Merge pull request #37 from dimitribouniol/dimitri/auth-data-decoding

Author: 0xTim

Sources/WebAuthn/Ceremonies/Shared/AuthenticatorData.swift

@@ -14,6 +14,7 @@
 
 import Foundation
 import Crypto
+import SwiftCBOR
 
 /// Data created and/ or used by the authenticator during authentication/ registration.
 /// The data contains, for example, whether a user was present or verified.
@@ -93,7 +94,13 @@ extension AuthenticatorData {
             throw WebAuthnError.credentialIDTooShort
         }
         let credentialID = data[55..<credentialIDEndIndex]
-        let publicKeyBytes = data[credentialIDEndIndex...]
+
+        /// **credentialPublicKey** (variable): The credential public key encoded in COSE_Key format, as defined in Section 7 of [RFC9052], using the CTAP2 canonical CBOR encoding form.
+        /// Assuming valid CBOR, verify the public key's length by decoding the next CBOR item.
+        let inputStream = ByteInputStream(data[credentialIDEndIndex...])
+        let decoder = CBORDecoder(stream: inputStream)
+        _ = try decoder.decodeItem()
+        let publicKeyBytes = data[credentialIDEndIndex..<(data.count - inputStream.remainingBytes)]
 
         let data = AttestedCredentialData(
             aaguid: Array(aaguid),
@@ -107,3 +114,27 @@ extension AuthenticatorData {
         return (data, length)
     }
 }
+
+/// A helper type to determine how many bytes were consumed when decoding CBOR items.
+class ByteInputStream: CBORInputStream {
+    private var slice : ArraySlice<UInt8>
+    
+    init(_ slice: Data) {
+        self.slice = Array(slice)[...]
+    }
+    
+    /// The remaining bytes in the original data buffer.
+    var remainingBytes: Int { slice.count }
+    
+    func popByte() throws -> UInt8 {
+        if slice.count < 1 { throw CBORError.unfinishedSequence }
+        return slice.removeFirst()
+    }
+    
+    func popBytes(_ n: Int) throws -> ArraySlice<UInt8> {
+        if slice.count < n { throw CBORError.unfinishedSequence }
+        let result = slice.prefix(n)
+        slice = slice.dropFirst(n)
+        return result
+    }
+}

Tests/WebAuthnTests/Utils/TestModels/TestAuthData.swift

@@ -62,7 +62,7 @@ struct TestAuthDataBuilder {
     func validMock() -> Self {
         self
             .rpIDHash(fromRpID: "example.com")
-            .flags(0b01000101)
+            .flags(0b11000101)
             .counter([0b00000000, 0b00000000, 0b00000000, 0b00000000])
             .attestedCredData(
                 aaguid: [UInt8](repeating: 0, count: 16),
@@ -139,6 +139,7 @@ struct TestAuthDataBuilder {
 
     func noExtensionData() -> Self {
         var temp = self
+        temp.wrapped.flags = temp.wrapped.flags.map{ $0 & 0b01111111 }
         temp.wrapped.extensions = nil
         return temp
     }

Tests/WebAuthnTests/WebAuthnManagerRegistrationTests.swift

@@ -200,7 +200,7 @@ final class WebAuthnManagerRegistrationTests: XCTestCase {
             await finishRegistration(
                 attestationObject: TestAttestationObjectBuilder()
                     .validMock()
-                    .authData(TestAuthDataBuilder().validMock().flags(0b11000001).noExtensionData())
+                    .authData(TestAuthDataBuilder().validMock().noExtensionData().flags(0b11000001))
                     .build()
                     .cborEncoded
             ),
@@ -248,7 +248,7 @@ final class WebAuthnManagerRegistrationTests: XCTestCase {
             await finishRegistration(
                 attestationObject: TestAttestationObjectBuilder()
                     .validMock()
-                    .authData(TestAuthDataBuilder().validMock().flags(0b01000000))
+                    .authData(TestAuthDataBuilder().validMock().flags(0b11000000))
                     .build()
                     .cborEncoded
             ),
@@ -261,7 +261,7 @@ final class WebAuthnManagerRegistrationTests: XCTestCase {
             await finishRegistration(
                 attestationObject: TestAttestationObjectBuilder()
                     .validMock()
-                    .authData(TestAuthDataBuilder().validMock().flags(0b01000001))
+                    .authData(TestAuthDataBuilder().validMock().flags(0b11000001))
                     .build()
                     .cborEncoded,
                 requireUserVerification: true