Update passkey-rs (#606)

## 🎟️ Tracking

[PM-17241](https://bitwarden.atlassian.net/browse/PM-17241)

## 📔 Objective

This updates the SDK to point to a new version of our passkey-rs fork
that has been synced with upstream. (The remaining differences between
upstream and our fork are documented in the README of our fork.)

If approved, we should update `passkey-rs`'s `main` branch to point to
the version referenced in this PR
(bitwarden/passkey-rs@2e5c0ba).

## 🚨 Breaking Changes

- `is_user_verification_enabled()` is no longer asynchronous. Clients
should implement any dynamic checks for UV availability in the
`check_user()` implementation.
- `user_handle has been added to the `find_credential()` method as an
optional parameter. If the incoming request contains the user handle,
then clients should pass it on. Otherwise, pass a `null` value, and the
previous behavior.

iOS PR: bitwarden/ios#2190

[PM-17241]:
https://bitwarden.atlassian.net/browse/PM-17241?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

Author: iinuwa

Cargo.lock

@@ -10,7 +10,7 @@ version = "2.0.0"
 authors = ["Bitwarden Inc"]
 edition = "2024"
 # Important: Changing rust-version should be considered a breaking change
-rust-version = "1.85"
+rust-version = "1.85.1"
 homepage = "https://bitwarden.com"
 repository = "https://github.com/bitwarden/sdk-internal"
 license-file = "LICENSE"

Cargo.toml

@@ -27,8 +27,8 @@ chrono = { workspace = true }
 coset = ">=0.3.7, <0.4"
 itertools = ">=0.13.0, <0.15"
 p256 = ">=0.13.2, <0.14"
-passkey = { git = "https://github.com/bitwarden/passkey-rs", rev = "3b764633ebc6576c07bdd12ee14d8e5c87b494ed" }
-passkey-client = { git = "https://github.com/bitwarden/passkey-rs", rev = "3b764633ebc6576c07bdd12ee14d8e5c87b494ed", features = [
+passkey = { git = "https://github.com/bitwarden/passkey-rs", rev = "357cc9672340f6ff1f22a0b210a74de64799fa73" }
+passkey-client = { git = "https://github.com/bitwarden/passkey-rs", rev = "357cc9672340f6ff1f22a0b210a74de64799fa73", features = [
     "android-asset-validation",
 ] }
 reqwest = { workspace = true }

crates/bitwarden-fido/Cargo.toml

@@ -5,7 +5,7 @@ use bitwarden_crypto::CryptoError;
 use bitwarden_vault::{CipherError, CipherView, EncryptionContext};
 use itertools::Itertools;
 use passkey::{
-    authenticator::{Authenticator, DiscoverabilitySupport, StoreInfo, UIHint, UserCheck},
+    authenticator::{Authenticator, DiscoverabilitySupport, StoreInfo, UiHint, UserCheck},
     types::{
         Passkey,
         ctap2::{self, Ctap2Error, StatusCode, VendorError},
@@ -163,7 +163,7 @@ impl<'a> Fido2Authenticator<'a> {
                 options: passkey::types::ctap2::make_credential::Options {
                     rk: request.options.rk,
                     up: true,
-                    uv: self.convert_requested_uv(request.options.uv).await,
+                    uv: self.convert_requested_uv(request.options.uv),
                 },
                 pin_auth: None,
                 pin_protocol: None,
@@ -175,7 +175,7 @@ impl<'a> Fido2Authenticator<'a> {
             Err(e) => return Err(MakeCredentialError::Other(format!("{e:?}"))),
         };
 
-        let attestation_object = response.as_bytes().to_vec();
+        let attestation_object = response.as_webauthn_bytes().to_vec();
         let authenticator_data = response.auth_data.to_vec();
         let attested_credential_data = response
             .auth_data
@@ -222,7 +222,7 @@ impl<'a> Fido2Authenticator<'a> {
                 options: passkey::types::ctap2::make_credential::Options {
                     rk: request.options.rk,
                     up: true,
-                    uv: self.convert_requested_uv(request.options.uv).await,
+                    uv: self.convert_requested_uv(request.options.uv),
                 },
                 pin_auth: None,
                 pin_protocol: None,
@@ -255,9 +255,13 @@ impl<'a> Fido2Authenticator<'a> {
     pub async fn silently_discover_credentials(
         &mut self,
         rp_id: String,
+        user_handle: Option<Vec<u8>>,
     ) -> Result<Vec<Fido2CredentialAutofillView>, SilentlyDiscoverCredentialsError> {
         let key_store = self.client.internal.get_key_store();
-        let result = self.credential_store.find_credentials(None, rp_id).await?;
+        let result = self
+            .credential_store
+            .find_credentials(None, rp_id, user_handle)
+            .await?;
 
         let mut ctx = key_store.context();
         result
@@ -305,8 +309,8 @@ impl<'a> Fido2Authenticator<'a> {
         )
     }
 
-    async fn convert_requested_uv(&self, uv: UV) -> bool {
-        let verification_enabled = self.user_interface.is_verification_enabled().await;
+    fn convert_requested_uv(&self, uv: UV) -> bool {
+        let verification_enabled = self.user_interface.is_verification_enabled();
         match (uv, verification_enabled) {
             (UV::Preferred, true) => true,
             (UV::Preferred, false) => false,
@@ -353,6 +357,7 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
         &self,
         ids: Option<&[passkey::types::webauthn::PublicKeyCredentialDescriptor]>,
         rp_id: &str,
+        user_handle: Option<&[u8]>,
     ) -> Result<Vec<Self::PasskeyItem>, StatusCode> {
         #[derive(Debug, Error)]
         enum InnerError {
@@ -369,14 +374,15 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
             this: &CredentialStoreImpl<'_>,
             ids: Option<&[passkey::types::webauthn::PublicKeyCredentialDescriptor]>,
             rp_id: &str,
+            user_handle: Option<&[u8]>,
         ) -> Result<Vec<CipherViewContainer>, InnerError> {
             let ids: Option<Vec<Vec<u8>>> =
                 ids.map(|ids| ids.iter().map(|id| id.id.clone().into()).collect());
 
             let ciphers = this
                 .authenticator
                 .credential_store
-                .find_credentials(ids, rp_id.to_string())
+                .find_credentials(ids, rp_id.to_string(), user_handle.map(|h| h.to_vec()))
                 .await?;
 
             // Remove any that don't have Fido2 credentials
@@ -419,7 +425,7 @@ impl passkey::authenticator::CredentialStore for CredentialStoreImpl<'_> {
             }
         }
 
-        inner(self, ids, rp_id).await.map_err(|error| {
+        inner(self, ids, rp_id, user_handle).await.map_err(|error| {
             error!(%error, "Error finding credentials.");
             VendorError::try_from(0xF0)
                 .expect("Valid vendor error code")
@@ -600,7 +606,7 @@ impl passkey::authenticator::UserValidationMethod for UserValidationMethodImpl<'
 
     async fn check_user<'a>(
         &self,
-        hint: UIHint<'a, Self::PasskeyItem>,
+        hint: UiHint<'a, Self::PasskeyItem>,
         presence: bool,
         _verification: bool,
     ) -> Result<UserCheck, Ctap2Error> {
@@ -617,7 +623,7 @@ impl passkey::authenticator::UserValidationMethod for UserValidationMethodImpl<'
         };
 
         let result = match hint {
-            UIHint::RequestNewCredential(user, rp) => {
+            UiHint::RequestNewCredential(user, rp) => {
                 let new_credential = try_from_credential_new_view(user, rp)
                     .map_err(|_| Ctap2Error::InvalidCredential)?;
 
@@ -655,22 +661,17 @@ impl passkey::authenticator::UserValidationMethod for UserValidationMethodImpl<'
         })
     }
 
-    async fn is_presence_enabled(&self) -> bool {
+    fn is_presence_enabled(&self) -> bool {
         true
     }
 
-    async fn is_verification_enabled(&self) -> Option<bool> {
-        Some(
-            self.authenticator
-                .user_interface
-                .is_verification_enabled()
-                .await,
-        )
+    fn is_verification_enabled(&self) -> Option<bool> {
+        Some(self.authenticator.user_interface.is_verification_enabled())
     }
 }
 
-fn map_ui_hint(hint: UIHint<'_, CipherViewContainer>) -> UIHint<'_, CipherView> {
-    use UIHint::*;
+fn map_ui_hint(hint: UiHint<'_, CipherViewContainer>) -> UiHint<'_, CipherView> {
+    use UiHint::*;
     match hint {
         InformExcludedCredentialFound(c) => InformExcludedCredentialFound(&c.cipher),
         InformNoCredentialsFound => InformNoCredentialsFound,

crates/bitwarden-fido/src/authenticator.rs

@@ -130,10 +130,7 @@ impl Fido2Client<'_> {
                 cred_props: result
                     .client_extension_results
                     .cred_props
-                    .map(|c| CredPropsResult {
-                        rk: c.discoverable,
-                        authenticator_display_name: c.authenticator_display_name,
-                    }),
+                    .map(|c| CredPropsResult { rk: c.discoverable }),
             },
             response: AuthenticatorAssertionResponse {
                 client_data_json: result.response.client_data_json.into(),

crates/bitwarden-fido/src/client.rs

@@ -7,7 +7,7 @@ use bitwarden_vault::{
     CipherError, CipherView, Fido2CredentialFullView, Fido2CredentialNewView, Fido2CredentialView,
 };
 use crypto::{CoseKeyToPkcs8Error, PrivateKeyFromSecretKeyError};
-use passkey::types::{Passkey, ctap2::Aaguid};
+use passkey::types::{CredentialExtensions, Passkey, ctap2::Aaguid};
 
 #[cfg(feature = "uniffi")]
 uniffi::setup_scaffolding!();
@@ -26,7 +26,7 @@ pub use authenticator::{
 };
 pub use client::{Fido2Client, Fido2ClientError};
 pub use client_fido::{ClientFido2, ClientFido2Ext, DecryptFido2AutofillCredentialsError};
-pub use passkey::authenticator::UIHint;
+pub use passkey::authenticator::UiHint;
 use thiserror::Error;
 pub use traits::{
     CheckUserOptions, CheckUserResult, Fido2CallbackError, Fido2CredentialStore,
@@ -126,6 +126,7 @@ fn try_from_credential_full_view(value: Fido2CredentialFullView) -> Result<Passk
         rp_id: value.rp_id.clone(),
         user_handle: user_handle.map(|u| u.into_bytes().into()),
         counter,
+        extensions: CredentialExtensions { hmac_secret: None },
     })
 }
 

crates/bitwarden-fido/src/lib.rs

@@ -1,5 +1,5 @@
 use bitwarden_vault::{CipherListView, CipherView, EncryptionContext, Fido2CredentialNewView};
-use passkey::authenticator::UIHint;
+use passkey::authenticator::UiHint;
 use thiserror::Error;
 
 #[allow(missing_docs)]
@@ -21,7 +21,7 @@ pub trait Fido2UserInterface: Send + Sync {
     async fn check_user<'a>(
         &self,
         options: CheckUserOptions,
-        hint: UIHint<'a, CipherView>,
+        hint: UiHint<'a, CipherView>,
     ) -> Result<CheckUserResult, Fido2CallbackError>;
     async fn pick_credential_for_authentication(
         &self,
@@ -32,7 +32,7 @@ pub trait Fido2UserInterface: Send + Sync {
         options: CheckUserOptions,
         new_credential: Fido2CredentialNewView,
     ) -> Result<(CipherView, CheckUserResult), Fido2CallbackError>;
-    async fn is_verification_enabled(&self) -> bool;
+    fn is_verification_enabled(&self) -> bool;
 }
 
 #[allow(missing_docs)]
@@ -42,6 +42,7 @@ pub trait Fido2CredentialStore: Send + Sync {
         &self,
         ids: Option<Vec<Vec<u8>>>,
         rip_id: String,
+        user_handle: Option<Vec<u8>>,
     ) -> Result<Vec<CipherView>, Fido2CallbackError>;
 
     async fn all_credentials(&self) -> Result<Vec<CipherListView>, Fido2CallbackError>;