fix api leaking private type

src/extensions/hmac.rs

@@ -1,6 +1,5 @@
 use crate::{
-    AuthenticatorOptions, FidoAssertionRequestBuilder,
+    FidoAssertionRequest, FidoAssertionRequestBuilder, FidoCredentialRequest,
-    FidoCredentialRequest,
 };
 use crate::{FidoCredential, FidoDevice, FidoErrorKind, FidoResult};
 use cbor_codec::value::{Bytes, Int, Key, Text, Value};
@@ -13,7 +12,7 @@ use rust_crypto::mac::Mac;
 use rust_crypto::sha2::Sha256;
 use std::collections::BTreeMap;
 use std::io::Cursor;
-use std::iter::FromIterator;
+
 
 pub trait HmacExtension {
     fn extension_name() -> &'static str {
@@ -40,8 +39,10 @@ pub trait HmacExtension {
 
     /// Convenience function to create an credential which includes extension specific data
     /// Use `FidoDevice::make_credential` if you need more control
-    fn make_hmac_credential(&mut self, request: FidoCredentialRequest) -> FidoResult<FidoCredential>;
+    fn make_hmac_credential(
-
+        &mut self,
+        request: &FidoCredentialRequest,
+    ) -> FidoResult<FidoCredential>;
 
     /// Request an assertion from the authenticator for a given credential and salt(s).
     /// at least one `salt` must be provided, consider using a hashing function like SHA256
@@ -53,13 +54,11 @@ pub trait HmacExtension {
     /// provided, and will fail if a PIN is required but not provided or if the
     /// device returns malformed data.
     ///
-    fn get_hmac_assertion<'a>(
+    fn get_hmac_assertion<'a: 'b, 'b>(
         &mut self,
-        rp_id: &str,
+        assertion: &FidoAssertionRequest<'a, 'b>,
-        credentials: &'a [&'a FidoCredential],
         salt: &[u8; 32],
         salt2: Option<&[u8; 32]>,
-        options: Option<AuthenticatorOptions>,
     ) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))>;
 
     /// Convenience function for `get_hmac_assertion` that will accept arbitrary
@@ -75,11 +74,13 @@ pub trait HmacExtension {
         digest.input(input);
         digest.result(&mut salt);
         self.get_hmac_assertion(
-            rp_id,
+            &FidoAssertionRequestBuilder::default()
-            &[credential],
+                .rp_id(rp_id)
+                .credential(&credential)
+                .build()
+                .unwrap(),
             &salt,
             None,
-            Some(AuthenticatorOptions { uv: true, rk: true, up: false }),
         )
         .map(|(_cred, secret)| secret.0)
     }
@@ -138,43 +139,35 @@ impl HmacExtension for FidoDevice {
         Ok(Value::Map(map))
     }
 
-    fn make_hmac_credential(&mut self, request: FidoCredentialRequest) -> FidoResult<FidoCredential> {
+    fn make_hmac_credential(
-        let mut request = request;
+        &mut self,
+        request: &FidoCredentialRequest,
+    ) -> FidoResult<FidoCredential> {
+        let mut request = request.clone();
         request.rk = true;
-        request.extension_data.insert(<Self as HmacExtension>::extension_name(), <Self as HmacExtension>::extension_input());
+        request.extension_data.insert(
+            <Self as HmacExtension>::extension_name(),
+            <Self as HmacExtension>::extension_input(),
+        );
         self.make_credential(&request)
     }
 
-    fn get_hmac_assertion<'a>(
+    fn get_hmac_assertion<'a: 'b, 'b>(
         &mut self,
-        rp_id: &str,
+        request: &FidoAssertionRequest<'a, 'b>,
-        credentials: &'a [&'a FidoCredential],
         salt: &[u8; 32],
         salt2: Option<&[u8; 32]>,
-        options: Option<AuthenticatorOptions>,
     ) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))> {
         while self.shared_secret.is_none() {
             self.init_shared_secret()?;
         }
         let ext_data: Value = self.get_data(salt, salt2)?;
+        let mut request = request.clone();
+        request
+            .extension_data
+            .insert(<Self as HmacExtension>::extension_name(), &ext_data);
 
-        let ext_data: BTreeMap<&str, &Value> = BTreeMap::from_iter(
+        let (cred, auth_data) = self.get_assertion(&request)?;
-            [(<Self as HmacExtension>::extension_name(), &ext_data)]
-                .iter()
-                .cloned(),
-        );
-
-        let mut builder = FidoAssertionRequestBuilder::default()
-            .credentials(credentials)
-            .rp_id(rp_id)
-            .extension_data(ext_data);
-
-        if let Some(opts) = options {
-            builder = builder.uv(opts.uv).up(opts.up);
-        }
-
-        let (cred, auth_data) =
-            self.get_assertion(&builder.build().unwrap())?;
         let shared_secret = self.shared_secret.as_ref().unwrap();
         let mut decryptor = shared_secret.decryptor();
         let mut hmac_secret_combined = [0u8; 64];
@@ -206,7 +199,11 @@ impl HmacExtension for FidoDevice {
         let mut hmac_secret_1 = [0u8; 32];
         hmac_secret_0.copy_from_slice(&hmac_secret[0..32]);
         hmac_secret_1.copy_from_slice(&hmac_secret[32..]);
-        let cred = credentials.into_iter().find(|c| c.id == cred.id).unwrap();
+        let cred = request
+            .credentials
+            .into_iter()
+            .find(|c| c.id == cred.id)
+            .unwrap();
         Ok((cred, (hmac_secret_0, salt2.and(Some(hmac_secret_1)))))
     }
 }

src/lib.rs

@@ -217,7 +217,7 @@ impl<'a> FidoCredentialRequest<'a> {
 #[derive(Clone, Debug, Builder)]
 #[builder(setter(into))]
 #[builder(pattern = "owned")]
-pub struct FidoAssertionRequest<'a> {
+pub struct FidoAssertionRequest<'a, 'b> {
     #[builder(default)]
     up: bool,
     #[builder(default)]
@@ -232,16 +232,16 @@ pub struct FidoAssertionRequest<'a> {
     #[builder(default = "&[0u8; 32]")]
     client_data_hash: &'a [u8],
     #[builder(default)]
-    extension_data: BTreeMap<&'a str, &'a cbor_codec::value::Value>,
+    extension_data: BTreeMap<&'b str, &'b cbor_codec::value::Value>,
 }
 
-impl<'a> FidoAssertionRequest<'a> {
+impl<'a, 'b> FidoAssertionRequest<'a, 'b> {
     pub fn get_assertion(&self, device: &mut FidoDevice) -> FidoResult<&'a FidoCredential> {
         device.get_assertion(self).map(|res| res.0)
     }
 }
 
-impl<'a> FidoAssertionRequestBuilder<'a> {
+impl<'a, 'b> FidoAssertionRequestBuilder<'a, 'b> {
     pub fn credential(mut self, credential: &'a &'a FidoCredential) -> Self {
         self.credentials = Some(std::slice::from_ref(credential));
         self
@@ -458,9 +458,9 @@ impl FidoDevice {
     /// This method will fail if a PIN is required but the device is not
     /// unlocked or if the device returns malformed data.
 
-    pub fn get_assertion<'a>(
+    pub fn get_assertion<'a, 'b>(
         &mut self,
-        assertion: &FidoAssertionRequest<'a>,
+        assertion: &FidoAssertionRequest<'a, 'b>,
     ) -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
         while self.shared_secret.is_none() {
             self.init_shared_secret()?;

src/util.rs

@@ -1,7 +1,11 @@
-use crate::cbor::AuthenticatorData;
+#[cfg(feature = "request_multiple")]
-use crate::{FidoAssertionRequest, FidoCredentialRequest, FidoCredential, FidoDevice, FidoErrorKind, FidoResult};
+use crate::{
+    cbor::AuthenticatorData, FidoAssertionRequest, FidoCredential, FidoCredentialRequest,
+    FidoDevice, FidoErrorKind, FidoResult,
+};
 #[cfg(feature = "request_multiple")]
 use crossbeam::thread;
+#[cfg(feature = "request_multiple")]
 use std::sync::mpsc::channel;
 
 #[cfg(feature = "request_multiple")]