Implement webauthn-extensions.

webext/add-on/background.js

@@ -78,6 +78,39 @@ function serializeRequest(options) {
       cred.id = serializeBytes(cred.id);
     }
   }
+  if (clone.publicKey.extensions && clone.publicKey.extensions.prf) {
+    if (clone.publicKey.extensions.prf.eval) {
+      clone.publicKey.extensions.prf.eval.first = serializeBytes(clone.publicKey.extensions.prf.eval.first);
+      if (clone.publicKey.extensions.prf.eval.second) {
+        clone.publicKey.extensions.prf.eval.second = serializeBytes(clone.publicKey.extensions.prf.eval.second);
+      }
+    }
+    if (clone.publicKey.extensions.prf.evalByCredential) {
+      const evalByCredential = clone.publicKey.extensions.prf.evalByCredential;
+
+      // Iterate over all credentialIDs, serialize the first/second bytebuffer and replace the original evalByCredential map
+      const result = {};
+      for (const credId in evalByCredentialData) {
+        const prfValue = evalByCredentialData[credId];
+
+        if (prfValue && prfValue.first) {
+          const newPrfValue = {
+              first: serializeBytes(prfValue.first)
+          };
+
+          if (prfValue.second) {
+              newPrfValue.second = serializeBytes(prfValue.second);
+          }
+          result[credId] = newPrfValue;
+        };
+      }
+      clone.publicKey.extensions.prf.evalByCredential = result;
+    }
+
+    if (clone.publicKey.extensions && clone.publicKey.extensions.credBlob) {
+      clone.publicKey.extensions.credBlob = serializeBytes(clone.publicKey.extensions.credBlob);
+    }
+  }
   return clone
 }
 

webext/add-on/content.js

@@ -29,6 +29,7 @@ function endRequest(requestId, data, error) {
         request.resolve(data)
     }
 }
+
 async function cloneCredentialResponse(credential) {
     try {
         const options = { alphabet: "base64url" }
@@ -82,13 +83,44 @@ async function cloneCredentialResponse(credential) {
         else {
             throw cloneInto(new Error("Unknown credential response type received"), window)
         }
+
+        // Unlike CreatePublicKey, for GetPublicKey, we have a lot of Byte arrays,
+        // so we need a lot of deconstructions. So no: obj.clientExtensionResults = cloneInto(credential.clientExtensionResults, obj);
+        const extensions = {}
+        if (credential.clientExtensionResults) {
+            if (credential.clientExtensionResults.hmac_get_secret) {
+                extensions.hmac_get_secret = {}
+                extensions.hmac_get_secret.output1 = Uint8Array.fromBase64(credential.clientExtensionResults.hmac_get_secret.output1, options);
+                if (credential.clientExtensionResults.hmac_get_secret.output2) {
+                    extensions.hmac_get_secret.output2 = Uint8Array.fromBase64(credential.clientExtensionResults.hmac_get_secret.output2, options);
+                }
+            }
+
+            if (credential.clientExtensionResults.prf) {
+                extensions.prf = {}
+                if (credential.clientExtensionResults.prf.results) {
+                    extensions.prf.results = {}
+                    extensions.prf.results.first = Uint8Array.fromBase64(credential.clientExtensionResults.prf.results.first, options);
+                    if (credential.clientExtensionResults.prf.results.second) {
+                        extensions.prf.results.second = Uint8Array.fromBase64(credential.clientExtensionResults.prf.results.second, options);
+                    }
+                }
+            }
+
+            if (credential.clientExtensionResults.large_blob) {
+                extensions.large_blob = {}
+                if (credential.clientExtensionResults.large_blob.blob) {
+                    extensions.large_blob.blob = Uint8Array.fromBase64(credential.clientExtensionResults.large_blob.blob, options);
+                }
+            }
+        }
         obj.response = cloneInto(response, obj, { cloneFunctions: true })
-        obj.clientExtensionResults = new window.Object();
+        obj.clientExtensionResults = extensions;
         obj.getClientExtensionResults = function() {
-            // TODO
-            return this.clientExtensionResults
+            return this.clientExtensionResults;
         }
         obj.type = "public-key"
+
         obj.toJSON = function() {
             json = new window.Object();
             json.id = this.id
@@ -115,8 +147,8 @@ async function cloneCredentialResponse(credential) {
                 throw cloneInto(new Error("Unknown credential type received"), window)
             }
 
-            json.authenticatorAttachment = this.authenticatorAttachment
-            json.clientExtensionResults = this.clientExtensionResults
+            json.authenticatorAttachment = this.authenticatorAttachment;
+            json.clientExtensionResults = this.clientExtensionResults;
             json.type = this.type
             return json
         }

webext/add-on/manifest.json

@@ -1,5 +1,4 @@
 {
-
   "description": "Linux WebAuthn Desktop Portal Shim",
   "manifest_version": 3,
   "name": "WebAuthn Portal",
@@ -20,7 +19,7 @@
   },
   "content_scripts": [
     {
-        "matches": ["https://webauthn.io/*"],
+        "matches": ["https://webauthn.io/*", "https://demo.yubico.com/*"],
         "js": ["content.js"],
         "run_at": "document_start"
     }
@@ -31,5 +30,4 @@
   },
 
   "permissions": ["nativeMessaging"]
-
 }

xyz-iinuwa-credential-manager-portal-gtk/Cargo.toml

@@ -16,10 +16,11 @@ openssl = "0.10.72"
 ring = "0.17.14"
 serde = { version = "1.0.219", features = ["derive"] }
 serde_json = "1.0.140"
+# serde_cbor = "0.11.1"
 tracing = "0.1.41"
 tracing-subscriber = "0.3"
 zbus = "5.5.0"
-libwebauthn = { git = "https://github.com/linux-credentials/libwebauthn", rev = "24eb47113e2282ff31c53de3029928e914349559" }
+libwebauthn = { git = "https://github.com/linux-credentials/libwebauthn", rev = "dc23daed528f512f2bcb61fce9eb6b8ee74066e2" }
 async-trait = "0.1.88"
 tokio = { version = "1", features = ["rt-multi-thread"] }