Add DAFSA-format Public Suffix List reader

.github/workflows/rust.yml

@@ -14,7 +14,7 @@ jobs:
       - name: Update apt cache
         run: sudo apt-get update
       - name: Install system dependencies
-        run: sudo apt-get install libudev-dev libdbus-1-dev libsodium-dev libnfc-dev libpcsclite-dev
+        run: sudo apt-get install libudev-dev libdbus-1-dev libsodium-dev libnfc-dev libpcsclite-dev publicsuffix
       - name: Clippy
         run: cargo clippy --workspace --all-targets --all-features -- -D warnings
       - name: Check formatting
@@ -27,5 +27,7 @@ jobs:
         run: cargo build -p libwebauthn --examples --features nfc-backend-libnfc
       - name: Run tests
         run: cargo test --workspace --verbose
+        env:
+          LIBWEBAUTHN_PSL_SYSTEM_TEST: "1"
       - name: Verify libwebauthn publishes cleanly
         run: cargo publish --dry-run -p libwebauthn

README.md

@@ -40,7 +40,7 @@ _Looking for the D-Bus API proposal?_ Check out [credentialsd][credentialsd].
 
 ## Runtime requirements
 
-Validating the relying party ID against the calling origin requires the [Public Suffix List][psl]. The built-in loader reads it from the standard system path. The `publicsuffix` package on Debian/Ubuntu or `publicsuffix-list` on Fedora and Arch installs it there, but these are not always present on minimal installs. Install explicitly if needed. Callers wiring their own list don't need a system package.
+Validating the relying party ID against the calling origin requires the [Public Suffix List][psl]. The built-in `SystemPublicSuffixList::auto()` loader reads it from the standard system path, probing the binary `.dafsa` format first and falling back to the text `.dat` format. The `publicsuffix` package on Debian/Ubuntu ships both. On Fedora the binary `.dafsa` file is shipped by `publicsuffix-list-dafsa` (a transitive dependency of `libpsl`, so usually already installed), while the text `.dat` file requires the optional `publicsuffix-list` package. On Arch only the text `.dat` format is packaged. Callers wiring their own list don't need a system package.
 
 ## Transports
 

libwebauthn/examples/ceremony/webauthn_cable.rs

@@ -12,7 +12,7 @@ use qrcode::QrCode;
 use tokio::time::sleep;
 
 use libwebauthn::ops::webauthn::{
-    DatFilePublicSuffixList, GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin,
+    GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin, SystemPublicSuffixList,
     WebAuthnIDL as _, WebAuthnIDLResponse as _,
 };
 use libwebauthn::transport::{Channel as _, Device};
@@ -66,8 +66,8 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
 
     let device_info_store = Arc::new(EphemeralDeviceInfoStore::default());
     let request_origin: RequestOrigin = "https://example.org".try_into().expect("Invalid origin");
-    let psl = DatFilePublicSuffixList::from_system_file().expect(
-        "PSL not available; install the publicsuffix-list package or pass an explicit path",
+    let psl = SystemPublicSuffixList::auto().expect(
+        "PSL not available; install the publicsuffix-list (or publicsuffix-list-dafsa) package, or pass an explicit path",
     );
 
     {

libwebauthn/examples/ceremony/webauthn_hid.rs

@@ -2,7 +2,7 @@ use std::error::Error;
 use std::time::Duration;
 
 use libwebauthn::ops::webauthn::{
-    DatFilePublicSuffixList, GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin,
+    GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin, SystemPublicSuffixList,
     WebAuthnIDL as _, WebAuthnIDLResponse as _,
 };
 use libwebauthn::proto::ctap2::Ctap2PublicKeyCredentialDescriptor;
@@ -29,8 +29,8 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
 
         let request_origin: RequestOrigin =
             "https://example.org".try_into().expect("Invalid origin");
-        let psl = DatFilePublicSuffixList::from_system_file().expect(
-            "PSL not available; install the publicsuffix-list package or pass an explicit path",
+        let psl = SystemPublicSuffixList::auto().expect(
+            "PSL not available; install the publicsuffix-list (or publicsuffix-list-dafsa) package, or pass an explicit path",
         );
         let request_json = r#"
                 {

libwebauthn/examples/ceremony/webauthn_nfc.rs

@@ -1,7 +1,7 @@
 use std::error::Error;
 
 use libwebauthn::ops::webauthn::{
-    DatFilePublicSuffixList, GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin,
+    GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin, SystemPublicSuffixList,
     WebAuthnIDL as _, WebAuthnIDLResponse as _,
 };
 use libwebauthn::transport::nfc::{get_nfc_device, is_nfc_available};
@@ -27,8 +27,8 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     let mut channel = device.channel().await?;
 
     let request_origin: RequestOrigin = "https://example.org".try_into().expect("Invalid origin");
-    let psl = DatFilePublicSuffixList::from_system_file().expect(
-        "PSL not available; install the publicsuffix-list package or pass an explicit path",
+    let psl = SystemPublicSuffixList::auto().expect(
+        "PSL not available; install the publicsuffix-list (or publicsuffix-list-dafsa) package, or pass an explicit path",
     );
     let make_credentials_request = MakeCredentialRequest::from_json(
         &request_origin,

libwebauthn/src/ops/webauthn/mod.rs

@@ -30,7 +30,11 @@ pub use make_credential::{
     MakeCredentialsRequestExtensions, MakeCredentialsResponseExtensions,
     MakeCredentialsResponseUnsignedExtensions, ResidentKeyRequirement,
 };
-pub use psl::{DatFileLoadError, DatFilePublicSuffixList, PublicSuffixList, SYSTEM_PSL_PATH};
+pub use psl::{
+    DafsaFileLoadError, DafsaFilePublicSuffixList, DatFileLoadError, DatFilePublicSuffixList,
+    PublicSuffixList, SystemLoadError, SystemPublicSuffixList, SYSTEM_PSL_DAFSA_PATH,
+    SYSTEM_PSL_PATH,
+};
 use serde::Deserialize;
 
 #[derive(Debug, Clone, Copy, Deserialize, PartialEq)]