Updated AuthenticatorProtocol to include essential members for registration and authentication

dimitribouniol · dimitribouniol · commit 2b1fe1ad0c9c · 2024-10-01T06:38:12.000-07:00
diff --git a/Sources/WebAuthn/Authenticators/Protocol/AuthenticatorCredentialSourceProtocol.swift b/Sources/WebAuthn/Authenticators/Protocol/AuthenticatorCredentialSourceProtocol.swift
@@ -12,11 +12,19 @@
 //
 //===----------------------------------------------------------------------===//
 
+import Foundation
+import Crypto
+
 public protocol AuthenticatorCredentialSourceProtocol: Sendable, Identifiable where ID: AuthenticatorCredentialSourceIdentifier {
     
     var id: ID { get }
+    var credentialParameters: PublicKeyCredentialParameters { get }
+    var relyingPartyID: PublicKeyCredentialRelyingPartyEntity.ID { get }
+    var userHandle: PublicKeyCredentialUserEntity.ID { get }
+    var counter: UInt32 { get }
     
-    init(
-        id: ID
-    ) throws
+    func signAssertion(
+        authenticatorData: [UInt8],
+        clientDataHash: SHA256Digest
+    ) async throws -> [UInt8]
 }
diff --git a/Sources/WebAuthn/Authenticators/Protocol/AuthenticatorProtocol.swift b/Sources/WebAuthn/Authenticators/Protocol/AuthenticatorProtocol.swift
@@ -12,6 +12,103 @@
 //
 //===----------------------------------------------------------------------===//
 
+import Crypto
+import SwiftCBOR
+
 public protocol AuthenticatorProtocol<CredentialSource> {
     associatedtype CredentialSource: AuthenticatorCredentialSourceProtocol
+    
+    var attestationGloballyUniqueID: AAGUID { get }
+    var attachmentModality: AuthenticatorAttachment { get }
+    var supportedPublicKeyCredentialParameters: Set<PublicKeyCredentialParameters> { get }
+    var canPerformUserVerification: Bool { get }
+    var canStoreCredentialSourceClientSide: Bool { get }
+    
+    /// Generate a credential source for this authenticator.
+    /// - Parameters:
+    ///   - requiresClientSideKeyStorage: `true` if the relying party requires that the credential ID is stored client size, as it won't be provided during authentication requests.
+    ///   - credentialParameters: The chosen credential parameters.
+    ///   - relyingPartyID: The ID of the relying party the credential is being generated for.
+    ///   - userHandle: The user handle the credential is being generated for.
+    /// - Returns: A new credential source to be returned to the caller upon successful registration.
+    func generateCredentialSource(
+        requiresClientSideKeyStorage: Bool,
+        credentialParameters: PublicKeyCredentialParameters,
+        relyingPartyID: PublicKeyCredentialRelyingPartyEntity.ID,
+        userHandle: PublicKeyCredentialUserEntity.ID
+    ) async throws -> CredentialSource
+    
+    /// The preferred attestation format for the authenticator, optionally taking into account the provided list of formats the relying party prefers.
+    /// 
+    /// The default implementation returns ``AttestationFormat/none``.
+    ///
+    /// - Parameter attestationFormats: A list of attestation formats the relying party prefers.
+    /// - Returns: The attestation format that will be used to sign an attestation statement.
+    func preferredAttestationFormat(from attestationFormats: [AttestationFormat]) -> AttestationFormat
+    
+    /// Sign an attestation statement for the provided authenticator data and client data using the specified format.
+    /// - Parameters:
+    ///   - attestationFormat: The attestation format to sign with.
+    ///   - authenticatorData: The authenticator data to be signed.
+    ///   - clientDataHash: The client data to be signed.
+    /// - Returns: A signiture in the specified format.
+    func signAttestationStatement(
+        attestationFormat: AttestationFormat,
+        authenticatorData: [UInt8],
+        clientDataHash: SHA256.Digest
+    ) async throws -> CBOR
+    
+    /// Filter the provided credential descriptors to determine which, if any, should be handled by this authenticator.
+    /// 
+    /// This method should execute a client platform-specific procedure to determine which, if any, public key credentials described by `pkOptions.allowCredentials` are bound to this authenticator, by matching with `rpId`, `pkOptions.allowCredentials.id`, and `pkOptions.allowCredentials.type`
+    /// 
+    /// The default implementation returns the list as is.
+    /// - Parameters:
+    ///   - credentialDescriptors: A list of credentials that will be used assert authorization against.
+    ///   - relyingPartyID: The relying party ID the credentials belong to.
+    /// - Returns: A filtered list of credentials that are suitable for this authenticator.
+    func filteredCredentialDescriptors(
+        credentialDescriptors: [PublicKeyCredentialDescriptor],
+        relyingPartyID: PublicKeyCredentialRelyingPartyEntity.ID
+    ) -> [PublicKeyCredentialDescriptor]
+    
+    /// Collect an authorization gesture from the user for one of the specified credential sources, making sure to increment the counter for the credential source if relevant.
+    /// - Parameters:
+    ///   - requiresUserVerification: The user is required to verify that the credential should be used to assert authorization. If the user cannot perform this task, this method should throw an error.
+    ///   - requiresUserPresence: The user is required to be present in order for authorization to be attempted. ie. authorization should not be done in the background without the user's knowledge while they are away from this device.
+    ///   - credentialOptions: A list of available credentials to verify against.
+    /// - Returns: The chosen credential to use for authorization.
+    func collectAuthorizationGesture(
+        requiresUserVerification: Bool,
+        requiresUserPresence: Bool,
+        credentialOptions: [CredentialSource]
+    ) async throws -> CredentialSource
+}
+
+// MARK: - Default Implementations
+
+extension AuthenticatorProtocol {
+    public func preferredAttestationFormat(
+        from attestationFormats: [AttestationFormat]
+    ) -> AttestationFormat {
+        .none
+    }
+    
+    public func signAttestationStatement(
+        attestationFormat: AttestationFormat,
+        authenticatorData: [UInt8],
+        clientDataHash: SHA256.Digest
+    ) async throws -> CBOR {
+        guard attestationFormat == .none
+        else { throw WebAuthnError.attestationFormatNotSupported }
+        
+        return [:]
+    }
+    
+    public func filteredCredentialDescriptors(
+        credentialDescriptors: [PublicKeyCredentialDescriptor],
+        relyingPartyID: PublicKeyCredentialRelyingPartyEntity.ID
+    ) -> [PublicKeyCredentialDescriptor] {
+        return credentialDescriptors
+    }
 }
diff --git a/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift b/Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift
@@ -111,7 +111,7 @@ extension Set where Element == PublicKeyCredentialParameters {
 /// From §5.4.2 (https://www.w3.org/TR/webauthn/#sctn-rp-credential-params).
 /// The PublicKeyCredentialRelyingPartyEntity dictionary is used to supply additional Relying Party attributes when
 /// creating a new credential.
-public struct PublicKeyCredentialRelyingPartyEntity: Encodable, Sendable {
+public struct PublicKeyCredentialRelyingPartyEntity: Identifiable, Encodable, Sendable {
     /// A unique identifier for the Relying Party entity.
     public let id: String
 
@@ -126,7 +126,7 @@ public struct PublicKeyCredentialRelyingPartyEntity: Encodable, Sendable {
  /// creating a new credential.
  ///
  /// When encoding using `Encodable`, `id` is base64url encoded.
-public struct PublicKeyCredentialUserEntity: Encodable, Sendable {
+public struct PublicKeyCredentialUserEntity: Identifiable, Encodable, Sendable {
     /// Generated by the Relying Party, unique to the user account, and must not contain personally identifying
     /// information about the user.
     ///
