feat(pin): add persistent token store trait and HID plumbing (2/5)

libwebauthn-tests/tests/basic_ctap1.rs

@@ -1,7 +1,7 @@
 use std::time::Duration;
 
 use libwebauthn::ops::u2f::{RegisterRequest, SignRequest};
-use libwebauthn::transport::{Channel, Device};
+use libwebauthn::transport::{Channel, ChannelSettings, Device};
 use libwebauthn::u2f::U2F;
 use libwebauthn::UvUpdate;
 use libwebauthn_tests::virt::get_virtual_device;
@@ -21,7 +21,7 @@ async fn test_webauthn_basic_ctap1() {
     let mut device = get_virtual_device();
 
     println!("Selected HID authenticator: {}", &device);
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
     channel.wink(TIMEOUT).await.unwrap();
 
     const APP_ID: &str = "https://foo.example.org";

libwebauthn-tests/tests/basic_ctap2.rs

@@ -2,7 +2,7 @@ use std::time::Duration;
 
 use libwebauthn::ops::webauthn::{GetAssertionRequest, GetAssertionRequestExtensions};
 use libwebauthn::proto::ctap2::Ctap2PublicKeyCredentialDescriptor;
-use libwebauthn::transport::{Channel, Device};
+use libwebauthn::transport::{Channel, ChannelSettings, Device};
 use libwebauthn::webauthn::WebAuthn;
 use libwebauthn::UvUpdate;
 use libwebauthn::{
@@ -33,7 +33,7 @@ async fn test_webauthn_basic_ctap2() {
     let challenge: [u8; 32] = thread_rng().gen();
 
     println!("Selected HID authenticator: {}", &device);
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
     channel.wink(TIMEOUT).await.unwrap();
 
     // Make Credentials ceremony

libwebauthn-tests/tests/pin_protocols.rs

@@ -2,7 +2,7 @@ use std::time::Duration;
 
 use libwebauthn::pin::PinManagement;
 use libwebauthn::proto::ctap2::Ctap2PinUvAuthProtocol;
-use libwebauthn::transport::{Channel, Device};
+use libwebauthn::transport::{Channel, ChannelSettings, Device};
 use libwebauthn::UvUpdate;
 use libwebauthn_tests::virt::get_virtual_device;
 use test_log::test;
@@ -23,7 +23,7 @@ async fn test_webauthn_change_pin_once() {
     let protos = [Ctap2PinUvAuthProtocol::One, Ctap2PinUvAuthProtocol::Two];
     for proto in protos {
         let mut device = get_virtual_device();
-        let mut channel = device.channel().await.unwrap();
+        let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
 
         let mut state_recv = channel.get_ux_update_receiver();
 
@@ -43,7 +43,7 @@ async fn test_webauthn_change_pin_twice() {
     let protos = [Ctap2PinUvAuthProtocol::One, Ctap2PinUvAuthProtocol::Two];
     for proto in protos {
         let mut device = get_virtual_device();
-        let mut channel = device.channel().await.unwrap();
+        let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
 
         let state_recv = channel.get_ux_update_receiver();
         let update_handle = tokio::spawn(handle_updates(state_recv));

libwebauthn-tests/tests/preflight.rs

@@ -11,7 +11,7 @@ use libwebauthn::proto::ctap2::{
 };
 use libwebauthn::proto::CtapError;
 use libwebauthn::transport::hid::channel::HidChannel;
-use libwebauthn::transport::{Channel, Device};
+use libwebauthn::transport::{Channel, ChannelSettings, Device};
 use libwebauthn::webauthn::{Error, WebAuthn};
 use libwebauthn::UvUpdate;
 use libwebauthn_tests::virt::get_virtual_device;
@@ -98,7 +98,7 @@ fn create_credential(id: &[u8]) -> Ctap2PublicKeyCredentialDescriptor {
 async fn preflight_no_exclude_list() {
     // Make credential with exclude_list: None. Should do nothing in preflight and return a credential
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
 
     let user_id: [u8; 32] = thread_rng().gen();
 
@@ -119,7 +119,7 @@ async fn preflight_nonsense_exclude_list() {
     // Make credential with nonsense exclude_list. Should remove everything in preflight and return a credential
 
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
 
     let user_id: [u8; 32] = thread_rng().gen();
 
@@ -147,7 +147,7 @@ async fn preflight_mixed_exclude_list() {
     // Make credential with a mixed exclude_list that contains 2 real ones. Should remove the two fake ones in preflight and return an error
 
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
 
     let user_id: [u8; 32] = thread_rng().gen();
 
@@ -194,7 +194,7 @@ async fn preflight_no_allow_list() {
     // Get assertion with allow_list: None. Should do nothing in preflight and return an error OR credentials, if a discoverable credential for example.org is present on the device
 
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
 
     let user_id: [u8; 32] = thread_rng().gen();
 
@@ -221,7 +221,7 @@ async fn preflight_nonsense_allow_list() {
     // Get assertion with nonsense allow_list. Should remove everything in preflight and return an error, AND run a dummy request to provoke a touch
 
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
 
     let user_id: [u8; 32] = thread_rng().gen();
 
@@ -255,7 +255,7 @@ async fn preflight_with_appid_exclude_finds_legacy_credential() {
     // while passing the legacy rpId as `appid_exclude`. The credential
     // should be detected, matching WebAuthn L3 §10.1.2 semantics.
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
 
     let user_id: [u8; 32] = thread_rng().gen();
     let _state_recv = channel.get_ux_update_receiver();
@@ -305,7 +305,7 @@ async fn preflight_mixed_allow_list() {
     // Get assertion with a mixed allow_list that contains 2 real ones. Should remove the two fake ones in preflight
 
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
 
     let user_id: [u8; 32] = thread_rng().gen();
 

libwebauthn-tests/tests/prf.rs

@@ -8,7 +8,7 @@ use libwebauthn::ops::webauthn::{
 use libwebauthn::pin::PinManagement;
 use libwebauthn::proto::ctap2::{Ctap2PinUvAuthProtocol, Ctap2PublicKeyCredentialDescriptor};
 use libwebauthn::transport::hid::channel::HidChannel;
-use libwebauthn::transport::{Channel, Ctap2AuthTokenStore, Device};
+use libwebauthn::transport::{Channel, ChannelSettings, Ctap2AuthTokenStore, Device};
 use libwebauthn::webauthn::{Error as WebAuthnError, PlatformError, WebAuthn};
 use libwebauthn::UvUpdate;
 use libwebauthn::{
@@ -28,14 +28,14 @@ const TIMEOUT: Duration = Duration::from_secs(10);
 #[test(tokio::test)]
 async fn test_webauthn_prf_no_pin_set() {
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
     run_test_battery(&mut channel, false).await;
 }
 
 #[test(tokio::test)]
 async fn test_webauthn_prf_with_pin_set() {
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
     channel
         .change_pin(String::from("1234"), TIMEOUT)
         .await
@@ -46,7 +46,7 @@ async fn test_webauthn_prf_with_pin_set() {
 #[test(tokio::test)]
 async fn test_webauthn_prf_with_pin_set_forced_pin_protocol_one() {
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
     channel.set_forced_pin_protocol(Ctap2PinUvAuthProtocol::One);
     channel
         .change_pin(String::from("1234"), TIMEOUT)
@@ -58,7 +58,7 @@ async fn test_webauthn_prf_with_pin_set_forced_pin_protocol_one() {
 #[test(tokio::test)]
 async fn test_webauthn_prf_with_pin_set_forced_pin_protocol_two() {
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
     channel.set_forced_pin_protocol(Ctap2PinUvAuthProtocol::Two);
     channel
         .change_pin(String::from("1234"), TIMEOUT)
@@ -74,7 +74,7 @@ async fn test_webauthn_prf_with_pin_set_forced_pin_protocol_two() {
 #[test(tokio::test)]
 async fn test_webauthn_prf_eval_at_create_degrades_when_unsupported() {
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
     let state_recv = channel.get_ux_update_receiver();
     // PRF forces UV=required (webauthn#2337); no-PIN device drives PIN setup.
     tokio::spawn(handle_updates(
@@ -659,7 +659,7 @@ async fn run_failed_test(
 #[test(tokio::test)]
 async fn test_webauthn_prf_variable_length_input() {
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
 
     let user_id: [u8; 32] = thread_rng().gen();
     let challenge: [u8; 32] = thread_rng().gen();
@@ -810,7 +810,7 @@ fn basic_make_credential_request(
 #[test(tokio::test)]
 async fn test_webauthn_prf_upgrades_uv_at_registration() {
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
     channel.change_pin("1234".into(), TIMEOUT).await.unwrap();
 
     let state_recv = channel.get_ux_update_receiver();
@@ -852,7 +852,7 @@ async fn test_webauthn_prf_upgrades_uv_at_registration() {
 #[test(tokio::test)]
 async fn test_webauthn_no_prf_no_upgrade() {
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
     channel.change_pin("1234".into(), TIMEOUT).await.unwrap();
 
     let state_recv = channel.get_ux_update_receiver();
@@ -886,7 +886,7 @@ async fn test_webauthn_no_prf_no_upgrade() {
 #[test(tokio::test)]
 async fn test_webauthn_prf_upgrades_uv_at_assertion() {
     let mut device = get_virtual_device();
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
     channel.change_pin("1234".into(), TIMEOUT).await.unwrap();
 
     let user_id: [u8; 32] = thread_rng().gen();

libwebauthn/Cargo.toml

@@ -87,6 +87,7 @@ aes = "0.8.2"
 hmac = "0.12.1"
 cbc = { version = "0.1", features = ["alloc"] }
 hkdf = "0.12"
+zeroize = { version = "1.8", features = ["derive"] }
 text_io = "0.1"
 tungstenite = { version = "0.26.2" }
 tokio-tungstenite = { version = "0.26", features = [

libwebauthn/examples/ceremony/u2f_ble.rs

@@ -3,7 +3,7 @@ use std::time::Duration;
 
 use libwebauthn::ops::u2f::{RegisterRequest, SignRequest};
 use libwebauthn::transport::ble::list_devices;
-use libwebauthn::transport::{Channel as _, Device};
+use libwebauthn::transport::{Channel as _, ChannelSettings, Device};
 use libwebauthn::u2f::U2F;
 
 #[path = "../common/mod.rs"]
@@ -19,7 +19,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     println!("Found {} devices.", devices.len());
 
     for mut device in devices {
-        let mut channel = device.channel().await?;
+        let mut channel = device.channel(ChannelSettings::default()).await?;
 
         const APP_ID: &str = "https://foo.example.org";
         let challenge: &[u8] =

libwebauthn/examples/ceremony/u2f_hid.rs

@@ -3,7 +3,7 @@ use std::time::Duration;
 
 use libwebauthn::ops::u2f::{RegisterRequest, SignRequest};
 use libwebauthn::transport::hid::list_devices;
-use libwebauthn::transport::{Channel as _, Device};
+use libwebauthn::transport::{Channel as _, ChannelSettings, Device};
 use libwebauthn::u2f::U2F;
 
 #[path = "../common/mod.rs"]
@@ -20,7 +20,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
 
     for mut device in devices {
         println!("Winking device: {}", device);
-        let mut channel = device.channel().await?;
+        let mut channel = device.channel(ChannelSettings::default()).await?;
         channel.wink(TIMEOUT).await?;
 
         const APP_ID: &str = "https://foo.example.org";

libwebauthn/examples/ceremony/u2f_nfc.rs

@@ -3,7 +3,7 @@ use std::time::Duration;
 
 use libwebauthn::ops::u2f::{RegisterRequest, SignRequest};
 use libwebauthn::transport::nfc::{get_nfc_device, is_nfc_available};
-use libwebauthn::transport::{Channel as _, Device};
+use libwebauthn::transport::{Channel as _, ChannelSettings, Device};
 use libwebauthn::u2f::U2F;
 
 #[path = "../common/mod.rs"]
@@ -24,7 +24,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
 
     if let Some(mut device) = device {
         println!("Selected NFC authenticator: {}", &device);
-        let mut channel = device.channel().await?;
+        let mut channel = device.channel(ChannelSettings::default()).await?;
 
         const APP_ID: &str = "https://foo.example.org";
         let challenge: &[u8] =

libwebauthn/examples/ceremony/webauthn_ble.rs

@@ -6,7 +6,7 @@ use libwebauthn::ops::webauthn::{
 };
 use libwebauthn::proto::ctap2::Ctap2PublicKeyCredentialDescriptor;
 use libwebauthn::transport::ble::list_devices;
-use libwebauthn::transport::{Channel as _, Device};
+use libwebauthn::transport::{Channel as _, ChannelSettings, Device};
 use libwebauthn::webauthn::WebAuthn;
 
 #[path = "../common/mod.rs"]
@@ -21,7 +21,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
 
     for mut device in devices {
         println!("Selected BLE authenticator: {}", &device);
-        let mut channel = device.channel().await?;
+        let mut channel = device.channel(ChannelSettings::default()).await?;
 
         let request_origin: RequestOrigin =
             "https://example.org".try_into().expect("Invalid origin");

libwebauthn/examples/ceremony/webauthn_cable.rs

@@ -14,7 +14,7 @@ use libwebauthn::ops::webauthn::{
     DatFilePublicSuffixList, JsonFormat, MakeCredentialRequest, OriginValidation, RelatedOrigins,
     RequestOrigin, RequestSettings, WebAuthnIDLResponse as _,
 };
-use libwebauthn::transport::{Channel as _, Device};
+use libwebauthn::transport::{Channel as _, ChannelSettings, Device};
 use libwebauthn::webauthn::WebAuthn;
 
 #[path = "../common/mod.rs"]
@@ -79,7 +79,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         .build();
     println!("{}", image);
 
-    let mut channel = device.channel().await.unwrap();
+    let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
     println!("Channel established {:?}", channel);
 
     let state_recv = channel.get_ux_update_receiver();

libwebauthn/examples/ceremony/webauthn_cable_wss.rs

@@ -18,7 +18,7 @@ use libwebauthn::ops::webauthn::{
     RequestOrigin, RequestSettings, SystemPublicSuffixList, WebAuthnIDLResponse as _,
 };
 use libwebauthn::transport::cable::channel::CableChannel;
-use libwebauthn::transport::{Channel as _, Device};
+use libwebauthn::transport::{Channel as _, ChannelSettings, Device};
 use libwebauthn::webauthn::WebAuthn;
 
 #[path = "../common/mod.rs"]
@@ -89,7 +89,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
             .build();
         println!("{}", image);
 
-        let mut channel = device.channel().await.unwrap();
+        let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
         println!("Channel established {:?}", channel);
 
         let state_recv = channel.get_ux_update_receiver();
@@ -131,7 +131,10 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         )
         .await
         .unwrap();
-        let mut channel = known_device.channel().await.unwrap();
+        let mut channel = known_device
+            .channel(ChannelSettings::default())
+            .await
+            .unwrap();
         println!("Channel established {:?}", channel);
         run_get_assertion(&mut channel, &request_origin, &psl).await?;
     } else {
@@ -148,7 +151,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
             .light_color(unicode::Dense1x2::Dark)
             .build();
         println!("{}", image);
-        let mut channel = device.channel().await.unwrap();
+        let mut channel = device.channel(ChannelSettings::default()).await.unwrap();
         println!("Channel established {:?}", channel);
         run_get_assertion(&mut channel, &request_origin, &psl).await?;
     }

libwebauthn/examples/ceremony/webauthn_hid.rs

@@ -7,7 +7,7 @@ use libwebauthn::ops::webauthn::{
 };
 use libwebauthn::proto::ctap2::Ctap2PublicKeyCredentialDescriptor;
 use libwebauthn::transport::hid::list_devices;
-use libwebauthn::transport::{Channel as _, Device};
+use libwebauthn::transport::{Channel as _, ChannelSettings, Device};
 use libwebauthn::webauthn::WebAuthn;
 
 #[path = "../common/mod.rs"]
@@ -24,7 +24,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
 
     for mut device in devices {
         println!("Selected HID authenticator: {}", &device);
-        let mut channel = device.channel().await?;
+        let mut channel = device.channel(ChannelSettings::default()).await?;
         channel.wink(TIMEOUT).await?;
 
         let request_origin: RequestOrigin =