further simplify beginRegistration

Author: marius-se

Sources/WebAuthn/Helpers/WebAuthn+generateChallenge.swift renamed to Sources/WebAuthn/Helpers/Base64Utilities.swift

@@ -1,19 +1,6 @@
 import Foundation
 import Logging
 
-extension WebAuthnManager {
-    struct ChallengeGeneratorError: Error {}
-    /// Generate a suitably random value to be used as an attestation or assertion challenge
-    /// - Throws: An error if something went wrong while generating random byte
-    /// - Returns: 32 bytes
-    public static func generateChallenge() throws -> [UInt8] {
-        var bytes = [UInt8](repeating: 0, count: 32)
-        let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
-        guard status == errSecSuccess else { throw ChallengeGeneratorError() }
-        return bytes
-    }
-}
-
 extension Array where Element == UInt8 {
     /// Encodes an array of bytes into a base64url-encoded string
     /// - Returns: A base64url-encoded string
@@ -37,4 +24,14 @@ extension String {
     public static func base64(fromBase64URLEncoded base64URLEncoded: String) -> Self {
         return base64URLEncoded.replacingOccurrences(of: "-", with: "+").replacingOccurrences(of: "_", with: "/")
     }
+}
+
+extension String {
+    var base64URLDecodedData: Data? {
+        var result = self.replacingOccurrences(of: "-", with: "+").replacingOccurrences(of: "_", with: "/")
+        while result.count % 4 != 0 {
+            result = result.appending("=")
+        }
+        return Data(base64Encoded: result)
+    }
 }

Sources/WebAuthn/PublicKeyCredentialCreationOptions.swift

@@ -1,8 +1,13 @@
+import Foundation
+
 /// See §5.4. https://www.w3.org/TR/webauthn/#dictionary-makecredentialoptions
 /// Contains a PublicKeyCredentialCreationOptions object specifying the desired attributes of the
 /// to-be-created public key credential.
 public struct PublicKeyCredentialCreationOptions: Codable {
+    /// Base64-encoded challenge string
     public let challenge: String
     public let user: PublicKeyCredentialUserEntity
     public let relyingParty: PublicKeyCredentialRpEntity
+    public let publicKeyCredentialParameters: [PublicKeyCredentialParameters]
+    public let timeout: TimeInterval
 }

Sources/WebAuthn/PublicKeyCredentialParameters.swift

@@ -0,0 +1,41 @@
+public enum PublicKeyCredentialParameters: Codable, CaseIterable {
+    case algES256
+    // TODO: Add more algorithms
+
+    enum CodingKeys: String, CodingKey {
+        case alg
+        case type
+    }
+
+    public init(from decoder: Decoder) throws {
+        let container = try decoder.container(keyedBy: CodingKeys.self)
+        guard try container.decode(String.self, forKey: .type) == "public-key" else {
+            throw DecodingError.dataCorruptedError(
+                forKey: .type,
+                in: container,
+                debugDescription: "Currently only public-key is supported."
+            )
+        }
+
+        let algorithm = try container.decode(String.self, forKey: .alg)
+        switch algorithm {
+        case "AlgES256": self = .algES256
+        default:
+            throw DecodingError.dataCorruptedError(
+                forKey: .alg,
+                in: container,
+                debugDescription: "Unsupported algorithm: \(algorithm)"
+            )
+        }
+    }
+
+    public func encode(to encoder: Encoder) throws {
+        var container = encoder.container(keyedBy: CodingKeys.self)
+
+        try container.encode("public-key", forKey: .type)
+
+        switch self {
+            case .algES256: try container.encode("AlgES256", forKey: .alg)
+        }
+    }
+}

Sources/WebAuthn/SessionData.swift

@@ -1,6 +1,8 @@
 /// SessionData is the data that should be stored by the Relying Party for the duration of the web authentication
 /// ceremony
 public struct SessionData {
+    /// Base64url-encoded challenge string
     public let challenge: String
+    /// Plain user id (not encoded)
     public let userID: String
 }

Sources/WebAuthn/String+Base64URL.swift

@@ -1,11 +1,6 @@
-public struct User {
-    public let id: String
-    public let name: String
-    public let displayName: String
-
-    public init(id: String, name: String, displayName: String) {
-        self.id = id
-        self.name = name
-        self.displayName = displayName
-    }
+/// Protocol to interact with a user throughout the registration ceremony
+public protocol User {
+    var userID: String { get }
+    var name: String { get }
+    var displayName: String { get }
 }

Sources/WebAuthn/User.swift

@@ -1,11 +1,13 @@
-public struct Config {
+import Foundation
+
+public struct WebAuthnConfig {
     public let relyingPartyDisplayName: String
     public let relyingPartyID: String
+    public let timeout: TimeInterval
 
-    public init(relyingPartyDisplayName: String, relyingPartyID: String) {
+    public init(relyingPartyDisplayName: String, relyingPartyID: String, timeout: TimeInterval) {
         self.relyingPartyDisplayName = relyingPartyDisplayName
         self.relyingPartyID = relyingPartyID
+        self.timeout = timeout
     }
-}
-
-public var config: Config!
+}

Sources/WebAuthn/WebAuthnConfig.swift

@@ -17,20 +17,36 @@ import Crypto
 import Logging
 import Foundation
 
-public enum WebAuthnManager {
+public struct WebAuthnManager {
+    enum WebAuthnManagerError: Error {
+        case base64EncodingFailed
+        case challengeGenerationFailed
+    }
+    private let config: WebAuthnConfig
+
+    public init(config: WebAuthnConfig) {
+        self.config = config
+    }
+
     /// Generate a new set of registration data to be sent to the client and authenticator.
-    public static func beginRegistration(user: User) throws -> (PublicKeyCredentialCreationOptions, SessionData) {
-        let userEntity = PublicKeyCredentialUserEntity(name: user.name, id: user.id, displayName: user.displayName)
+    public func beginRegistration(user: User) throws -> (PublicKeyCredentialCreationOptions, SessionData) {
+        guard let base64ID = user.userID.data(using: .utf8)?.base64EncodedString() else {
+            throw WebAuthnManagerError.base64EncodingFailed
+        }
+
+        let userEntity = PublicKeyCredentialUserEntity(name: user.name, id: base64ID, displayName: user.displayName)
         let relyingParty = PublicKeyCredentialRpEntity(name: config.relyingPartyDisplayName, id: config.relyingPartyID)
 
         let challenge = try generateChallenge()
 
         let options = PublicKeyCredentialCreationOptions(
             challenge: challenge.base64EncodedString(),
             user: userEntity,
-            relyingParty: relyingParty
+            relyingParty: relyingParty,
+            publicKeyCredentialParameters: PublicKeyCredentialParameters.allCases,
+            timeout: config.timeout
         )
-        let sessionData = SessionData(challenge: challenge.base64URLEncodedString(), userID: user.id)
+        let sessionData = SessionData(challenge: challenge.base64URLEncodedString(), userID: user.userID)
 
         return (options, sessionData)
     }
@@ -44,7 +60,7 @@ public enum WebAuthnManager {
     ///   - logger: A logger
     /// - Throws:
     ///   - An error if the authentication response isn't valid
-    public static func verifyAuthenticationResponse(
+    public func verifyAuthenticationResponse(
         _ data: AuthenticationResponse,
         expectedChallenge: String,
         publicKey: P256.Signing.PublicKey,
@@ -74,7 +90,7 @@ public enum WebAuthnManager {
         }
     }
 
-    public static func parseRegisterCredentials(
+    public func parseRegisterCredentials(
         _ data: RegistrationResponse,
         challengeProvided: String,
         origin: String,
@@ -148,7 +164,7 @@ public enum WebAuthnManager {
         return Credential(credentialID: data.id, publicKey: key)
     }
 
-    static func parseAttestedData(
+    func parseAttestedData(
         _ data: [UInt8],
         logger: Logger
     ) throws -> AttestedCredentialData {
@@ -168,7 +184,7 @@ public enum WebAuthnManager {
         return AttestedCredentialData(aaguid: Array(aaguid), credentialID: Array(credentialID), publicKey: Array(publicKeyBytes))
     }
 
-    static func parseAttestationObject(
+    func parseAttestationObject(
         _ bytes: [UInt8],
         logger: Logger
     ) throws -> AttestedCredentialData? {
@@ -219,4 +235,16 @@ public enum WebAuthnManager {
         }
         return credentialsData
     }
+}
+
+extension WebAuthnManager {
+    /// Generate a suitably random value to be used as an attestation or assertion challenge
+    /// - Throws: An error if something went wrong while generating random byte
+    /// - Returns: 32 bytes
+    func generateChallenge() throws -> [UInt8] {
+        var bytes = [UInt8](repeating: 0, count: 32)
+        let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
+        guard status == errSecSuccess else { throw WebAuthnManagerError.challengeGenerationFailed }
+        return bytes
+    }
 }

Sources/WebAuthn/WebAuthnManager.swift

@@ -3,8 +3,9 @@ import XCTest
 
 final class HelpersTests: XCTestCase {
     func testGenerateChallengeReturnsRandomBytes() throws {
-        let challenge1 = try WebAuthnManager.generateChallenge()
-        let challenge2 = try WebAuthnManager.generateChallenge()
+        let webAuthn = WebAuthnManager(config: .init(relyingPartyDisplayName: "123", relyingPartyID: "1", timeout: 60))
+        let challenge1 = try webAuthn.generateChallenge()
+        let challenge2 = try webAuthn.generateChallenge()
 
         XCTAssertNotEqual(challenge1, challenge2)
     }