Should cbor_encode_cred_ext() encode the minPinLength value?

[ntwerdochlib]

I see that the corresponding decode_cred_extension() does look for and decode a value for minPinLength, but cbor_encode_cred_ext() only encodes a bool for the extension.

Is this by design or an oversight?

[LDVG]

The implementation follows the CTAP2.1 specification, see §12.4. Minimum PIN Length Extension (minPinLength):

Authenticator extension input

Boolean asking for minimum PIN length value in Unicode code points. The platform sends the authenticatorMakeCredential request with the following CBOR map entry in the "extensions" field to the authenticator:

"minPinLength": true

and

Authenticator extension output

If the RP is

• authorized, the authenticator sets the minPinLength return value to the current minimum PIN length value.
• not authorized, the authenticator ignores the extension and does not return any authenticator extension output.

CDDL:
"minPinLength": uint

i.e. cbor_encode_cred_ext() encodes the authenticator extension input; and decode_cred_extension() decodes the authenticator extension output.

If your intention is to set a minimum PIN length, you use the authenticatorConfig command’s setMinPINLength sub-command (see also §7.4. Set Minimum PIN Length). This is abstracted in libfido2 via the fido_dev_set_pin_minlen() function.

[ntwerdochlib]

Well damn. I saw this extension as a means for the RP to enforce a minimum pin length, not as a request for minimum pin length. This clears that up for me.

Thanks