Make Credential parsing seems working; added example

AlfioEmanueleFresta · AlfioEmanueleFresta · commit db62257ecabf · 2025-08-15T11:42:06.000+01:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/libwebauthn/examples/webauthn_json_hid.rs b/libwebauthn/examples/webauthn_json_hid.rs
@@ -0,0 +1,175 @@
+use std::convert::TryInto;
+use std::error::Error;
+use std::io::{self, Write};
+use std::time::Duration;
+
+use ctap_types::ctap2::make_credential;
+use libwebauthn::UvUpdate;
+use rand::{thread_rng, Rng};
+use text_io::read;
+use tokio::sync::broadcast::Receiver;
+use tracing_subscriber::{self, EnvFilter};
+
+use libwebauthn::ops::webauthn::{
+    GetAssertionRequest, MakeCredentialRequest, RelyingPartyId, ResidentKeyRequirement,
+    UserVerificationRequirement, WebAuthnIDL as _,
+};
+use libwebauthn::pin::PinRequestReason;
+use libwebauthn::proto::ctap2::{
+    Ctap2CredentialType, Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialRpEntity,
+    Ctap2PublicKeyCredentialUserEntity,
+};
+use libwebauthn::transport::hid::list_devices;
+use libwebauthn::transport::{Channel as _, Device};
+use libwebauthn::webauthn::{Error as WebAuthnError, WebAuthn};
+
+const TIMEOUT: Duration = Duration::from_secs(10);
+
+fn setup_logging() {
+    tracing_subscriber::fmt()
+        .with_env_filter(EnvFilter::from_default_env())
+        .without_time()
+        .init();
+}
+
+async fn handle_updates(mut state_recv: Receiver<UvUpdate>) {
+    while let Ok(update) = state_recv.recv().await {
+        match update {
+            UvUpdate::PresenceRequired => println!("Please touch your device!"),
+            UvUpdate::UvRetry { attempts_left } => {
+                print!("UV failed.");
+                if let Some(attempts_left) = attempts_left {
+                    print!(" You have {attempts_left} attempts left.");
+                }
+            }
+            UvUpdate::PinRequired(update) => {
+                let mut attempts_str = String::new();
+                if let Some(attempts) = update.attempts_left {
+                    attempts_str = format!(". You have {attempts} attempts left!");
+                };
+
+                match update.reason {
+                    PinRequestReason::RelyingPartyRequest => println!("RP required a PIN."),
+                    PinRequestReason::AuthenticatorPolicy => {
+                        println!("Your device requires a PIN.")
+                    }
+                    PinRequestReason::FallbackFromUV => {
+                        println!("UV failed too often and is blocked. Falling back to PIN.")
+                    }
+                }
+                print!("PIN: Please enter the PIN for your authenticator{attempts_str}: ");
+                io::stdout().flush().unwrap();
+                let pin_raw: String = read!("{}\n");
+
+                if pin_raw.is_empty() {
+                    println!("PIN: No PIN provided, cancelling operation.");
+                    update.cancel();
+                } else {
+                    let _ = update.send_pin(&pin_raw);
+                }
+            }
+        }
+    }
+}
+
+#[tokio::main]
+pub async fn main() -> Result<(), Box<dyn Error>> {
+    setup_logging();
+
+    let devices = list_devices().await.unwrap();
+    println!("Devices found: {:?}", devices);
+
+    let user_id: [u8; 32] = thread_rng().gen();
+    let challenge: [u8; 32] = thread_rng().gen();
+
+    for mut device in devices {
+        println!("Selected HID authenticator: {}", &device);
+        let mut channel = device.channel().await?;
+        channel.wink(TIMEOUT).await?;
+
+        // Relying
+        let rpid = RelyingPartyId("example.org".to_owned());
+        let request_json = r#"
+                {
+                    "rp": {
+                        "id": "example.org",
+                        "name": "Example Relying Party"
+                    },
+                    "user": {
+                        "id": "MTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2Nzg",
+                        "name": "Mario Rossi",
+                        "displayName": "Mario Rossi"
+                    },
+                    "challenge": "MTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2Nzg",
+                    "pubKeyCredParams": [
+                        {"type": "public-key", "alg": -7}
+                    ],
+                    "timeout": 60000,
+                    "excludeCredentials": [],
+                    "authenticatorSelection": {
+                        "residentKey": "discouraged",
+                        "userVerification": "preferred"
+                    },
+                    "attestation": "none"
+                }
+                "#;
+        let make_credentials_request: MakeCredentialRequest =
+            MakeCredentialRequest::from_json(&rpid, request_json)
+                .expect("Failed to parse request JSON");
+        println!(
+            "WebAuthn MakeCredential request: {:?}",
+            make_credentials_request
+        );
+
+        let state_recv = channel.get_ux_update_receiver();
+        tokio::spawn(handle_updates(state_recv));
+
+        let response = loop {
+            match channel
+                .webauthn_make_credential(&make_credentials_request)
+                .await
+            {
+                Ok(response) => break Ok(response),
+                Err(WebAuthnError::Ctap(ctap_error)) => {
+                    if ctap_error.is_retryable_user_error() {
+                        println!("Oops, try again! Error: {}", ctap_error);
+                        continue;
+                    }
+                    break Err(WebAuthnError::Ctap(ctap_error));
+                }
+                Err(err) => break Err(err),
+            };
+        }
+        .unwrap();
+        println!("WebAuthn MakeCredential response: {:?}", response);
+
+        let credential: Ctap2PublicKeyCredentialDescriptor =
+            (&response.authenticator_data).try_into().unwrap();
+        let get_assertion = GetAssertionRequest {
+            relying_party_id: "example.org".to_owned(),
+            hash: Vec::from(challenge),
+            allow: vec![credential],
+            user_verification: UserVerificationRequirement::Discouraged,
+            extensions: None,
+            timeout: TIMEOUT,
+        };
+
+        let response = loop {
+            match channel.webauthn_get_assertion(&get_assertion).await {
+                Ok(response) => break Ok(response),
+                Err(WebAuthnError::Ctap(ctap_error)) => {
+                    if ctap_error.is_retryable_user_error() {
+                        println!("Oops, try again! Error: {}", ctap_error);
+                        continue;
+                    }
+                    break Err(WebAuthnError::Ctap(ctap_error));
+                }
+                Err(err) => break Err(err),
+            };
+        }
+        .unwrap();
+        println!("WebAuthn GetAssertion response: {:?}", response);
+    }
+
+    Ok(())
+}
diff --git a/libwebauthn/src/ops/webauthn/create.rs b/libwebauthn/src/ops/webauthn/create.rs
@@ -16,19 +16,6 @@ use serde_json::{Map as JsonMap, Value as JsonValue};
  * https://www.w3.org/TR/webauthn-3/#sctn-parseCreationOptionsFromJSON
  */
 
-#[derive(Debug, Clone, Deserialize)]
-pub struct PublicKeyCredentialDescriptorJSON {
-    pub r#type: String,
-    pub id: Base64UrlString,
-    pub transports: Vec<String>,
-}
-
-#[derive(Debug, Clone, Deserialize)]
-pub struct PublicKeyCredentialParameters {
-    pub r#type: String,
-    pub alg: i32,
-}
-
 #[derive(Debug, Clone, Deserialize)]
 pub struct AuthenticatorSelectionCriteria {
     #[serde(rename = "authenticatorAttachment")]
@@ -61,9 +48,9 @@ pub struct PublicKeyCredentialCreationOptionsJSON {
     pub exclude_credentials: Vec<Ctap2PublicKeyCredentialDescriptor>,
     #[serde(rename = "authenticatorSelection")]
     pub authenticator_selection: Option<AuthenticatorSelectionCriteria>,
-    pub hints: Vec<String>,
-    pub attestation: String,
+    pub hints: Option<Vec<String>>,
+    pub attestation: Option<String>,
     #[serde(rename = "attestationFormats")]
-    pub attestation_formats: Vec<String>,
-    pub extensions: MakeCredentialsRequestExtensions,
+    pub attestation_formats: Option<Vec<String>>,
+    pub extensions: Option<MakeCredentialsRequestExtensions>,
 }
diff --git a/libwebauthn/src/ops/webauthn/idl.rs b/libwebauthn/src/ops/webauthn/idl.rs
@@ -58,6 +58,12 @@ impl Deref for Base64UrlString {
     }
 }
 
+impl AsRef<[u8]> for Base64UrlString {
+    fn as_ref(&self) -> &[u8] {
+        &self.0
+    }
+}
+
 impl<'de> Deserialize<'de> for Base64UrlString {
     fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
     where
diff --git a/libwebauthn/src/ops/webauthn/make_credential.rs b/libwebauthn/src/ops/webauthn/make_credential.rs
@@ -231,7 +231,7 @@ impl FromInnerModel<PublicKeyCredentialCreationOptionsJSON, MakeCredentialReques
             user_verification,
             algorithms: inner.params,
             exclude,
-            extensions: Some(inner.extensions),
+            extensions: inner.extensions,
             timeout: Duration::from_secs(inner.timeout.into()),
         })
     }
@@ -242,9 +242,6 @@ pub enum MakeCredentialRequestParsingError {
     /// The client must throw an "EncodingError" DOMException.
     #[error("Invalid JSON format: {0}")]
     EncodingError(#[from] JsonError),
-
-    #[error("Invalid extension: {0}")]
-    ExtensionError(JsonError),
 }
 
 impl WebAuthnIDL<MakeCredentialRequestParsingError> for MakeCredentialRequest {
diff --git a/libwebauthn/src/ops/webauthn/mod.rs b/libwebauthn/src/ops/webauthn/mod.rs
@@ -13,14 +13,15 @@ pub use get_assertion::{
     GetAssertionResponseExtensions, GetAssertionResponseUnsignedExtensions, HMACGetSecretInput,
     HMACGetSecretOutput, PRFValue,
 };
-pub use idl::Base64UrlString;
+pub use idl::{Base64UrlString, WebAuthnIDL};
 pub use make_credential::{
     CredentialPropsExtension, CredentialProtectionExtension, CredentialProtectionPolicy,
     MakeCredentialLargeBlobExtension, MakeCredentialLargeBlobExtensionOutput,
     MakeCredentialPrfInput, MakeCredentialPrfOutput, MakeCredentialRequest, MakeCredentialResponse,
     MakeCredentialsRequestExtensions, MakeCredentialsResponseExtensions,
     MakeCredentialsResponseUnsignedExtensions, ResidentKeyRequirement,
 };
+pub use rpid::RelyingPartyId;
 use serde::Deserialize;
 
 #[derive(Debug, Clone, Copy, Deserialize)]

Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,12 @@ impl Deref for Base64UrlString {`
`58`	`58`	`}`
`59`	`59`	`}`
`60`	`60`
	`61`	`+impl AsRef<[u8]> for Base64UrlString {`
	`62`	`+ fn as_ref(&self) -> &[u8] {`
	`63`	`+ &self.0`
	`64`	`+ }`
	`65`	`+}`
	`66`	`+`
`61`	`67`	`impl<'de> Deserialize<'de> for Base64UrlString {`
`62`	`68`	`fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>`
`63`	`69`	`where`