* Add support for WebAuthn PRF extension
Original context: https://bugzilla.mozilla.org/show_bug.cgi?id=1863819
* Send correct PIN protocol ID in hmac-secret
Before this change, OpenSK (tag 2.1, commit
893faa5113f47457337ddb826b1a58870f00bc78) returns CTAP2_ERR_INVALID_PARAMETER in
response to attempts to use the WebAuthn PRF extension.
Original context: https://bugzilla.mozilla.org/show_bug.cgi?id=1863819
* Extract function HmacSecretResponse::decrypt_secrets
* Clarify and correct hmac-secret and PRF client outputs in makeCredential
* Delete unnecessary impl Default
* Rename HmacSecretFromHmacSecretOrPrf to HmacCreateSecretOrPrf
* Use HmacGetSecretOrPrf data model in getAssertion too
* Add examples/prf.rs
* Construct channels outside loop
* Remove unused loop
* Add tests for HmacSecretResponse::decrypt_secrets
* Extract function AuthenticationExtensionsPRFInputs::eval_to_salt
* Extract AuthenticationExtensionsPRFInputs::select_eval and ::select_credential
* Add doc comment to AuthenticationExtensionsPRFInputs::calculate
* Fix clippy lint
* Return empty prf output if no eval or evalByCredential entry matched
* Extract function HmacGetSecretOrPrf::calculate
* Add tests of calculating hmac-secret/PRF inputs
* Fix outdated error messages
* Separate hmac_secret tests that require a crypto backend
* Add debug output to error paths of HmacSecretResponse::decrypt_secrets
* Fix a typo and a cryptic comment
* Eliminate unnecessary sha256 function
* Simplify to Sha256::digest where possible
* Derive PartialEq always, not just in cfg(test)
* Document generation of hmac_secret test data
* Remove unnecessary comma
* Tweak imports per review
* Take PinUvAuthToken as reference in HmacSecretExtension::calculate
* Deduplicate decrypt_pin_token code in tests
* Extract function GetAssertion::process_hmac_secret_and_prf_extension
* Move allow_list assignment to top level scope
* Add tests of hmac-secret and prf processing in GetAssertion::finalize_result
* Fail hmac-secret salt calculation if input salts are too long
This is prescribed by the [CTAP spec][ctap]:
>**Client extension processing**
>1. [...]
>2. If present in a get():
> 1. Verify that salt1 is a 32-byte ArrayBuffer.
> 2. If salt2 is present, verify that it is a 32-byte ArrayBuffer.
> [...]
[ctap]: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-hmac-secret-extension
* Add tests of GetAssertion::process_hmac_secret_and_prf_extension
* Propagate WrongSaltLength as InvalidRelyingPartyInput in GetAssertion::process_hmac_secret_and_prf_extension
* Return PrfUnmatched instead of None when shared secret is not available
This is needed because the PRF extension should return an empty extension output
`prf: {}` when the extension is processed but no eligible authenticator is
found. Thus we need to differentiate these cases so that
`GetAssertion::finalize_result` can match on `PrfUnmatched` and generate the
empty output.
* Add debug logging when no shared secret is available
* Add debug logging when hmac-secret output decryption fails
* Add test of serializing uninitialized and unmatched PRF inputs
* Add missing test of serializing hmac-secret with PIN protocol 2
Extend the mock device to be able to skip the low-level byte-by-byte
comparison of incoming and outgoing data, and instead use CTAP requests
and responses directly, for higher-level business-logic testing.
Add tests for preflighting.
John M. Schanck
Emil Lundberg
Martin Sirringhaus