add more tests

Author: marius-se

Sources/WebAuthn/Ceremonies/Registration/AttestationFormat.swift

@@ -12,7 +12,7 @@
 //
 //===----------------------------------------------------------------------===//
 
-public enum AttestationFormat: String, RawRepresentable {
+public enum AttestationFormat: String, RawRepresentable, Equatable {
     case packed
     case tpm
     case androidKey = "android-key"

Sources/WebAuthn/Ceremonies/Registration/AttestationObject.swift

@@ -16,7 +16,7 @@ import Crypto
 import SwiftCBOR
 
 /// Contains the cryptographic attestation that a new key pair was created by that authenticator.
-public struct AttestationObject {
+public struct AttestationObject: Equatable {
     let authenticatorData: AuthenticatorData
     let rawAuthenticatorData: [UInt8]
     let format: AttestationFormat

Sources/WebAuthn/Ceremonies/Registration/AttestedCredentialData.swift

@@ -13,7 +13,7 @@
 //===----------------------------------------------------------------------===//
 
 // Contains the new public key created by the authenticator.
-struct AttestedCredentialData: Codable {
+struct AttestedCredentialData: Codable, Equatable {
     let aaguid: [UInt8]
     let credentialID: [UInt8]
     let publicKey: [UInt8]

Sources/WebAuthn/Ceremonies/Registration/AuthenticatorAttestationResponse.swift

@@ -35,9 +35,9 @@ struct ParsedAuthenticatorAttestationResponse {
         self.clientData = clientData
 
         // Step 11. (assembling attestationObject)
-        guard let attestationData = rawResponse.attestationObject.base64URLDecodedData,
-            let decodedAttestationObject = try CBOR.decode([UInt8](attestationData)) else {
-            throw WebAuthnError.invalidAttestationData
+        guard let attestationObjectData = rawResponse.attestationObject.base64URLDecodedData,
+            let decodedAttestationObject = try CBOR.decode([UInt8](attestationObjectData)) else {
+            throw WebAuthnError.invalidAttestationObject
         }
 
         guard let authData = decodedAttestationObject["authData"],
@@ -51,7 +51,7 @@ struct ParsedAuthenticatorAttestationResponse {
         }
 
         guard let attestationStatement = decodedAttestationObject["attStmt"] else {
-            throw WebAuthnError.invalidAttStmt
+            throw WebAuthnError.missingAttStmt
         }
 
         attestationObject = AttestationObject(

Sources/WebAuthn/Ceremonies/Shared/AuthenticatorData.swift

@@ -17,7 +17,7 @@ import Crypto
 
 /// Data created and/ or used by the authenticator during authentication/ registration.
 /// The data contains, for example, whether a user was present or verified.
-struct AuthenticatorData {
+struct AuthenticatorData: Equatable {
     let relyingPartyIDHash: [UInt8]
     let flags: AuthenticatorFlags
     let counter: UInt32

Sources/WebAuthn/Ceremonies/Shared/AuthenticatorFlags.swift

@@ -12,7 +12,7 @@
 //
 //===----------------------------------------------------------------------===//
 
-struct AuthenticatorFlags {
+struct AuthenticatorFlags: Equatable {
 
     /**
      Taken from https://w3c.github.io/webauthn/#sctn-authenticator-data
@@ -40,6 +40,12 @@ struct AuthenticatorFlags {
     let attestedCredentialData: Bool
     let extensionDataIncluded: Bool
 
+    static func isFlagSet(on byte: UInt8, at position: Bit) -> Bool {
+        (byte & (1 << position.rawValue)) != 0
+    }
+}
+
+extension AuthenticatorFlags {
     init(_ byte: UInt8) {
         userPresent = Self.isFlagSet(on: byte, at: .userPresent)
         userVerified = Self.isFlagSet(on: byte, at: .userVerified)
@@ -48,8 +54,4 @@ struct AuthenticatorFlags {
         attestedCredentialData = Self.isFlagSet(on: byte, at: .attestedCredentialDataIncluded)
         extensionDataIncluded = Self.isFlagSet(on: byte, at: .extensionDataIncluded)
     }
-
-    static func isFlagSet(on byte: UInt8, at position: Bit) -> Bool {
-        (byte & (1 << position.rawValue)) != 0
-    }
 }

Sources/WebAuthn/WebAuthnError.swift

@@ -36,10 +36,10 @@ public enum WebAuthnError: Error {
     case invalidAssertionCredentialType
 
     // MARK: ParsedAuthenticatorAttestationResponse
-    case invalidAttestationData
+    case invalidAttestationObject
     case invalidAuthData
     case invalidFmt
-    case invalidAttStmt
+    case missingAttStmt
     case attestationFormatNotSupported
 
     // MARK: ParsedCredentialCreationResponse

Tests/WebAuthnTests/ParsedAuthenticatorAttestationResponseTests.swift

@@ -0,0 +1,116 @@
+import XCTest
+import SwiftCBOR
+@testable import WebAuthn
+
+// swiftlint:disable line_length
+
+// swiftlint:disable:next type_name
+final class ParsedAuthenticatorAttestationResponseTests: XCTestCase {
+    let realClientDataJSON = "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiY21GdVpHOXRVM1J5YVc1blJuSnZiVk5sY25abGNnIiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwIiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvdGhlcl9rZXlzX2Nhbl9iZV9hZGRlZF9oZXJlIjoiZG8gbm90IGNvbXBhcmUgY2xpZW50RGF0YUpTT04gYWdhaW5zdCBhIHRlbXBsYXRlLiBTZWUgaHR0cHM6Ly9nb28uZ2wveWFiUGV4In0"
+    let realAttestationObject = "o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVikSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFAAAAAK3OAAI1vMYKZIsLJfHwVQMAIDo-5W3Kur7A7y9Lfw7ijhExfCz3_5coMEQNY_y6p-JrpQECAyYgASFYIJr_yLoYbYWgcf7aQcd7pcjUj-3o8biafWQH28WijQSvIlggPI2KqqRQ26KKuFaJ0yH7nouCBrzHu8qRONW-CPa9VDM"
+
+    func testInitFromRawResponseFailsWithInvalidClientDataJSON() throws {
+        XCTAssertThrowsError(try parseResponse(
+            clientDataJSON: "a", // this isn't base64 decodable, so parsing should fail
+            attestationObject: ""
+        )) { error in
+            XCTAssertEqual(error as? WebAuthnError, .invalidClientDataJSON)
+        }
+    }
+
+    func testInitFromRawResponseFailsIfClientDataJSONDecodingFails() throws {
+        XCTAssertThrowsError(try parseResponse(
+            clientDataJSON: "abc", // this is base64 decodable, but will not result in a proper clientData json object
+            attestationObject: ""
+        )) { error in
+            XCTAssertNotNil(error as? DecodingError)
+        }
+    }
+
+    func testInitFromRawResponseFailsIfAttestationObjectIsNotBase64() throws {
+        XCTAssertThrowsError(try parseResponse(
+            clientDataJSON: realClientDataJSON,
+            attestationObject: "a"
+        )) { error in
+            XCTAssertEqual(error as? WebAuthnError, .invalidAttestationObject)
+        }
+    }
+
+    func testInitFromRawResponseFailsIfAuthDataIsInvalid() throws {
+        let attestationObjectWithInvalidAuthData = "A363666D74667061636B65646761747453746D74A263616C67266373696758473045022035346DA48FD238E655CD4D6937FE1C5FEA2CA943E21CC396E3CAAAABDD435DF5022100BE30789A231B7639D23182A627C940C771E7AF34E31F3E26DE9DA6D01AF5E08C68617574684461746101"
+        XCTAssertThrowsError(try parseResponse(
+            clientDataJSON: realClientDataJSON,
+            attestationObject: attestationObjectWithInvalidAuthData
+        )) { error in
+            XCTAssertEqual(error as? WebAuthnError, .invalidAuthData)
+        }
+    }
+
+    func testInitFromRawResponseFailsIfFmtIsInvalid() throws {
+        let attestationObjectWithInvalidFmt = "o2NmbXQBZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVikSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFAAAAAK3OAAI1vMYKZIsLJfHwVQMAIDo-5W3Kur7A7y9Lfw7ijhExfCz3_5coMEQNY_y6p-JrpQECAyYgASFYIJr_yLoYbYWgcf7aQcd7pcjUj-3o8biafWQH28WijQSvIlggPI2KqqRQ26KKuFaJ0yH7nouCBrzHu8qRONW-CPa9VDM"
+        XCTAssertThrowsError(try parseResponse(
+            clientDataJSON: realClientDataJSON,
+            attestationObject: attestationObjectWithInvalidFmt
+        )) { error in
+            XCTAssertEqual(error as? WebAuthnError, .invalidFmt)
+        }
+    }
+
+    func testInitFromRawResponseFailsIfAttStmtIsMissing() throws {
+        let attestationObjectWithMissingAttStmt = "omNmbXRmcGFja2VkaGF1dGhEYXRhWKRJlg3liA6MaHQ0Fw9kdmBbj-SuuaKGMseZXPO6gx2XY0UAAAAArc4AAjW8xgpkiwsl8fBVAwAgOj7lbcq6vsDvL0t_DuKOETF8LPf_lygwRA1j_Lqn4mulAQIDJiABIVggmv_IuhhthaBx_tpBx3ulyNSP7ejxuJp9ZAfbxaKNBK8iWCA8jYqqpFDbooq4VonTIfuei4IGvMe7ypE41b4I9r1UMw"
+        XCTAssertThrowsError(try parseResponse(
+            clientDataJSON: realClientDataJSON,
+            attestationObject: attestationObjectWithMissingAttStmt
+        )) { error in
+            XCTAssertEqual(error as? WebAuthnError, .missingAttStmt)
+        }
+    }
+
+    func testInitFromRawResponseSucceeds() throws {
+        let expectedAttestationObject = AttestationObject(
+            authenticatorData: AuthenticatorData(
+                relyingPartyIDHash: "49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763".hexadecimal!,
+                flags: AuthenticatorFlags(
+                    userPresent: true,
+                    userVerified: true,
+                    isBackupEligible: false,
+                    isCurrentlyBackedUp: false,
+                    attestedCredentialData: true,
+                    extensionDataIncluded: false
+                ),
+                counter: 0,
+                attestedData: AttestedCredentialData(
+                    aaguid: "adce000235bcc60a648b0b25f1f05503".hexadecimal!,
+                    credentialID: "3a3ee56dcababec0ef2f4b7f0ee28e11317c2cf7ff972830440d63fcbaa7e26b".hexadecimal!,
+                    publicKey: "a50102032620012158209affc8ba186d85a071feda41c77ba5c8d48fede8f1b89a7d6407dbc5a28d04af2258203c8d8aaaa450dba28ab85689d321fb9e8b8206bcc7bbca9138d5be08f6bd5433".hexadecimal!
+                ),
+                extData: nil
+            ),
+            rawAuthenticatorData: "49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d97634500000000adce000235bcc60a648b0b25f1f0550300203a3ee56dcababec0ef2f4b7f0ee28e11317c2cf7ff972830440d63fcbaa7e26ba50102032620012158209affc8ba186d85a071feda41c77ba5c8d48fede8f1b89a7d6407dbc5a28d04af2258203c8d8aaaa450dba28ab85689d321fb9e8b8206bcc7bbca9138d5be08f6bd5433".hexadecimal!,
+            format: .packed,
+            attestationStatement: .map([
+                .utf8String("sig"): .byteString("3045022035346DA48FD238E655CD4D6937FE1C5FEA2CA943E21CC396E3CAAAABDD435DF5022100BE30789A231B7639D23182A627C940C771E7AF34E31F3E26DE9DA6D01AF5E08C".hexadecimal!),
+                .utf8String("alg"): .negativeInt(6)
+            ])
+        )
+
+        let response = try parseResponse(clientDataJSON: realClientDataJSON, attestationObject: realAttestationObject)
+
+        XCTAssertEqual(response.clientData.challenge, "cmFuZG9tU3RyaW5nRnJvbVNlcnZlcg")
+        XCTAssertEqual(response.clientData.origin, "http://localhost:8080")
+        XCTAssertEqual(response.clientData.type, .create)
+
+        XCTAssertEqual(expectedAttestationObject, response.attestationObject)
+    }
+
+    private func parseResponse(
+        clientDataJSON: URLEncodedBase64,
+        attestationObject: URLEncodedBase64
+    ) throws
+    -> ParsedAuthenticatorAttestationResponse {
+        try ParsedAuthenticatorAttestationResponse(from: .init(
+            clientDataJSON: clientDataJSON,
+            attestationObject: attestationObject
+        ))
+    }
+}

Tests/WebAuthnTests/Utils/Hexadecimal.swift

@@ -0,0 +1,27 @@
+import Foundation
+
+extension String {
+    /// Create `[UInt8]` from hexadecimal string representation
+    var hexadecimal: [UInt8]? {
+        let hex = self
+        guard hex.count.isMultiple(of: 2) else {
+            return nil
+        }
+
+        let chars = hex.map { $0 }
+        let bytes = stride(from: 0, to: chars.count, by: 2)
+            .map { String(chars[$0]) + String(chars[$0 + 1]) }
+            .compactMap { UInt8($0, radix: 16) }
+
+        guard hex.count / bytes.count == 2 else { return nil }
+
+        return bytes
+    }
+}
+
+extension Data {
+    var hexadecimal: String {
+        return map { String(format: "%02x", $0) }
+            .joined()
+    }
+}