* Do not error out if the token returns options unknown to us
This might happen, if the token is very new and supports a newer CTAP-specification.
In that case, we simply don't support it, but shouldn't error out.
* Device selection (#163)
* Add cancel-function to HIDs, which can cancel blocking reads
* Add function to clone a (Linux) device in write-only mode
* First implementation of DeviceSelector
For selecting multiple devices, if those are present.
A few lints need to be fixed and it doesn't work with PIN-tokens yet.
* Fix stupid typo in function name
* Move PIN into StatusUpdate as a callback (discoverable_creds not yet working)
* Move workaround for unsetting uv to accommodate the new PIN-retrieval process
* Fix warnings
* Send DeviceSelectionNotice on Status channel, when devices blink
Also remove the unnecessary Mutex around the status-sender, since
we have to clone it anyways into Transaction. Then we can just clone
and hand it into each device-thread.
* Trying to add latest features to mac and win
Untested, so compilation might be broken.
netbsd is only partly done and broken anyways at the moment
* Simplify HIDDevice vs. FidoDevice traits
Instead of implementing FidoDevice for each HIDDevice and implementing a bunch
of duplicate functions, that call through to HIDDevice, just extend HIDDevice
with FidoDevice.
This _might_ become a problem once we introduce NFC or such, but it is unclear
at the moment what this is going to look like, anyways.
* Add impl FidoDevice for Windows and Mac
* Reduce number of arguments to new-device callback function
Also move functions needed by statemachine or device_selector into the
HIDDevice trait
* Make tests compile again
* Add authenticatorSelection command (CTAP2.1 only)
* Blink only when at least one token has a PIN (or UV)
With this, we can skip the "blinking"-phase if multiple tokens are there,
because we only need to blink, if at least one of them has a PIN (otherwise
we get a PIN-prompt, even though no token has been selected yet).
For tokens with no PIN (or CTAP1 tokens) we can send the normal request right
away. That will blink anyways.
* Make only tokens with some UV blink
Only let tokens with some UV (e.g. Password) blink, the others
can get the request straight away. This way, they will also blink,
but execute the request right away and cancel all other devices.
Only UV-devices would trigger callbacks, so they have to be sent a
selection-command.
* Make the is_u2f-function part of the HIDDevice trait as every device needs to have that function currently
* Move the TestDevice into its own platform and implement tests for DeviceSelector
Mostly copy&paste, plus minor adjustments to existing tests.
For the DeviceSelector-Tests, some extensions to the device have been made
(adding Sender and Receiver, giving it a function for it).
* Some AuthenticatorOptions need a default value according to spec
* Revert f3718a3: Blink for all devices, not just those with PIN
We can't let the non-UV devices continue with the regular request, because in the error-case
we can't differentiate if it is due to a bad request or something the user did (e.g. pull the
token out, or decline the request on the token, etc.).
Some errors should lead to cancelling the request altogether, the other just means "not with
this device". With our own Blink-command, we know that it works in principle. If there is an
error then it must be because of user-actions and should lead to skipping that device.
* Add status callbacks to C-API (for ctap2)
* Don't just borrow the status result, but 'forget' it on the Rust side
If we don't do this, the callback-function on C++ side can't keep a
reference to the result, which it needs for later sending a Pin back.
* Add "DeviceSelected" status update plus tests
Also moved the "DeviceUnavailable" to DeviceSelector (and send it upon removal of the token)
* First test of multi-platform CI (excluding crypto)
* Fix builds on Mac and Windows
* Add option for PinError-callback to 'say' the error is not recoverable
We use the property of channel() here, that recv will error out if the Sender is dropped.
So the status-callback can now drop the Sender without replying first, to trigger
the code to error out the 'normal' way.
This helps us to show a popup-dialog, but also cancel the current transaction cleanly.
For this, NSS-errors needed to be made cloneable, so we replaced them with their String-representation.
* Fix typo
* Implement serializing of crypto backend errors
* Add 2 more CI pipelines for building with all crypto-backends on Linux
* Change status update C-API to combined buffer+length-interface
* Revert "Change status update C-API to combined buffer+length-interface"
This reverts commit b4342e90b6.
Co-authored-by: Martin Sirringhaus <>
* First test without actions-rs and manual install
* Fix typo for windows
* Condense CI script using build matrix
Co-authored-by: Martin Sirringhaus <>
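
The "drop the Sender without replying" technique described in the PinError-callback commit above, as an added Rust example that is not code from the repository. The `StatusUpdate`, `Outcome`, `ask_for_pin` and `run` definitions and the sample PIN are assumptions made for illustration.

```rust
use std::sync::mpsc::{channel, Sender};
use std::thread;

// Hypothetical types for illustration; not the crate's real definitions.
#[derive(Debug)]
enum StatusUpdate {
    PinError { retries_left: u8, reply: Sender<String> },
}

#[derive(Debug, PartialEq)]
enum Outcome {
    RetryWith(String),
    Cancelled,
}

// Transaction side: report the PIN error, then block until the callback answers.
// A Sender dropped without a reply makes recv() return Err, which cancels cleanly.
fn ask_for_pin(status: &Sender<StatusUpdate>, retries_left: u8) -> Outcome {
    let (reply, answer) = channel();
    if status.send(StatusUpdate::PinError { retries_left, reply }).is_err() {
        return Outcome::Cancelled; // nobody is listening for status updates
    }
    match answer.recv() {
        Ok(pin) => Outcome::RetryWith(pin),
        Err(_) => Outcome::Cancelled, // Sender dropped: error is not recoverable
    }
}

// Callback side: answer while retries remain, otherwise drop the Sender.
fn run(retries_left: u8) -> Outcome {
    let (status_tx, status_rx) = channel();
    let ui = thread::spawn(move || {
        for update in status_rx {
            let StatusUpdate::PinError { retries_left, reply } = update;
            if retries_left > 0 {
                let _ = reply.send("1234".to_string()); // constructed sample PIN
            } else {
                drop(reply); // no reply: tells the transaction to give up
            }
        }
    });
    let outcome = ask_for_pin(&status_tx, retries_left);
    drop(status_tx); // closes the status channel so the callback thread ends
    ui.join().unwrap();
    outcome
}

fn main() {
    println!("{:?} {:?}", run(3), run(0));
}
```

Because the cancellation travels through the same `recv()` call as a normal answer, the transaction thread cannot stay blocked waiting for a PIN that will never arrive.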