You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, AuthenticatorData was just a ByteBuf. I added it as a struct with de/serialize-functions.
Input and Output of the extensions vary for given commands, so I made AuthenticatorData generic over that, and specify which extension-struct it will contain inside MakeCredential or GetAssertion. This should be totally invisible to the end-user, who will just get 'the right thing'. It does, however, make the de/serialize-code a bit messy.
hmac-secret extension needs more work, but this PR was already getting quite big, so I figured, this would be better in a follow-up PR.
Tested credBlob, minPinLength and credProtect extension with my Yubikey Bio successfully.
Thank you @msirringhaus! This is good work and a great start for extension processing.
Dumping all my notes and ideas on extension processing here - would love to hear your thoughts:
I think it may make sense to define a traits for client extension processing, where each extension implements the trait including at least two methods - equivalent to create() and get() from the CTAP 2.2 spec, for processing on MakeCredential and GetAssertion respectively. In turn, this could be generic over the respective extension's client extension input, eg.
In addition to taking any action above, extension processing also alter platform behaviour. As an example 12.1. Credential Protection (credProtect) may require performing additional authenticator checks, in certain circumstances. The need for these checks may be represented in a new ClientBehaviour struct, to be potentially altered during extension processing:
traitClientExtensionProcessing<G,C>{
fun get(&self, input:&G,&mut clientBehaviour:ClientBehaviour):ExtensionResult<CborMap>
fun create(&self, input:&C,&mut clientBehaviour:ClientBehaviour):ExtensionResult<CborMap>
}
Extensions unknown to the client should be passed through as CBOR. Maybe the trait itself could expose the expected input key, and if no extension is found, the extension data can be passed as-is?
As we need to represent both pre-client processing and post-client processing extension payloads, IMO it may make sense to begin differentiating WebAuthn requests from CTAP2 request models - by removing the alias. Conversion will no longer be a TryFrom affair.
WebAuthn request would then need to represent pre-client processing requests.
CTAP2 models could directly use a CBOR Map. This could allow modelling both (a) known extensions' client processing outputs, and (b) passthrough extensions unknown to the client.
Ideally, if we fail to parse input for an extension, we should ignore the individual extension - but continue with the rest of the request. Maybe the trait for each extension could be generic over its input type, and perform parsing, with a Result so the caller can handle these errors appropriately?
We should also process WebAuthn extensions. These are defined as client extensions, so they should fit right in - we can possibly prefix these with WebAuthn (eg. WebAuthnPRFExtension for my favourite extension, Pseudo-random function extension (prf).
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
A few things going on here:
AuthenticatorDatawas just a ByteBuf. I added it as a struct with de/serialize-functions.AuthenticatorDatageneric over that, and specify which extension-struct it will contain insideMakeCredentialorGetAssertion. This should be totally invisible to the end-user, who will just get 'the right thing'. It does, however, make the de/serialize-code a bit messy.hmac-secretextension needs more work, but this PR was already getting quite big, so I figured, this would be better in a follow-up PR.Tested credBlob, minPinLength and credProtect extension with my Yubikey Bio successfully.