Split extensions into unsigned extensions and signed extensions inside AuthenticatorData

libwebauthn/examples/prf_test.rs

@@ -13,8 +13,8 @@ use tokio::sync::mpsc::Receiver;
 use tracing_subscriber::{self, EnvFilter};
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionHmacOrPrfInput, GetAssertionHmacOrPrfOutput, GetAssertionRequest,
-    GetAssertionRequestExtensions, PRFValue, UserVerificationRequirement,
+    GetAssertionHmacOrPrfInput, GetAssertionRequest, GetAssertionRequestExtensions, PRFValue,
+    UserVerificationRequirement,
 };
 use libwebauthn::pin::PinRequestReason;
 use libwebauthn::proto::ctap2::{Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialType};
@@ -178,15 +178,15 @@ async fn run_success_test(
         println!(
             "{num}. result of {printoutput}: {:?}",
             assertion
-                .authenticator_data
-                .extensions
+                .unsigned_extensions_output
                 .as_ref()
-                .map(|e| match &e.hmac_or_prf {
-                    GetAssertionHmacOrPrfOutput::None => String::from("ERROR: No PRF output"),
-                    GetAssertionHmacOrPrfOutput::HmacGetSecret(..) =>
-                        String::from("ERROR: Got HMAC instead of PRF output"),
-                    GetAssertionHmacOrPrfOutput::Prf { enabled: _, result } =>
-                        hex::encode(result.first),
+                .map(|e| if let Some(prf) = &e.prf {
+                    let results = prf.results.as_ref().map(|r| hex::encode(r.first)).unwrap();
+                    format!("Found PRF results: {}", results)
+                } else if e.hmac_get_secret.is_some() {
+                    String::from("ERROR: Got HMAC instead of PRF output")
+                } else {
+                    String::from("ERROR: No PRF output")
                 })
                 .unwrap_or(String::from("ERROR: No extensions returned"))
         );

libwebauthn/src/fido.rs

@@ -2,20 +2,22 @@ use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
 use cosey::PublicKey;
 use serde::{
     de::{DeserializeOwned, Error as DesError, Visitor},
-    ser::Error as SerError,
-    Deserialize, Deserializer, Serialize, Serializer,
+    Deserialize, Deserializer, Serialize,
 };
 use serde_bytes::ByteBuf;
 use std::{
     fmt,
     io::{Cursor, Read},
     marker::PhantomData,
 };
-use tracing::warn;
-
-use crate::proto::{
-    ctap2::{Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialType},
-    CtapError,
+use tracing::{error, warn};
+
+use crate::{
+    proto::{
+        ctap2::{Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialType},
+        CtapError,
+    },
+    webauthn::{Error, PlatformError},
 };
 
 #[derive(Debug, PartialEq, Eq)]
@@ -62,28 +64,6 @@ pub struct AttestedCredentialData {
     pub credential_public_key: PublicKey,
 }
 
-impl Serialize for AttestedCredentialData {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: Serializer,
-    {
-        // Name                 | Length
-        // --------------------------------
-        //  aaguid              | 16
-        //  credentialIdLenght  | 2
-        //  credentialId        | L
-        //  credentialPublicKey | variable
-        let mut res = self.aaguid.to_vec();
-        res.write_u16::<BigEndian>(self.credential_id.len() as u16)
-            .map_err(SerError::custom)?;
-        res.extend(&self.credential_id);
-        let cose_encoded_public_key =
-            serde_cbor::to_vec(&self.credential_public_key).map_err(SerError::custom)?;
-        res.extend(cose_encoded_public_key);
-        serializer.serialize_bytes(&res)
-    }
-}
-
 impl From<&AttestedCredentialData> for Ctap2PublicKeyCredentialDescriptor {
     fn from(data: &AttestedCredentialData) -> Self {
         Self {
@@ -103,14 +83,11 @@ pub struct AuthenticatorData<T> {
     pub extensions: Option<T>,
 }
 
-impl<T> Serialize for AuthenticatorData<T>
+impl<T> AuthenticatorData<T>
 where
     T: Clone + Serialize,
 {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: Serializer,
-    {
+    pub fn to_response_bytes(&self) -> Result<Vec<u8>, Error> {
         // Name                    | Length
         // -----------------------------------
         // rpIdHash                | 32
@@ -121,14 +98,46 @@ where
         let mut res = self.rp_id_hash.to_vec();
         res.push(self.flags.bits());
         res.write_u32::<BigEndian>(self.signature_count)
-            .map_err(SerError::custom)?;
+            .map_err(|e| {
+                error!("Failed to create AuthenticatorData output vec at signature_count: {e:?}");
+                Error::Platform(PlatformError::InvalidDeviceResponse)
+            })?;
+
         if let Some(att_data) = &self.attested_credential {
-            res.extend(serde_cbor::to_vec(att_data).map_err(SerError::custom)?);
+            // Name                 | Length
+            // --------------------------------
+            //  aaguid              | 16
+            //  credentialIdLenght  | 2
+            //  credentialId        | L
+            //  credentialPublicKey | variable
+            res.extend(att_data.aaguid);
+            res.write_u16::<BigEndian>(att_data.credential_id.len() as u16)
+            .map_err(|e| {
+                error!(
+                    "Failed to create AuthenticatorData output vec at attested_credential.credential_id: {e:?}"
+                );
+                Error::Platform(PlatformError::InvalidDeviceResponse)
+            })?;
+            res.extend(&att_data.credential_id);
+            let cose_encoded_public_key =
+                serde_cbor::to_vec(&att_data.credential_public_key)
+            .map_err(|e| {
+                error!(
+                    "Failed to create AuthenticatorData output vec at attested_credential.credential_public_key: {e:?}"
+                );
+                Error::Platform(PlatformError::InvalidDeviceResponse)
+            })?;
+            res.extend(cose_encoded_public_key);
         }
-        if let Some(extensions) = &self.extensions {
-            res.extend(serde_cbor::to_vec(extensions).map_err(SerError::custom)?);
+
+        if self.extensions.is_some() || self.flags.contains(AuthenticatorDataFlags::EXTENSION_DATA)
+        {
+            res.extend(serde_cbor::to_vec(&self.extensions).map_err(|e| {
+                error!("Failed to create AuthenticatorData output vec at extensions: {e:?}");
+                Error::Platform(PlatformError::InvalidDeviceResponse)
+            })?);
         }
-        serializer.serialize_bytes(&res)
+        Ok(res)
     }
 }
 

libwebauthn/src/ops/u2f.rs

@@ -148,7 +148,6 @@ impl UpgradableResponse<MakeCredentialResponse, MakeCredentialRequest> for Regis
             attestation_statement,
             enterprise_attestation: None,
             large_blob_key: None,
-            unsigned_extension_output: None,
         };
         Ok(resp.into_make_credential_output(request, None))
     }
@@ -195,7 +194,6 @@ impl UpgradableResponse<GetAssertionResponse, SignRequest> for SignResponse {
             credentials_count: None,
             user_selected: None,
             large_blob_key: None,
-            unsigned_extension_outputs: None,
             enterprise_attestation: None,
             attestation_statement: None,
         };