Verify user verification requests

2026-01-31 00:33:33 +00:00 · 2025-12-05 10:25:47 -06:00
parent 2a2f36ed97
commit e69b5cb0af
2 changed files with 20 additions and 4 deletions
--- a/apps/desktop/desktop_native/core/src/autofill/windows.rs
+++ b/apps/desktop/desktop_native/core/src/autofill/windows.rs
@@ -59,7 +59,9 @@ fn handle_user_verification_request(
    request: UserVerificationParameters,
 ) -> Result<UserVerificationResponse> {
    tracing::debug!(?request, "Handling user verification request");
-    let (buf, _) = request.transaction_context[..16].split_at(16);
+    // 0-15 GUID
+    // 16..47 SHA256 hash of Windows operation request
+    let (buf, operation_request_hash) = request.transaction_context[..16].split_at(16);
    let guid_u128 = buf
        .try_into()
        .map_err(|e| anyhow!("Failed to parse transaction ID as u128: {e}"))?;
@@ -81,7 +83,10 @@ fn handle_user_verification_request(
        user_name: request.username,
        display_hint: Some(request.display_hint),
    };
-    let _response = WebAuthnPlugin::perform_user_verification(uv_request)
+    let clsid = Clsid::try_from(PLUGIN_CLSID)
+        .map_err(|err| anyhow!("Failed to parse CLSID from string {PLUGIN_CLSID}: {err}"))?;
+    let plugin = WebAuthnPlugin::new(clsid);
+    let _response = plugin.perform_user_verification(uv_request, operation_request_hash)
        .map_err(|err| anyhow!("User Verification request failed: {err}"))?;
    return Ok(UserVerificationResponse {});
 }
--- a/apps/desktop/desktop_native/win_webauthn/src/plugin/mod.rs
+++ b/apps/desktop/desktop_native/win_webauthn/src/plugin/mod.rs
@@ -149,10 +149,19 @@ impl WebAuthnPlugin {
        }
    }

+    /// Perform user verification related to an associated MakeCredential or GetAssertion request.
+    /// request
    pub fn perform_user_verification(
+        &self,
        request: PluginUserVerificationRequest,
+        operation_request: &[u8],
    ) -> Result<PluginUserVerificationResponse, WinWebAuthnError> {
        tracing::debug!(?request, "Handling user verification request");
+
+        // Get pub key
+        let pub_key = crypto::get_user_verification_public_key(&self.clsid.0)?;
+
+        // Send UV request
        let user_name = request.user_name.to_utf16().to_com_buffer();
        let hint = request.display_hint.map(|d| d.to_utf16().to_com_buffer());
        let uv_request = WEBAUTHN_PLUGIN_USER_VERIFICATION_REQUEST {
@@ -174,11 +183,13 @@ impl WebAuthnPlugin {
                    Vec::new()
                } else {
                    // SAFETY: Windows returned successful response code and length, so we assume that the data is initialized
-                    unsafe {
+                    let signature = unsafe {
                        // SAFETY: Windows only runs on platforms where usize >= u32;
                        let len = response_len as usize;
                        std::slice::from_raw_parts(response_ptr, len).to_vec()
-                    }
+                    };
+                    pub_key.verify_signature(operation_request, &signature)?;
+                    signature
                };
                webauthn_plugin_free_user_verification_response(response_ptr)?;
                Ok(PluginUserVerificationResponse {