Corrected attestation validation based on authenticator MDS status reports. (#290)

* Corrected attestation validation based on authenticator MDS status reports.

* Corrected merge of master branch into mds-verification.

Author: syh-jeffk

Src/Fido2.Models/Fido2Configuration.cs

@@ -92,6 +92,18 @@ public HashSet<string> FullyQualifiedOrigins
         /// </summary>
         public string MDSCacheDirPath { get; set; }
 
+        /// <summary>
+        /// List of metadata statuses for an authenticator that should cause attestations to be rejected.
+        /// </summary>
+        public AuthenticatorStatus[] UndesiredAuthenticatorMetadataStatuses { get; set; } = new AuthenticatorStatus[]
+        {
+            AuthenticatorStatus.ATTESTATION_KEY_COMPROMISE,
+            AuthenticatorStatus.USER_VERIFICATION_BYPASS,
+            AuthenticatorStatus.USER_KEY_REMOTE_COMPROMISE,
+            AuthenticatorStatus.USER_KEY_PHYSICAL_COMPROMISE,
+            AuthenticatorStatus.REVOKED
+        };
+
         /// <summary>
         /// Create the configuration for Fido2
         /// </summary>

Src/Fido2.Models/Metadata/MetadataBLOBPayloadEntry.cs

@@ -1,4 +1,5 @@
 using System.ComponentModel.DataAnnotations;
+using System.Linq;
 using System.Text.Json.Serialization;
 
 namespace Fido2NetLib
@@ -78,5 +79,14 @@ public sealed class MetadataBLOBPayloadEntry
         /// </remarks>
         [JsonPropertyName("rogueListHash")]
         public string RogueListHash { get; set; }
+
+        /// <summary>
+        /// Gets the latest, most current status report for the authenticator.
+        /// </summary>
+        /// <returns>Latest status report, or null if there are no reports.</returns>
+        public StatusReport GetLatestStatusReport()
+        {
+            return StatusReports.LastOrDefault();
+        }
     }
 }

Src/Fido2.Models/UndesiredMetdatataStatusFido2VerificationException.cs

@@ -0,0 +1,24 @@
+using System;
+using System.Runtime.Serialization;
+
+namespace Fido2NetLib
+{
+    /// <summary>
+    /// Exception thrown when a new attestation comes from an authenticator with a current reported security issue.
+    /// </summary>
+    [Serializable]
+    public class UndesiredMetdatataStatusFido2VerificationException : Fido2VerificationException
+    {
+        public UndesiredMetdatataStatusFido2VerificationException(StatusReport statusReport) : base($"Authenticator found with undesirable status. Was {statusReport.Status}")
+        {
+            StatusReport = statusReport;
+        }
+
+        protected UndesiredMetdatataStatusFido2VerificationException(SerializationInfo info, StreamingContext context) : base(info, context) { }
+
+        /// <summary>
+        /// Status report from the authenticator that caused the attestation to be rejected.
+        /// </summary>
+        public StatusReport StatusReport { get; }
+    }
+}

Src/Fido2/AuthenticatorAttestationResponse.cs

@@ -211,12 +211,10 @@ static bool ContainsAttestationType(MetadataBLOBPayloadEntry entry, MetadataAtte
             }
 
             // Check status resports for authenticator with undesirable status
-            foreach (var report in metadataEntry?.StatusReports ?? Array.Empty<StatusReport>())
+            var latestStatusReport = metadataEntry?.GetLatestStatusReport();
+            if (latestStatusReport != null && config.UndesiredAuthenticatorMetadataStatuses.Contains(latestStatusReport.Status))
             {
-                if (report.Status.IsUndesired())
-                {
-                    throw new Fido2VerificationException($"Authenticator found with undesirable status. Was {report.Status}");
-                }
+                throw new UndesiredMetdatataStatusFido2VerificationException(latestStatusReport);
             }
 
             // 16. Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows:

Src/Fido2/Extensions/AuthenticatorStatusExtensions.cs

@@ -21,7 +21,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Internal;
 using Microsoft.Extensions.Logging;
-
+using Moq;
 using NSec.Cryptography;
 
 using Xunit;
@@ -630,6 +630,87 @@ public async Task TestInvalidU2FAttestationASync()
             Assert.True(acd.ToByteArray().SequenceEqual(acdBytes));
         }
 
+        [Fact]
+        public async Task TestMdsStatusReportsSuccessAsync()
+        {
+            var options = JsonSerializer.Deserialize<CredentialCreateOptions>(await File.ReadAllTextAsync("./attestationNoneOptions.json"));
+            var response = JsonSerializer.Deserialize<AuthenticatorAttestationRawResponse>(await File.ReadAllTextAsync("./attestationNoneResponse.json"));
+
+            var mockMetadataService = new Mock<IMetadataService>(MockBehavior.Strict);
+            mockMetadataService.Setup(m => m.GetEntryAsync(It.IsAny<Guid>(), It.IsAny<CancellationToken>()))
+                .ReturnsAsync(new MetadataBLOBPayloadEntry()
+                {
+                    StatusReports = new StatusReport[]
+                    {
+                        new StatusReport() { Status = AuthenticatorStatus.FIDO_CERTIFIED }
+                    }
+                });
+            mockMetadataService.Setup(m => m.ConformanceTesting()).Returns(false);
+
+            var o = AuthenticatorAttestationResponse.Parse(response);
+            await o.VerifyAsync(options, _config, (x, cancellationToken) => Task.FromResult(true), mockMetadataService.Object, null, CancellationToken.None);
+        }
+
+        [Fact]
+        public async Task TestMdsStatusReportsUndesiredAsync()
+        {
+            var options = JsonSerializer.Deserialize<CredentialCreateOptions>(await File.ReadAllTextAsync("./attestationNoneOptions.json"));
+            var response = JsonSerializer.Deserialize<AuthenticatorAttestationRawResponse>(await File.ReadAllTextAsync("./attestationNoneResponse.json"));
+
+            var mockMetadataService = new Mock<IMetadataService>(MockBehavior.Strict);
+            mockMetadataService.Setup(m => m.GetEntryAsync(It.IsAny<Guid>(), It.IsAny<CancellationToken>()))
+                .ReturnsAsync(new MetadataBLOBPayloadEntry()
+                {
+                    StatusReports = new StatusReport[]
+                    {
+                        new StatusReport() { Status = AuthenticatorStatus.FIDO_CERTIFIED },
+                        new StatusReport() { Status = AuthenticatorStatus.REVOKED }
+                    }
+                });
+            mockMetadataService.Setup(m => m.ConformanceTesting()).Returns(false);
+
+            var o = AuthenticatorAttestationResponse.Parse(response);
+            await Assert.ThrowsAsync<UndesiredMetdatataStatusFido2VerificationException>(() =>
+                o.VerifyAsync(options, _config, (x, cancellationToken) => Task.FromResult(true), mockMetadataService.Object, null, CancellationToken.None));
+        }
+
+        [Fact]
+        public async Task TestMdsStatusReportsUndesiredFixedAsync()
+        {
+            var options = JsonSerializer.Deserialize<CredentialCreateOptions>(await File.ReadAllTextAsync("./attestationNoneOptions.json"));
+            var response = JsonSerializer.Deserialize<AuthenticatorAttestationRawResponse>(await File.ReadAllTextAsync("./attestationNoneResponse.json"));
+
+            var mockMetadataService = new Mock<IMetadataService>(MockBehavior.Strict);
+            mockMetadataService.Setup(m => m.GetEntryAsync(It.IsAny<Guid>(), It.IsAny<CancellationToken>()))
+                .ReturnsAsync(new MetadataBLOBPayloadEntry()
+                {
+                    StatusReports = new StatusReport[]
+                    {
+                        new StatusReport() { Status = AuthenticatorStatus.FIDO_CERTIFIED },
+                        new StatusReport() { Status = AuthenticatorStatus.REVOKED },
+                        new StatusReport() { Status = AuthenticatorStatus.UPDATE_AVAILABLE }
+                    }
+                });
+            mockMetadataService.Setup(m => m.ConformanceTesting()).Returns(false);
+
+            var o = AuthenticatorAttestationResponse.Parse(response);
+            await o.VerifyAsync(options, _config, (x, cancellationToken) => Task.FromResult(true), mockMetadataService.Object, null, CancellationToken.None);
+        }
+
+        [Fact]
+        public async Task TestMdsStatusReportsNullAsync()
+        {
+            var options = JsonSerializer.Deserialize<CredentialCreateOptions>(await File.ReadAllTextAsync("./attestationNoneOptions.json"));
+            var response = JsonSerializer.Deserialize<AuthenticatorAttestationRawResponse>(await File.ReadAllTextAsync("./attestationNoneResponse.json"));
+
+            var mockMetadataService = new Mock<IMetadataService>(MockBehavior.Strict);
+            mockMetadataService.Setup(m => m.GetEntryAsync(It.IsAny<Guid>(), It.IsAny<CancellationToken>())).ReturnsAsync((MetadataBLOBPayloadEntry)null);
+            mockMetadataService.Setup(m => m.ConformanceTesting()).Returns(false);
+
+            var o = AuthenticatorAttestationResponse.Parse(response);
+            await o.VerifyAsync(options, _config, (x, cancellationToken) => Task.FromResult(true), mockMetadataService.Object, null, CancellationToken.None);
+        }
+
         //public void TestHasCorrentAAguid()
         //{
         //    var expectedAaguid = new Uint8Array([

Test/Fido2Tests.cs

@@ -26,6 +26,7 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.1.0" />
+    <PackageReference Include="Moq" Version="4.17.2" />
     <PackageReference Include="ReportGenerator" Version="5.0.0" />
     <PackageReference Include="xunit" Version="2.4.1" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">