Add USB external authenticator support for Linux

.github/workflows/ci.yml

@@ -19,7 +19,7 @@ jobs:
     strategy:
       matrix:
         rust:
-          - 1.85.1
+          - 1.87.0
     steps:
       - name: Check out repo
         uses: actions/checkout@v4
@@ -33,6 +33,9 @@ jobs:
           toolchain: ${{ matrix.rust }}
           components: clippy
 
+      - name: Install libudev
+        run: sudo apt-get update && sudo apt-get install -y libudev-dev
+
       - name: Run Clippy
         run: rustup run ${{ matrix.rust }} cargo clippy --all --all-targets --all-features -- -D warnings
 
@@ -44,7 +47,7 @@ jobs:
     strategy:
       matrix:
         rust:
-          - 1.85.1
+          - 1.87.0
     steps:
       - name: Check out repo
         uses: actions/checkout@v4
@@ -82,7 +85,7 @@ jobs:
     strategy:
       matrix:
         rust:
-          - 1.85.1
+          - 1.87.0
     steps:
       - name: Check out repo
         uses: actions/checkout@v4
@@ -106,7 +109,7 @@ jobs:
     strategy:
       matrix:
         rust:
-          - 1.85.1
+          - 1.87.0
     steps:
       - name: Check out repo
         uses: actions/checkout@v4
@@ -119,6 +122,9 @@ jobs:
           profile: minimal
           toolchain: ${{ matrix.rust }}
 
+      - name: Install libudev
+        run: sudo apt-get update && sudo apt-get install -y libudev-dev
+
       - name: Run tests
         run: rustup run ${{ matrix.rust }} cargo test
 
@@ -130,7 +136,7 @@ jobs:
     strategy:
       matrix:
         rust:
-          - 1.85.1
+          - 1.87.0
         lang:
           - typescript
           - kotlin

Cargo.toml

@@ -16,7 +16,7 @@ edition = "2024"
 keywords = ["ctap", "fido2", "passkey", "passwordless", "webauthn"]
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/1Password/passkey-rs"
-rust-version = "1.85.1"
+rust-version = "1.87.0"
 
 [workspace.dependencies]
 coset = ">=0.3.8, <=0.4"

passkey-authenticator/Cargo.toml

@@ -19,22 +19,30 @@ workspace = true
 default = []
 testable = ["dep:mockall", "passkey-types/testable"]
 tokio = ["dep:tokio"]
+linux = ["dep:ciborium", "dep:tokio", "passkey-transports/linux"]
 
 [dependencies]
 async-trait = "0.1"
+ciborium = { version = "0.2", optional = true }
 coset = { workspace = true }
 log = "0.4"
 mockall = { version = "0.11", optional = true }
 p256 = { version = "0.13", features = ["arithmetic", "jwk", "pem"] }
+passkey-transports = { path = "../passkey-transports", version = "0.1" }
 passkey-types = { path = "../passkey-types", version = "0.5" }
 rand = "0.8"
 tokio = { version = "1", features = ["sync"], optional = true }
 
 [dev-dependencies]
+authenticator = { version = "0.4", default-features = false, features = [
+  "crypto_dummy",
+] }
+ciborium = "0.2"
 generic-array = { version = "=0.14.7", default-features = false }
 mockall = { version = "0.11" }
 passkey-types = { path = "../passkey-types", version = "0.5", features = [
   "testable",
 ] }
+serde_cbor = "0.11"
 signature = { version = "2", features = ["rand_core"] }
 tokio = { version = "1", features = ["macros", "rt", "sync"] }

passkey-authenticator/src/authenticator.rs

@@ -66,6 +66,31 @@ impl From<CredentialIdLength> for usize {
     }
 }
 
+trait ValidationOptions {
+    fn uv(&self) -> bool;
+    fn up(&self) -> bool;
+}
+
+impl ValidationOptions for passkey_types::ctap2::make_credential::Options {
+    fn uv(&self) -> bool {
+        self.uv
+    }
+
+    fn up(&self) -> bool {
+        self.up
+    }
+}
+
+impl ValidationOptions for passkey_types::ctap2::get_assertion::Options {
+    fn uv(&self) -> bool {
+        self.uv
+    }
+
+    fn up(&self) -> bool {
+        self.up
+    }
+}
+
 /// A virtual authenticator with all the necessary state and information.
 pub struct Authenticator<S, U> {
     /// The authenticator's AAGUID
@@ -202,22 +227,22 @@ where
     async fn check_user(
         &self,
         hint: UiHint<'_, <U as UserValidationMethod>::PasskeyItem>,
-        options: &passkey_types::ctap2::make_credential::Options,
+        options: &impl ValidationOptions,
     ) -> Result<Flags, Ctap2Error> {
-        if options.uv && self.user_validation.is_verification_enabled() != Some(true) {
+        if options.uv() && self.user_validation.is_verification_enabled() != Some(true) {
             return Err(Ctap2Error::UnsupportedOption);
         };
 
         let check_result = self
             .user_validation
-            .check_user(hint, options.up, options.uv)
+            .check_user(hint, options.up(), options.uv())
             .await?;
 
-        if options.up && !check_result.presence {
+        if options.up() && !check_result.presence {
             return Err(Ctap2Error::OperationDenied);
         }
 
-        if options.uv && !check_result.verification {
+        if options.uv() && !check_result.verification {
             return Err(Ctap2Error::OperationDenied);
         }
 

passkey-authenticator/src/authenticator/get_assertion/tests.rs

@@ -38,7 +38,6 @@ fn good_request() -> Request {
         options: Options {
             up: true,
             uv: true,
-            rk: false,
         },
     }
 }

passkey-authenticator/src/credential_store.rs

@@ -5,8 +5,7 @@ use passkey_types::{
     Passkey,
     ctap2::{
         Ctap2Error, StatusCode,
-        get_assertion::Options,
-        make_credential::{PublicKeyCredentialRpEntity, PublicKeyCredentialUserEntity},
+        make_credential::{Options, PublicKeyCredentialRpEntity, PublicKeyCredentialUserEntity},
     },
     webauthn::PublicKeyCredentialDescriptor,
 };

passkey-authenticator/src/ctap2.rs

@@ -15,6 +15,9 @@ mod sealed {
     pub trait Sealed {}
 
     impl<S: CredentialStore, U: UserValidationMethod> Sealed for Authenticator<S, U> {}
+
+    #[cfg(all(feature = "linux", target_os = "linux"))]
+    impl Sealed for crate::linux::LinuxAuthenticator {}
 }
 
 /// Methods defined as being required for a [CTAP 2.0] compliant authenticator to implement.

passkey-authenticator/src/lib.rs

@@ -30,6 +30,9 @@ mod passkey;
 mod u2f;
 mod user_validation;
 
+#[cfg(all(feature = "linux", target_os = "linux"))]
+pub mod linux;
+
 use coset::{
     CoseKey, CoseKeyBuilder,
     iana::{self, Algorithm, EnumI64},