refactor(error): per-transport TransportError and generic ceremony Error

libwebauthn-tests/tests/basic_ctap1.rs

@@ -3,7 +3,7 @@ use std::time::Duration;
 use libwebauthn::ops::u2f::{RegisterRequest, SignRequest};
 use libwebauthn::transport::{Channel, ChannelSettings, Device};
 use libwebauthn::u2f::U2F;
-use libwebauthn::webauthn::{CtapError, Error};
+use libwebauthn::webauthn::{CtapError, WebAuthnError};
 use libwebauthn::UvUpdate;
 use libwebauthn_tests::virt::get_virtual_device;
 use tokio::sync::broadcast::Receiver;
@@ -82,7 +82,10 @@ async fn test_webauthn_ctap1_exclude_list() {
         RegisterRequest::new_u2f_v2(APP_ID, challenge, vec![registered_key], TIMEOUT, false);
     let result = channel.u2f_register(&excluded_request).await;
     assert!(
-        matches!(result, Err(Error::Ctap(CtapError::CredentialExcluded))),
+        matches!(
+            result,
+            Err(WebAuthnError::Ctap(CtapError::CredentialExcluded))
+        ),
         "expected CredentialExcluded, got {:?}",
         result
     );

libwebauthn-tests/tests/large_blob.rs

@@ -13,7 +13,7 @@ use libwebauthn::proto::ctap2::{
     Ctap2PublicKeyCredentialUserEntity,
 };
 use libwebauthn::transport::{Channel, ChannelSettings, Device};
-use libwebauthn::webauthn::{Error, PlatformError, WebAuthn};
+use libwebauthn::webauthn::{PlatformError, WebAuthn, WebAuthnError};
 use libwebauthn::UvUpdate;
 use libwebauthn_tests::virt::get_virtual_device;
 use rand::{thread_rng, Rng};
@@ -637,7 +637,10 @@ async fn test_webauthn_large_blob_write_requires_single_allow_credential() {
         .webauthn_get_assertion(&two)
         .await
         .expect_err("write with two allowCredentials must be rejected");
-    assert_eq!(err, Error::Platform(PlatformError::NotSupported));
+    assert!(matches!(
+        err,
+        WebAuthnError::Platform(PlatformError::NotSupported)
+    ));
 
     let mut none = ga_request(
         &cred_a,
@@ -649,7 +652,10 @@ async fn test_webauthn_large_blob_write_requires_single_allow_credential() {
         .webauthn_get_assertion(&none)
         .await
         .expect_err("write with empty allowCredentials must be rejected");
-    assert_eq!(err, Error::Platform(PlatformError::NotSupported));
+    assert!(matches!(
+        err,
+        WebAuthnError::Platform(PlatformError::NotSupported)
+    ));
 
     update_handle.await.unwrap();
 }

libwebauthn-tests/tests/preflight.rs

@@ -11,8 +11,9 @@ use libwebauthn::proto::ctap2::{
 };
 use libwebauthn::proto::CtapError;
 use libwebauthn::transport::hid::channel::HidChannel;
+use libwebauthn::transport::hid::HidError;
 use libwebauthn::transport::{Channel, ChannelSettings, Device};
-use libwebauthn::webauthn::{Error, WebAuthn};
+use libwebauthn::webauthn::{WebAuthn, WebAuthnError};
 use libwebauthn::UvUpdate;
 use libwebauthn_tests::virt::get_virtual_device;
 use rand::{thread_rng, Rng};
@@ -36,7 +37,7 @@ async fn make_credential_call(
     channel: &mut HidChannel<'_>,
     user_id: &[u8],
     exclude_list: Option<Vec<Ctap2PublicKeyCredentialDescriptor>>,
-) -> Result<(Ctap2PublicKeyCredentialDescriptor, [u8; 32]), Error> {
+) -> Result<(Ctap2PublicKeyCredentialDescriptor, [u8; 32]), WebAuthnError<HidError>> {
     make_credential_call_with_rp(channel, user_id, exclude_list, "example.org").await
 }
 
@@ -45,7 +46,7 @@ async fn make_credential_call_with_rp(
     user_id: &[u8],
     exclude_list: Option<Vec<Ctap2PublicKeyCredentialDescriptor>>,
     rp_id: &str,
-) -> Result<(Ctap2PublicKeyCredentialDescriptor, [u8; 32]), Error> {
+) -> Result<(Ctap2PublicKeyCredentialDescriptor, [u8; 32]), WebAuthnError<HidError>> {
     let challenge: [u8; 32] = thread_rng().gen();
     let make_credentials_request = MakeCredentialRequest {
         origin: rp_id.to_owned(),
@@ -71,7 +72,7 @@ async fn make_credential_call_with_rp(
 async fn get_assertion_call(
     channel: &mut HidChannel<'_>,
     allow_list: Vec<Ctap2PublicKeyCredentialDescriptor>,
-) -> Result<GetAssertionResponse, Error> {
+) -> Result<GetAssertionResponse, WebAuthnError<HidError>> {
     let challenge: [u8; 32] = thread_rng().gen();
     let get_assertion = GetAssertionRequest {
         origin: "example.org".to_owned(),
@@ -182,7 +183,7 @@ async fn preflight_mixed_exclude_list() {
     let res = make_credential_call(&mut channel, &user_id, Some(exclude_list)).await;
     assert!(matches!(
         res,
-        Err(Error::Ctap(CtapError::CredentialExcluded))
+        Err(WebAuthnError::Ctap(CtapError::CredentialExcluded))
     ));
 
     expected_uv_updates(
@@ -216,7 +217,10 @@ async fn preflight_no_allow_list() {
 
     let allow_list = Vec::new();
     let res = get_assertion_call(&mut channel, allow_list).await;
-    assert!(matches!(res, Err(Error::Ctap(CtapError::NoCredentials))));
+    assert!(matches!(
+        res,
+        Err(WebAuthnError::Ctap(CtapError::NoCredentials))
+    ));
 
     expected_uv_updates(
         state_recv,
@@ -250,7 +254,10 @@ async fn preflight_nonsense_allow_list() {
     assert!(filtered_list.is_empty());
 
     let res = get_assertion_call(&mut channel, allow_list).await;
-    assert!(matches!(res, Err(Error::Ctap(CtapError::NoCredentials))));
+    assert!(matches!(
+        res,
+        Err(WebAuthnError::Ctap(CtapError::NoCredentials))
+    ));
 
     expected_uv_updates(
         state_recv,

libwebauthn-tests/tests/prf.rs

@@ -8,8 +8,9 @@ use libwebauthn::ops::webauthn::{
 use libwebauthn::pin::PinManagement;
 use libwebauthn::proto::ctap2::{Ctap2PinUvAuthProtocol, Ctap2PublicKeyCredentialDescriptor};
 use libwebauthn::transport::hid::channel::HidChannel;
+use libwebauthn::transport::hid::HidError;
 use libwebauthn::transport::{Channel, ChannelSettings, Ctap2AuthTokenStore, Device};
-use libwebauthn::webauthn::{Error as WebAuthnError, PlatformError, WebAuthn};
+use libwebauthn::webauthn::{PlatformError, WebAuthn, WebAuthnError};
 use libwebauthn::UvUpdate;
 use libwebauthn::{
     ops::webauthn::{MakeCredentialRequest, ResidentKeyRequirement, UserVerificationRequirement},
@@ -490,7 +491,7 @@ async fn run_test_battery(channel: &mut HidChannel<'_>, using_pin: bool) {
         &challenge,
         prf,
         "Wrongly encoded credential_id",
-        WebAuthnError::Platform(PlatformError::SyntaxError),
+        PlatformError::SyntaxError,
     )
     .await;
 
@@ -514,7 +515,7 @@ async fn run_test_battery(channel: &mut HidChannel<'_>, using_pin: bool) {
         &challenge,
         prf,
         "Empty credential_id",
-        WebAuthnError::Platform(PlatformError::SyntaxError),
+        PlatformError::SyntaxError,
     )
     .await;
 
@@ -538,7 +539,7 @@ async fn run_test_battery(channel: &mut HidChannel<'_>, using_pin: bool) {
         &challenge,
         prf,
         "Empty allow_list, set eval_by_credential",
-        WebAuthnError::Platform(PlatformError::NotSupported),
+        PlatformError::NotSupported,
     )
     .await;
 
@@ -621,7 +622,7 @@ async fn run_failed_test(
     challenge: &[u8; 32],
     prf: PrfInput,
     printoutput: &str,
-    expected_error: WebAuthnError,
+    expected_error: PlatformError,
 ) {
     let get_assertion = GetAssertionRequest {
         relying_party_id: "example.org".to_owned(),
@@ -637,7 +638,7 @@ async fn run_failed_test(
         top_origin: None,
     };
 
-    let response: Result<(), WebAuthnError> = loop {
+    let response: Result<(), WebAuthnError<HidError>> = loop {
         match channel.webauthn_get_assertion(&get_assertion).await {
             Ok(_) => panic!("Success, even though it should have errored out!"),
             Err(WebAuthnError::Ctap(ctap_error)) => {
@@ -651,7 +652,10 @@ async fn run_failed_test(
         };
     };
 
-    assert_eq!(response, Err(expected_error), "{printoutput}:");
+    match response {
+        Err(WebAuthnError::Platform(got)) => assert_eq!(got, expected_error, "{printoutput}:"),
+        other => panic!("{printoutput}: expected {expected_error:?}, got {other:?}"),
+    }
     println!("Success for test: {printoutput}")
 }
 

libwebauthn/examples/common/mod.rs

@@ -123,12 +123,12 @@ macro_rules! retry_user_errors {
         loop {
             match $call.await {
                 Ok(response) => break Ok(response),
-                Err(libwebauthn::webauthn::Error::Ctap(ctap_error)) => {
+                Err(libwebauthn::webauthn::WebAuthnError::Ctap(ctap_error)) => {
                     if ctap_error.is_retryable_user_error() {
                         println!("Oops, try again! Error: {}", ctap_error);
                         continue;
                     }
-                    break Err(libwebauthn::webauthn::Error::Ctap(ctap_error));
+                    break Err(libwebauthn::webauthn::WebAuthnError::Ctap(ctap_error));
                 }
                 Err(err) => break Err(err),
             }

libwebauthn/examples/features/webauthn_preflight_hid.rs

@@ -14,7 +14,7 @@ use libwebauthn::proto::ctap2::{
 };
 use libwebauthn::transport::hid::list_devices;
 use libwebauthn::transport::{Channel, ChannelSettings, Device};
-use libwebauthn::webauthn::{CtapError, Error as WebAuthnError, WebAuthn};
+use libwebauthn::webauthn::{CtapError, WebAuthn, WebAuthnError};
 
 #[path = "../common/mod.rs"]
 mod common;
@@ -103,11 +103,11 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
     Ok(())
 }
 
-async fn make_credential_call(
-    channel: &mut impl Channel,
+async fn make_credential_call<C: Channel>(
+    channel: &mut C,
     user_id: &[u8],
     exclude_list: Option<Vec<Ctap2PublicKeyCredentialDescriptor>>,
-) -> Result<Ctap2PublicKeyCredentialDescriptor, WebAuthnError> {
+) -> Result<Ctap2PublicKeyCredentialDescriptor, WebAuthnError<C::TransportError>> {
     let challenge: [u8; 32] = thread_rng().gen();
     let make_credentials_request = MakeCredentialRequest {
         challenge: Vec::from(challenge),
@@ -128,10 +128,10 @@ async fn make_credential_call(
         .map(|x| (&x.authenticator_data).try_into().unwrap())
 }
 
-async fn get_assertion_call(
-    channel: &mut impl Channel,
+async fn get_assertion_call<C: Channel>(
+    channel: &mut C,
     allow_list: Vec<Ctap2PublicKeyCredentialDescriptor>,
-) -> Result<GetAssertionResponse, WebAuthnError> {
+) -> Result<GetAssertionResponse, WebAuthnError<C::TransportError>> {
     let challenge: [u8; 32] = thread_rng().gen();
     let get_assertion = GetAssertionRequest {
         relying_party_id: "example.org".to_owned(),

libwebauthn/examples/features/webauthn_prf_hid.rs

@@ -17,7 +17,7 @@ use libwebauthn::proto::ctap2::{
 };
 use libwebauthn::transport::hid::list_devices;
 use libwebauthn::transport::{Channel as _, ChannelSettings, Device};
-use libwebauthn::webauthn::{Error as WebAuthnError, PlatformError, WebAuthn};
+use libwebauthn::webauthn::{PlatformError, WebAuthn, WebAuthnError};
 
 #[path = "../common/mod.rs"]
 mod common;
@@ -274,7 +274,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                 eval_by_credential,
             },
             "Wrongly encoded credential_id",
-            WebAuthnError::Platform(PlatformError::SyntaxError),
+            PlatformError::SyntaxError,
         )
         .await;
 
@@ -296,7 +296,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                 eval_by_credential,
             },
             "Empty credential_id",
-            WebAuthnError::Platform(PlatformError::SyntaxError),
+            PlatformError::SyntaxError,
         )
         .await;
 
@@ -318,7 +318,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                 eval_by_credential,
             },
             "Empty allow_list, set eval_by_credential",
-            WebAuthnError::Platform(PlatformError::NotSupported),
+            PlatformError::NotSupported,
         )
         .await;
     }
@@ -361,7 +361,7 @@ async fn run_failed_test(
     challenge: &[u8; 32],
     prf: PrfInput,
     printoutput: &str,
-    expected_error: WebAuthnError,
+    expected_error: PlatformError,
 ) {
     let get_assertion = GetAssertionRequest {
         relying_party_id: "example.org".to_owned(),
@@ -377,9 +377,12 @@ async fn run_failed_test(
         timeout: TIMEOUT,
     };
 
-    let response = retry_user_errors!(channel.webauthn_get_assertion(&get_assertion))
-        .map(|_| panic!("Success, even though it should have errored out!"));
+    let response = retry_user_errors!(channel.webauthn_get_assertion(&get_assertion));
 
-    assert_eq!(response, Err(expected_error), "{printoutput}:");
+    match response {
+        Ok(_) => panic!("Success, even though it should have errored out!"),
+        Err(WebAuthnError::Platform(got)) => assert_eq!(got, expected_error, "{printoutput}:"),
+        Err(other) => panic!("{printoutput}: expected {expected_error:?}, got {other:?}"),
+    }
     println!("Success for test: {printoutput}")
 }

libwebauthn/examples/management/bio_enrollment_hid.rs

@@ -7,8 +7,9 @@ use text_io::read;
 use libwebauthn::management::BioEnrollment;
 use libwebauthn::proto::ctap2::{Ctap2, Ctap2GetInfoResponse, Ctap2LastEnrollmentSampleStatus};
 use libwebauthn::transport::hid::list_devices;
+use libwebauthn::transport::hid::HidError;
 use libwebauthn::transport::{Channel as _, ChannelSettings, Device};
-use libwebauthn::webauthn::Error as WebAuthnError;
+use libwebauthn::webauthn::WebAuthnError;
 
 #[path = "../common/mod.rs"]
 mod common;
@@ -101,7 +102,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         }
 
         let idx = common::prompt_index(options.len());
-        let result: Result<String, WebAuthnError> = match options[idx] {
+        let result: Result<String, WebAuthnError<HidError>> = match options[idx] {
             Operation::GetModality => {
                 retry_user_errors!(channel.get_bio_modality(TIMEOUT)).map(|x| format!("{x:?}"))
             }

libwebauthn/examples/management/cred_management_hid.rs

@@ -7,8 +7,9 @@ use libwebauthn::proto::ctap2::{
 };
 use libwebauthn::proto::CtapError;
 use libwebauthn::transport::hid::list_devices;
+use libwebauthn::transport::hid::HidError;
 use libwebauthn::transport::{Channel as _, ChannelSettings, Device};
-use libwebauthn::webauthn::Error as WebAuthnError;
+use libwebauthn::webauthn::WebAuthnError;
 use std::io::{self, Write};
 use text_io::read;
 
@@ -31,7 +32,7 @@ fn format_credential(cred: &Ctap2CredentialData) -> String {
 
 async fn enumerate_rps<T: CredentialManagement>(
     channel: &mut T,
-) -> Result<Vec<Ctap2RPData>, WebAuthnError> {
+) -> Result<Vec<Ctap2RPData>, WebAuthnError<T::TransportError>> {
     let (rp, total_rps) = retry_user_errors!(channel.enumerate_rps_begin(TIMEOUT))?;
     let mut rps = vec![rp];
     for _ in 1..total_rps {
@@ -44,7 +45,7 @@ async fn enumerate_rps<T: CredentialManagement>(
 async fn enumerate_credentials_for_rp<T: CredentialManagement>(
     channel: &mut T,
     rp_id_hash: &[u8],
-) -> Result<Vec<Ctap2CredentialData>, WebAuthnError> {
+) -> Result<Vec<Ctap2CredentialData>, WebAuthnError<T::TransportError>> {
     let (credential, num_of_creds) =
         retry_user_errors!(channel.enumerate_credentials_begin(rp_id_hash, TIMEOUT))?;
     let mut credentials = vec![credential];
@@ -77,7 +78,7 @@ impl Display for Operation {
 }
 
 #[tokio::main]
-pub async fn main() -> Result<(), WebAuthnError> {
+pub async fn main() -> Result<(), WebAuthnError<HidError>> {
     common::setup_logging();
 
     let devices = list_devices().await.unwrap();
@@ -86,7 +87,10 @@ pub async fn main() -> Result<(), WebAuthnError> {
     for mut device in devices {
         println!("Selected HID authenticator: {}", &device);
         let mut channel = device.channel(ChannelSettings::default()).await?;
-        channel.wink(TIMEOUT).await?;
+        channel
+            .wink(TIMEOUT)
+            .await
+            .map_err(WebAuthnError::Transport)?;
 
         let state_recv = channel.get_ux_update_receiver();
         tokio::spawn(common::handle_uv_updates(state_recv));