feat(webauthn): force UV=required when PRF extension is requested (fix #183)#213
Open
AlfioEmanueleFresta wants to merge 1 commit into
Open
feat(webauthn): force UV=required when PRF extension is requested (fix #183)#213AlfioEmanueleFresta wants to merge 1 commit into
AlfioEmanueleFresta wants to merge 1 commit into
Conversation
…#183) WebAuthn PRF outputs are sensitive key material. Per the spec direction in w3c/webauthn#2337, callers requesting the PRF extension must have userVerification upgraded to "required" before the request reaches the authenticator. This applies regardless of whether PRF eval values are populated -- presence of the extension is the trigger. The upgrade happens at the public WebAuthn API entry (webauthn.rs), so both JSON-IDL and direct-struct callers are covered. The CTAP2-level hmac-secret extension keeps its existing separate UV / non-UV seed behaviour and is not affected. Notable behaviour changes for callers: - Discouraged or Preferred + PRF now triggers UV (PIN setup if no PIN). - U2F-only devices were already incapable of PRF; PRF-bearing requests now error with NegotiationFailed instead of silently dropping PRF.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #183. Implements the W3C direction in w3c/webauthn#2337: presence of the PRF extension on
create()orget()transparently forcesuserVerification = "required"before the request reaches the authenticator. The CTAP2-levelhmac-secretextension is unchanged.Behaviour changes for callers
Discouraged/Preferred+ PRF now triggers UV. On no-PIN devices this enters the interactive PIN-setup flow (PinNotSet).NegotiationFailedinstead of silently dropping PRF (U2F has no PRF).Notes
webauthn.rs), so both JSON-IDL and direct-struct callers are covered.clear_uv_auth_token_store()to force fresh UV), and a negative case proving the upgrade does not fire without PRF.