Merge pull request #57 from msirringhaus/save_puat

* Add possibility to cache pinUvAuthToken in PinProvider
* Implement review feedback

Author: AlfioEmanueleFresta

libwebauthn/src/management.rs

@@ -1,15 +1,17 @@
 use serde_cbor::ser::to_vec;
 use std::time::Duration;
+use tracing::info;
 
 use crate::pin::{PinProvider, PinUvAuthProtocol};
 use crate::proto::ctap2::Ctap2AuthenticatorConfigCommand;
 pub use crate::transport::error::{CtapError, Error, TransportError};
 use crate::transport::Channel;
-use crate::webauthn::user_verification;
+use crate::webauthn::handle_errors;
+use crate::webauthn::{user_verification, UsedPinUvAuthToken};
 use crate::{
     ops::webauthn::UserVerificationRequirement,
     proto::ctap2::{
-        ClientPinRequestPermissions, Ctap2, Ctap2AuthenticatorConfigRequest,
+        Ctap2, Ctap2AuthTokenPermissionRole, Ctap2AuthenticatorConfigRequest,
         Ctap2UserVerifiableRequest,
     },
 };
@@ -64,17 +66,22 @@ where
     ) -> Result<(), Error> {
         let mut req = Ctap2AuthenticatorConfigRequest::new_toggle_always_uv();
 
-        user_verification(
-            self,
-            UserVerificationRequirement::Required,
-            &mut req,
-            pin_provider,
-            timeout,
-        )
-        .await?;
-
-        // On success, this is an all-empty Ctap2ClientPinResponse
-        self.ctap2_authenticator_config(&req, timeout).await
+        loop {
+            let uv_auth_used = user_verification(
+                self,
+                UserVerificationRequirement::Required,
+                &mut req,
+                pin_provider,
+                timeout,
+            )
+            .await?;
+            // On success, this is an all-empty Ctap2AuthenticatorConfigResponse
+            handle_errors!(
+                self,
+                self.ctap2_authenticator_config(&req, timeout).await,
+                uv_auth_used
+            )
+        }
     }
 
     async fn enable_enterprise_attestation(
@@ -84,17 +91,22 @@ where
     ) -> Result<(), Error> {
         let mut req = Ctap2AuthenticatorConfigRequest::new_enable_enterprise_attestation();
 
-        user_verification(
-            self,
-            UserVerificationRequirement::Required,
-            &mut req,
-            pin_provider,
-            timeout,
-        )
-        .await?;
-
-        // On success, this is an all-empty Ctap2ClientPinResponse
-        self.ctap2_authenticator_config(&req, timeout).await
+        loop {
+            let uv_auth_used = user_verification(
+                self,
+                UserVerificationRequirement::Required,
+                &mut req,
+                pin_provider,
+                timeout,
+            )
+            .await?;
+            // On success, this is an all-empty Ctap2AuthenticatorConfigResponse
+            handle_errors!(
+                self,
+                self.ctap2_authenticator_config(&req, timeout).await,
+                uv_auth_used
+            )
+        }
     }
 
     async fn set_min_pin_length(
@@ -105,17 +117,22 @@ where
     ) -> Result<(), Error> {
         let mut req = Ctap2AuthenticatorConfigRequest::new_set_min_pin_length(new_pin_length);
 
-        user_verification(
-            self,
-            UserVerificationRequirement::Required,
-            &mut req,
-            pin_provider,
-            timeout,
-        )
-        .await?;
-
-        // On success, this is an all-empty Ctap2ClientPinResponse
-        self.ctap2_authenticator_config(&req, timeout).await
+        loop {
+            let uv_auth_used = user_verification(
+                self,
+                UserVerificationRequirement::Required,
+                &mut req,
+                pin_provider,
+                timeout,
+            )
+            .await?;
+            // On success, this is an all-empty Ctap2AuthenticatorConfigResponse
+            handle_errors!(
+                self,
+                self.ctap2_authenticator_config(&req, timeout).await,
+                uv_auth_used
+            )
+        }
     }
 
     async fn force_change_pin(
@@ -126,17 +143,22 @@ where
     ) -> Result<(), Error> {
         let mut req = Ctap2AuthenticatorConfigRequest::new_force_change_pin(force);
 
-        user_verification(
-            self,
-            UserVerificationRequirement::Required,
-            &mut req,
-            pin_provider,
-            timeout,
-        )
-        .await?;
-
-        // On success, this is an all-empty Ctap2ClientPinResponse
-        self.ctap2_authenticator_config(&req, timeout).await
+        loop {
+            let uv_auth_used = user_verification(
+                self,
+                UserVerificationRequirement::Required,
+                &mut req,
+                pin_provider,
+                timeout,
+            )
+            .await?;
+            // On success, this is an all-empty Ctap2AuthenticatorConfigResponse
+            handle_errors!(
+                self,
+                self.ctap2_authenticator_config(&req, timeout).await,
+                uv_auth_used
+            )
+        }
     }
 
     async fn set_min_pin_length_rpids(
@@ -146,18 +168,22 @@ where
         timeout: Duration,
     ) -> Result<(), Error> {
         let mut req = Ctap2AuthenticatorConfigRequest::new_set_min_pin_length_rpids(rpids);
-
-        user_verification(
-            self,
-            UserVerificationRequirement::Required,
-            &mut req,
-            pin_provider,
-            timeout,
-        )
-        .await?;
-
-        // On success, this is an all-empty Ctap2ClientPinResponse
-        self.ctap2_authenticator_config(&req, timeout).await
+        loop {
+            let uv_auth_used = user_verification(
+                self,
+                UserVerificationRequirement::Required,
+                &mut req,
+                pin_provider,
+                timeout,
+            )
+            .await?;
+            // On success, this is an all-empty Ctap2AuthenticatorConfigResponse
+            handle_errors!(
+                self,
+                self.ctap2_authenticator_config(&req, timeout).await,
+                uv_auth_used
+            )
+        }
     }
 }
 
@@ -188,8 +214,8 @@ impl Ctap2UserVerifiableRequest for Ctap2AuthenticatorConfigRequest {
         unreachable!()
     }
 
-    fn permissions(&self) -> ClientPinRequestPermissions {
-        return ClientPinRequestPermissions::AUTHENTICATOR_CONFIGURATION;
+    fn permissions(&self) -> Ctap2AuthTokenPermissionRole {
+        return Ctap2AuthTokenPermissionRole::AUTHENTICATOR_CONFIGURATION;
     }
 
     fn permissions_rpid(&self) -> Option<&str> {

libwebauthn/src/proto/ctap2/mod.rs

@@ -7,7 +7,7 @@ mod protocol;
 
 pub use model::Ctap2GetInfoResponse;
 pub use model::{
-    ClientPinRequestPermissions, Ctap2AttestationStatement, Ctap2COSEAlgorithmIdentifier,
+    Ctap2AuthTokenPermissionRole, Ctap2AttestationStatement, Ctap2COSEAlgorithmIdentifier,
     Ctap2ClientPinRequest, Ctap2CommandCode, Ctap2CredentialType, Ctap2MakeCredentialOptions,
     Ctap2PinUvAuthProtocol, Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialRpEntity,
     Ctap2PublicKeyCredentialType, Ctap2PublicKeyCredentialUserEntity, Ctap2Transport,

libwebauthn/src/proto/ctap2/model.rs

@@ -478,7 +478,7 @@ pub trait Ctap2UserVerifiableRequest {
         uv_auth_token: &[u8],
     );
     fn client_data_hash(&self) -> &[u8];
-    fn permissions(&self) -> ClientPinRequestPermissions;
+    fn permissions(&self) -> Ctap2AuthTokenPermissionRole;
     fn permissions_rpid(&self) -> Option<&str>;
 }
 
@@ -506,10 +506,10 @@ impl Ctap2UserVerifiableRequest for Ctap2MakeCredentialRequest {
         self.hash.as_slice()
     }
 
-    fn permissions(&self) -> ClientPinRequestPermissions {
+    fn permissions(&self) -> Ctap2AuthTokenPermissionRole {
         // GET_ASSERTION needed for pre-flight requests
-        return ClientPinRequestPermissions::MAKE_CREDENTIAL
-            | ClientPinRequestPermissions::GET_ASSERTION;
+        return Ctap2AuthTokenPermissionRole::MAKE_CREDENTIAL
+            | Ctap2AuthTokenPermissionRole::GET_ASSERTION;
     }
 
     fn permissions_rpid(&self) -> Option<&str> {
@@ -539,8 +539,8 @@ impl Ctap2UserVerifiableRequest for Ctap2GetAssertionRequest {
         self.client_data_hash.as_slice()
     }
 
-    fn permissions(&self) -> ClientPinRequestPermissions {
-        return ClientPinRequestPermissions::GET_ASSERTION;
+    fn permissions(&self) -> Ctap2AuthTokenPermissionRole {
+        return Ctap2AuthTokenPermissionRole::GET_ASSERTION;
     }
 
     fn permissions_rpid(&self) -> Option<&str> {
@@ -801,7 +801,7 @@ impl Ctap2ClientPinRequest {
         protocol: Ctap2PinUvAuthProtocol,
         public_key: PublicKey,
         pin_hash_enc: &[u8],
-        permissions: ClientPinRequestPermissions,
+        permissions: Ctap2AuthTokenPermissionRole,
         permissions_rpid: Option<&str>,
     ) -> Self {
         Self {
@@ -821,7 +821,7 @@ impl Ctap2ClientPinRequest {
     pub fn new_get_uv_token_with_perm(
         protocol: Ctap2PinUvAuthProtocol,
         public_key: PublicKey,
-        permissions: ClientPinRequestPermissions,
+        permissions: Ctap2AuthTokenPermissionRole,
         permissions_rpid: Option<&str>,
     ) -> Self {
         Self {
@@ -881,7 +881,8 @@ impl Ctap2ClientPinRequest {
 }
 
 bitflags! {
-    pub struct ClientPinRequestPermissions: u32 {
+    #[derive(Debug, Clone, Copy, PartialEq, Eq)]
+    pub struct Ctap2AuthTokenPermissionRole: u32 {
         const MAKE_CREDENTIAL = 0x01;
         const GET_ASSERTION = 0x02;
         const CREDENTIAL_MANAGEMENT = 0x04;
@@ -892,7 +893,7 @@ bitflags! {
 }
 
 #[repr(u32)]
-#[derive(Debug, Clone, Copy, FromPrimitive, PartialEq, Serialize_repr, Deserialize_repr)]
+#[derive(Debug, Clone, Copy, FromPrimitive, PartialEq, Eq, Serialize_repr, Deserialize_repr)]
 pub enum Ctap2PinUvAuthProtocol {
     One = 1,
     Two = 2,

libwebauthn/src/proto/ctap2/protocol.rs

@@ -97,6 +97,10 @@ where
         trace!(?request);
         self.cbor_send(&request.into(), TIMEOUT_GET_INFO).await?;
         let cbor_response = self.cbor_recv(TIMEOUT_GET_INFO).await?;
+        match cbor_response.status_code {
+            CtapError::Ok => (),
+            error => return Err(Error::Ctap(error)),
+        };
         let ctap_response: Ctap2GetAssertionResponse =
             from_slice(&cbor_response.data.unwrap()).unwrap();
         debug!("CTAP2 GetAssertion successful");

libwebauthn/src/transport/ble/channel.rs

@@ -7,7 +7,9 @@ use crate::proto::ctap1::apdu::{ApduRequest, ApduResponse};
 use crate::proto::ctap2::cbor::{CborRequest, CborResponse};
 use crate::proto::CtapError;
 use crate::transport::ble::bluez;
-use crate::transport::channel::{Channel, ChannelStatus};
+use crate::transport::channel::{
+    Channel, ChannelStatus, Ctap2AuthTokenPermission, Ctap2AuthTokenStore,
+};
 use crate::transport::device::SupportedProtocols;
 use crate::transport::error::{Error, TransportError};
 
@@ -25,6 +27,7 @@ pub struct BleChannel<'a> {
     device: &'a BleDevice,
     connection: Connection,
     revision: FidoRevision,
+    auth_token: Option<(Ctap2AuthTokenPermission, Vec<u8>)>,
 }
 
 impl<'a> BleChannel<'a> {
@@ -43,6 +46,7 @@ impl<'a> BleChannel<'a> {
             device,
             connection,
             revision,
+            auth_token: None,
         };
         bluez::notify_start(&channel.connection)
             .await
@@ -153,3 +157,26 @@ impl<'a> Channel for BleChannel<'a> {
         Ok(cbor_response)
     }
 }
+
+impl Ctap2AuthTokenStore for BleChannel<'_> {
+    fn store_uv_auth_token(
+        &mut self,
+        permission: Ctap2AuthTokenPermission,
+        pin_uv_auth_token: &[u8],
+    ) {
+        self.auth_token = Some((permission, pin_uv_auth_token.to_vec()));
+    }
+
+    fn get_uv_auth_token(&self, requested_permission: &Ctap2AuthTokenPermission) -> Option<&[u8]> {
+        if let Some((stored_permission, stored_token)) = &self.auth_token {
+            if stored_permission.contains(requested_permission) {
+                return Some(stored_token);
+            }
+        }
+        None
+    }
+
+    fn clear_uv_auth_token_store(&mut self) {
+        self.auth_token = None;
+    }
+}

libwebauthn/src/transport/cable/channel.rs

@@ -11,7 +11,10 @@ use crate::proto::{
     ctap2::cbor::{CborRequest, CborResponse},
 };
 use crate::transport::error::{Error, TransportError};
-use crate::transport::{channel::ChannelStatus, device::SupportedProtocols, Channel};
+use crate::transport::{
+    channel::ChannelStatus, device::SupportedProtocols, Channel, Ctap2AuthTokenPermission,
+    Ctap2AuthTokenStore,
+};
 
 use super::known_devices::CableKnownDevice;
 use super::qr_code_device::CableQrCodeDevice;
@@ -85,3 +88,18 @@ impl<'d> Channel for CableChannel<'d> {
             .ok_or(Error::Transport(TransportError::TransportUnavailable))
     }
 }
+
+impl<'d> Ctap2AuthTokenStore for CableChannel<'d> {
+    fn store_uv_auth_token(
+        &mut self,
+        _permission: Ctap2AuthTokenPermission,
+        _pin_uv_auth_token: &[u8],
+    ) {
+    }
+
+    fn get_uv_auth_token(&self, _requested_permission: &Ctap2AuthTokenPermission) -> Option<&[u8]> {
+        None
+    }
+
+    fn clear_uv_auth_token_store(&mut self) {}
+}