Add CTAP support (#281)

* Add Ctap project

* Rename Ctap -> Ctap2

* Make various Cbor models public to support Ctap

* Add PublicKeyCredentialUserEntity model

* Make PublicKeyCredentialRpEntity.Icon optional

* Add CTAP models

* Add basic CTAP test coverage

* Rename AuthenticatorBase -> FidoAuthenticator

* Use C# 10

* [Ctap2]  Include AuthenticationMakeCredentialCommand extensions

* [Cbor2] Implement AuthenticatorClientPinResponse.FromCborObject

* Add CredentialPublicKey(ECDsa ecdsaPublicKey, COSE.Algorithm alg) constructor

* Make PubKeyCredParam options public

* [Ctap2] Implement higher level APIs

* Update System.Formats.Cbor

Author: iamcarbon

Src/Fido2.Ctap2/Cbor/CborHelper.cs

@@ -0,0 +1,81 @@
+using Fido2NetLib.Cbor;
+using Fido2NetLib.Objects;
+
+namespace Fido2NetLib.Ctap2;
+
+internal sealed class CborHelper
+{
+    public static PublicKeyCredentialDescriptor DecodePublicKeyCredentialDescriptor(CborMap map)
+    {
+        var result = new PublicKeyCredentialDescriptor();
+
+        foreach (var (key, value) in map)
+        {
+            switch ((string)key)
+            {
+                case "id":
+                    result.Id = (byte[])value;
+                    break;
+                case "type" when (value is CborTextString { Value: "public-key" }):
+                    result.Type = PublicKeyCredentialType.PublicKey;
+                    break;
+            }
+        }
+
+        return result;
+    }
+
+    public static PublicKeyCredentialUserEntity DecodePublicKeyCredentialUserEntity(CborMap map)
+    {
+        var result = new PublicKeyCredentialUserEntity();
+
+        foreach (var (key, value) in map)
+        {
+            switch ((string)key)
+            {
+                case "id":
+                    result.Id = (byte[])value;
+                    break;
+                case "name":
+                    result.Name = (string)value;
+                    break;
+                case "displayName":
+                    result.DisplayName = (string)value;
+                    break;
+                case "icon":
+                    result.Icon = (string)value;
+                    break;
+            }
+        }
+
+        return result;
+    }
+
+    public static string[] ToStringArray(CborObject cborObject)
+    {
+        var cborArray = (CborArray)cborObject;
+
+        var result = new string[cborArray.Length];
+
+        for (int i = 0; i < cborArray.Length; i++)
+        {
+            result[i] = (string)cborArray[i];
+        }
+
+        return result;
+    }
+
+    public static int[] ToInt32Array(CborObject cborObject)
+    {
+        var cborArray = (CborArray)cborObject;
+
+        var result = new int[cborArray.Length];
+
+        for (int i = 0; i < cborArray.Length; i++)
+        {
+            result[i] = (int)cborArray[i];
+        }
+
+        return result;
+    }
+}

Src/Fido2.Ctap2/Cbor/CborMember.cs

@@ -0,0 +1,16 @@
+namespace Fido2NetLib.Ctap2;
+
+public sealed class CborMember : Attribute
+{
+    public object _key;
+
+    public CborMember(byte key)
+    {
+        _key = key;
+    }
+
+    public CborMember(string key)
+    {
+        _key = key;
+    }
+}

Src/Fido2.Ctap2/Commands/AuthenticatorClientPinCommand.cs

@@ -0,0 +1,104 @@
+using Fido2NetLib.Cbor;
+using Fido2NetLib.Objects;
+
+namespace Fido2NetLib.Ctap2;
+
+public sealed class AuthenticatorClientPinCommand : CtapCommand
+{
+    public AuthenticatorClientPinCommand(
+        uint pinProtocol,
+        AuthenticatorClientPinSubCommand subCommand,
+        CredentialPublicKey? keyAgreement = null,
+        byte[]? pinAuth = null,
+        byte[]? newPinEnc = null,
+        byte[]? pinHashEnc = null)
+    {
+        
+        PinProtocol = pinProtocol;
+        SubCommand = subCommand;
+        KeyAgreement = keyAgreement;
+        PinAuth = pinAuth;
+        NewPinEnc = newPinEnc; 
+        PinHashEnc = pinHashEnc;
+    }
+
+    /// <summary>
+    /// Required PIN protocol version chosen by the client
+    /// </summary>
+    [CborMember(0x01)]
+    public uint PinProtocol { get; }
+
+    /// <summary>
+    /// The authenticator Client PIN sub command currently being requested.
+    /// </summary>
+    [CborMember(0x02)]
+    public AuthenticatorClientPinSubCommand SubCommand { get; }
+
+    /// <summary>
+    /// Public key of platformKeyAgreementKey.
+    /// The COSE_Key-encoded public key MUST contain the optional "alg" parameter and MUST NOT contain any other optional parameters.
+    /// The "alg" parameter MUST contain a COSEAlgorithmIdentifier value.
+    /// </summary>
+    [CborMember(0x03)]
+    public CredentialPublicKey? KeyAgreement { get; }
+
+    /// <summary>
+    /// First 16 bytes of HMAC-SHA-256 of encrypted contents using sharedSecret.
+    /// </summary>
+    [CborMember(0x04)]
+    public byte[]? PinAuth { get; }
+
+    /// <summary>
+    /// Encrypted new PIN using sharedSecret.
+    /// </summary>
+    [CborMember(0x05)]
+    public byte[]? NewPinEnc { get; }
+
+    /// <summary>
+    /// Encrypted first 16 bytes of SHA-256 of PIN using sharedSecret.
+    /// </summary>
+    [CborMember(0x06)]
+    public byte[]? PinHashEnc { get; }
+
+    public override CtapCommandType Type => CtapCommandType.AuthenticatorClientPin;
+
+    protected override CborObject? GetParameters()
+    {
+        var cbor = new CborMap
+        {
+            { 0x01, PinProtocol },
+            { 0x02, (int)SubCommand }
+        };
+
+        if (KeyAgreement != null)
+        {
+            cbor.Add(0x03, KeyAgreement.GetCborObject());
+        }
+
+        if (PinAuth != null)
+        {
+            cbor.Add(0x04, PinAuth);
+        }
+
+        if (NewPinEnc != null)
+        {
+            cbor.Add(0x05, NewPinEnc);
+        }
+
+        if (PinHashEnc != null)
+        {
+            cbor.Add(0x06, PinHashEnc);
+        }
+
+        return cbor;
+    }
+}
+
+public enum AuthenticatorClientPinSubCommand
+{
+    GetRetries      = 0x01,
+    GetKeyAgreement = 0x02,
+    SetPin          = 0x03,
+    ChangePin       = 0x04,
+    GetPinToken     = 0x05,
+}

Src/Fido2.Ctap2/Commands/AuthenticatorGetAssertionCommand.cs

@@ -0,0 +1,136 @@
+using Fido2NetLib.Cbor;
+using Fido2NetLib.Objects;
+
+namespace Fido2NetLib.Ctap2;
+
+public sealed class AuthenticatorGetAssertionCommand : CtapCommand
+{
+    public AuthenticatorGetAssertionCommand(
+        string rpId, 
+        byte[] clientDataHash,
+        PublicKeyCredentialDescriptor[] allowList,
+        CborMap? extensions = null,
+        AuthenticatorGetAssertionOptions? options = null,
+        byte[]? pinAuth = null,
+        uint? pinProtocol = null)
+    {
+        ArgumentNullException.ThrowIfNull(rpId);
+        ArgumentNullException.ThrowIfNull(clientDataHash);
+
+        RpId = rpId;
+        ClientDataHash = clientDataHash;
+        AllowList = allowList;
+        Extensions = extensions;
+        Options = options;
+        PinAuth = pinAuth;
+        PinProtocol = pinProtocol;
+    }
+
+    /// <summary>
+    /// Relying party identifier
+    /// </summary>
+    [CborMember(0x01)]
+    public string RpId { get; }
+
+    /// <summary>
+    /// Hash of the serialized client data collected by the host
+    /// </summary>
+    [CborMember(0x02)]
+    public byte[] ClientDataHash { get; }
+
+    /// <summary>
+    /// A sequence of PublicKeyCredentialDescriptor structures, each denoting a credential, as specified in [WebAuthn].
+    /// If this parameter is present and has 1 or more entries, the authenticator MUST only generate an assertion using one of the denoted credentials.
+    /// </summary>
+    [CborMember(0x03)]
+    public PublicKeyCredentialDescriptor[] AllowList { get; }
+
+    /// <summary>
+    /// CBOR map of extension identifier → authenticator extension input values
+    /// </summary>
+    [CborMember(0x04)]
+    public CborMap? Extensions { get; }
+
+    /// <summary>
+    /// Map of authenticator options
+    /// </summary>
+    [CborMember(0x05)]
+    public AuthenticatorGetAssertionOptions? Options { get; }
+
+    /// <summary>
+    /// First 16 bytes of HMAC-SHA-256 of clientDataHash using pinToken which platform got from the authenticator:
+    /// HMAC-SHA-256(pinToken, clientDataHash).
+    /// </summary>
+    [CborMember(0x06)]
+    public byte[]? PinAuth { get; }
+
+    /// <summary>
+    /// PIN protocol version selected by client.
+    /// </summary>
+    [CborMember(0x07)]
+    public uint? PinProtocol { get; }
+
+    public override CtapCommandType Type => CtapCommandType.AuthenticatorGetAssertion;
+
+    protected override CborObject? GetParameters()
+    {
+        var cbor = new CborMap
+        {
+            { 0x01, RpId },
+            { 0x02, ClientDataHash }
+        };
+
+        cbor.Add(0x03, AllowList.ToCborArray()); // allowList
+
+        if (Extensions != null)
+        {
+            cbor.Add(0x04, Extensions);
+        }
+
+        if (Options != null)
+        {
+            cbor.Add(0x05, Options.ToCborObject());
+        }
+
+        if (PinAuth is not null)
+        {
+            cbor.Add(0x06, PinAuth);           // pinAuth(0x08)
+            cbor.Add(0x07, PinProtocol ?? 1);  // pinProtocol(0x09)
+        }
+
+        return cbor;
+    }
+}
+
+
+public sealed class AuthenticatorGetAssertionOptions
+{
+    /// <summary>
+    /// Instructs the authenticator to require user consent to complete the operation.
+    /// </summary>
+    [CborMember("up")]
+    public bool? UserPresence { get; init; }
+
+    /// <summary>
+    /// Instructs the authenticator to require a gesture that verifies the user to complete the request. Examples of such gestures are fingerprint scan or a PIN.
+    /// </summary>
+    [CborMember("uv")]
+    public bool? UserVerification { get; init; }
+
+    public CborMap ToCborObject()
+    {
+        var result = new CborMap();
+
+        if (UserPresence is bool up)
+        {
+            result.Add("up", up);
+        }
+
+        if (UserVerification is bool uv)
+        {
+            result.Add("uv", uv);
+        }
+
+        return result;
+    }
+}

Src/Fido2.Ctap2/Commands/AuthenticatorGetInfoCommand.cs

@@ -0,0 +1,6 @@
+namespace Fido2NetLib.Ctap2;
+
+public sealed class AuthenticatorGetInfoCommand : CtapCommand
+{
+    public override CtapCommandType Type => CtapCommandType.AuthenticatorGetInfo;
+}

Src/Fido2.Ctap2/Commands/AuthenticatorGetNextAssertionCommand.cs

@@ -0,0 +1,6 @@
+namespace Fido2NetLib.Ctap2;
+
+public sealed class AuthenticatorGetNextAssertionCommand : CtapCommand
+{
+    public override CtapCommandType Type => CtapCommandType.AuthenticatorGetNextAssertion;
+}