chore(deps): bump libwebauthn to 0.8.0

credentialsd/Cargo.toml

@@ -13,7 +13,7 @@ credentialsd-common = { path = "../credentialsd-common" }
 futures = "0.3.32"
 futures-lite.workspace = true
 libc.workspace = true
-libwebauthn = { version = "0.5.1", features = ["nfc-backend-libnfc", "nfc-backend-pcsc"] }
+libwebauthn = { version = "0.8.0", features = ["nfc-backend-libnfc", "nfc-backend-pcsc"] }
 # 0.6.1 fails to build with non-vendored library.
 # https://github.com/alexrsagen/rs-nfc1/issues/15
 nfc1 = { version = "=0.6.0", default-features = false }

credentialsd/src/credential_service/hybrid.rs

@@ -12,7 +12,7 @@ use libwebauthn::transport::cable::channel::{CableUpdate, CableUxUpdate};
 use libwebauthn::transport::cable::qr_code_device::{
     CableQrCodeDevice, CableTransports, QrCodeOperationHint,
 };
-use libwebauthn::transport::{Channel, Device};
+use libwebauthn::transport::{Channel, ChannelSettings, Device};
 use libwebauthn::webauthn::{Error as WebAuthnError, WebAuthn};
 
 use credentialsd_common::model::Error;
@@ -68,7 +68,7 @@ impl HybridHandler for InternalHybridHandler {
                 return;
             };
             tokio::spawn(async move {
-                let mut channel = match device.channel().await {
+                let mut channel = match device.channel(ChannelSettings::default()).await {
                     Ok(channel) => channel,
                     Err(e) => {
                         tracing::error!("Failed to open hybrid channel: {:?}", e);

credentialsd/src/credential_service/mod.rs

@@ -5,12 +5,13 @@ pub mod usb;
 use std::{
     fmt::Debug,
     pin::Pin,
-    sync::{Arc, Mutex},
+    sync::{Arc, Mutex, OnceLock},
     task::Poll,
 };
 
 use async_trait::async_trait;
 use futures_lite::{FutureExt, Stream, StreamExt};
+use libwebauthn::pin::persistent_token::{MemoryPersistentTokenStore, PersistentTokenStore};
 use libwebauthn::{
     self,
     ops::webauthn::{GetAssertionResponse, MakeCredentialResponse},
@@ -35,6 +36,14 @@ use self::{
 
 pub use usb::UsbState;
 
+/// Process-wide in-memory store so a security key's pinUvAuthToken is reused across ceremonies.
+fn persistent_token_store() -> Arc<dyn PersistentTokenStore> {
+    static STORE: OnceLock<Arc<MemoryPersistentTokenStore>> = OnceLock::new();
+    STORE
+        .get_or_init(|| Arc::new(MemoryPersistentTokenStore::new()))
+        .clone()
+}
+
 #[derive(Debug)]
 struct RequestContext {
     request: CredentialRequest,

credentialsd/src/credential_service/nfc.rs

@@ -6,7 +6,7 @@ use futures_lite::Stream;
 use libwebauthn::{
     ops::webauthn::GetAssertionResponse,
     proto::CtapError,
-    transport::{nfc::device::NfcDevice, Channel, Device},
+    transport::{nfc::device::NfcDevice, Channel, ChannelSettings, Device},
     webauthn::{Error as WebAuthnError, WebAuthn},
     UvUpdate,
 };
@@ -204,7 +204,12 @@ async fn handle_events(
     signal_tx: &Sender<Result<NfcUvMessage, Error>>,
 ) {
     let device_debug = device.to_string();
-    match device.channel().await {
+    match device
+        .channel(ChannelSettings {
+            persistent_token_store: Some(super::persistent_token_store()),
+        })
+        .await
+    {
         Err(err) => {
             tracing::error!("Failed to open channel to NFC authenticator, cannot receive user verification events: {:?}", err);
         }

credentialsd/src/credential_service/usb.rs

@@ -8,7 +8,7 @@ use libwebauthn::{
     proto::CtapError,
     transport::{
         hid::{channel::HidChannelHandle, HidDevice},
-        Channel, Device,
+        Channel, ChannelSettings, Device,
     },
     webauthn::{Error as WebAuthnError, WebAuthn},
     UvUpdate,
@@ -85,7 +85,7 @@ impl InProcessUsbHandler {
             tokio::spawn(async move {
                 let dev = device.clone();
 
-                let res = match device.channel().await {
+                let res = match device.channel(ChannelSettings::default()).await {
                     Ok(ref mut channel) => {
                         let cancel_handle = channel.get_handle();
                         stx.send((idx, dev, cancel_handle)).await.unwrap();
@@ -290,7 +290,12 @@ async fn handle_events(
     signal_tx: &Sender<Result<UsbUvMessage, Error>>,
 ) {
     let device_debug = device.to_string();
-    match device.channel().await {
+    match device
+        .channel(ChannelSettings {
+            persistent_token_store: Some(super::persistent_token_store()),
+        })
+        .await
+    {
         Err(err) => {
             tracing::error!("Failed to open channel to USB authenticator, cannot receive user verification events: {:?}", err);
         }

credentialsd/src/gateway/mod.rs

@@ -97,6 +97,7 @@ impl GatewayService {
             //    - fail if not supported, or if RP ID doesn't match any related origins.
             let make_cred_request =
                 create_credential_request_try_into_ctap2(&request, &request_environment)
+                    .await
                     .inspect_err(|_| {
                         tracing::error!(
                             "Could not parse passkey creation request. Rejecting request."
@@ -162,12 +163,12 @@ impl GatewayService {
             //    - query for related origins, if supported
             //    - fail if not supported, or if RP ID doesn't match any related origins.
             let get_cred_request =
-                get_credential_request_try_into_ctap2(&request, &request_environment).map_err(
-                    |e| {
+                get_credential_request_try_into_ctap2(&request, &request_environment)
+                    .await
+                    .map_err(|e| {
                         tracing::error!("Could not parse passkey assertion request: {e:?}");
                         WebAuthnError::TypeError
-                    },
-                )?;
+                    })?;
             let cred_request =
                 CredentialRequest::GetPublicKeyCredentialRequest(get_cred_request.clone());