Support Multiple Origins (#237)

* Add support for using multiple origins

* Improve error message by converting the lists to strings

* Changed demo to use origins.

* Change Origins to HashSet

* Fix conformance test controller, update tests to use origins instead of origin

Co-authored-by: Alex Seigler <[email protected]>

Author: Hinton

Demo/Startup.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
@@ -45,7 +46,7 @@ public void ConfigureServices(IServiceCollection services)
             {
                 options.ServerDomain = Configuration["fido2:serverDomain"];
                 options.ServerName = "FIDO2 Test";
-                options.Origin = Configuration["fido2:origin"];
+                options.Origins = new HashSet<string> { Configuration["fido2:origin"] };
                 options.TimestampDriftTolerance = Configuration.GetValue<int>("fido2:timestampDriftTolerance");
                 options.MDSCacheDirPath = Configuration["fido2:MDSCacheDirPath"];
             })

Demo/TestController.cs

@@ -22,13 +22,13 @@ public class TestController : Controller
 
         public TestController(IOptions<Fido2Configuration> fido2Configuration)
         {
-            _origin = fido2Configuration.Value.Origin;
+            _origin = fido2Configuration.Value.FullyQualifiedOrigins.FirstOrDefault();
 
             _fido2 = new Fido2(new Fido2Configuration
             {
                 ServerDomain = fido2Configuration.Value.ServerDomain,
                 ServerName = fido2Configuration.Value.ServerName,
-                Origin = _origin,
+                Origins = fido2Configuration.Value.FullyQualifiedOrigins,
             }, 
             ConformanceTesting.MetadataServiceInstance(
                 System.IO.Path.Combine(fido2Configuration.Value.MDSCacheDirPath, @"Conformance"), _origin)

Src/Fido2.Models/Fido2Configuration.cs

@@ -1,5 +1,7 @@
-using System.Net.Http;
-
+using System;
+using System.Collections.Generic;
+using System.Linq;
+
 namespace Fido2NetLib
 {
     public class Fido2Configuration
@@ -38,18 +40,44 @@ public class Fido2Configuration
         /// <summary>
         /// Server origin, including protocol host and port.
         /// </summary>
-        public string Origin { get; set; }
-
-        /// <summary>
-        /// MDSCacheDirPath
-        /// </summary>
+        [Obsolete("This property is obsolete. Use Origins instead.")]
+        public string Origin { get; set; }
+
+        /// <summary>
+        /// Server origins, including protocol host and port.
+        /// </summary>
+        public HashSet<string> Origins
+        {
+            get => _origins ?? new HashSet<string> { Origin };
+            set
+            {
+                _origins = value;
+                _fullyQualifiedOrigins = new HashSet<string>(value.Select(o => o.ToFullyQualifiedOrigin()), StringComparer.OrdinalIgnoreCase);
+            }
+        }
+
+        /// <summary>
+        /// Fully Qualified Server origins, generated automatically from Origins.
+        /// </summary>
+        public HashSet<string> FullyQualifiedOrigins
+        {
+            get => _fullyQualifiedOrigins ?? new HashSet<string> { Origin?.ToFullyQualifiedOrigin() };
+            private set => _fullyQualifiedOrigins = value;
+        }
+
+        /// <summary>
+        /// MDSCacheDirPath
+        /// </summary>
         public string MDSCacheDirPath { get; set; }
 
         /// <summary>
         /// Create the configuration for Fido2
         /// </summary>
         public Fido2Configuration()
         {
-        }
+        }
+
+        private HashSet<string> _origins;
+        private HashSet<string> _fullyQualifiedOrigins;
     }
 }

Src/Fido2.Models/StringExtensions.cs

@@ -0,0 +1,17 @@
+using System;
+
+namespace Fido2NetLib
+{
+    public static class StringExtensions
+    {
+        public static string ToFullyQualifiedOrigin(this string origin)
+        {
+            var uri = new Uri(origin);
+
+            if (UriHostNameType.Unknown != uri.HostNameType)
+                return uri.IsDefaultPort ? $"{uri.Scheme}://{uri.Host}" : $"{uri.Scheme}://{uri.Host}:{uri.Port}";
+
+            return origin;
+        }
+    }
+}

Src/Fido2/AuthenticatorAssertionResponse.cs

@@ -1,6 +1,8 @@
+using System;
+using System.Collections.Generic;
+
 #nullable disable
 
-using System;
 using System.Linq;
 using System.Security.Cryptography;
 using System.Text;
@@ -44,22 +46,22 @@ public static AuthenticatorAssertionResponse Parse(AuthenticatorAssertionRawResp
         /// Implements alghoritm from https://www.w3.org/TR/webauthn/#verifying-assertion
         /// </summary>
         /// <param name="options">The assertionoptions that was sent to the client</param>
-        /// <param name="expectedOrigin">
-        /// The expected server origin, used to verify that the signature is sent to the expected server
+        /// <param name="fullyQualifiedExpectedOrigins">
+        /// The expected fully qualified server origins, used to verify that the signature is sent to the expected server
         /// </param>
         /// <param name="storedPublicKey">The stored public key for this CredentialId</param>
         /// <param name="storedSignatureCounter">The stored counter value for this CredentialId</param>
         /// <param name="isUserHandleOwnerOfCredId">A function that returns <see langword="true"/> if user handle is owned by the credential ID</param>
         /// <param name="requestTokenBindingId"></param>
         public async Task<AssertionVerificationResult> VerifyAsync(
             AssertionOptions options,
-            string expectedOrigin,
+            HashSet<string> fullyQualifiedExpectedOrigins,
             byte[] storedPublicKey,
             uint storedSignatureCounter,
             IsUserHandleOwnerOfCredentialIdAsync isUserHandleOwnerOfCredId,
             byte[] requestTokenBindingId)
         {
-            BaseVerify(expectedOrigin, options.Challenge, requestTokenBindingId);
+            BaseVerify(fullyQualifiedExpectedOrigins, options.Challenge, requestTokenBindingId);
 
             if (Raw.Type != PublicKeyCredentialType.PublicKey)
                 throw new Fido2VerificationException("AssertionResponse Type is not set to public-key");

Src/Fido2/AuthenticatorAttestationResponse.cs

@@ -86,7 +86,7 @@ public async Task<AttestationVerificationSuccess> VerifyAsync(CredentialCreateOp
             // 5. Verify that the value of C.origin matches the Relying Party's origin.
             // 6. Verify that the value of C.tokenBinding.status matches the state of Token Binding for the TLS connection over which the assertion was obtained. 
             // If Token Binding was used on that TLS connection, also verify that C.tokenBinding.id matches the base64url encoding of the Token Binding ID for the connection.
-            BaseVerify(config.Origin, originalOptions.Challenge, requestTokenBindingId);
+            BaseVerify(config.FullyQualifiedOrigins, originalOptions.Challenge, requestTokenBindingId);
 
             if (Raw.Id is null || Raw.Id.Length == 0)
                 throw new Fido2VerificationException("AttestationResponse is missing Id");

Src/Fido2/AuthenticatorResponse.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Linq;
 using System.Text.Json;
 using System.Text.Json.Serialization;
@@ -44,6 +45,8 @@ protected AuthenticatorResponse(ReadOnlySpan<byte> utf8EncodedJson)
         }
 #nullable enable
 
+        public const int MAX_ORIGINS_TO_PRINT = 5;
+
         [JsonPropertyName("type")]
         public string Type { get; set; }
 
@@ -56,7 +59,7 @@ protected AuthenticatorResponse(ReadOnlySpan<byte> utf8EncodedJson)
 
         // todo: add TokenBinding https://www.w3.org/TR/webauthn/#dictdef-tokenbinding
 
-        protected void BaseVerify(string expectedOrigin, ReadOnlySpan<byte> originalChallenge, ReadOnlySpan<byte> requestTokenBindingId)
+        protected void BaseVerify(HashSet<string> fullyQualifiedExpectedOrigins, ReadOnlySpan<byte> originalChallenge, ReadOnlySpan<byte> requestTokenBindingId)
         {
             if (Type is not "webauthn.create" && Type is not "webauthn.get")
                 throw new Fido2VerificationException($"Type not equal to 'webauthn.create' or 'webauthn.get'. Was: '{Type}'");
@@ -68,12 +71,11 @@ protected void BaseVerify(string expectedOrigin, ReadOnlySpan<byte> originalChal
             if (!Challenge.AsSpan().SequenceEqual(originalChallenge))
                 throw new Fido2VerificationException("Challenge not equal to original challenge");
 
-            var fullyQualifiedOrigin = FullyQualifiedOrigin(Origin);
-            var fullyQualifiedExpectedOrigin = FullyQualifiedOrigin(expectedOrigin);
+            var fullyQualifiedOrigin = Origin.ToFullyQualifiedOrigin();
 
             // 5. Verify that the value of C.origin matches the Relying Party's origin.
-            if (!string.Equals(fullyQualifiedOrigin, fullyQualifiedExpectedOrigin, StringComparison.OrdinalIgnoreCase))
-                throw new Fido2VerificationException($"Fully qualified origin {fullyQualifiedOrigin} of {Origin} not equal to fully qualified original origin {fullyQualifiedExpectedOrigin} of {expectedOrigin}");
+            if (!fullyQualifiedExpectedOrigins.Contains(fullyQualifiedOrigin))
+                throw new Fido2VerificationException($"Fully qualified origin {fullyQualifiedOrigin} of {Origin} not equal to fully qualified original origin {string.Join(", ", fullyQualifiedExpectedOrigins.Take(MAX_ORIGINS_TO_PRINT))} ({fullyQualifiedExpectedOrigins.Count})");
 
         }
 

Src/Fido2/Fido2NetLib.cs

@@ -2,7 +2,7 @@
 using System.Security.Cryptography;
 using System.Threading.Tasks;
 using Fido2NetLib.Objects;
-
+
 namespace Fido2NetLib
 {
     /// <summary>
@@ -14,21 +14,21 @@ public partial class Fido2 : IFido2
         private readonly IMetadataService? _metadataService;
 
         public Fido2(
-            Fido2Configuration config,
+            Fido2Configuration config,
             IMetadataService? metadataService = null)
         {
             _config = config;
             _metadataService = metadataService;
-        }
+        }
 
         /// <summary>
         /// Returns CredentialCreateOptions including a challenge to be sent to the browser/authr to create new credentials
         /// </summary>
         /// <returns></returns>
         /// <param name="excludeCredentials">Recommended. This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for the same account on a single authenticator.The client is requested to return an error if the new credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter.</param>
-        public CredentialCreateOptions RequestNewCredential(
-            Fido2User user,
-            List<PublicKeyCredentialDescriptor> excludeCredentials,
+        public CredentialCreateOptions RequestNewCredential(
+            Fido2User user,
+            List<PublicKeyCredentialDescriptor> excludeCredentials,
             AuthenticationExtensionsClientInputs? extensions = null)
         {
             return RequestNewCredential(user, excludeCredentials, AuthenticatorSelection.Default, AttestationConveyancePreference.None, extensions);
@@ -40,11 +40,11 @@ public CredentialCreateOptions RequestNewCredential(
         /// <returns></returns>
         /// <param name="attestationPreference">This member is intended for use by Relying Parties that wish to express their preference for attestation conveyance. The default is none.</param>
         /// <param name="excludeCredentials">Recommended. This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for the same account on a single authenticator.The client is requested to return an error if the new credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter.</param>
-        public CredentialCreateOptions RequestNewCredential(
-            Fido2User user,
-            List<PublicKeyCredentialDescriptor> excludeCredentials,
-            AuthenticatorSelection authenticatorSelection,
-            AttestationConveyancePreference attestationPreference,
+        public CredentialCreateOptions RequestNewCredential(
+            Fido2User user,
+            List<PublicKeyCredentialDescriptor> excludeCredentials,
+            AuthenticatorSelection authenticatorSelection,
+            AttestationConveyancePreference attestationPreference,
             AuthenticationExtensionsClientInputs? extensions = null)
         {
             var challenge = new byte[_config.ChallengeSize];
@@ -60,10 +60,10 @@ public CredentialCreateOptions RequestNewCredential(
         /// <param name="attestationResponse"></param>
         /// <param name="origChallenge"></param>
         /// <returns></returns>
-        public async Task<CredentialMakeResult> MakeNewCredentialAsync(
-            AuthenticatorAttestationRawResponse attestationResponse,
-            CredentialCreateOptions origChallenge,
-            IsCredentialIdUniqueToUserAsyncDelegate isCredentialIdUniqueToUser,
+        public async Task<CredentialMakeResult> MakeNewCredentialAsync(
+            AuthenticatorAttestationRawResponse attestationResponse,
+            CredentialCreateOptions origChallenge,
+            IsCredentialIdUniqueToUserAsyncDelegate isCredentialIdUniqueToUser,
             byte[]? requestTokenBindingId = null)
         {
             var parsedResponse = AuthenticatorAttestationResponse.Parse(attestationResponse);
@@ -81,9 +81,9 @@ public async Task<CredentialMakeResult> MakeNewCredentialAsync(
         /// Returns AssertionOptions including a challenge to the browser/authr to assert existing credentials and authenticate a user.
         /// </summary>
         /// <returns></returns>
-        public AssertionOptions GetAssertionOptions(
-            IEnumerable<PublicKeyCredentialDescriptor> allowedCredentials,
-            UserVerificationRequirement? userVerification,
+        public AssertionOptions GetAssertionOptions(
+            IEnumerable<PublicKeyCredentialDescriptor> allowedCredentials,
+            UserVerificationRequirement? userVerification,
             AuthenticationExtensionsClientInputs? extensions = null)
         {
             var challenge = new byte[_config.ChallengeSize];
@@ -97,21 +97,21 @@ public AssertionOptions GetAssertionOptions(
         /// Verifies the assertion response from the browser/authr to assert existing credentials and authenticate a user.
         /// </summary>
         /// <returns></returns>
-        public async Task<AssertionVerificationResult> MakeAssertionAsync(
-            AuthenticatorAssertionRawResponse assertionResponse,
-            AssertionOptions originalOptions,
-            byte[] storedPublicKey,
-            uint storedSignatureCounter,
-            IsUserHandleOwnerOfCredentialIdAsync isUserHandleOwnerOfCredentialIdCallback,
+        public async Task<AssertionVerificationResult> MakeAssertionAsync(
+            AuthenticatorAssertionRawResponse assertionResponse,
+            AssertionOptions originalOptions,
+            byte[] storedPublicKey,
+            uint storedSignatureCounter,
+            IsUserHandleOwnerOfCredentialIdAsync isUserHandleOwnerOfCredentialIdCallback,
             byte[]? requestTokenBindingId = null)
         {
             var parsedResponse = AuthenticatorAssertionResponse.Parse(assertionResponse);
 
-            var result = await parsedResponse.VerifyAsync(originalOptions,
-                                                          _config.Origin,
-                                                          storedPublicKey,
-                                                          storedSignatureCounter,
-                                                          isUserHandleOwnerOfCredentialIdCallback,
+            var result = await parsedResponse.VerifyAsync(originalOptions,
+                                                          _config.FullyQualifiedOrigins,
+                                                          storedPublicKey,
+                                                          storedSignatureCounter,
+                                                          isUserHandleOwnerOfCredentialIdCallback,
                                                           requestTokenBindingId);
 
             return result;
@@ -122,11 +122,11 @@ public async Task<AssertionVerificationResult> MakeAssertionAsync(
         /// </summary>
         public sealed class CredentialMakeResult : Fido2ResponseBase
         {
-            public CredentialMakeResult(string status, string errorMessage, AttestationVerificationSuccess result)
-            {
-                Status = status;
-                ErrorMessage = errorMessage;
-                Result = result;
+            public CredentialMakeResult(string status, string errorMessage, AttestationVerificationSuccess result)
+            {
+                Status = status;
+                ErrorMessage = errorMessage;
+                Result = result;
             }
 
             public AttestationVerificationSuccess Result { get; }

Test/Attestation/Apple.cs

@@ -213,7 +213,7 @@ public void TestApplePublicKeyMismatch()
             {
                 ServerDomain = "6cc3c9e7967a.ngrok.io",
                 ServerName = "6cc3c9e7967a.ngrok.io",
-                Origin = "6cc3c9e7967a.ngrok.io",
+                Origins = new HashSet<string> { "https://6cc3c9e7967a.ngrok.io" },
             });
 
             var credentialMakeResult = lib.MakeNewCredentialAsync(attestationResponse, origChallenge, callback);