feat(webauthn): authenticatorLargeBlobs + LargeBlobStorage trait

[AlfioEmanueleFresta]

Implements the read half of the WebAuthn L3 largeBlob extension end-to-end. Stacked on top of #198 (the safe-drop fix); read this PR's diff against that branch.

Why

largeBlob lets a relying party read or write a small per-credential payload that lives on the authenticator. The CTAP 2.1 authenticatorLargeBlobs command (0x0C) exposes a single device-wide serialized array; per-credential entries within that array are encrypted under the largeBlobKey returned by authenticatorGetAssertion. Until this PR, libwebauthn could only ask the authenticator to surface a largeBlobKey; we had no way to actually fetch and decrypt the blob, so the WebAuthn unsigned_extensions_output.large_blob.blob field stayed None.

What this PR does

• CTAP wire layer (src/proto/ctap2/model/large_blobs.rs, src/proto/ctap2/protocol.rs): adds Ctap2CommandCode::AuthenticatorLargeBlobs = 0x0C, request/response models, and a ctap2_large_blobs method on the Ctap2 trait.
• Public LargeBlobStorage trait (src/ops/webauthn/large_blob.rs): async read / write, so callers can plug in alternative backends. Two backends ship:
  • MemoryLargeBlobStorage: in-memory HashMap, useful for tests.
  • AuthenticatorLargeBlobStorage<'_, C>: drives paginated authenticatorLargeBlobs(get), AES-256-GCM-authenticates each entry under the supplied largeBlobKey, and RFC 1951 raw-deflate-decompresses the plaintext.
• Read-path wire-up (src/webauthn.rs): after _webauthn_get_assertion_fido2 collects assertions, if largeBlob.read = true was requested and the device returned a largeBlobKey, libwebauthn now runs the CTAP fetch-and-decrypt and populates unsigned_extensions_output.large_blob.blob. Failures here are non-fatal: per WebAuthn L3 §10.1.5 the blob field is absent when the read cannot complete.

What is deferred

The write half is intentionally a follow-up PR. It will:

• Implement chunked authenticatorLargeBlobs(set) with pinUvAuthParam binding per CTAP 2.1 §6.10.2 / §6.10.5 (compute the SHA-256 trailer, paginate the upload, sign each chunk with the platform-derived pinUvAuthParam).
• Wire LargeBlobStorage::write on AuthenticatorLargeBlobStorage (currently LargeBlobError::Unsupported).
• Add the WebAuthn largeBlob.write extension behaviour on top of webauthn_make_credential / webauthn_get_assertion.
• Once both halves land, end-to-end roundtrip tests will be added in the integration-test surface (e.g. a future libwebauthn-tests crate).

Tests

The PR adds 16 unit tests, including a MockChannel-driven end-to-end test of webauthn_get_assertion with largeBlob.read = true: the test builds a real serialized largeBlobArray (AES-256-GCM ciphertext + nonce + origSize + SHA-256 trailer), responds to the GetInfo / GetAssertion / authenticatorLargeBlobs(get) sequence, calls webauthn_get_assertion, and asserts that the returned unsigned_extensions_output.large_blob.blob matches the original plaintext. That covers the entire read pipeline: CTAP exchange, array parsing, AES-256-GCM decrypt, deflate decompress, trait surface, and WebAuthn JSON output.

Other tests cover: MemoryLargeBlobStorage round-trip / missing-credential / multi-credential; AES-256-GCM round-trip and wrong-key skip; multi-entry array selection; corrupted-trailer and truncated-array rejection; empty-array handling; Ctap2LargeBlobsRequest canonical CBOR encoding; an AuthenticatorLargeBlobStorage::read integration test against a hand-crafted ciphertext via MockChannel; and AuthenticatorLargeBlobStorage::write returning Unsupported.

Dependencies

• aes-gcm = "0.10" (AES-256-GCM AEAD)
• flate2 = "1.0" (RFC 1951 raw deflate)

Spec references

• WebAuthn Level 3 §10.1.5 (largeBlob extension): https://www.w3.org/TR/webauthn-3/#sctn-large-blob-extension
• CTAP 2.1 §6.10 (authenticatorLargeBlobs): https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorLargeBlobs
• RFC 1951 (DEFLATE): https://www.rfc-editor.org/rfc/rfc1951