Add possibility to cache pinUvAuthToken in PinProvider

Author: msirringhaus

libwebauthn/examples/authenticator_config_hid.rs

@@ -78,7 +78,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
 
     let devices = list_devices().await.unwrap();
     println!("Devices found: {:?}", devices);
-    let pin_provider: Box<dyn PinProvider> = Box::new(StdinPromptPinProvider::new());
+    let mut pin_provider: Box<dyn PinProvider> = Box::new(StdinPromptPinProvider::new());
 
     for mut device in devices {
         println!("Selected HID authenticator: {}", &device);
@@ -139,23 +139,23 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
 
         loop {
             let action = match options[idx] {
-                Operation::ToggleAlwaysUv => channel.toggle_always_uv(&pin_provider, TIMEOUT),
+                Operation::ToggleAlwaysUv => channel.toggle_always_uv(&mut pin_provider, TIMEOUT),
                 Operation::SetMinPinLengthRpids => channel.set_min_pin_length_rpids(
                     min_pin_length_rpids.clone(),
-                    &pin_provider,
+                    &mut pin_provider,
                     TIMEOUT,
                 ),
                 Operation::SetMinPinLength(..) => {
-                    channel.set_min_pin_length(new_pin_length, &pin_provider, TIMEOUT)
+                    channel.set_min_pin_length(new_pin_length, &mut pin_provider, TIMEOUT)
                 }
                 Operation::EnableEnterpriseAttestation => {
-                    channel.enable_enterprise_attestation(&pin_provider, TIMEOUT)
+                    channel.enable_enterprise_attestation(&mut pin_provider, TIMEOUT)
                 }
                 Operation::EnableForceChangePin => {
-                    channel.force_change_pin(true, &pin_provider, TIMEOUT)
+                    channel.force_change_pin(true, &mut pin_provider, TIMEOUT)
                 }
                 Operation::DisableForceChangePin => {
-                    channel.force_change_pin(false, &pin_provider, TIMEOUT)
+                    channel.force_change_pin(false, &mut pin_provider, TIMEOUT)
                 }
             };
             match action.await {

libwebauthn/examples/change_pin_hid.rs

@@ -25,7 +25,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
 
     let devices = list_devices().await.unwrap();
     println!("Devices found: {:?}", devices);
-    let pin_provider: Box<dyn PinProvider> = Box::new(StdinPromptPinProvider::new());
+    let mut pin_provider: Box<dyn PinProvider> = Box::new(StdinPromptPinProvider::new());
 
     for mut device in devices {
         println!("Selected HID authenticator: {}", &device);
@@ -44,7 +44,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
 
         let response = loop {
             match channel
-                .change_pin(&pin_provider, new_pin.clone(), TIMEOUT)
+                .change_pin(&mut pin_provider, new_pin.clone(), TIMEOUT)
                 .await
             {
                 Ok(response) => break Ok(response),

libwebauthn/examples/webauthn_hid.rs

@@ -2,6 +2,7 @@ use std::convert::TryInto;
 use std::error::Error;
 use std::time::Duration;
 
+use libwebauthn::proto::CtapError;
 use rand::{thread_rng, Rng};
 use tracing_subscriber::{self, EnvFilter};
 
@@ -10,8 +11,8 @@ use libwebauthn::ops::webauthn::{
 };
 use libwebauthn::pin::{PinProvider, StdinPromptPinProvider};
 use libwebauthn::proto::ctap2::{
-    Ctap2CredentialType, Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialRpEntity,
-    Ctap2PublicKeyCredentialUserEntity,
+    Ctap2CredentialType, Ctap2PinUvAuthProtocol, Ctap2PublicKeyCredentialDescriptor,
+    Ctap2PublicKeyCredentialRpEntity, Ctap2PublicKeyCredentialUserEntity,
 };
 use libwebauthn::transport::hid::list_devices;
 use libwebauthn::transport::Device;
@@ -36,7 +37,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     let user_id: [u8; 32] = thread_rng().gen();
     let challenge: [u8; 32] = thread_rng().gen();
 
-    let pin_provider: Box<dyn PinProvider> = Box::new(StdinPromptPinProvider::new());
+    let mut pin_provider: Box<dyn PinProvider> = Box::new(StdinPromptPinProvider::new());
 
     for mut device in devices {
         println!("Selected HID authenticator: {}", &device);
@@ -60,7 +61,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
 
         let response = loop {
             match channel
-                .webauthn_make_credential(&make_credentials_request, &pin_provider)
+                .webauthn_make_credential(&make_credentials_request, &mut pin_provider)
                 .await
             {
                 Ok(response) => break Ok(response),
@@ -77,6 +78,14 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         .unwrap();
         println!("WebAuthn MakeCredential response: {:?}", response);
 
+        // PUAP-version 2 has random IV, so the auth_token isn't reusable
+        if matches!(
+            pin_provider.get_uv_auth_token(),
+            Some((_, Ctap2PinUvAuthProtocol::Two))
+        ) {
+            pin_provider.set_uv_auth_token(None);
+        }
+
         let credential: Ctap2PublicKeyCredentialDescriptor = (&response).try_into().unwrap();
         let get_assertion = GetAssertionRequest {
             relying_party_id: "example.org".to_owned(),
@@ -89,10 +98,13 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
 
         let response = loop {
             match channel
-                .webauthn_get_assertion(&get_assertion, &pin_provider)
+                .webauthn_get_assertion(&get_assertion, &mut pin_provider)
                 .await
             {
                 Ok(response) => break Ok(response),
+                Err(WebAuthnError::Ctap(CtapError::PINAuthInvalid)) => {
+                    pin_provider.set_uv_auth_token(None);
+                }
                 Err(WebAuthnError::Ctap(ctap_error)) => {
                     if ctap_error.is_retryable_user_error() {
                         println!("Oops, try again! Error: {}", ctap_error);

libwebauthn/src/management.rs

@@ -20,34 +20,34 @@ use serde_bytes::ByteBuf;
 pub trait AuthenticatorConfig {
     async fn toggle_always_uv(
         &mut self,
-        pin_provider: &Box<dyn PinProvider>,
+        pin_provider: &mut Box<dyn PinProvider>,
         timeout: Duration,
     ) -> Result<(), Error>;
 
     async fn enable_enterprise_attestation(
         &mut self,
-        pin_provider: &Box<dyn PinProvider>,
+        pin_provider: &mut Box<dyn PinProvider>,
         timeout: Duration,
     ) -> Result<(), Error>;
 
     async fn set_min_pin_length(
         &mut self,
         new_pin_length: u64,
-        pin_provider: &Box<dyn PinProvider>,
+        pin_provider: &mut Box<dyn PinProvider>,
         timeout: Duration,
     ) -> Result<(), Error>;
 
     async fn force_change_pin(
         &mut self,
         force: bool,
-        pin_provider: &Box<dyn PinProvider>,
+        pin_provider: &mut Box<dyn PinProvider>,
         timeout: Duration,
     ) -> Result<(), Error>;
 
     async fn set_min_pin_length_rpids(
         &mut self,
         rpids: Vec<String>,
-        pin_provider: &Box<dyn PinProvider>,
+        pin_provider: &mut Box<dyn PinProvider>,
         timeout: Duration,
     ) -> Result<(), Error>;
 }
@@ -59,7 +59,7 @@ where
 {
     async fn toggle_always_uv(
         &mut self,
-        pin_provider: &Box<dyn PinProvider>,
+        pin_provider: &mut Box<dyn PinProvider>,
         timeout: Duration,
     ) -> Result<(), Error> {
         let mut req = Ctap2AuthenticatorConfigRequest::new_toggle_always_uv();
@@ -79,7 +79,7 @@ where
 
     async fn enable_enterprise_attestation(
         &mut self,
-        pin_provider: &Box<dyn PinProvider>,
+        pin_provider: &mut Box<dyn PinProvider>,
         timeout: Duration,
     ) -> Result<(), Error> {
         let mut req = Ctap2AuthenticatorConfigRequest::new_enable_enterprise_attestation();
@@ -100,7 +100,7 @@ where
     async fn set_min_pin_length(
         &mut self,
         new_pin_length: u64,
-        pin_provider: &Box<dyn PinProvider>,
+        pin_provider: &mut Box<dyn PinProvider>,
         timeout: Duration,
     ) -> Result<(), Error> {
         let mut req = Ctap2AuthenticatorConfigRequest::new_set_min_pin_length(new_pin_length);
@@ -121,7 +121,7 @@ where
     async fn force_change_pin(
         &mut self,
         force: bool,
-        pin_provider: &Box<dyn PinProvider>,
+        pin_provider: &mut Box<dyn PinProvider>,
         timeout: Duration,
     ) -> Result<(), Error> {
         let mut req = Ctap2AuthenticatorConfigRequest::new_force_change_pin(force);
@@ -142,7 +142,7 @@ where
     async fn set_min_pin_length_rpids(
         &mut self,
         rpids: Vec<String>,
-        pin_provider: &Box<dyn PinProvider>,
+        pin_provider: &mut Box<dyn PinProvider>,
         timeout: Duration,
     ) -> Result<(), Error> {
         let mut req = Ctap2AuthenticatorConfigRequest::new_set_min_pin_length_rpids(rpids);

libwebauthn/src/pin.rs

@@ -49,6 +49,8 @@ impl Default for PinUvAuthToken {
 #[async_trait]
 pub trait PinProvider: Send + Sync {
     async fn provide_pin(&self, attempts_left: Option<u32>) -> Option<String>;
+    fn set_uv_auth_token(&mut self, uv_auth_token: Option<(&[u8], Ctap2PinUvAuthProtocol)>);
+    fn get_uv_auth_token(&self) -> Option<(&[u8], Ctap2PinUvAuthProtocol)>;
 }
 
 #[derive(Debug, Clone)]
@@ -78,13 +80,21 @@ impl PinProvider for StaticPinProvider {
         info!({ pin = %self.pin, ?attempts_left }, "Providing static PIN");
         Some(self.pin.clone())
     }
+    fn set_uv_auth_token(&mut self, _uv_auth_token: Option<(&[u8], Ctap2PinUvAuthProtocol)>) {}
+    fn get_uv_auth_token(&self) -> Option<(&[u8], Ctap2PinUvAuthProtocol)> {
+        None
+    }
 }
 
-pub struct StdinPromptPinProvider {}
+pub struct StdinPromptPinProvider {
+    uv_auth_token: Option<(Vec<u8>, Ctap2PinUvAuthProtocol)>,
+}
 
 impl StdinPromptPinProvider {
     pub fn new() -> Self {
-        Self {}
+        Self {
+            uv_auth_token: None,
+        }
     }
 }
 
@@ -108,6 +118,14 @@ impl PinProvider for StdinPromptPinProvider {
 
         return Some(pin_raw);
     }
+    fn set_uv_auth_token(&mut self, uv_auth_token: Option<(&[u8], Ctap2PinUvAuthProtocol)>) {
+        self.uv_auth_token = uv_auth_token.map(|(token, version)| (token.to_vec(), version));
+    }
+    fn get_uv_auth_token(&self) -> Option<(&[u8], Ctap2PinUvAuthProtocol)> {
+        self.uv_auth_token
+            .as_ref()
+            .map(|(token, version)| (token.as_slice(), *version))
+    }
 }
 
 pub trait PinUvAuthProtocol: Send + Sync {

libwebauthn/src/proto/ctap2/model.rs

@@ -850,6 +850,7 @@ impl Ctap2ClientPinRequest {
 }
 
 bitflags! {
+    #[derive(Debug)]
     pub struct ClientPinRequestPermissions: u32 {
         const MAKE_CREDENTIAL = 0x01;
         const GET_ASSERTION = 0x02;

libwebauthn/src/proto/ctap2/protocol.rs

@@ -97,6 +97,10 @@ where
         trace!(?request);
         self.cbor_send(&request.into(), TIMEOUT_GET_INFO).await?;
         let cbor_response = self.cbor_recv(TIMEOUT_GET_INFO).await?;
+        match cbor_response.status_code {
+            CtapError::Ok => (),
+            error => return Err(Error::Ctap(error)),
+        };
         let ctap_response: Ctap2GetAssertionResponse =
             from_slice(&cbor_response.data.unwrap()).unwrap();
         debug!("CTAP2 GetAssertion successful");