Add initial library

Author: 0xTim

Package.resolved

@@ -0,0 +1,28 @@
+// swift-tools-version:5.6
+import PackageDescription
+
+let package = Package(
+    name: "PasskeyDemo",
+    platforms: [
+       .macOS(.v12)
+    ],
+    dependencies: [
+        // 💧 A server-side Swift web framework.
+        .package(url: "https://github.com/unrelentingtech/SwiftCBOR.git", from: "0.4.5"),
+        .package(url: "https://github.com/apple/swift-crypto.git", from: "2.0.0"),
+        .package(url: "https://github.com/apple/swift-log.git", from: "1.0.0"),
+    ],
+    targets: [
+        .target(
+            name: "WebAuthn",
+            dependencies: [
+                "SwiftCBOR",
+                .product(name: "Crypto", package: "swift-crypto"),
+                .product(name: "Logging", package: "swift-log"),
+            ]
+        ),
+        .testTarget(name: "WebAuthnTests", dependencies: [
+            .target(name: "WebAuthn"),
+        ])
+    ]
+)

Package.swift

@@ -0,0 +1,22 @@
+import Foundation
+
+public struct AssertionCredential: Codable {
+    public let id: String
+    public let type: String
+    public let response: AssertionCredentialResponse
+    public let rawID: String
+    
+    enum CodingKeys: String, CodingKey {
+        case id
+        case rawID = "rawId"
+        case type
+        case response
+    }
+}
+
+public struct AssertionCredentialResponse: Codable {
+    let authenticatorData: String
+    let clientDataJSON: String
+    let signature: String
+    let userHandle: String
+}

Sources/WebAuthn/AssertionCredential.swift

@@ -0,0 +1,5 @@
+struct AttestedCredentialData {
+    let aaguid: [UInt8]
+    let credentialID: [UInt8]
+    let publicKey: [UInt8]
+}

Sources/WebAuthn/AttestedCredentialData.swift

@@ -0,0 +1,35 @@
+struct AuthenticatorFlags {
+    
+    /**
+     Taken from https://w3c.github.io/webauthn/#sctn-authenticator-data
+     Bit 0: User Present Result
+     Bit 1: Reserved for future use
+     Bit 2: User Verified Result
+     Bits 3-5: Reserved for future use
+     Bit 6: Attested credential data included
+     Bit 7: Extension data include
+     */
+    
+    enum Bit: UInt8 {
+        case userPresent = 0
+        case userVerified = 2
+        case attestedCredentialDataIncluded = 6
+        case extensionDataIncluded = 7
+    }
+    
+    let userPresent: Bool
+    let userVerified: Bool
+    let attestedCredentialData: Bool
+    let extensionDataIncluded: Bool
+    
+    init(_ byte: UInt8) {
+        userPresent = Self.isFlagSet(on: byte, at: .userPresent)
+        userVerified = Self.isFlagSet(on: byte, at: .userVerified)
+        attestedCredentialData = Self.isFlagSet(on: byte, at: .attestedCredentialDataIncluded)
+        extensionDataIncluded = Self.isFlagSet(on: byte, at: .extensionDataIncluded)
+    }
+    
+    static func isFlagSet(on byte: UInt8, at position: Bit) -> Bool {
+        (byte & (1 << position.rawValue)) != 0
+    }
+}

Sources/WebAuthn/AuthenticatorFlags.swift

@@ -0,0 +1,7 @@
+import Foundation
+
+struct ClientDataObject: Codable {
+    let challenge: String
+    let origin: String
+    let type: String
+}

Sources/WebAuthn/ClientDataObject.swift

@@ -0,0 +1,10 @@
+import Foundation
+import Crypto
+
+public struct Credential {
+    /// base64 encoded String of the credential ID bytes
+    public let credentialID: String
+    
+    /// The public key for this certificate
+    public let publicKey: P256.Signing.PublicKey
+}

Sources/WebAuthn/Credential.swift

@@ -0,0 +1,19 @@
+import Foundation
+
+public enum Endian {
+    case big, little
+}
+
+protocol IntegerTransform: Sequence where Element: FixedWidthInteger {
+    func toInteger<I: FixedWidthInteger>(endian: Endian) -> I
+}
+
+extension IntegerTransform {
+    func toInteger<I: FixedWidthInteger>(endian: Endian) -> I {
+        let f = { (accum: I, next: Element) in accum &<< next.bitWidth | I(next) }
+        return endian == .big ? reduce(0, f) : reversed().reduce(0, f)
+    }
+}
+
+extension Data: IntegerTransform {}
+extension Array: IntegerTransform where Element: FixedWidthInteger {}

Sources/WebAuthn/Numbers+Bytes.swift

@@ -0,0 +1,20 @@
+import Foundation
+
+public struct RegisterWebAuthnCredentialData: Codable {
+    public let id: String
+    let rawID: String
+    let type: String
+    let response: RegisterCredentialsResponse
+    
+    enum CodingKeys: String, CodingKey {
+        case id
+        case rawID = "rawId"
+        case type
+        case response
+    }
+}
+
+public struct RegisterCredentialsResponse: Codable {
+    let attestationObject: String
+    let clientDataJSON: String
+}

Sources/WebAuthn/RegisterWebAuthnCredentialData.swift

@@ -0,0 +1,173 @@
+import SwiftCBOR
+import Crypto
+import Logging
+import Foundation
+
+public enum WebAuthn {
+    public static func validateAssertion(_ data: AssertionCredential, challengeProvided: String, publicKey: P256.Signing.PublicKey, logger: Logger) throws {
+        guard let clientObjectData = Data(base64Encoded: data.response.clientDataJSON) else {
+            throw WebAuthnError.badRequestData
+        }
+        let clientObject = try JSONDecoder().decode(ClientDataObject.self, from: clientObjectData)
+        guard challengeProvided == clientObject.challenge else {
+            throw WebAuthnError.validationError
+        }
+        let clientDataJSONHash = SHA256.hash(data: clientObjectData)
+        
+        var base64AssertionString = data.response.authenticatorData.replacingOccurrences(of: "-", with: "+").replacingOccurrences(of: "_", with: "/")
+        while base64AssertionString.count % 4 != 0 {
+            base64AssertionString = base64AssertionString.appending("=")
+        }
+        guard let authenticatorData = Data(base64Encoded: base64AssertionString) else {
+            throw WebAuthnError.badRequestData
+        }
+        let signedData = authenticatorData + clientDataJSONHash
+        
+        var base64SignatureString = data.response.signature.replacingOccurrences(of: "-", with: "+").replacingOccurrences(of: "_", with: "/")
+        while base64SignatureString.count % 4 != 0 {
+            base64SignatureString = base64SignatureString.appending("=")
+        }
+        guard let signatureData = Data(base64Encoded: base64SignatureString) else {
+            throw WebAuthnError.badRequestData
+        }
+        let signature = try P256.Signing.ECDSASignature(derRepresentation: signatureData)
+        guard publicKey.isValidSignature(signature, for: signedData) else {
+            throw WebAuthnError.validationError
+        }
+    }
+    
+    public static func parseRegisterCredentials(_ data: RegisterWebAuthnCredentialData, challengeProvided: String, origin: String, logger: Logger) throws -> Credential {
+        guard let clientObjectData = Data(base64Encoded: data.response.clientDataJSON) else {
+            throw WebAuthnError.badRequestData
+        }
+        let clientObject = try JSONDecoder().decode(ClientDataObject.self, from: clientObjectData)
+        guard challengeProvided == clientObject.challenge else {
+            throw WebAuthnError.validationError
+        }
+        guard clientObject.type == "webauthn.create" else {
+            throw WebAuthnError.badRequestData
+        }
+        guard origin == clientObject.origin else {
+            throw WebAuthnError.validationError
+        }
+        var base64AttestationString = data.response.attestationObject.replacingOccurrences(of: "-", with: "+").replacingOccurrences(of: "_", with: "/")
+        while base64AttestationString.count % 4 != 0 {
+            base64AttestationString = base64AttestationString.appending("=")
+        }
+        guard let attestationData = Data(base64Encoded: base64AttestationString) else {
+            throw WebAuthnError.badRequestData
+        }
+        guard let decodedAttestationObject = try CBOR.decode([UInt8](attestationData)) else {
+            throw WebAuthnError.badRequestData
+        }
+        logger.debug("Got COBR decoded data: \(decodedAttestationObject)")
+        
+        // Ignore format/statement for now
+        guard let authData = decodedAttestationObject["authData"], case let .byteString(authDataBytes) = authData else {
+            throw WebAuthnError.badRequestData
+        }
+        guard let credentialsData = try parseAttestationObject(authDataBytes, logger: logger) else {
+            throw WebAuthnError.badRequestData
+        }
+        guard let publicKeyObject = try CBOR.decode(credentialsData.publicKey) else {
+            throw WebAuthnError.badRequestData
+        }
+        // This is now in COSE format
+        // https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+        guard let keyTypeRaw = publicKeyObject[.unsignedInt(1)], case let .unsignedInt(keyType) = keyTypeRaw else {
+            throw WebAuthnError.badRequestData
+        }
+        guard let algorithmRaw = publicKeyObject[.unsignedInt(3)], case let .negativeInt(algorithmNegative) = algorithmRaw else {
+            throw WebAuthnError.badRequestData
+        }
+        // https://github.com/unrelentingtech/SwiftCBOR#swiftcbor
+        // Negative integers are decoded as NegativeInt(UInt), where the actual number is -1 - i
+        let algorithm: Int = -1 - Int(algorithmNegative)
+        
+        // Curve is key -1 - or -0 for SwiftCBOR
+        // X Coordinate is key -2, or NegativeInt 1 for SwiftCBOR
+        // Y Coordinate is key -3, or NegativeInt 2 for SwiftCBOR
+        
+        guard let curveRaw = publicKeyObject[.negativeInt(0)], case let .unsignedInt(curve) = curveRaw else {
+            throw WebAuthnError.badRequestData
+        }
+        guard let xCoordRaw = publicKeyObject[.negativeInt(1)], case let .byteString(xCoordinateBytes) = xCoordRaw else {
+            throw WebAuthnError.badRequestData
+        }
+        guard let yCoordRaw = publicKeyObject[.negativeInt(2)], case let .byteString(yCoordinateBytes) = yCoordRaw else {
+            throw WebAuthnError.badRequestData
+        }
+        
+        logger.debug("Key type was \(keyType)")
+        logger.debug("Algorithm was \(algorithm)")
+        logger.debug("Curve was \(curve)")
+        
+        let key = try P256.Signing.PublicKey(rawRepresentation: xCoordinateBytes + yCoordinateBytes)
+        logger.debug("Key is \(key.pemRepresentation)")
+        
+        return Credential(credentialID: data.id, publicKey: key)
+    }
+    
+    static func parseAttestedData(_ data: [UInt8], logger: Logger) throws -> AttestedCredentialData {
+        // We've parsed the first 37 bytes so far, the next bytes now should be the attested credential data
+        // See https://w3c.github.io/webauthn/#sctn-attested-credential-data
+        let aaguidLength = 16
+        let aaguid = data[37..<(37 + aaguidLength)] // To byte at index 52
+        
+        let idLengthBytes = data[53..<55] // Length is 2 bytes
+        let idLengthData = Data(idLengthBytes)
+        let idLength: UInt16 = idLengthData.toInteger(endian: .big)
+        let credentialIDEndIndex = Int(idLength) + 55
+        
+        let credentialID = data[55..<credentialIDEndIndex]
+        let publicKeyBytes = data[credentialIDEndIndex...]
+        
+        return AttestedCredentialData(aaguid: Array(aaguid), credentialID: Array(credentialID), publicKey: Array(publicKeyBytes))
+    }
+    
+    static func parseAttestationObject(_ bytes: [UInt8], logger: Logger) throws -> AttestedCredentialData? {
+        let minAuthDataLength = 37
+        let minAttestedAuthLength = 55
+        let maxCredentialIDLength = 1023
+        // What to do when we don't have this
+        var credentialsData: AttestedCredentialData? = nil
+        
+        guard bytes.count >= minAuthDataLength else {
+            throw WebAuthnError.authDataTooShort
+        }
+        
+        let rpIDHashData = bytes[..<32]
+        let flags = AuthenticatorFlags(bytes[32])
+        let counter: UInt32 = Data(bytes[33..<37]).toInteger(endian: .big)
+        
+        var remainingCount = bytes.count - minAuthDataLength
+        
+        if flags.attestedCredentialData {
+            guard bytes.count > minAttestedAuthLength else {
+                throw WebAuthnError.attestedCredentialDataMissing
+            }
+            let attestedCredentialData = try parseAttestedData(bytes, logger: logger)
+            // 2 is the bytes storing the size of the credential ID
+            let credentialDataLength = attestedCredentialData.aaguid.count + 2 + attestedCredentialData.credentialID.count + attestedCredentialData.publicKey.count
+            remainingCount -= credentialDataLength
+            credentialsData = attestedCredentialData
+        } else {
+            if !flags.extensionDataIncluded && bytes.count != minAuthDataLength {
+                throw WebAuthnError.attestedCredentialFlagNotSet
+            }
+        }
+        
+        if flags.extensionDataIncluded {
+            guard remainingCount != 0 else {
+                throw WebAuthnError.extensionDataMissing
+            }
+            let extensionData = bytes[(bytes.count - remainingCount)...]
+            remainingCount -= extensionData.count
+        }
+        
+        guard remainingCount == 0 else {
+            throw WebAuthnError.leftOverBytes
+        }
+        return credentialsData
+    }
+}