fix: tolerate newer versions

Cargo.toml

@@ -1,12 +1,13 @@
 [package]
 name = "ctap_hmac"
 description = "A Rust implementation of the FIDO2 CTAP protocol, including the HMAC extension"
-version = "0.3.0"
+version = "0.4.5"
 license = "Apache-2.0/MIT"
-homepage = "https://github.com/ArdaXi/ctap/pull/2"
+homepage = "https://github.com/shimunn/ctap"
 repository = "https://github.com/shimunn/ctap"
 authors = ["Arda Xi <arda@ardaxi.com>", "shimun <shimun@shimun.net>"]
 edition = "2018"
+readme = "README.md"
 
 [dependencies]
 rand = "0.6"
@@ -19,8 +20,16 @@ cbor-codec = "0.7"
 ring = "0.13"
 untrusted = "0.6"
 rust-crypto = "0.2"
-csv-core = "0.1.6"
 derive_builder = "0.9.0"
+crossbeam = { version = "0.7.3", optional = true }
 [dev-dependencies]
 crossbeam = "0.7.3"
 hex = "0.4.0"
+[build-dependencies]
+csv = "1.1.3"
+serde = "1.0.106"
+serde_derive = "1.0.106"
+
+
+[features]
+request_multiple = ["crossbeam"]

build.rs

@@ -0,0 +1,41 @@
+use csv::{Reader, StringRecord};
+use serde_derive::Deserialize;
+use std::env;
+use std::fs::File;
+use std::io::{Result, Write};
+use std::iter::FromIterator;
+use std::string::String;
+
+fn main() {
+    parse_error_codes().expect("Failed to parse error codes")
+}
+
+fn parse_error_codes() -> Result<()> {
+    println!("cargo:rerun-if-changed=ctap_error_codes.csv");
+    let mut out_file = File::create(format!(
+        "{}/ctap_error_codes.rs",
+        env::var("OUT_DIR").unwrap()
+    ))?;
+    out_file.write_all(b"static CTAP_ERROR_CODES: &[(usize, &str, &str)] = &[")?;
+    let mut rdr = Reader::from_path("ctap_error_codes.csv")?;
+    rdr.set_headers(StringRecord::from_iter(&["code", "name", "desc"]));
+    #[derive(Debug, Deserialize)]
+    struct ErrorCode {
+        code: String,
+        name: String,
+        desc: String,
+    }
+    for result in rdr.deserialize() {
+        let record: ErrorCode = result.unwrap();
+        out_file.write_all(
+            format!(
+                "({}, \"{}\", \"{}\"),\n",
+                i64::from_str_radix(&record.code[2..], 16).unwrap(),
+                record.name,
+                record.desc
+            )
+            .as_bytes(),
+        )?;
+    }
+    out_file.write_all(b"];")
+}

examples/hmac.rs

@@ -3,7 +3,7 @@ extern crate ctap_hmac as ctap;
 use crypto::digest::Digest;
 use crypto::sha2::Sha256;
 use ctap::extensions::hmac::HmacExtension;
-use ctap::{FidoCredential, FidoCredentialRequestBuilder, AuthenticatorOptions};
+use ctap::{FidoAssertionRequestBuilder, FidoCredential, FidoCredentialRequestBuilder};
 use hex;
 use std::env::args;
 use std::io::prelude::*;
@@ -17,23 +17,30 @@ fn main() -> ctap::FidoResult<()> {
     let device_info = &mut devices.next().expect("No authenticator found");
     let mut device = ctap::FidoDevice::new(device_info)?;
 
-    let mut credential = match args().skip(1).next().map(|h| FidoCredential {
+    let credential = match args().skip(1).next().map(|h| FidoCredential {
         id: hex::decode(&h).expect("Invalid credential"),
         public_key: None,
     }) {
         Some(cred) => cred,
         _ => {
-            let req = FidoCredentialRequestBuilder::default().rp_id(RP_ID).rp_name("ctap_hmac crate").user_name("example").uv(false).build().unwrap();
+            let req = FidoCredentialRequestBuilder::default()
+                .rp_id(RP_ID)
+                .rp_name("ctap_hmac crate")
+                .user_name("example")
+                .uv(false)
+                .build()
+                .unwrap();
 
             println!("Authorize using your device");
-            let cred = device.make_hmac_credential(req).expect("Failed to request credential");
+            let cred = device
+                .make_hmac_credential(&req)
+                .expect("Failed to request credential");
             println!("Credential: {}\nNote: You can pass this credential as first argument in order to reproduce results", hex::encode(&cred.id));
             cred
         }
     };
-    let credential = credential;
     print!("Type in your message: ");
-    stdout().flush();
+    stdout().flush().unwrap();
     let mut message = String::new();
     stdin()
         .read_line(&mut message)
@@ -44,7 +51,13 @@ fn main() -> ctap::FidoResult<()> {
     let mut digest = Sha256::new();
     digest.input(&message.as_bytes());
     digest.result(&mut salt);
-    let (cred, (hash1, _hash2)) = device.get_hmac_assertion(RP_ID, &[&credential], &salt, None, None)?;
+    let credential = &&credential;
+    let request = FidoAssertionRequestBuilder::default()
+        .rp_id(RP_ID)
+        .credential(credential)
+        .build()
+        .unwrap();
+    let (_cred, (hash1, _hash2)) = device.get_hmac_assertion(&request, &salt, None)?;
     println!("Hash: {}", hex::encode(&hash1));
     Ok(())
 }

examples/multiple.rs

@@ -1,55 +1,49 @@
 extern crate ctap_hmac as ctap;
+use ctap::{
+    FidoAssertionRequestBuilder, FidoCredential, FidoCredentialRequestBuilder, FidoDevice,
+    FidoResult,
+};
 
-use crypto::digest::Digest;
-use crypto::sha2::Sha256;
-use ctap::{FidoCredential, FidoCredentialRequestBuilder, FidoAssertionRequestBuilder, AuthenticatorOptions, FidoDevice, FidoError, FidoResult};
-use failure::_core::time::Duration;
 use hex;
 use std::env::args;
-use std::io::prelude::*;
+use std::time::Duration;
-use std::io::stdin;
-use std::io::stdout;
-use std::sync::mpsc::channel;
-use std::sync::Mutex;
-use crossbeam::thread;
 
 const RP_ID: &str = "ctap_demo";
 
-fn run() -> ctap::FidoResult<()> {
+fn main() -> ctap::FidoResult<()> {
-    let mut credentials = args().skip(1).map(|id| FidoCredential {
+    let mut credentials = args()
-        id: hex::decode(&id).expect("Invalid credential"),
+        .skip(1)
-        public_key: None,
+        .map(|id| FidoCredential {
-    }).collect::<Vec<_>>();
+            id: hex::decode(&id).expect("Invalid credential"),
+            public_key: None,
+        })
+        .collect::<Vec<_>>();
     if credentials.len() == 0 {
-        credentials = ctap::get_devices()?.map(|h| FidoDevice::new(&h).and_then(|mut dev| FidoCredentialRequestBuilder::default()
+        credentials = ctap::get_devices()?
-            .rp_id(RP_ID).build().unwrap().make_credential(&mut dev))).collect::<FidoResult<Vec<FidoCredential>>>()?;
+            .map(|h| {
-    }
-    let credentials = credentials.iter().collect::<Vec<_>>();
-    let (s, r) = channel();
-    thread::scope(|scope| {
-        let handles = ctap::get_devices()?.map(|h| {
-            let req = FidoAssertionRequestBuilder::default().rp_id(RP_ID).credentials(&credentials[..]).build().unwrap();
-            let s = s.clone();
-            scope.spawn(move |_| {
                 FidoDevice::new(&h).and_then(|mut dev| {
-                    req.get_assertion(&mut dev).map(|res| {
+                    FidoCredentialRequestBuilder::default()
-                        s.send(res.clone());
+                        .rp_id(RP_ID)
-                        res
+                        .user_name("test")
-                    })
+                        .build()
+                        .unwrap()
+                        .make_credential(&mut dev)
                 })
             })
-        }).collect::<Vec<_>>();
+            .collect::<FidoResult<Vec<FidoCredential>>>()?;
-        for h in handles {
-            h.join();
-        }
-        Ok::<(), FidoError>(())
-    }).unwrap();
-    for res in r.iter().take(credentials.len()) {
-        dbg!(res);
     }
+    let credentials = credentials.iter().collect::<Vec<_>>();
+    let req = FidoAssertionRequestBuilder::default()
+        .rp_id(RP_ID)
+        .credentials(&credentials[..])
+        .build()
+        .unwrap();
+    let mut devices = ctap::get_devices()?
+        .map(|handle| FidoDevice::new(&handle))
+        .collect::<FidoResult<Vec<_>>>()?;
+    // run with --features request_multiple
+    let (cred, _) =
+        ctap::get_assertion_devices(&req, devices.iter_mut(), Some(Duration::from_secs(10)))?;
+    println!("Success, got assertion for: {}", hex::encode(&cred.id));
     Ok(())
 }
-
-fn main() {
-    dbg!(run());
-}

src/cbor.rs

@@ -7,6 +7,7 @@
 use cbor_codec::value;
 use cbor_codec::value::Value;
 use cbor_codec::{Config, Decoder, Encoder, GenericDecoder, GenericEncoder};
+use cbor::skip::Skip;
 
 use byteorder::{BigEndian, ByteOrder, ReadBytesExt, WriteBytesExt};
 use failure::ResultExt;
@@ -38,7 +39,7 @@ impl<'a> Request<'a> {
         }
     }
 
-    pub fn decode<R: ReadBytesExt>(&self, reader: R) -> FidoResult<Response> {
+    pub fn decode<R: ReadBytesExt + Skip>(&self, reader: R) -> FidoResult<Response> {
         Ok(match self {
             Request::MakeCredential(_) => {
                 Response::MakeCredential(MakeCredentialResponse::decode(reader)?)
@@ -277,7 +278,7 @@ pub struct GetInfoResponse {
 }
 
 impl GetInfoResponse {
-    pub fn decode<R: ReadBytesExt>(mut reader: R) -> FidoResult<Self> {
+    pub fn decode<R: ReadBytesExt + Skip>(mut reader: R) -> FidoResult<Self> {
         let status = reader.read_u8().context(FidoErrorKind::CborDecode)?;
         if status != 0 {
             Err(FidoErrorKind::CborError(CborErrorCode::from(status)))?
@@ -304,7 +305,7 @@ impl GetInfoResponse {
                         response.pin_protocols.push(decoder.u8()?);
                     }
                 }
-                _ => continue,
+                _ => decoder.skip()?,
             }
         }
         Ok(response)
@@ -597,14 +598,45 @@ impl CoseKey {
         let mut cose_key = CoseKey::default();
         cose_key.algorithm = -7;
         for _ in 0..items {
-            match generic.borrow_mut().i16()? {
+            match generic.value()? {
-                0x01 => cose_key.key_type = generic.borrow_mut().u16()?,
+                Value::Text(value::Text::Text(text)) => match &text[..] {
-                0x02 => cose_key.algorithm = generic.borrow_mut().i32()?,
+                    "type" => {
-                key if key < 0 => {
+                        cose_key.key_type = match generic.value()? {
-                    cose_key.parameters.insert(key, generic.value()?);
+                            Value::Text(value::Text::Text(type_)) if &type_ == "public-key" => 0u16,
+                            Value::U16(i) => i,
+                            Value::U8(i) => i.into(),
+                            _ => {
+                                continue;
+                            }
+                        }
+                    }
+                    "alg" => cose_key.algorithm = generic.borrow_mut().i32()?,
+                    _ => continue,
+                },
+                val @ Value::I8(_)
+                | val @ Value::I16(_)
+                | val @ Value::U16(_)
+                | val @ Value::U8(_) => {
+                    let int_val = match val {
+                        Value::I8(i) => i as i32,
+                        Value::I16(i) => i as i32,
+                        Value::U8(i) => i as i32,
+                        Value::U16(i) => i as i32,
+                        _ => unreachable!(),
+                    };
+                    match int_val {
+                        0x01 => cose_key.key_type = generic.borrow_mut().u16()?,
+                        0x02 => cose_key.algorithm = generic.borrow_mut().i32()?,
+                        key if key < 0 => {
+                            cose_key.parameters.insert(key as i16, generic.value()?);
+                        }
+                        unknown => {
+                            (unknown, generic.value()?); // skip unknown parameter
+                        }
+                    }
                 }
-                _ => {
+                unknown => {
-                    generic.value()?; // skip unknown parameter
+                    (unknown, generic.value()?); // skip unknown parameter
                 }
             }
         }

src/error.rs

@@ -5,8 +5,8 @@
 // http://opensource.org/licenses/MIT>, at your option. This file may not be
 // copied, modified, or distributed except according to those terms.
 use cbor_codec::{DecodeError, EncodeError};
-use csv_core::{ReadFieldResult, Reader};
 use failure::_core::fmt::{Error, Formatter};
+use failure::_core::option::Option;
 use failure::{Backtrace, Context, Fail};
 use std::fmt;
 use std::fmt::Display;
@@ -19,10 +19,38 @@ pub struct FidoError(Context<FidoErrorKind>);
 #[derive(Debug, Copy, Clone, Fail, Eq, PartialEq)]
 pub struct CborErrorCode(u8);
 
+// generated using build.rs
+include!(concat!(env!("OUT_DIR"), "/ctap_error_codes.rs"));
+
+impl CborErrorCode {
+    fn detail(&self) -> Option<(u8, &'static str, &'static str)> {
+        for (code, name, desc) in CTAP_ERROR_CODES {
+            if *code == self.0 as usize {
+                return Some((self.0, name, desc));
+            }
+        }
+        None
+    }
+
+    pub fn name(&self) -> Option<&'static str> {
+        self.detail().map(|(_, name, _)| name)
+    }
+
+    pub fn description(&self) -> Option<&'static str> {
+        self.detail().map(|(_, _, desc)| desc)
+    }
+
+    pub fn code(&self) -> u8 {
+        self.0
+    }
+}
+
 #[derive(Copy, Clone, Eq, PartialEq, Debug, Fail)]
 pub enum FidoErrorKind {
     #[fail(display = "Read/write error with device.")]
     Io,
+    #[fail(display = "Operation timed out")]
+    Timeout,
     #[fail(display = "Error while reading packet from device.")]
     ReadPacket,
     #[fail(display = "Error while writing packet to device.")]
@@ -45,7 +73,7 @@ pub enum FidoErrorKind {
     EncryptPin,
     #[fail(display = "Failed to decrypt PIN.")]
     DecryptPin,
-    #[fail(display = "Supplied key has incorrect type.")]
+    #[fail(display = "Failed to verify response signature.")]
     VerifySignature,
     #[fail(display = "Failed to verify response signature.")]
     KeyType,
@@ -114,58 +142,24 @@ impl From<u8> for CborErrorCode {
 
 impl Display for CborErrorCode {
     fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
-        let messages = include_str!("ctap_error_codes.csv");
+        if let Some((code, _name, desc)) = self.detail() {
-        let mut rdr = Reader::new();
-        let mut bytes = messages.as_bytes();
-        let mut col: usize = 0;
-        let mut row: usize = 0;
-        let mut correct_row: bool = false;
-        let mut field = [0u8; 1024];
-        let mut name: Option<String> = None;
-        let mut desc: Option<String> = None;
-        loop {
-            let (result, nin, read) = rdr.read_field(&bytes, &mut field);
-            bytes = &bytes[nin..];
-            match result {
-                ReadFieldResult::InputEmpty => {}
-                ReadFieldResult::OutputFull => panic!("field too large"),
-                ReadFieldResult::Field { record_end } => {
-                    let text = String::from_utf8(field[..read].iter().cloned().collect()).unwrap();
-                    if row > 0 {
-                        match col {
-                            0 if i64::from_str_radix(&text[2..], 16)
-                                .expect("malformed ctap_error_codes.csv")
-                                == self.0 as i64 =>
-                            {
-                                correct_row = true
-                            }
-                            1 | 2 if correct_row => {
-                                if let Some(_) = name {
-                                    desc = Some(text);
-                                    break;
-                                } else {
-                                    name = Some(text);
-                                }
-                            }
-                            _ => (),
-                        }
-                    }
-                    col += 1;
-                    if record_end {
-                        col = 0;
-                        row += 1;
-                    }
-                }
-                ReadFieldResult::End => break,
-            }
-        }
-        if let Some((code, _name, desc)) =
-            name.and_then(|name| desc.map(|desc| (self.0, name, desc)))
-        {
             write!(f, "CborError: 0x{:x?}: {}", code, desc)?;
         } else {
-            write!(f, "CborError: 0x{:x?}", self.0)?;
+            write!(f, "CborError: 0x{:x?}: unknown", self.code())?;
         }
         Ok(())
     }
 }
+
+#[cfg(test)]
+mod test {
+    use super::*;
+
+    #[test]
+    fn cbor_error_code() {
+        assert_eq!(
+            CborErrorCode(0x33).to_string(),
+            "CborError: 0x33: PIN authentication, pinAuth, verification failed."
+        )
+    }
+}

src/extensions/hmac.rs

@@ -1,7 +1,4 @@
-use crate::{
+use crate::{FidoAssertionRequest, FidoAssertionRequestBuilder, FidoCredentialRequest};
-    AuthenticatorOptions, FidoAssertionRequestBuilder,
-    FidoCredentialRequest,
-};
 use crate::{FidoCredential, FidoDevice, FidoErrorKind, FidoResult};
 use cbor_codec::value::{Bytes, Int, Key, Text, Value};
 use cbor_codec::Encoder;
@@ -13,7 +10,6 @@ use rust_crypto::mac::Mac;
 use rust_crypto::sha2::Sha256;
 use std::collections::BTreeMap;
 use std::io::Cursor;
-use std::iter::FromIterator;
 
 pub trait HmacExtension {
     fn extension_name() -> &'static str {
@@ -40,8 +36,10 @@ pub trait HmacExtension {
 
     /// Convenience function to create an credential which includes extension specific data
     /// Use `FidoDevice::make_credential` if you need more control
-    fn make_hmac_credential(&mut self, request: FidoCredentialRequest) -> FidoResult<FidoCredential>;
+    fn make_hmac_credential(
-
+        &mut self,
+        request: &FidoCredentialRequest,
+    ) -> FidoResult<FidoCredential>;
 
     /// Request an assertion from the authenticator for a given credential and salt(s).
     /// at least one `salt` must be provided, consider using a hashing function like SHA256
@@ -53,13 +51,11 @@ pub trait HmacExtension {
     /// provided, and will fail if a PIN is required but not provided or if the
     /// device returns malformed data.
     ///
-    fn get_hmac_assertion<'a>(
+    fn get_hmac_assertion<'a: 'b, 'b>(
         &mut self,
-        rp_id: &str,
+        assertion: &FidoAssertionRequest<'a, 'b>,
-        credentials: &'a [&'a FidoCredential],
         salt: &[u8; 32],
         salt2: Option<&[u8; 32]>,
-        options: Option<AuthenticatorOptions>,
     ) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))>;
 
     /// Convenience function for `get_hmac_assertion` that will accept arbitrary
@@ -75,11 +71,13 @@ pub trait HmacExtension {
         digest.input(input);
         digest.result(&mut salt);
         self.get_hmac_assertion(
-            rp_id,
+            &FidoAssertionRequestBuilder::default()
-            &[credential],
+                .rp_id(rp_id)
+                .credential(&credential)
+                .build()
+                .unwrap(),
             &salt,
             None,
-            Some(AuthenticatorOptions { uv: true, rk: true, up: false }),
         )
         .map(|(_cred, secret)| secret.0)
     }
@@ -138,43 +136,35 @@ impl HmacExtension for FidoDevice {
         Ok(Value::Map(map))
     }
 
-    fn make_hmac_credential(&mut self, request: FidoCredentialRequest) -> FidoResult<FidoCredential> {
+    fn make_hmac_credential(
-        let mut request = request;
+        &mut self,
+        request: &FidoCredentialRequest,
+    ) -> FidoResult<FidoCredential> {
+        let mut request = request.clone();
         request.rk = true;
-        request.extension_data.insert(<Self as HmacExtension>::extension_name(), <Self as HmacExtension>::extension_input());
+        request.extension_data.insert(
+            <Self as HmacExtension>::extension_name(),
+            <Self as HmacExtension>::extension_input(),
+        );
         self.make_credential(&request)
     }
 
-    fn get_hmac_assertion<'a>(
+    fn get_hmac_assertion<'a: 'b, 'b>(
         &mut self,
-        rp_id: &str,
+        request: &FidoAssertionRequest<'a, 'b>,
-        credentials: &'a [&'a FidoCredential],
         salt: &[u8; 32],
         salt2: Option<&[u8; 32]>,
-        options: Option<AuthenticatorOptions>,
     ) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))> {
         while self.shared_secret.is_none() {
             self.init_shared_secret()?;
         }
         let ext_data: Value = self.get_data(salt, salt2)?;
+        let mut request = request.clone();
+        request
+            .extension_data
+            .insert(<Self as HmacExtension>::extension_name(), &ext_data);
 
-        let ext_data: BTreeMap<&str, &Value> = BTreeMap::from_iter(
+        let (cred, auth_data) = self.get_assertion(&request)?;
-            [(<Self as HmacExtension>::extension_name(), &ext_data)]
-                .iter()
-                .cloned(),
-        );
-
-        let mut builder = FidoAssertionRequestBuilder::default()
-            .credentials(credentials)
-            .rp_id(rp_id)
-            .extension_data(ext_data);
-
-        if let Some(opts) = options {
-            builder = builder.uv(opts.uv).up(opts.up);
-        }
-
-        let (cred, auth_data) =
-            self.get_assertion(&builder.build().unwrap())?;
         let shared_secret = self.shared_secret.as_ref().unwrap();
         let mut decryptor = shared_secret.decryptor();
         let mut hmac_secret_combined = [0u8; 64];
@@ -206,7 +196,11 @@ impl HmacExtension for FidoDevice {
         let mut hmac_secret_1 = [0u8; 32];
         hmac_secret_0.copy_from_slice(&hmac_secret[0..32]);
         hmac_secret_1.copy_from_slice(&hmac_secret[32..]);
-        let cred = credentials.into_iter().find(|c| c.id == cred.id).unwrap();
+        let cred = request
+            .credentials
+            .into_iter()
+            .find(|c| c.id == cred.id)
+            .unwrap();
         Ok((cred, (hmac_secret_0, salt2.and(Some(hmac_secret_1)))))
     }
 }

src/lib.rs

@@ -61,6 +61,7 @@ pub mod extensions;
 mod hid_common;
 mod hid_linux;
 mod packet;
+mod util;
 
 use std::cmp;
 use std::fs;
@@ -68,13 +69,11 @@ use std::io::{Cursor, Write};
 use std::u16;
 use std::u8;
 
-use self::cbor::{
+use self::cbor::{AuthenticatorOptions, PublicKeyCredentialDescriptor};
-    PublicKeyCredentialDescriptor,
-};
 pub use self::error::*;
-pub use self::cbor::AuthenticatorOptions;
 use self::hid_linux as hid;
 use self::packet::CtapCommand;
+pub use self::util::*;
 use crate::cbor::{AuthenticatorData, GetAssertionRequest};
 use failure::{Fail, ResultExt};
 use num_traits::FromPrimitive;
@@ -99,7 +98,6 @@ pub struct FidoCredential {
     /// The public key provided by the authenticator, in uncompressed form.
     pub public_key: Option<Vec<u8>>,
 }
-
 /// An opened FIDO authenticator.
 pub struct FidoDevice {
     device: fs::File,
@@ -111,6 +109,46 @@ pub struct FidoDevice {
     aaguid: [u8; 16],
 }
 
+pub struct FidoCancelHandle {
+    device: fs::File,
+    packet_size: u16,
+    channel_id: [u8; 4],
+}
+
+impl FidoCancelHandle {
+    pub fn cancel(&mut self) -> FidoResult<()> {
+        let payload = &[1u8];
+        let to_send = payload.len() as u16;
+        let max_payload = (self.packet_size - 7) as usize;
+        let (frame, payload) = payload.split_at(cmp::min(payload.len(), max_payload));
+        packet::write_init_packet(
+            &mut self.device,
+            64,
+            &self.channel_id,
+            &CtapCommand::Cancel,
+            to_send,
+            frame,
+        )?;
+        if payload.is_empty() {
+            return Ok(());
+        }
+        let max_payload = (self.packet_size - 5) as usize;
+        for (seq, frame) in (0..u8::MAX).zip(payload.chunks(max_payload)) {
+            packet::write_cont_packet(&mut self.device, 64, &self.channel_id, seq, frame)?;
+        }
+        self.device.flush().context(FidoErrorKind::WritePacket)?;
+        Ok(())
+    }
+
+    pub fn cancel_after<T>(&mut self, body: impl Fn(()) -> T) -> FidoResult<T> {
+        let res = body(());
+        match self.cancel() {
+            Ok(_) => Ok(res),
+            Err(e) => Err(e),
+        }
+    }
+}
+
 /// Request a new credential from the authenticator. The `rp_id` should be
 /// a stable string used to identify the party for whom the credential is
 /// created, for convenience it will be returned with the credential.
@@ -179,7 +217,7 @@ impl<'a> FidoCredentialRequest<'a> {
 #[derive(Clone, Debug, Builder)]
 #[builder(setter(into))]
 #[builder(pattern = "owned")]
-pub struct FidoAssertionRequest<'a> {
+pub struct FidoAssertionRequest<'a, 'b> {
     #[builder(default)]
     up: bool,
     #[builder(default)]
@@ -194,21 +232,16 @@ pub struct FidoAssertionRequest<'a> {
     #[builder(default = "&[0u8; 32]")]
     client_data_hash: &'a [u8],
     #[builder(default)]
-    extension_data: BTreeMap<&'a str, &'a cbor_codec::value::Value>,
+    extension_data: BTreeMap<&'b str, &'b cbor_codec::value::Value>,
 }
 
-impl<'a> FidoAssertionRequest<'a> {
+impl<'a, 'b> FidoAssertionRequest<'a, 'b> {
-    pub fn get_assertion(
+    pub fn get_assertion(&self, device: &mut FidoDevice) -> FidoResult<&'a FidoCredential> {
-        &self,
+        device.get_assertion(self).map(|res| res.0)
-        device: &mut FidoDevice,
-    ) -> FidoResult<&'a FidoCredential> {
-        device
-            .get_assertion(self)
-            .map(|res| res.0)
     }
 }
 
-impl<'a> FidoAssertionRequestBuilder<'a> {
+impl<'a, 'b> FidoAssertionRequestBuilder<'a, 'b> {
     pub fn credential(mut self, credential: &'a &'a FidoCredential) -> Self {
         self.credentials = Some(std::slice::from_ref(credential));
         self
@@ -254,14 +287,14 @@ impl FidoDevice {
             cbor::Response::GetInfo(resp) => resp,
             _ => Err(FidoErrorKind::CborDecode)?,
         };
-        if !response.versions.iter().any(|ver| ver == "FIDO_2_0") {
+        if !response.versions.iter().any(|ver| ["FIDO_2_0", "FIDO_2_1_PRE"].contains(&ver.as_str())) {
             Err(FidoErrorKind::DeviceUnsupported)?
         }
         // Require pin protocol version 1, only if pin-protocol is supported at all
         if !response
             .pin_protocols
             .iter()
-            .fold(true, |supported, ver| *ver == 1 && supported)
+            .any(|ver| *ver == 1) && response.pin_protocols.len() > 0
         {
             Err(FidoErrorKind::DeviceUnsupported)?
         }
@@ -292,6 +325,11 @@ impl FidoDevice {
         }
     }
 
+    /// True if this authenticator requires a PIN
+    pub fn needs_pin(&self) -> bool {
+        self.needs_pin
+    }
+
     /// Unlock the device with the provided PIN. Internally this will generate
     /// an ECDH keypair, send the encrypted PIN to the device and store the PIN
     /// token that the device generates on every power cycle. The PIN itself is
@@ -324,10 +362,21 @@ impl FidoDevice {
         }
     }
 
+    pub fn cancel_handle(&mut self) -> FidoResult<FidoCancelHandle> {
+        Ok(self
+            .device
+            .try_clone()
+            .map(|device| FidoCancelHandle {
+                device,
+                packet_size: self.packet_size,
+                channel_id: self.channel_id,
+            })
+            .context(FidoErrorKind::Io)?)
+    }
 
     pub fn make_credential(
         &mut self,
-        request: &FidoCredentialRequest<'_>
+        request: &FidoCredentialRequest<'_>,
     ) -> FidoResult<FidoCredential> {
         let rp = cbor::PublicKeyCredentialRpEntity {
             id: request.rp_id,
@@ -343,7 +392,8 @@ impl FidoDevice {
 
         let options = Some(AuthenticatorOptions {
             up: false,
-            uv: request.uv, rk: request.rk
+            uv: request.uv,
+            rk: request.rk,
         });
         if self.needs_pin && self.pin_token.is_none() {
             Err(FidoErrorKind::PinRequired)?
@@ -364,13 +414,17 @@ impl FidoDevice {
             rp,
             user,
             pub_key_cred_params: &pub_key_cred_params,
-            exclude_list: &request.exclude_list.iter()
+            exclude_list: &request
+                .exclude_list
+                .iter()
                 .map(|cred| PublicKeyCredentialDescriptor {
                     cred_type: "public-key".into(),
                     id: cred.id.clone(),
                 })
                 .collect::<Vec<_>>()[..],
-            extensions: &request.extension_data.iter()
+            extensions: &request
+                .extension_data
+                .iter()
                 .map(|(name, data)| (*name, *data))
                 .collect::<Vec<_>>()[..],
             options,
@@ -388,7 +442,7 @@ impl FidoDevice {
                 .attested_credential_data
                 .credential_public_key,
         )?
-            .bytes();
+        .bytes();
         Ok(FidoCredential {
             id: response.auth_data.attested_credential_data.credential_id,
             public_key: Some(Vec::from(&public_key[..])),
@@ -408,11 +462,9 @@ impl FidoDevice {
     ///
     /// This method will fail if a PIN is required but the device is not
     /// unlocked or if the device returns malformed data.
-
+    pub fn get_assertion<'a, 'b>(
-
-    pub fn get_assertion<'a>(
         &mut self,
-        assertion: &FidoAssertionRequest<'a>,
+        assertion: &FidoAssertionRequest<'a, 'b>,
     ) -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
         while self.shared_secret.is_none() {
             self.init_shared_secret()?;
@@ -446,7 +498,7 @@ impl FidoDevice {
             options: Some(AuthenticatorOptions {
                 rk: assertion.rk,
                 uv: assertion.uv,
-                up: assertion.up
+                up: assertion.up,
             }),
             pin_auth: pin_auth,
             pin_protocol: pin_auth.and(Some(0x01)),
@@ -467,19 +519,28 @@ impl FidoDevice {
             })
             .next();
 
-        credential.and_then(|cred| {
+        credential
-            cred.public_key.as_ref().map(|public_key|
+            .and_then(|cred| {
-                Some(crypto::verify_signature(
+                if cred
+                    .public_key
+                    .as_ref()
+                    .map(|public_key| {
+                        crypto::verify_signature(
                             &public_key,
                             &assertion.client_data_hash,
                             &response.auth_data_bytes,
                             &response.signature,
                         )
-            ).unwrap_or(true)).iter().filter_map( |valid| match valid {
+                    })
-                true => Some(cred),
+                    .unwrap_or(true)
-                false => None,
+                {
-            }).next()
+                    Some(cred)
-        }).ok_or(FidoError::from(FidoErrorKind::VerifySignature)).map(|cred| (cred, response.auth_data))
+                } else {
+                    None
+                }
+            })
+            .ok_or(FidoError::from(FidoErrorKind::VerifySignature))
+            .map(|cred| (cred, response.auth_data))
     }
 
     fn cbor(&mut self, request: cbor::Request) -> FidoResult<cbor::Response> {

src/util.rs

@@ -0,0 +1,88 @@
+#[cfg(feature = "request_multiple")]
+use crate::{
+    cbor::AuthenticatorData, FidoAssertionRequest, FidoCredential, FidoCredentialRequest,
+    FidoDevice, FidoErrorKind, FidoResult,
+};
+#[cfg(feature = "request_multiple")]
+use crossbeam::thread;
+#[cfg(feature = "request_multiple")]
+use std::sync::mpsc::channel;
+#[cfg(feature = "request_multiple")]
+use std::time::Duration;
+#[cfg(feature = "request_multiple")]
+pub fn request_multiple_devices<
+    'a,
+    T: Send + 'a,
+    F: Fn(&mut FidoDevice) -> FidoResult<T> + 'a + Sync,
+>(
+    devices: impl Iterator<Item = (&'a mut FidoDevice, &'a F)>,
+    timeout: Option<Duration>,
+) -> FidoResult<T> {
+    thread::scope(|scope| -> FidoResult<T> {
+        let (tx, rx) = channel();
+        let handles = devices
+            .map(|(device, fn_)| {
+                let cancel = device.cancel_handle()?;
+                let tx = tx.clone();
+                let thread_handle = scope.spawn(move |_| tx.send(fn_(device)));
+                Ok((cancel, thread_handle))
+            })
+            .collect::<FidoResult<Vec<_>>>()?;
+        let mut err = None;
+        let mut slept = Duration::from_millis(0);
+        let interval = Duration::from_millis(10);
+        let mut received = 0usize;
+        let res = loop {
+            match timeout {
+                Some(t) if t < slept => {
+                    break if let Some(cause) = err {
+                        cause
+                    } else {
+                        Err(FidoErrorKind::Timeout.into())
+                    };
+                }
+                _ => (),
+            }
+            if timeout.map(|t| t < slept).unwrap_or(true) {}
+            if let Ok(msg) = rx.recv_timeout(interval) {
+                received += 1;
+                match msg {
+                    e @ Err(_) if received == handles.len() => break e,
+                    e @ Err(_) => err = Some(e),
+                    res @ Ok(_) => break res,
+                }
+            } else {
+                slept += interval;
+            }
+        };
+        for (mut cancel, join) in handles {
+            // Canceling out of courtesy don't care if it fails
+            let _ = cancel.cancel();
+            let _ = join.join();
+        }
+        res
+    })
+    .unwrap()
+}
+
+/// Will send the `assertion_request` to all supplied `devices` and return either the first successful assertion or the last error
+#[cfg(feature = "request_multiple")]
+pub fn get_assertion_devices<'a>(
+    assertion_request: &'a FidoAssertionRequest,
+    devices: impl Iterator<Item = &'a mut FidoDevice>,
+    timeout: Option<Duration>,
+) -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
+    let get_assertion = |device: &mut FidoDevice| device.get_assertion(assertion_request);
+    request_multiple_devices(devices.map(|device| (device, &get_assertion)), timeout)
+}
+
+/// Will send the `credential_request` to all supplied `devices` and return either the first credential or the last error
+#[cfg(feature = "request_multiple")]
+pub fn make_credential_devices<'a>(
+    credential_request: &'a FidoCredentialRequest,
+    devices: impl Iterator<Item = &'a mut FidoDevice>,
+    timeout: Option<Duration>,
+) -> FidoResult<FidoCredential> {
+    let make_credential = |device: &mut FidoDevice| device.make_credential(credential_request);
+    request_multiple_devices(devices.map(|device| (device, &make_credential)), timeout)
+}