Add ERC7913WebAuthnVerifier for external WebAuthn verification (#188)

Co-authored-by: Hadrien Croubois <[email protected]>

Author: ernestognw

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 16-07-2025
+
+- `ERC7913WebAuthnVerifier`: Add an ERC-7913 signature verifier that supports WebAuthn authentication assertions using P256 keys.
+
 ## 08-07-2025
 
 - `WebAuthn.sol`: Add library for on-chain verification of WebAuthn authentication assertions and P256 signatures.

contracts/utils/cryptography/README.adoc

@@ -16,7 +16,7 @@ A collection of contracts and libraries that implement various signature validat
  * {SignerERC7913}, {MultiSignerERC7913}, {MultiSignerERC7913Weighted}: Implementations of {AbstractSigner} that validate signatures based on ERC-7913. Including a simple and weighted multisignature scheme.
  * {SignerZKEmail}: Implementation of an {AbstractSigner} that enables email-based authentication through zero-knowledge proofs.
  * {SignerWebAuthn}: Implementation of {SignerP256} that supports WebAuthn authentication assertions.
- * {ERC7913P256Verifier}, {ERC7913RSAVerifier}, {ERC7913ZKEmailVerifier}: Ready to use ERC-7913 signature verifiers for P256, RSA keys, and ZKEmail.
+ * {ERC7913P256Verifier}, {ERC7913RSAVerifier}, {ERC7913ZKEmailVerifier}, {ERC7913WebAuthnVerifier}: Ready to use ERC-7913 signature verifiers for P256, RSA keys, ZKEmail and WebAuthn.
 
 == Utils
 
@@ -60,3 +60,5 @@ A collection of contracts and libraries that implement various signature validat
 {{ERC7913RSAVerifier}}
 
 {{ERC7913ZKEmailVerifier}}
+
+{{ERC7913WebAuthnVerifier}}

contracts/utils/cryptography/verifiers/ERC7913WebAuthnVerifier.sol

@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.24;
+
+import {WebAuthn} from "../WebAuthn.sol";
+import {IERC7913SignatureVerifier} from "@openzeppelin/contracts/interfaces/IERC7913.sol";
+
+/**
+ * @dev ERC-7913 signature verifier that supports WebAuthn authentication assertions.
+ *
+ * This verifier enables the validation of WebAuthn signatures using P256 public keys.
+ * The key is expected to be a 64-byte concatenation of the P256 public key coordinates (qx || qy).
+ * The signature is expected to be an abi-encoded {WebAuthn-WebAuthnAuth} struct.
+ *
+ * Uses {WebAuthn-verifyMinimal} for signature verification, which performs the essential
+ * WebAuthn checks: type validation, challenge matching, and cryptographic signature verification.
+ *
+ * NOTE: Wallets that may require default P256 validation may install a P256 verifier separately.
+ */
+contract ERC7913WebAuthnVerifier is IERC7913SignatureVerifier {
+    /// @inheritdoc IERC7913SignatureVerifier
+    function verify(bytes calldata key, bytes32 hash, bytes calldata signature) public view virtual returns (bytes4) {
+        (bool decodeSuccess, WebAuthn.WebAuthnAuth calldata auth) = WebAuthn.tryDecodeAuth(signature);
+
+        return
+            decodeSuccess &&
+                key.length == 0x40 &&
+                WebAuthn.verifyMinimal(abi.encodePacked(hash), auth, bytes32(key[0x00:0x20]), bytes32(key[0x20:0x40]))
+                ? IERC7913SignatureVerifier.verify.selector
+                : bytes4(0xFFFFFFFF);
+    }
+}

test/account/AccountERC7913.test.js

@@ -8,7 +8,7 @@ const {
   P256SigningKey,
   RSASHA256SigningKey,
 } = require('@openzeppelin/contracts/test/helpers/signers');
-const { ZKEmailSigningKey } = require('../helpers/signers');
+const { ZKEmailSigningKey, WebAuthnSigningKey } = require('../helpers/signers');
 
 const { shouldBehaveLikeAccountCore, shouldBehaveLikeAccountHolder } = require('./Account.behavior');
 const { shouldBehaveLikeERC1271 } = require('../utils/cryptography/ERC1271.behavior');
@@ -18,6 +18,7 @@ const { shouldBehaveLikeERC7821 } = require('./extensions/ERC7821.behavior');
 const signerECDSA = ethers.Wallet.createRandom();
 const signerP256 = new NonNativeSigner(P256SigningKey.random());
 const signerRSA = new NonNativeSigner(RSASHA256SigningKey.random());
+const signerWebAuthn = new NonNativeSigner(WebAuthnSigningKey.random());
 
 // Constants for ZKEmail
 const accountSalt = '0x046582bce36cdd0a8953b9d40b8f20d58302bacf3bcecffeb6741c98a52725e2'; // keccak256("[email protected]")
@@ -48,6 +49,7 @@ async function fixture() {
   // ERC-7913 verifiers
   const verifierP256 = await ethers.deployContract('ERC7913P256Verifier');
   const verifierRSA = await ethers.deployContract('ERC7913RSAVerifier');
+  const verifierWebAuthn = await ethers.deployContract('ERC7913WebAuthnVerifier');
   const verifierZKEmail = await ethers.deployContract('$ERC7913ZKEmailVerifier');
 
   // ERC-4337 env
@@ -72,6 +74,7 @@ async function fixture() {
     helper,
     verifierP256,
     verifierRSA,
+    verifierWebAuthn,
     verifierZKEmail,
     dkim,
     zkEmailVerifier,
@@ -142,6 +145,25 @@ describe('AccountERC7913', function () {
     shouldBehaveLikeERC7821();
   });
 
+  // Using WebAuthn key with an ERC-7913 verifier
+  describe('WebAuthn key', function () {
+    beforeEach(async function () {
+      this.signer = signerWebAuthn;
+      this.mock = await this.makeMock(
+        ethers.concat([
+          this.verifierWebAuthn.target,
+          this.signer.signingKey.publicKey.qx,
+          this.signer.signingKey.publicKey.qy,
+        ]),
+      );
+    });
+
+    shouldBehaveLikeAccountCore();
+    shouldBehaveLikeAccountHolder();
+    shouldBehaveLikeERC1271({ erc7739: true });
+    shouldBehaveLikeERC7821();
+  });
+
   // Using ZKEmail with an ERC-7913 verifier
   describe('ZKEmail', function () {
     beforeEach(async function () {