option_enabled("uv"))
     }
 
-    pub fn uv_operation(&self) -> Ctap2UserVerificationOperation {
-        if self.option_enabled("uv") {
+    pub fn uv_operation(&self, uv_blocked: bool) -> Option<Ctap2UserVerificationOperation> {
+        if self.option_enabled("uv") && !uv_blocked {
             if self.option_enabled("pinUvAuthToken") {
                 debug!("getPinUvAuthTokenUsingUvWithPermissions");
-                return Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingUvWithPermissions;
+                return Some(
+                    Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingUvWithPermissions,
+                );
             } else {
                 debug!("Deprecated FIDO 2.0 behaviour: populating 'uv' flag");
-                return Ctap2UserVerificationOperation::None;
+                return Some(Ctap2UserVerificationOperation::None);
             }
         } else {
             // !uv
             if self.option_enabled("pinUvAuthToken") {
                 assert!(self.option_enabled("clientPin"));
                 debug!("getPinUvAuthTokenUsingPinWithPermissions");
-                return Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingPinWithPermissions;
-            } else {
+                return Some(
+                    Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingPinWithPermissions,
+                );
+            } else if self.option_enabled("clientPin") {
                 // !pinUvAuthToken
-                assert!(self.option_enabled("clientPin"));
                 debug!("getPinToken");
-                return Ctap2UserVerificationOperation::GetPinToken;
+                return Some(Ctap2UserVerificationOperation::GetPinToken);
+            } else {
+                debug!("No UV and no PIN (e.g. maybe UV was blocked and no PIN available)");
+                return None;
             }
         }
     }
diff --git a/libwebauthn/src/proto/error.rs b/libwebauthn/src/proto/error.rs
@@ -7,49 +7,53 @@ use crate::proto::ctap1::apdu::ApduResponseStatus;
 #[derive(Debug, IntoPrimitive, TryFromPrimitive, Copy, Clone, PartialEq)]
 #[repr(u8)]
 pub enum CtapError {
-    Ok = 0x00,                   // CTAP1_ERR_SUCCESS, CTAP2_OK
-    InvalidCommand = 0x01,       // CTAP1_ERR_INVALID_COMMAND
-    InvalidParameter = 0x02,     // CTAP1_ERR_INVALID_PARAMETER
-    InvalidLength = 0x03,        // CTAP1_ERR_INVALID_LENGTH
-    InvalidSeq = 0x04,           // CTAP1_ERR_INVALID_SEQ
-    Timeout = 0x05,              // CTAP1_ERR_TIMEOUT
-    ChannelBusy = 0x06,          // CTAP1_ERR_CHANNEL_BUSY
-    LockRequired = 0x0A,         // CTAP1_ERR_LOCK_REQUIRED
-    InvalidChannel = 0x0B,       // CTAP1_ERR_INVALID_CHANNEL
-    InvalidCborType = 0x11,      // CTAP2_ERR_CBOR_UNEXPECTED_TYPE
-    InvalidCbor = 0x12,          // CTAP2_ERR_INVALID_CBOR
-    MissingParameter = 0x14,     // CTAP2_ERR_MISSING_PARAMETER
-    LimitExceeded = 0x15,        // CTAP2_ERR_LIMIT_EXCEEDED,
-    UnsupportedExtension = 0x16, // CTAP2_ERR_UNSUPPORTED_EXTENSION
-    CredentialExcluded = 0x19,   // CTAP2_ERR_CREDENTIAL_EXCLUDED
-    Processing = 0x21,           // CTAP2_ERR_PROCESSING
-    InvalidCredential = 0x22,    // CTAP2_ERR_INVALID_CREDENTIAL
-    UserActionPending = 0x23,    // CTAP2_ERR_USER_ACTION_PENDING
-    OperationPending = 0x24,     // CTAP2_ERR_OPERATION_PENDING
-    NoOperations = 0x25,         // CTAP2_ERR_NO_OPERATIONS
-    UnsupportedAlgorithm = 0x26, // CTAP2_ERR_UNSUPPORTED_ALGORITHM
-    OperationDenied = 0x27,      // CTAP2_ERR_OPERATION_DENIED
-    KeyStoreFull = 0x28,         // CTAP2_ERR_KEY_STORE_FULL
-    NoOperationPending = 0x2A,   // CTAP2_ERR_NO_OPERATION_PENDING
-    UnsupportedOption = 0x2B,    // CTAP2_ERR_UNSUPPORTED_OPTION
-    InvalidOption = 0x2C,        // CTAP2_ERR_INVALID_OPTION
-    KeepAliveCancel = 0x2D,      // CTAP2_ERR_KEEPALIVE_CANCEL
-    NoCredentials = 0x2E,        // CTAP2_ERR_NO_CREDENTIALS
-    UserActionTimeout = 0x2F,    // CTAP2_ERR_USER_ACTION_TIMEOUT
-    NotAllowed = 0x30,           // CTAP2_ERR_NOT_ALLOWED
-    PINInvalid = 0x31,           // CTAP2_ERR_PIN_INVALID
-    PINBlocked = 0x32,           // CTAP2_ERR_PIN_BLOCKED
-    PINAuthInvalid = 0x33,       // CTAP2_ERR_PIN_AUTH_INVALID
-    PINAuthBlocked = 0x34,       // CTAP2_ERR_PIN_AUTH_BLOCKED
-    PINNotSet = 0x35,            // CTAP2_ERR_PIN_NOT_SET
-    PINRequired = 0x36,          // CTAP2_ERR_PIN_REQUIRED
-    PINPolicyViolation = 0x37,   // CTAP2_ERR_PIN_POLICY_VIOLATION
-    PINTokenExpired = 0x38,      // CTAP2_ERR_PIN_TOKEN_EXPIRED
-    RequestTooLarge = 0x39,      // CTAP2_ERR_REQUEST_TOO_LARGE
-    ActionTimeout = 0x3A,        // CTAP2_ERR_ACTION_TIMEOUT
-    UserPresenceRequired = 0x3B, // CTAP2_ERR_UP_REQUIRED
-    UVInvalid = 0x3F,            // CTAP2_ERR_UV_INVALID
-    Other = 0x7F,                // CTAP1_ERR_OTHER
+    Ok = 0x00,                     // CTAP1_ERR_SUCCESS, CTAP2_OK
+    InvalidCommand = 0x01,         // CTAP1_ERR_INVALID_COMMAND
+    InvalidParameter = 0x02,       // CTAP1_ERR_INVALID_PARAMETER
+    InvalidLength = 0x03,          // CTAP1_ERR_INVALID_LENGTH
+    InvalidSeq = 0x04,             // CTAP1_ERR_INVALID_SEQ
+    Timeout = 0x05,                // CTAP1_ERR_TIMEOUT
+    ChannelBusy = 0x06,            // CTAP1_ERR_CHANNEL_BUSY
+    LockRequired = 0x0A,           // CTAP1_ERR_LOCK_REQUIRED
+    InvalidChannel = 0x0B,         // CTAP1_ERR_INVALID_CHANNEL
+    InvalidCborType = 0x11,        // CTAP2_ERR_CBOR_UNEXPECTED_TYPE
+    InvalidCbor = 0x12,            // CTAP2_ERR_INVALID_CBOR
+    MissingParameter = 0x14,       // CTAP2_ERR_MISSING_PARAMETER
+    LimitExceeded = 0x15,          // CTAP2_ERR_LIMIT_EXCEEDED,
+    UnsupportedExtension = 0x16,   // CTAP2_ERR_UNSUPPORTED_EXTENSION
+    CredentialExcluded = 0x19,     // CTAP2_ERR_CREDENTIAL_EXCLUDED
+    Processing = 0x21,             // CTAP2_ERR_PROCESSING
+    InvalidCredential = 0x22,      // CTAP2_ERR_INVALID_CREDENTIAL
+    UserActionPending = 0x23,      // CTAP2_ERR_USER_ACTION_PENDING
+    OperationPending = 0x24,       // CTAP2_ERR_OPERATION_PENDING
+    NoOperations = 0x25,           // CTAP2_ERR_NO_OPERATIONS
+    UnsupportedAlgorithm = 0x26,   // CTAP2_ERR_UNSUPPORTED_ALGORITHM
+    OperationDenied = 0x27,        // CTAP2_ERR_OPERATION_DENIED
+    KeyStoreFull = 0x28,           // CTAP2_ERR_KEY_STORE_FULL
+    NoOperationPending = 0x2A,     // CTAP2_ERR_NO_OPERATION_PENDING
+    UnsupportedOption = 0x2B,      // CTAP2_ERR_UNSUPPORTED_OPTION
+    InvalidOption = 0x2C,          // CTAP2_ERR_INVALID_OPTION
+    KeepAliveCancel = 0x2D,        // CTAP2_ERR_KEEPALIVE_CANCEL
+    NoCredentials = 0x2E,          // CTAP2_ERR_NO_CREDENTIALS
+    UserActionTimeout = 0x2F,      // CTAP2_ERR_USER_ACTION_TIMEOUT
+    NotAllowed = 0x30,             // CTAP2_ERR_NOT_ALLOWED
+    PINInvalid = 0x31,             // CTAP2_ERR_PIN_INVALID
+    PINBlocked = 0x32,             // CTAP2_ERR_PIN_BLOCKED
+    PINAuthInvalid = 0x33,         // CTAP2_ERR_PIN_AUTH_INVALID
+    PINAuthBlocked = 0x34,         // CTAP2_ERR_PIN_AUTH_BLOCKED
+    PINNotSet = 0x35,              // CTAP2_ERR_PIN_NOT_SET
+    PINRequired = 0x36,            // CTAP2_ERR_PIN_REQUIRED
+    PINPolicyViolation = 0x37,     // CTAP2_ERR_PIN_POLICY_VIOLATION
+    PINTokenExpired = 0x38,        // CTAP2_ERR_PIN_TOKEN_EXPIRED
+    RequestTooLarge = 0x39,        // CTAP2_ERR_REQUEST_TOO_LARGE
+    ActionTimeout = 0x3A,          // CTAP2_ERR_ACTION_TIMEOUT
+    UserPresenceRequired = 0x3B,   // CTAP2_ERR_UP_REQUIRED
+    UvBlocked = 0x3C,              // CTAP2_ERR_UV_BLOCKED
+    IntegrityFailure = 0x3D,       // CTAP2_ERR_INTEGRITY_FAILURE
+    InvalidSubcommand = 0x3E,      // CTAP2_ERR_INVALID_SUBCOMMAND
+    UVInvalid = 0x3F,              // CTAP2_ERR_UV_INVALID
+    UnauthorizedPermission = 0x40, // CTAP2_ERR_UNAUTHORIZED_PERMISSION
+    Other = 0x7F,                  // CTAP1_ERR_OTHER
 }
 
 impl CtapError {
diff --git a/libwebauthn/src/transport/error.rs b/libwebauthn/src/transport/error.rs
@@ -5,6 +5,7 @@ pub enum PlatformError {
     PinTooShort,
     PinTooLong,
     PinNotSupported,
+    NoUvAvailable,
 }
 
 impl std::error::Error for PlatformError {}
diff --git a/libwebauthn/src/webauthn.rs b/libwebauthn/src/webauthn.rs
@@ -19,7 +19,7 @@ use crate::proto::ctap2::{
     Ctap2, Ctap2ClientPinRequest, Ctap2GetAssertionRequest, Ctap2GetInfoResponse,
     Ctap2MakeCredentialRequest, Ctap2UserVerifiableRequest, Ctap2UserVerificationOperation,
 };
-pub use crate::transport::error::{CtapError, Error, TransportError};
+pub use crate::transport::error::{CtapError, Error, PlatformError, TransportError};
 use crate::transport::Channel;
 
 #[async_trait]
@@ -248,60 +248,85 @@ where
         return Ok(());
     }
 
-    let uv_operation = get_info_response.uv_operation();
-    if let Ctap2UserVerificationOperation::None = uv_operation {
-        debug!("No client operation. Setting deprecated request options.uv flag to true.");
-        ctap2_request.ensure_uv_set();
-        return Ok(());
-    }
-
-    // For operations that include a PIN, we want to fetch one before obtaining a shared secret.
-    // This prevents the shared secret from expiring whilst we wait for the user to enter a PIN.
-    let pin = match uv_operation {
-        Ctap2UserVerificationOperation::None => unreachable!(),
-        Ctap2UserVerificationOperation::GetPinToken
-        | Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingPinWithPermissions => {
-            Some(obtain_pin(channel, pin_provider, timeout).await?)
-        }
-        Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingUvWithPermissions => {
-            None // TODO probably?
+    let mut uv_blocked = false;
+    let (uv_proto, token_response, shared_secret) = loop {
+        let uv_operation = get_info_response.uv_operation(uv_blocked).ok_or_else(|| {
+            if uv_blocked {
+                Error::Ctap(CtapError::UvBlocked)
+            } else {
+                Error::Platform(PlatformError::NoUvAvailable)
+            }
+        })?;
+        if let Ctap2UserVerificationOperation::None = uv_operation {
+            debug!("No client operation. Setting deprecated request options.uv flag to true.");
+            ctap2_request.ensure_uv_set();
+            return Ok(());
         }
-    };
 
-    // In preparation for obtaining pinUvAuthToken, the platform:
-    // * Obtains a shared secret.
-    let uv_proto = select_uv_proto(&get_info_response).await?;
-    let (public_key, shared_secret) = obtain_shared_secret(channel, &uv_proto, timeout).await?;
-
-    // Then the platform obtains a pinUvAuthToken from the authenticator, with the mc (and likely also with the ga)
-    // permission (see "pre-flight", mentioned above), using the selected operation.
-    let token_request = match uv_operation {
-        Ctap2UserVerificationOperation::None => unreachable!(),
-        Ctap2UserVerificationOperation::GetPinToken => Ctap2ClientPinRequest::new_get_pin_token(
-            uv_proto.version(),
-            public_key,
-            &uv_proto.encrypt(&shared_secret, &pin_hash(&pin.unwrap()))?,
-        ),
-        Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingPinWithPermissions => {
-            Ctap2ClientPinRequest::new_get_pin_token_with_perm(
-                uv_proto.version(),
-                public_key,
-                &uv_proto.encrypt(&shared_secret, &pin_hash(&pin.unwrap()))?,
-                ctap2_request.permissions(),
-                ctap2_request.permissions_rpid(),
-            )
-        }
-        Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingUvWithPermissions => {
-            Ctap2ClientPinRequest::new_get_uv_token_with_perm(
-                uv_proto.version(),
-                public_key,
-                ctap2_request.permissions(),
-                ctap2_request.permissions_rpid(),
-            )
+        // For operations that include a PIN, we want to fetch one before obtaining a shared secret.
+        // This prevents the shared secret from expiring whilst we wait for the user to enter a PIN.
+        let pin = match uv_operation {
+            Ctap2UserVerificationOperation::None => unreachable!(),
+            Ctap2UserVerificationOperation::GetPinToken
+            | Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingPinWithPermissions => {
+                Some(obtain_pin(channel, pin_provider, timeout).await?)
+            }
+            Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingUvWithPermissions => {
+                None // TODO probably?
+            }
+        };
+
+        // In preparation for obtaining pinUvAuthToken, the platform:
+        // * Obtains a shared secret.
+        let uv_proto = select_uv_proto(&get_info_response).await?;
+        let (public_key, shared_secret) = obtain_shared_secret(channel, &uv_proto, timeout).await?;
+
+        // Then the platform obtains a pinUvAuthToken from the authenticator, with the mc (and likely also with the ga)
+        // permission (see "pre-flight", mentioned above), using the selected operation.
+        let token_request = match uv_operation {
+            Ctap2UserVerificationOperation::None => unreachable!(),
+            Ctap2UserVerificationOperation::GetPinToken => {
+                Ctap2ClientPinRequest::new_get_pin_token(
+                    uv_proto.version(),
+                    public_key,
+                    &uv_proto.encrypt(&shared_secret, &pin_hash(&pin.unwrap()))?,
+                )
+            }
+            Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingPinWithPermissions => {
+                Ctap2ClientPinRequest::new_get_pin_token_with_perm(
+                    uv_proto.version(),
+                    public_key,
+                    &uv_proto.encrypt(&shared_secret, &pin_hash(&pin.unwrap()))?,
+                    ctap2_request.permissions(),
+                    ctap2_request.permissions_rpid(),
+                )
+            }
+            Ctap2UserVerificationOperation::GetPinUvAuthTokenUsingUvWithPermissions => {
+                Ctap2ClientPinRequest::new_get_uv_token_with_perm(
+                    uv_proto.version(),
+                    public_key,
+                    ctap2_request.permissions(),
+                    ctap2_request.permissions_rpid(),
+                )
+            }
+        };
+
+        match channel.ctap2_client_pin(&token_request, timeout).await {
+            Ok(t) => {
+                break (uv_proto, t, shared_secret);
+            }
+            // Internal retry, because we otherwise can't fall back to PIN, if the UV is blocked
+            Err(Error::Ctap(CtapError::UvBlocked)) => {
+                warn!("UV failed too many times and is now blocked. Trying to fall back to PIN.");
+                uv_blocked = true;
+                continue;
+            }
+            Err(x) => {
+                return Err(x);
+            }
         }
     };
 
-    let token_response = channel.ctap2_client_pin(&token_request, timeout).await?;
     let Some(encrypted_pin_uv_auth_token) = token_response.pin_uv_auth_token else {
         error!("Client PIN response did not include a PIN UV auth token");
         return Err(Error::Ctap(CtapError::Other));

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ pub enum PlatformError {`
`5`	`5`	`PinTooShort,`
`6`	`6`	`PinTooLong,`
`7`	`7`	`PinNotSupported,`
	`8`	`+ NoUvAvailable,`
`8`	`9`	`}`
`9`	`10`
`10`	`11`	`impl std::error::Error for PlatformError {}`