From 019a5d1e467be24dfbf8726a640fb9e4fab1f42b Mon Sep 17 00:00:00 2001
From: Robin Krahl
Date: Tue, 21 Nov 2023 12:04:17 +0100
Subject: [PATCH] Add largeBlobKey to stripped credential
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a resident credential is passed in the allowlist, we don’t deserialize the full credential. This means that we previously did not have access to the largeBlobKey in that case. Therefore, this patch adds the largeBlobKey to the StrippedCredential so that we can always access it. The downside is that this inceases the size of the credential ID. So a better alternative would be to load the full credential from the filesystem instead.
---
 src/credential.rs | 4 ++++
 src/ctap1.rs | 1 +
 src/ctap2.rs | 12 ++++++++----
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/credential.rs b/src/credential.rs
index b67ea62..9b17cdd 100644
--- a/src/credential.rs
+++ b/src/credential.rs
@@ -450,6 +450,9 @@ pub struct StrippedCredential {
 pub hmac_secret: Option,
 #[serde(skip_serializing_if = "Option::is_none")]
 pub cred_protect: Option,
+ // TODO: HACK -- remove
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub large_blob_key: Option>,
 }
 impl StrippedCredential {
@@ -484,6 +487,7 @@ impl From<&FullCredential> for StrippedCredential {
 nonce: credential.nonce.clone(),
 hmac_secret: credential.data.hmac_secret,
 cred_protect: credential.data.cred_protect,
+ large_blob_key: credential.data.large_blob_key.clone(),
 }
 }
 }
diff --git a/src/ctap1.rs b/src/ctap1.rs
index f3df339..4e5623e 100644
--- a/src/ctap1.rs
+++ b/src/ctap1.rs
@@ -90,6 +90,7 @@ impl Authenticator for crate::Authenti
 nonce,
 hmac_secret: None,
 cred_protect: None,
+ large_blob_key: None,
 };
 // info!("made credential {:?}", &credential);
diff --git a/src/ctap2.rs b/src/ctap2.rs
index bebfc0f..7713b2d 100644
--- a/src/ctap2.rs
+++ b/src/ctap2.rs
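Review bot: The `// TODO: HACK -- remove` above `large_blob_key` in the StrippedCredential hunk should say what the removal depends on, because once this field is serialized into issued credential IDs it is part of a persisted format: IDs minted before this change carry no such field and presumably deserialize with `None` (serde's usual handling of a missing `Option` field), so getAssertion still cannot return the key for them, and any later removal must keep accepting IDs that do carry it. Suggest `// TODO: carried in the credential ID only because allowList lookups skip the full credential; replace with a filesystem load of the full credential, and keep deserializing this field for IDs already issued`. Since largeBlobKey is secret material the client uses to protect large-blob data, it is also worth confirming that the path turning a StrippedCredential into a credential ID encrypts and authenticates the serialized bytes (not shown in this hunk); otherwise the key would be handed to the relying party in the clear. The `From<&FullCredential>` hunk below populates the same field and needs no further change.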
@@ -1652,7 +1652,7 @@ impl crate::Authenticator {
 // User with empty IDs are ignored for compatibility
 if is_rk {
- if let Credential::Full(credential) = credential {
+ if let Credential::Full(credential) = &credential {
 if !credential.user.id.is_empty() {
 let mut user = credential.user.clone();
 // User identifiable information (name, DisplayName, icon) MUST not
@@ -1665,10 +1665,14 @@ impl crate::Authenticator {
 }
 response.user = Some(user);
 }
+ }
- if large_blob_key_requested {
- response.large_blob_key = credential.large_blob_key.clone();
- }
+ if large_blob_key_requested {
+ debug!("Sending largeBlobKey in getAssertion");
+ response.large_blob_key = match credential {
+ Credential::Stripped(stripped) => stripped.large_blob_key,
+ Credential::Full(full) => full.data.large_blob_key,
+ };
 }
 }
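Review bot: The `Credential::Stripped(stripped) => stripped.large_blob_key` arm in the second hunk still yields `None` for any resident credential whose ID was issued before this field existed, so getAssertion with such an allowList entry keeps omitting largeBlobKey even though the full credential on disk may hold one; the commit message's own alternative, loading the full credential when the stripped form has no key, would close that gap. A guard arm such as `Credential::Stripped(stripped) if stripped.large_blob_key.is_none() => /* load the full credential and read data.large_blob_key */` would cover it, assuming a filesystem load is reachable at this point (not visible in the hunk). The added `debug!` line logs only the event and not the key bytes, which is the right choice; it should stay that way if the message is ever extended. The enclosing function starts and ends outside the hunk.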