Added KeyPairAuthenticator for authenticating with unattested private keys as data

dimitribouniol · dimitribouniol · commit 7bc6bda045b4 · 2024-10-01T06:38:12.000-07:00
diff --git a/Sources/WebAuthn/Authenticators/KeyPairAuthenticator.swift b/Sources/WebAuthn/Authenticators/KeyPairAuthenticator.swift
@@ -0,0 +1,142 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the WebAuthn Swift open source project
+//
+// Copyright (c) 2024 the WebAuthn Swift project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of WebAuthn Swift project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import Foundation
+import Crypto
+
+public struct KeyPairAuthenticator: AuthenticatorProtocol, Sendable {
+    public let attestationGloballyUniqueID: AAGUID
+    public let attachmentModality: AuthenticatorAttachment
+    public let supportedPublicKeyCredentialParameters: Set<PublicKeyCredentialParameters>
+    public let canPerformUserVerification: Bool = true
+    public let canStoreCredentialSourceClientSide: Bool = true
+    
+    /// Initialize a key-pair based authenticator with a globally unique ID representing your application.
+    /// - Note: To generate an AAGUID, run `% uuidgen` in your terminal. This value should generally not change across installations or versions of your app, and should be the same for every user.
+    /// - Parameter attestationGloballyUniqueID: The AAGUID associated with the authenticator.
+    /// - Parameter attachmentModality: The connected-nature of the authenticator to the device the client is running on. If credential keys can roam between devices, specify ``AuthenticatorModality/crossPlatform``. Set to ``AuthenticatorModality/platform`` by default.
+    /// - Parameter supportedPublicKeyCredentialParameters: A customized set of key credentials the authenticator will limit support to.
+    public init(
+        attestationGloballyUniqueID: AAGUID,
+        attachmentModality: AuthenticatorAttachment = .platform,
+        supportedPublicKeyCredentialParameters: Set<PublicKeyCredentialParameters> = .supported
+    ) {
+        self.attestationGloballyUniqueID = attestationGloballyUniqueID
+        self.attachmentModality = attachmentModality
+        self.supportedPublicKeyCredentialParameters = supportedPublicKeyCredentialParameters
+    }
+    
+    public func generateCredentialSource(
+        requiresClientSideKeyStorage: Bool,
+        credentialParameters: PublicKeyCredentialParameters,
+        relyingPartyID: PublicKeyCredentialRelyingPartyEntity.ID,
+        userHandle: PublicKeyCredentialUserEntity.ID
+    ) async throws -> CredentialSource {
+        throw WebAuthnError.unsupported
+    }
+    
+    public func filteredCredentialDescriptors(
+        credentialDescriptors: [PublicKeyCredentialDescriptor],
+        relyingPartyID: PublicKeyCredentialRelyingPartyEntity.ID
+    ) -> [PublicKeyCredentialDescriptor] {
+        return credentialDescriptors
+    }
+    
+    public func collectAuthorizationGesture(
+        requiresUserVerification: Bool,
+        requiresUserPresence: Bool,
+        credentialOptions: [CredentialSource]
+    ) async throws -> CredentialSource {
+        guard let credentialSource = credentialOptions.first
+        else { throw WebAuthnError.authorizationGestureNotAllowed }
+        
+        return credentialSource
+    }
+}
+
+extension KeyPairAuthenticator {
+    public struct CredentialSource: AuthenticatorCredentialSourceProtocol, Sendable {
+        public var id: UUID
+        public var relyingPartyID: PublicKeyCredentialRelyingPartyEntity.ID
+        public var userHandle: PublicKeyCredentialUserEntity.ID
+        public var counter: UInt32
+        
+        public var credentialParameters: PublicKeyCredentialParameters {
+            PublicKeyCredentialParameters(alg: .algES256)
+        }
+        
+        public var rawKeyData: Data {
+            Data()
+        }
+        
+        public init(
+            id: ID,
+            credentialParameters: PublicKeyCredentialParameters,
+            rawKeyData: some ContiguousBytes,
+            relyingPartyID: PublicKeyCredentialRelyingPartyEntity.ID,
+            userHandle: PublicKeyCredentialUserEntity.ID,
+            counter: UInt32
+        ) throws {
+            guard credentialParameters.type == .publicKey
+            else { throw WebAuthnError.unsupportedCredentialPublicKeyType }
+            
+            self.id = id
+            self.relyingPartyID = relyingPartyID
+            self.userHandle = userHandle
+            self.counter = counter
+        }
+        
+        public func signAssertion(
+            authenticatorData: [UInt8],
+            clientDataHash: SHA256Digest
+        ) throws -> [UInt8] {
+            throw WebAuthnError.unsupported
+        }
+    }
+}
+
+extension KeyPairAuthenticator.CredentialSource: Codable {
+    public init(from decoder: Decoder) throws {
+        let container = try decoder.container(keyedBy: CodingKeys.self)
+        
+        try self.init(
+            id: try container.decode(UUID.self, forKey: .id),
+            credentialParameters: try container.decode(PublicKeyCredentialParameters.self, forKey: .credentialParameters),
+            rawKeyData: try container.decode(Data.self, forKey: .key),
+            relyingPartyID: try container.decode(String.self, forKey: .relyingPartyID),
+            userHandle: PublicKeyCredentialUserEntity.ID(try container.decode(Data.self, forKey: .userHandle)),
+            counter: try container.decode(UInt32.self, forKey: .counter)
+        )
+    }
+    
+    public func encode(to encoder: Encoder) throws {
+        var container = encoder.container(keyedBy: CodingKeys.self)
+        
+        try container.encode(id, forKey: .id)
+        try container.encode(credentialParameters, forKey: .credentialParameters)
+        try container.encode(rawKeyData, forKey: .key)
+        try container.encode(relyingPartyID, forKey: .relyingPartyID)
+        try container.encode(Data(userHandle), forKey: .userHandle)
+        try container.encode(counter, forKey: .counter)
+    }
+    
+    enum CodingKeys: CodingKey {
+        case id
+        case credentialParameters
+        case key
+        case relyingPartyID
+        case userHandle
+        case counter
+    }
+}
diff --git a/Sources/WebAuthn/Authenticators/Protocol/AuthenticatorCredentialSourceIdentifier.swift b/Sources/WebAuthn/Authenticators/Protocol/AuthenticatorCredentialSourceIdentifier.swift
@@ -12,7 +12,28 @@
 //
 //===----------------------------------------------------------------------===//
 
+import Foundation
+
 public protocol AuthenticatorCredentialSourceIdentifier: Hashable {
     init?(bytes: some BidirectionalCollection<UInt8>)
     var bytes: [UInt8] { get }
 }
+
+extension UUID: AuthenticatorCredentialSourceIdentifier {
+    public init?(bytes: some BidirectionalCollection<UInt8>) {
+        let uuidSize = MemoryLayout<uuid_t>.size
+        guard bytes.count == uuidSize else { return nil }
+        
+        /// Either load it directly, or copy it to a new array to load the uuid from there.
+        let uuid = bytes.withContiguousStorageIfAvailable {
+            $0.withUnsafeBytes {
+                $0.loadUnaligned(as: uuid_t.self)
+            }
+        } ?? Array(bytes).withUnsafeBytes {
+            $0.loadUnaligned(as: uuid_t.self)
+        }
+        self = UUID(uuid: uuid)
+    }
+    
+    public var bytes: [UInt8] { withUnsafeBytes(of: self) { Array($0) } }
+}
diff --git a/Sources/WebAuthn/WebAuthnError.swift b/Sources/WebAuthn/WebAuthnError.swift
@@ -66,6 +66,10 @@ public struct WebAuthnError: Error, Hashable, Sendable {
         case invalidExponent
         case unsupportedCOSEAlgorithmForRSAPublicKey
         case unsupported
+
+        // MARK: Authenticator
+        case unsupportedCredentialPublicKeyType
+        case authorizationGestureNotAllowed
     }
     
     let reason: Reason
@@ -125,4 +129,8 @@ public struct WebAuthnError: Error, Hashable, Sendable {
     public static let invalidExponent = Self(reason: .invalidExponent)
     public static let unsupportedCOSEAlgorithmForRSAPublicKey = Self(reason: .unsupportedCOSEAlgorithmForRSAPublicKey)
     public static let unsupported = Self(reason: .unsupported)
+
+    // MARK: Authenticator
+    public static let unsupportedCredentialPublicKeyType = Self(reason: .unsupportedCredentialPublicKeyType)
+    public static let authorizationGestureNotAllowed = Self(reason: .authorizationGestureNotAllowed)
 }
