[Feature Request] Allow make_cred and get_assert to take a PUAT

[James-ZHANG]

libfido2, as per 1.14.0, exchanges a fresh PUAT for each fido_dev_make_cred and fido_dev_get_assert call. This means the only way a caller can "cache UV" is to cache a pin in memory and reuse that across libfido2 calls, and this pin-caching only works for pin-based UV, not built-in UV.

I think we should allow libfido2 to expose/take PUATs, by having the following changes:

• a new fido_dev_exchange_puat(fido_dev_t *dev, const char *pin) method that allows returning a PUAT (I omit details like permissions);
• PUAT as a possible input (a replacement of pin) to fido_dev_make_cred and fido_dev_get_assert.

The benefits:

• Callers can instead cache a PUAT, not the FIDO2 pin: PUAT is less sensitive since authenticators can choose to restrict the lifetime of a PUAT, whereas compromise of a FIDO2 pin means compromise of the UV for an authenticator.
• It's possible to cache built-in UV: a PUAT exchanged from a built-in UV allows callers to reuse that PUAT for subsequent make_cred/get_assert, without triggering a new built-in UV ceremony (e.g., fingerprint).

[LDVG]

Hi,

Thank you for the request. This is indeed something that we've had in mind for a while now!

Additional thoughts: If we provide an fido_dev_set_puat() function (or similar) that associates the PUAT with the dev for use in subsequent operations, we could either have that happen automatically or by passing some sentinel value in place of the pin argument (and preserve backwards compatibility).

Pull requests are welcome.