Allow for shared secret to be created even if no PIN is set on the device (#146)

This is to support HMAC/PRF on such devices, which currently only worked
for devices with PIN or UV set (i.e. devices that could negotiate a
`pinUvAuthToken`).

Things of note:
- The requests now have a `needs_shared_secret()` function that is only
returning true for GetAssertion at the moment. I have not checked all
the other commands in detail, if they could potentially also require
this. If so, it would be easy to fill in (e.g. for Ctap2.2 where
MakeCredential could also do HMAC).
- In the `AuthTokenData`-store, `pinUvAuthToken` (and associated
permissions) are now optional. Luckily all this is hidden from the rest
of the library, as we already had an accessor-function for this that
returned an Option.
- The `user_verification_helper()` function is getting a bit more
complex, sadly. But I hope with all my comments, it's not too bad.
Making the naming of `Ctap2UserVerificationOperation`-variations more
explicit should also help.

Author: msirringhaus

libwebauthn/src/management/authenticator_config.rs

@@ -199,4 +199,8 @@ impl Ctap2UserVerifiableRequest for Ctap2AuthenticatorConfigRequest {
     fn handle_legacy_preview(&mut self, _info: &Ctap2GetInfoResponse) {
         // No-op
     }
+
+    fn needs_shared_secret(&self, _get_info_response: &Ctap2GetInfoResponse) -> bool {
+        false
+    }
 }

libwebauthn/src/management/bio_enrollment.rs

@@ -335,4 +335,8 @@ impl Ctap2UserVerifiableRequest for Ctap2BioEnrollmentRequest {
             }
         }
     }
+
+    fn needs_shared_secret(&self, _get_info_response: &Ctap2GetInfoResponse) -> bool {
+        false
+    }
 }

libwebauthn/src/management/credential_management.rs

@@ -318,4 +318,8 @@ impl Ctap2UserVerifiableRequest for Ctap2CredentialManagementRequest {
             }
         }
     }
+
+    fn needs_shared_secret(&self, _get_info_response: &Ctap2GetInfoResponse) -> bool {
+        false
+    }
 }

libwebauthn/src/ops/webauthn/make_credential.rs

@@ -193,7 +193,7 @@ pub enum MakeCredentialHmacOrPrfInput {
     // },
 }
 
-#[derive(Debug, Default, Clone, Serialize)]
+#[derive(Debug, Default, Clone, Serialize, PartialEq)]
 pub struct MakeCredentialPrfOutput {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub enabled: Option<bool>,
@@ -315,10 +315,7 @@ impl DowngradableRequest<RegisterRequest> for MakeCredentialRequest {
         }
 
         // Options must not include "rk" set to true.
-        if matches!(
-            self.resident_key,
-            Some(ResidentKeyRequirement::Required)
-        ) {
+        if matches!(self.resident_key, Some(ResidentKeyRequirement::Required)) {
             debug!("Not downgradable: request requires resident key");
             return false;
         }

libwebauthn/src/proto/ctap2/model.rs

@@ -209,14 +209,17 @@ pub trait Ctap2UserVerifiableRequest {
     fn permissions_rpid(&self) -> Option<&str>;
     fn can_use_uv(&self, info: &Ctap2GetInfoResponse) -> bool;
     fn handle_legacy_preview(&mut self, info: &Ctap2GetInfoResponse);
+    /// We need to establish a shared secret, even if no PIN or UV is set on the device
+    fn needs_shared_secret(&self, info: &Ctap2GetInfoResponse) -> bool;
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum Ctap2UserVerificationOperation {
     GetPinUvAuthTokenUsingUvWithPermissions,
     GetPinUvAuthTokenUsingPinWithPermissions,
     GetPinToken,
-    None,
+    ClientPinOnlyForSharedSecret,
+    LegacyUv,
 }
 
 #[cfg(test)]

libwebauthn/src/proto/ctap2/model/get_assertion.rs

@@ -441,6 +441,20 @@ impl Ctap2UserVerifiableRequest for Ctap2GetAssertionRequest {
     fn handle_legacy_preview(&mut self, _info: &Ctap2GetInfoResponse) {
         // No-op
     }
+
+    fn needs_shared_secret(&self, get_info_response: &Ctap2GetInfoResponse) -> bool {
+        let hmac_supported = get_info_response
+            .extensions
+            .as_ref()
+            .map(|e| e.contains(&String::from("hmac-secret")))
+            .unwrap_or_default();
+        let hmac_requested = self
+            .extensions
+            .as_ref()
+            .map(|e| !matches!(e.hmac_or_prf, GetAssertionHmacOrPrfInput::None))
+            .unwrap_or_default();
+        hmac_requested && hmac_supported
+    }
 }
 
 impl Ctap2GetAssertionResponse {