change origin verify to use fully qualified origin (#213)

aseigler · dgorbach · web-flow · commit e082a67b945b · 2021-03-18T19:32:35.000-04:00
see also duo-labs/webauthn#60 Co-authored-by: dgorbach <daniel.gorbach@gmail.com>
diff --git a/Src/Fido2/AuthenticatorResponse.cs b/Src/Fido2/AuthenticatorResponse.cs
@@ -68,7 +68,7 @@ protected void BaseVerify(string expectedOrigin, byte[] originalChallenge, byte[
                 throw new Fido2VerificationException("Challenge not equal to original challenge");
 
             // 5. Verify that the value of C.origin matches the Relying Party's origin.
-            if (Origin != expectedOrigin)
+            if (!string.Equals(FullyQualifiedOrigin(this.Origin), expectedOrigin, StringComparison.OrdinalIgnoreCase))
                 throw new Fido2VerificationException($"Origin {Origin} not equal to original origin {expectedOrigin}");
 
             // 6. Verify that the value of C.tokenBinding.status matches the state of Token Binding for the TLS connection over which the assertion was obtained. 
@@ -78,5 +78,12 @@ protected void BaseVerify(string expectedOrigin, byte[] originalChallenge, byte[
                 TokenBinding.Verify(requestTokenBindingId);
             }
         }
+
+        private string FullyQualifiedOrigin(string origin)
+        {
+            var uri = new Uri(origin);
+
+            return $"{uri.Scheme}://{uri.Host}";
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ protected void BaseVerify(string expectedOrigin, byte[] originalChallenge, byte[`
`68`	`68`	`throw new Fido2VerificationException("Challenge not equal to original challenge");`
`69`	`69`
`70`	`70`	`// 5. Verify that the value of C.origin matches the Relying Party's origin.`
`71`		`- if (Origin != expectedOrigin)`
	`71`	`+ if (!string.Equals(FullyQualifiedOrigin(this.Origin), expectedOrigin, StringComparison.OrdinalIgnoreCase))`
`72`	`72`	`throw new Fido2VerificationException($"Origin {Origin} not equal to original origin {expectedOrigin}");`
`73`	`73`
`74`	`74`	`// 6. Verify that the value of C.tokenBinding.status matches the state of Token Binding for the TLS connection over which the assertion was obtained.`
`@@ -78,5 +78,12 @@ protected void BaseVerify(string expectedOrigin, byte[] originalChallenge, byte[`
`78`	`78`	`TokenBinding.Verify(requestTokenBindingId);`
`79`	`79`	`}`
`80`	`80`	`}`
	`81`	`+`
	`82`	`+ private string FullyQualifiedOrigin(string origin)`
	`83`	`+ {`
	`84`	`+ var uri = new Uri(origin);`
	`85`	`+`
	`86`	`+ return $"{uri.Scheme}://{uri.Host}";`
	`87`	`+ }`
`81`	`88`	`}`
`82`	`89`	`}`