fix(ctap2): preserve unknown ctap status codes and add 0x17/0x18

libwebauthn-tests/src/virt/mod.rs

@@ -5,10 +5,8 @@ use std::sync::mpsc::{Receiver, Sender};
 use std::thread;
 use std::thread::JoinHandle;
 
-use libwebauthn::proto::CtapError;
 use libwebauthn::transport::hid::framing::{HidCommand, HidMessage};
 use libwebauthn::transport::hid::{virtual_device, HidDevice, HidPipeBackend};
-use num_enum::TryFromPrimitive;
 
 /// `HidPipeBackend` implementation backed by an in-process trussed-staging
 /// fido-authenticator. Each instance owns a worker thread that owns the
@@ -75,18 +73,14 @@ impl TrussedVirtBackend {
                         }
                         Err(ctaphid::error::Error::CommandError(
                             ctaphid::error::CommandError::CborError(value),
-                        )) => match CtapError::try_from_primitive(value) {
-                            Ok(_) => {
-                                // Known CTAP error code: forward as a successful
-                                // transmission with the status byte as payload.
-                                let mut response = msg.clone();
-                                response.payload = vec![value];
-                                if resp_tx.send(response).is_err() {
-                                    break;
-                                }
+                        )) => {
+                            // Forward the status byte as a successful transmission.
+                            let mut response = msg.clone();
+                            response.payload = vec![value];
+                            if resp_tx.send(response).is_err() {
+                                break;
                             }
-                            Err(_) => panic!("Failed to parse CtapError from {value}"),
-                        },
+                        }
                         Err(err) => panic!("failed to execute CTAP2 command: {err:?}"),
                     }
                 }

libwebauthn-tests/src/virt/pipe.rs

@@ -234,7 +234,7 @@ impl<'a, const N: usize> Pipe<'a, N> {
     }
 
     fn start_sending_error_on_channel(&mut self, channel: u32, error: CtapError) {
-        self.buffer[0] = error as u8;
+        self.buffer[0] = u8::from(error);
         let response = Response::error_on_channel(channel);
         self.start_sending(response);
     }
@@ -243,7 +243,7 @@ impl<'a, const N: usize> Pipe<'a, N> {
         let last_state = core::mem::replace(&mut self.state, State::Idle);
         let last_first_byte = self.buffer[0];
 
-        self.buffer[0] = error as u8;
+        self.buffer[0] = u8::from(error);
         let response = Response::error_from_request(request);
         self.start_sending(response);
         self.maybe_write_packet();

libwebauthn/src/proto/ctap2/cbor/response.rs

@@ -1,8 +1,7 @@
 use crate::proto::error::CtapError;
 
-use std::convert::{TryFrom, TryInto};
+use std::convert::TryFrom;
 use std::io::{Error as IOError, ErrorKind as IOErrorKind};
-use tracing::error;
 
 #[derive(Debug, Clone)]
 pub struct CborResponse {
@@ -32,13 +31,7 @@ impl TryFrom<&Vec<u8>> for CborResponse {
             )
         })?;
 
-        let Ok(status_code) = (*status_byte).try_into() else {
-            error!({ code = ?*status_byte }, "Invalid CTAP error code");
-            return Err(IOError::new(
-                IOErrorKind::InvalidData,
-                format!("Invalid CTAP error code: {:x}", status_byte),
-            ));
-        };
+        let status_code = CtapError::from(*status_byte);
 
         let data = if body.is_empty() {
             None
@@ -48,3 +41,25 @@ impl TryFrom<&Vec<u8>> for CborResponse {
         Ok(CborResponse { status_code, data })
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::CborResponse;
+    use crate::proto::error::CtapError;
+    use std::convert::TryFrom;
+
+    #[test]
+    fn unknown_status_byte_is_preserved() {
+        let response = CborResponse::try_from(&vec![0xDEu8]).expect("must not be a framing error");
+        assert_eq!(response.status_code, CtapError::Unknown(0xDE));
+        assert!(response.data.is_none());
+    }
+
+    #[test]
+    fn unknown_status_byte_keeps_body() {
+        let response =
+            CborResponse::try_from(&vec![0xF5u8, 0xAA, 0xBB]).expect("must not be a framing error");
+        assert_eq!(response.status_code, CtapError::Unknown(0xF5));
+        assert_eq!(response.data.as_deref(), Some(&[0xAA, 0xBB][..]));
+    }
+}