Open
Labels: bug (Something isn't working)
Description
Attempted to repro issue reported by @zR-JB in linux-credentials/credentialsd#6 (comment).
I enabled trace logging for libwebauthn, and it appears the CTAP GetAssertion model includes the PRF extension payload. However, if I decode the serialized CBOR, the PRF input is no longer there:
2026-02-17T20:52:37.630728Z DEBUG webauthn_get_assertion{dev=CableChannel}:user_verification:user_verification_helper:ctap2_get_info: libwebauthn::proto::ctap2::protocol: CTAP2 GetInfo successful
2026-02-17T20:52:37.630735Z TRACE webauthn_get_assertion{dev=CableChannel}:user_verification:user_verification_helper:ctap2_get_info: libwebauthn::proto::ctap2::protocol: ctap_response=Ctap2GetInfoResponse { versions: ["FIDO_2_0", "FIDO_2_1"], extensions: Some(["prf"]), aaguid: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], options: Some({"up": true, "plat": false, "rk": true, "uv": true}), max_msg_size: None, pin_auth_protos: None, max_credential_count: None, max_credential_id_length: None, transports: Some(["internal", "hybrid"]), algorithms: None, max_blob_array: None, force_pin_change: None, min_pin_length: None, firmware_version: None, max_cred_blob_length: None, max_rpids_for_setminpinlength: None, preferred_platform_uv_attempts: None, uv_modality: None, certifications: None, remaining_discoverable_creds: None, vendor_proto_config_cmds: None, attestation_formats: None, uv_count_since_last_pin_entry: None, long_touch_for_reset: None, enc_identifier: None, transports_for_reset: None, pin_complexity_policy: None, pin_complexity_policy_url: None, max_pin_length: None }
2026-02-17T20:52:37.630753Z DEBUG webauthn_get_assertion{dev=CableChannel}:user_verification:user_verification_helper: libwebauthn::webauthn::pin_uv_auth_token: Checking if user verification is required rp_uv_preferred=true dev_uv_protected=true uv=true
2026-02-17T20:52:37.630766Z DEBUG webauthn_get_assertion{dev=CableChannel}:user_verification:user_verification_helper: libwebauthn::proto::ctap2::model::get_info: Deprecated FIDO 2.0 behaviour: populating 'uv' flag
2026-02-17T20:52:37.630775Z DEBUG webauthn_get_assertion{dev=CableChannel}:user_verification:user_verification_helper: libwebauthn::webauthn::pin_uv_auth_token: No client operation. Setting deprecated request options.uv flag to true.
2026-02-17T20:52:37.630801Z TRACE webauthn_get_assertion{dev=CableChannel}:ctap2_get_assertion: libwebauthn::proto::ctap2::protocol: request=Ctap2GetAssertionRequest { relying_party_id: "securitykeys.info", client_data_hash: [218, 10, 63, 182, 104, 92, 51, 233, 2, 164, 51, 108, 68, 47, 48, 94, 16, 254, 41, 140, 38, 177, 221, 162, 251, 109, 92, 166, 234, 1, 174, 213], allow: [], extensions: Some(Ctap2GetAssertionRequestExtensions { cred_blob: None, hmac_secret: None, large_blob_key: None, hmac_or_prf: Prf { eval: Some(PRFValue { first: [4, 3, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], second: Some([1, 2, 3, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]) }), eval_by_credential: {} } }), options: Some(Ctap2GetAssertionOptions { require_user_presence: true, require_user_verification: true }), pin_auth_param: None, pin_auth_proto: None }
2026-02-17T20:52:37.630846Z DEBUG libwebauthn::transport::cable::tunnel: Sending CBOR request request.command=AuthenticatorGetAssertion
2026-02-17T20:52:37.630852Z DEBUG libwebauthn::transport::cable::tunnel: Sending CBOR request
2026-02-17T20:52:37.630855Z TRACE libwebauthn::transport::cable::tunnel: request=CborRequest { command: AuthenticatorGetAssertion, encoded_data: [163, 1, 113, 115, 101, 99, 117, 114, 105, 116, 121, 107, 101, 121, 115, 46, 105, 110, 102, 111, 2, 88, 32, 218, 10, 63, 182, 104, 92, 51, 233, 2, 164, 51, 108, 68, 47, 48, 94, 16, 254, 41, 140, 38, 177, 221, 162, 251, 109, 92, 166, 234, 1, 174, 213, 5, 162, 98, 117, 112, 245, 98, 117, 118, 245] }
2026-02-17T20:52:37.630868Z TRACE libwebauthn::transport::cable::tunnel: cbor_request=[2, 163, 1, 113, 115, 101, 99, 117, 114, 105, 116, 121, 107, 101, 121, 115, 46, 105, 110, 102, 111, 2, 88, 32, 218, 10, 63, 182, 104, 92, 51, 233, 2, 164, 51, 108, 68, 47, 48, 94, 16, 254, 41, 140, 38, 177, 221, 162, 251, 109, 92, 166, 234, 1, 174, 213, 5, 162, 98, 117, 112, 245, 98, 117, 118, 245] cbor_request_len=66
2026-02-17T20:52:37.630879Z TRACE libwebauthn::transport::cable::tunnel: frame_serialized=[1, 2, 163, 1, 113, 115, 101, 99, 117, 114, 105, 116, 121, 107, 101, 121, 115, 46, 105, 110, 102, 111, 2, 88, 32, 218, 10, 63, 182, 104, 92, 51, 233, 2, 164, 51, 108, 68, 47, 48, 94, 16, 254, 41, 140, 38, 177, 221, 162, 251, 109, 92, 166, 234, 1, 174, 213, 5, 162, 98, 117, 112, 245, 98, 117, 118, 245, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 29]
2026-02-17T20:52:37.630936Z DEBUG libwebauthn::transport::cable::tunnel: Sending encrypted frame
2026-02-17T20:52:37.630940Z TRACE libwebauthn::transport::cable::tunnel: encrypted_frame=[118, 2, 136, 189, 131, 65, 65, 2, 99, 79, 39, 35, 210, 91, 9, 192, 26, 172, 79, 229, 78, 217, 151, 171, 245, 138, 150, 226, 251, 52, 21, 89, 9, 74, 15, 19, 13, 255, 180, 68, 101, 44, 135, 99, 130, 71, 148, 186, 30, 60, 198, 195, 34, 153, 59, 28, 138, 159, 222, 76, 149, 13, 248, 132, 105, 166, 194, 179, 138, 174, 116, 226, 138, 159, 129, 83, 37, 111, 248, 95, 36, 0, 194, 100, 29, 127, 210, 200, 208, 135, 122, 229, 18, 173, 110, 59, 11, 241, 150, 185, 147, 85, 76, 224, 29, 33, 13, 9, 168, 39, 224, 196, 165]
2026-02-17T20:52:40.399196Z DEBUG libwebauthn::transport::cable::tunnel: Received WSS message
2026-02-17T20:52:40.399229Z TRACE libwebauthn::transport::cable::tunnel: Binary(b"9\x8d6\xcc\xc3@\x8b\x8d\x83V$\x03J\xc5\xfe\xbd\x90\x90\xa2\x86\xa2D\xe7\x8f\x03\xc9\xc2F\xda\x10\xda{f\x82b\x10\xce\xb5w(\xf0\xe2H\xa9\x82\xac\xe5\xbar\x8f;d\xaf\x13\xd3g\xcea6\x0b9\x9c\x06I\xc1\xcft\xc3\x1d\xf0\xeb\xe2\xe4\xcd\xe19\n\xdc\xeb\xec\xcaF-}[5\xc3\xebmU\x95!\xc7\xdf\xf5\xa3\x15\xc5Y\x8aR/\r5%\xc2Q\xec\x1cP;\xf4\xc8l\x1f\x19R\x8cC\xe4B>Ys\xfa\x178\xa1:\xc6\xe5\x97\xf0\x0e}\x01/\x8c\x87\xd2\xaf\xcek<3,\x97\xc1\xb3\xaa\xcb\xe75\x83g2\x0f\x81<A\x1a\xc7X\xee\x9d\xe5\xdc?\x90\xc2loP\x1e\xdf\xa9m\xe8\xbf\xa6\x0cw\x7f \x17z\x19\xcf\xd0\xa1\xcd\xe2\xd9:\x96\xff\xaep\xde\xf3\xbc\xab\x9c\xed\x1d\x02o\xae")
2026-02-17T20:52:40.399250Z DEBUG libwebauthn::transport::cable::tunnel: Received encrypted CBOR response frame_len=208
2026-02-17T20:52:40.399255Z TRACE libwebauthn::transport::cable::tunnel: encrypted_frame=[57, 141, 54, 204, 195, 64, 139, 141, 131, 86, 36, 3, 74, 197, 254, 189, 144, 144, 162, 134, 162, 68, 231, 143, 3, 201, 194, 70, 218, 16, 218, 123, 102, 130, 98, 16, 206, 181, 119, 40, 240, 226, 72, 169, 130, 172, 229, 186, 114, 143, 59, 100, 175, 19, 211, 103, 206, 97, 54, 11, 57, 156, 6, 73, 193, 207, 116, 195, 29, 240, 235, 226, 228, 205, 225, 57, 10, 220, 235, 236, 202, 70, 45, 125, 91, 53, 195, 235, 109, 85, 149, 33, 199, 223, 245, 163, 21, 197, 89, 138, 82, 47, 13, 53, 37, 194, 81, 236, 28, 80, 59, 244, 200, 108, 31, 25, 82, 140, 67, 228, 66, 62, 89, 115, 250, 23, 56, 161, 58, 198, 229, 151, 240, 14, 125, 1, 47, 140, 135, 210, 175, 206, 107, 60, 51, 44, 151, 193, 179, 170, 203, 231, 53, 131, 103, 50, 15, 129, 60, 65, 26, 199, 88, 238, 157, 229, 220, 63, 144, 194, 108, 111, 80, 30, 223, 169, 109, 232, 191, 166, 12, 119, 127, 32, 23, 122, 25, 207, 208, 161, 205, 226, 217, 58, 150, 255, 174, 112, 222, 243, 188, 171, 156, 237, 29, 2, 111, 174]
2026-02-17T20:52:40.399482Z DEBUG libwebauthn::transport::cable::tunnel: Decrypted CBOR response decrypted_frame_len=192
2026-02-17T20:52:40.399487Z TRACE libwebauthn::transport::cable::tunnel: decrypted_frame=[1, 0, 165, 1, 162, 98, 105, 100, 80, 191, 138, 183, 155, 255, 10, 116, 181, 19, 122, 122, 226, 152, 44, 226, 234, 100, 116, 121, 112, 101, 106, 112, 117, 98, 108, 105, 99, 45, 107, 101, 121, 2, 88, 37, 38, 189, 114, 120, 190, 70, 55, 97, 241, 250, 161, 177, 10, 180, 196, 248, 38, 112, 38, 156, 65, 12, 114, 106, 31, 214, 224, 88, 85, 225, 155, 70, 29, 0, 0, 0, 0, 3, 88, 71, 48, 69, 2, 32, 33, 164, 75, 114, 12, 81, 73, 15, 162, 160, 78, 51, 24, 173, 235, 196, 123, 22, 176, 233, 167, 140, 134, 246, 218, 239, 251, 63, 253, 234, 27, 96, 2, 33, 0, 167, 26, 233, 112, 128, 158, 3, 68, 20, 31, 72, 249, 103, 163, 60, 226, 130, 69, 59, 245, 58, 62, 67, 174, 42, 114, 91, 90, 136, 106, 252, 111, 4, 163, 98, 105, 100, 72, 0, 1, 2, 3, 4, 5, 6, 7, 100, 110, 97, 109, 101, 96, 107, 100, 105, 115, 112, 108, 97, 121, 78, 97, 109, 101, 96, 6, 245, 0, 1]
2026-02-17T20:52:40.399495Z TRACE libwebauthn::transport::cable::tunnel: Trimmed padding decrypted_frame=[1, 0, 165, 1, 162, 98, 105, 100, 80, 191, 138, 183, 155, 255, 10, 116, 181, 19, 122, 122, 226, 152, 44, 226, 234, 100, 116, 121, 112, 101, 106, 112, 117, 98, 108, 105, 99, 45, 107, 101, 121, 2, 88, 37, 38, 189, 114, 120, 190, 70, 55, 97, 241, 250, 161, 177, 10, 180, 196, 248, 38, 112, 38, 156, 65, 12, 114, 106, 31, 214, 224, 88, 85, 225, 155, 70, 29, 0, 0, 0, 0, 3, 88, 71, 48, 69, 2, 32, 33, 164, 75, 114, 12, 81, 73, 15, 162, 160, 78, 51, 24, 173, 235, 196, 123, 22, 176, 233, 167, 140, 134, 246, 218, 239, 251, 63, 253, 234, 27, 96, 2, 33, 0, 167, 26, 233, 112, 128, 158, 3, 68, 20, 31, 72, 249, 103, 163, 60, 226, 130, 69, 59, 245, 58, 62, 67, 174, 42, 114, 91, 90, 136, 106, 252, 111, 4, 163, 98, 105, 100, 72, 0, 1, 2, 3, 4, 5, 6, 7, 100, 110, 97, 109, 101, 96, 107, 100, 105, 115, 112, 108, 97, 121, 78, 97, 109, 101, 96, 6, 245] decrypted_frame_len=190
2026-02-17T20:52:40.399505Z TRACE libwebauthn::transport::cable::tunnel: cable_message=CableTunnelMessage { message_type: Ctap, payload: [0, 165, 1, 162, 98, 105, 100, 80, 191, 138, 183, 155, 255, 10, 116, 181, 19, 122, 122, 226, 152, 44, 226, 234, 100, 116, 121, 112, 101, 106, 112, 117, 98, 108, 105, 99, 45, 107, 101, 121, 2, 88, 37, 38, 189, 114, 120, 190, 70, 55, 97, 241, 250, 161, 177, 10, 180, 196, 248, 38, 112, 38, 156, 65, 12, 114, 106, 31, 214, 224, 88, 85, 225, 155, 70, 29, 0, 0, 0, 0, 3, 88, 71, 48, 69, 2, 32, 33, 164, 75, 114, 12, 81, 73, 15, 162, 160, 78, 51, 24, 173, 235, 196, 123, 22, 176, 233, 167, 140, 134, 246, 218, 239, 251, 63, 253, 234, 27, 96, 2, 33, 0, 167, 26, 233, 112, 128, 158, 3, 68, 20, 31, 72, 249, 103, 163, 60, 226, 130, 69, 59, 245, 58, 62, 67, 174, 42, 114, 91, 90, 136, 106, 252, 111, 4, 163, 98, 105, 100, 72, 0, 1, 2, 3, 4, 5, 6, 7, 100, 110, 97, 109, 101, 96, 107, 100, 105, 115, 112, 108, 97, 121, 78, 97, 109, 101, 96, 6, 245] }
2026-02-17T20:52:40.399518Z DEBUG libwebauthn::transport::cable::tunnel: Received CBOR response
2026-02-17T20:52:40.399522Z TRACE libwebauthn::transport::cable::tunnel: cbor_response=CborResponse { status_code: Ok, data: Some([165, 1, 162, 98, 105, 100, 80, 191, 138, 183, 155, 255, 10, 116, 181, 19, 122, 122, 226, 152, 44, 226, 234, 100, 116, 121, 112, 101, 106, 112, 117, 98, 108, 105, 99, 45, 107, 101, 121, 2, 88, 37, 38, 189, 114, 120, 190, 70, 55, 97, 241, 250, 161, 177, 10, 180, 196, 248, 38, 112, 38, 156, 65, 12, 114, 106, 31, 214, 224, 88, 85, 225, 155, 70, 29, 0, 0, 0, 0, 3, 88, 71, 48, 69, 2, 32, 33, 164, 75, 114, 12, 81, 73, 15, 162, 160, 78, 51, 24, 173, 235, 196, 123, 22, 176, 233, 167, 140, 134, 246, 218, 239, 251, 63, 253, 234, 27, 96, 2, 33, 0, 167, 26, 233, 112, 128, 158, 3, 68, 20, 31, 72, 249, 103, 163, 60, 226, 130, 69, 59, 245, 58, 62, 67, 174, 42, 114, 91, 90, 136, 106, 252, 111, 4, 163, 98, 105, 100, 72, 0, 1, 2, 3, 4, 5, 6, 7, 100, 110, 97, 109, 101, 96, 107, 100, 105, 115, 112, 108, 97, 121, 78, 97, 109, 101, 96, 6, 245]) }
2026-02-17T20:52:40.399600Z TRACE webauthn_get_assertion{dev=CableChannel}:ctap2_get_assertion: libwebauthn::proto::ctap2::protocol: GetAssertion: [165, 1, 162, 98, 105, 100, 80, 191, 138, 183, 155, 255, 10, 116, 181, 19, 122, 122, 226, 152, 44, 226, 234, 100, 116, 121, 112, 101, 106, 112, 117, 98, 108, 105, 99, 45, 107, 101, 121, 2, 88, 37, 38, 189, 114, 120, 190, 70, 55, 97, 241, 250, 161, 177, 10, 180, 196, 248, 38, 112, 38, 156, 65, 12, 114, 106, 31, 214, 224, 88, 85, 225, 155, 70, 29, 0, 0, 0, 0, 3, 88, 71, 48, 69, 2, 32, 33, 164, 75, 114, 12, 81, 73, 15, 162, 160, 78, 51, 24, 173, 235, 196, 123, 22, 176, 233, 167, 140, 134, 246, 218, 239, 251, 63, 253, 234, 27, 96, 2, 33, 0, 167, 26, 233, 112, 128, 158, 3, 68, 20, 31, 72, 249, 103, 163, 60, 226, 130, 69, 59, 245, 58, 62, 67, 174, 42, 114, 91, 90, 136, 106, 252, 111, 4, 163, 98, 105, 100, 72, 0, 1, 2, 3, 4, 5, 6, 7, 100, 110, 97, 109, 101, 96, 107, 100, 105, 115, 112, 108, 97, 121, 78, 97, 109, 101, 96, 6, 245]
2026-02-17T20:52:40.399689Z DEBUG webauthn_get_assertion{dev=CableChannel}:ctap2_get_assertion: libwebauthn::proto::ctap2::protocol: CTAP2 GetAssertion successful
2026-02-17T20:52:40.399696Z TRACE webauthn_get_assertion{dev=CableChannel}:ctap2_get_assertion: libwebauthn::proto::ctap2::protocol: ctap_response=Ctap2GetAssertionResponse { credential_id: Some(Ctap2PublicKeyCredentialDescriptor { id: [191, 138, 183, 155, 255, 10, 116, 181, 19, 122, 122, 226, 152, 44, 226, 234], type: PublicKey, transports: None }), authenticator_data: AuthenticatorData { rp_id_hash: [38, 189, 114, 120, 190, 70, 55, 97, 241, 250, 161, 177, 10, 180, 196, 248, 38, 112, 38, 156, 65, 12, 114, 106, 31, 214, 224, 88, 85, 225, 155, 70], flags: AuthenticatorDataFlags(USER_PRESENT | USER_VERIFIED | RFU_2_1 | RFU_2_2), signature_count: 0, attested_credential: None, extensions: None }, signature: [48, 69, 2, 32, 33, 164, 75, 114, 12, 81, 73, 15, 162, 160, 78, 51, 24, 173, 235, 196, 123, 22, 176, 233, 167, 140, 134, 246, 218, 239, 251, 63, 253, 234, 27, 96, 2, 33, 0, 167, 26, 233, 112, 128, 158, 3, 68, 20, 31, 72, 249, 103, 163, 60, 226, 130, 69, 59, 245, 58, 62, 67, 174, 42, 114, 91, 90, 136, 106, 252, 111], user: Some(Ctap2PublicKeyCredentialUserEntity { id: [0, 1, 2, 3, 4, 5, 6, 7], name: Some(""), display_name: Some("") }), credentials_count: None, user_selected: Some(true), large_blob_key: None, enterprise_attestation: None, attestation_statement: None }
2026-02-17T20:52:40.399972Z DEBUG credentialsd::credential_service::hybrid: Reached end of Hybrid updates stream.
2026-02-17T20:52:40.401228Z DEBUG credentialsd_ui::gui::view_model: Received HybridQrState::Completed
2026-02-17T20:52:40.902274Z DEBUG credentialsd_ui::gui: Finishing user request.
Curiously, @msirringhaus cannot repro this for USB/NFC.
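The check described in this report (decoding the serialized request and looking for the extensions entry) can be reproduced with the following added example, which is not part of the original issue and is not libwebauthn code. It walks the `encoded_data` bytes from the `CborRequest` trace line and lists the top-level map keys; in a CTAP2 authenticatorGetAssertion request, key 0x04 carries the extensions map. The function names are made up for this example.

```rust
// Added example (not libwebauthn code). Bytes: `encoded_data` from the CborRequest TRACE line.
const ENCODED_DATA: &[u8] = &[
    163, 1, 113, 115, 101, 99, 117, 114, 105, 116, 121, 107, 101, 121, 115, 46, 105, 110, 102,
    111, 2, 88, 32, 218, 10, 63, 182, 104, 92, 51, 233, 2, 164, 51, 108, 68, 47, 48, 94, 16,
    254, 41, 140, 38, 177, 221, 162, 251, 109, 92, 166, 234, 1, 174, 213, 5, 162, 98, 117, 112,
    245, 98, 117, 118, 245,
];

/// Reads one CBOR head at `pos`: (major type, argument, position after the head).
fn head(buf: &[u8], pos: usize) -> Option<(u8, u64, usize)> {
    let b = *buf.get(pos)?;
    let extra = match b & 0x1f { 0..=23 => 0, 24 => 1, 25 => 2, 26 => 4, 27 => 8, _ => return None };
    let bytes = buf.get(pos + 1..pos + 1 + extra)?;
    let arg = bytes.iter().fold(if extra == 0 { (b & 0x1f) as u64 } else { 0u64 }, |a, &x| (a << 8) | x as u64);
    Some((b >> 5, arg, pos + 1 + extra))
}

/// Skips one complete data item (definite lengths only), returning the position after it.
fn skip(buf: &[u8], pos: usize) -> Option<usize> {
    let (major, arg, mut next) = head(buf, pos)?;
    match major {
        0 | 1 | 7 => Some(next), // integers, simple values, floats
        2 | 3 => { let end = next.checked_add(arg as usize)?; buf.get(next..end)?; Some(end) }
        4 | 5 => {
            for _ in 0..(if major == 5 { arg.checked_mul(2)? } else { arg }) { next = skip(buf, next)?; }
            Some(next)
        }
        6 => skip(buf, next), // tag: skip the tagged item
        _ => None,
    }
}

/// Returns the unsigned-integer keys of the top-level map, as a CTAP2 request uses them.
fn top_level_keys(buf: &[u8]) -> Option<Vec<u64>> {
    let (major, count, mut pos) = head(buf, 0)?;
    if major != 5 { return None; }
    let mut keys = Vec::new();
    for _ in 0..count {
        let (kmajor, key, after_key) = head(buf, pos)?;
        if kmajor != 0 { return None; }
        keys.push(key);
        pos = skip(buf, after_key)?;
    }
    Some(keys)
}

fn main() {
    println!("top-level keys: {:?}", top_level_keys(ENCODED_DATA)); // extensions would be key 4
}
```

For these bytes the keys are 1 (rpId), 2 (clientDataHash) and 5 (options); there is no key 4, so the PRF input present in the `Ctap2GetAssertionRequest` trace did not reach the serialized request.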