Map PRF output from authenticator

1Password · Jul 11, 2024 · 996d176 · 996d176
1 parent cfa6d52
commit 996d176
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 9 deletions.
diff --git a/passkey-client/src/extensions.rs b/passkey-client/src/extensions.rs
@@ -46,6 +46,7 @@ where
         &self,
         request: Option<&AuthenticationExtensionsClientInputs>,
         rk: bool,
+        authenticator_response: Option<make_credential::UnsignedExtensionOutputs>,
     ) -> AuthenticationExtensionsClientOutputs {
         let cred_props = if let Some(true) = request.and_then(|ext| ext.cred_props) {
             Some(CredentialPropertiesOutput {
@@ -56,10 +57,12 @@ where
             None
         };
 
-        AuthenticationExtensionsClientOutputs {
-            cred_props,
-            prf: None,
-        }
+        // Handling the prf extension outputs.
+        let prf = authenticator_response
+            .and_then(|ext_out| ext_out.prf)
+            .map(Into::into);
+
+        AuthenticationExtensionsClientOutputs { cred_props, prf }
     }
 
     /// Create the extension inputs to be passed to an authenticator over CTAP2
@@ -71,4 +74,23 @@ where
     ) -> Result<Option<get_assertion::ExtensionInputs>, WebauthnError> {
         prf::auth_prf_to_ctap2_input(request, supported_extensions)
     }
+
+    /// Build the extension outputs for the WebAuthn client in an authentication request.
+    pub(super) fn auth_extension_outputs(
+        &self,
+        authenticator_response: Option<get_assertion::UnsignedExtensionOutputs>,
+    ) -> AuthenticationExtensionsClientOutputs {
+        // Handling the prf extension output.
+        // NOTE: currently very simple because prf is the only
+        // extension that we support for ctap2. When adding new extensions,
+        // take care to properly unpack all outputs to Options.
+        let prf = authenticator_response
+            .and_then(|ext_out| ext_out.prf)
+            .map(Into::into);
+
+        AuthenticationExtensionsClientOutputs {
+            prf,
+            ..Default::default()
+        }
+    }
 }
diff --git a/passkey-client/src/lib.rs b/passkey-client/src/lib.rs
@@ -23,8 +23,7 @@ use passkey_types::{
     crypto::sha256,
     ctap2, encoding,
     webauthn::{
-        self, AuthenticationExtensionsClientOutputs, AuthenticatorSelectionCriteria,
-        ResidentKeyRequirement, UserVerificationRequirement,
+        self, AuthenticatorSelectionCriteria, ResidentKeyRequirement, UserVerificationRequirement,
     },
     Passkey,
 };
@@ -322,8 +321,11 @@ where
                 .map_err(|e| WebauthnError::AuthenticatorError(e.into()))?,
         );
 
-        let client_extension_results =
-            self.registration_extension_outputs(extension_request.as_ref(), rk);
+        let client_extension_results = self.registration_extension_outputs(
+            extension_request.as_ref(),
+            rk,
+            ctap2_response.unsigned_extension_outputs,
+        );
 
         let response = webauthn::CreatedPublicKeyCredential {
             id: encoding::base64url(credential_id.credential_id()),
@@ -408,6 +410,9 @@ where
             .await
             .map_err(Into::<WebauthnError>::into)?;
 
+        let client_extension_results =
+            self.auth_extension_outputs(ctap2_response.unsigned_extension_outputs);
+
         // SAFETY: This unwrap is safe because ctap2_response was created immedately
         // above and the postcondition of that function is that response.credential
         // will yield a credential. If none was found, we will have already returned
@@ -425,7 +430,7 @@ where
                 attestation_object: None,
             },
             authenticator_attachment: Some(self.authenticator().attachment_type()),
-            client_extension_results: AuthenticationExtensionsClientOutputs::default(),
+            client_extension_results,
         })
     }