Merge pull request #11 from swift-server/refactor2

Refactor2

Author: marius-se

.swiftlint.yml

@@ -0,0 +1,4 @@
+disabled_rules:
+ - comment_spacing
+excluded:
+ - .build

Package.resolved

@@ -21,24 +21,25 @@ let package = Package(
         .macOS(.v12)
     ],
     products: [
-        .library(name: "WebAuthn", targets: ["WebAuthn"]),
+        .library(name: "WebAuthn", targets: ["WebAuthn"])
     ],
     dependencies: [
         .package(url: "https://github.com/unrelentingtech/SwiftCBOR.git", from: "0.4.5"),
         .package(url: "https://github.com/apple/swift-crypto.git", from: "2.0.0"),
-        .package(url: "https://github.com/apple/swift-log.git", from: "1.0.0"),
+        .package(url: "https://github.com/apple/swift-log.git", from: "1.0.0")
     ],
     targets: [
         .target(
             name: "WebAuthn",
             dependencies: [
                 "SwiftCBOR",
                 .product(name: "Crypto", package: "swift-crypto"),
-                .product(name: "Logging", package: "swift-log"),
+                .product(name: "_CryptoExtras", package: "swift-crypto"),
+                .product(name: "Logging", package: "swift-log")
             ]
         ),
         .testTarget(name: "WebAuthnTests", dependencies: [
-            .target(name: "WebAuthn"),
+            .target(name: "WebAuthn")
         ])
     ]
 )

Package.swift

@@ -14,26 +14,17 @@
 
 import Foundation
 
-public struct AuthenticationResponse: Codable {
-    public let id: String
-    public let rawID: String
+/// The unprocessed response received from `navigator.credentials.get()`.
+public struct AuthenticationCredential: Codable {
+    public let id: URLEncodedBase64
     public let response: AuthenticatorAssertionResponse
     public let authenticatorAttachment: String?
-    /// This is the public-key
     public let type: String
 
     enum CodingKeys: String, CodingKey {
         case id
-        case rawID = "rawId"
         case response
         case authenticatorAttachment
         case type
     }
 }
-
-public struct AuthenticatorAssertionResponse: Codable {
-    let clientDataJSON: String
-    let authenticatorData: String
-    let signature: String
-    let userHandle: String?
-}

Sources/WebAuthn/AuthenticationResponse.swift renamed to Sources/WebAuthn/Ceremonies/Authentication/AuthenticationCredential.swift

@@ -0,0 +1,31 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the WebAuthn Swift open source project
+//
+// Copyright (c) 2022 the WebAuthn Swift project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of WebAuthn Swift project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+/// This is what the authenticator device returned after we requested it to authenticate a user.
+public struct AuthenticatorAssertionResponse: Codable {
+    /// Representation of what we passed to `navigator.credentials.get()`
+    public let clientDataJSON: URLEncodedBase64
+    /// Contains the authenticator data returned by the authenticator.
+    public let authenticatorData: URLEncodedBase64
+    /// Contains the raw signature returned from the authenticator
+    public let signature: URLEncodedBase64
+    /// Contains the user handle returned from the authenticator, or null if the authenticator did not return
+    /// a user handle. Used by to give scope to credentials.
+    public let userHandle: String?
+    /// Contains an attestation object, if the authenticator supports attestation in assertions.
+    /// The attestation object, if present, includes an attestation statement. Unlike the attestationObject
+    /// in an AuthenticatorAttestationResponse, it does not contain an authData key because the authenticator
+    /// data is provided directly in an AuthenticatorAssertionResponse structure.
+    public let attestationObject: String?
+}

Sources/WebAuthn/Ceremonies/Authentication/AuthenticatorAssertionResponse.swift

@@ -0,0 +1,65 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the WebAuthn Swift open source project
+//
+// Copyright (c) 2022 the WebAuthn Swift project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of WebAuthn Swift project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import Foundation
+
+/// The `PublicKeyCredentialRequestOptions` gets passed to the WebAuthn API (`navigator.credentials.get()`)
+public struct PublicKeyCredentialRequestOptions: Codable {
+    public let challenge: String
+    public let timeout: TimeInterval?
+    public let rpId: String?
+    public let allowCredentials: [PublicKeyCredentialDescriptor]?
+    public let userVerification: UserVerificationRequirement?
+    public let attestation: String?
+    public let attestationFormats: [String]?
+    // let extensions: [String: Any]
+}
+
+public struct PublicKeyCredentialDescriptor: Codable {
+    public enum AuthenticatorTransport: String, Codable {
+        case usb
+        case nfc
+        case ble
+        case hybrid
+        case `internal`
+    }
+
+    enum CodingKeys: String, CodingKey {
+        case type, id, transports
+    }
+
+    public let type: String
+    public let id: [UInt8]
+    public let transports: [AuthenticatorTransport]
+
+    public init(type: String, id: [UInt8], transports: [AuthenticatorTransport] = []) {
+        self.type = type
+        self.id = id
+        self.transports = transports
+    }
+
+    public func encode(to encoder: Encoder) throws {
+        var container = encoder.container(keyedBy: CodingKeys.self)
+
+        try container.encode(type, forKey: .type)
+        try container.encode(id.base64EncodedString(), forKey: .id)
+        try container.encode(transports, forKey: .transports)
+    }
+}
+
+public enum UserVerificationRequirement: String, Codable {
+    case required
+    case preferred
+    case discouraged
+}

Sources/WebAuthn/Ceremonies/Authentication/PublicKeyCredentialRequestOptions.swift

@@ -0,0 +1,14 @@
+import Foundation
+
+/// On successful authentication, this structure contains a summary of the authentication flow
+public struct VerifiedAuthentication {
+    public enum CredentialDeviceType: String, Codable {
+        case singleDevice = "single_device"
+        case multiDevice = "multi_device"
+    }
+
+    let credentialID: URLEncodedBase64
+    let newSignCount: UInt32
+    let credentialDeviceType: CredentialDeviceType
+    let credentialBackedUp: Bool
+}

Sources/WebAuthn/Ceremonies/Authentication/VerifiedAuthentication.swift

@@ -12,12 +12,12 @@
 //
 //===----------------------------------------------------------------------===//
 
-import WebAuthn
-import XCTest
-
-final class WebAuthnTests: XCTestCase {
-    func testHelloWorld() throws {
-        let hello = "Hello, World!"
-        XCTAssertEqual(hello, "Hello, World!")
-    }
+public enum AttestationFormat: String, RawRepresentable {
+    case packed
+    case tpm
+    case androidKey = "android-key"
+    case androidSafetynet = "android-safetynet"
+    case fidoU2F = "fido-u2f"
+    case apple
+    case none
 }

Tests/WebAuthnTests/WebAuthnTests.swift renamed to Sources/WebAuthn/Ceremonies/Registration/AttestationFormat.swift

@@ -0,0 +1,52 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the WebAuthn Swift open source project
+//
+// Copyright (c) 2022 the WebAuthn Swift project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of WebAuthn Swift project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import Crypto
+import SwiftCBOR
+
+/// Contains the cryptographic attestation that a new key pair was created by that authenticator.
+public struct AttestationObject {
+    let authenticatorData: AuthenticatorData
+    let rawAuthenticatorData: [UInt8]
+    let format: AttestationFormat
+    let attestationStatement: CBOR
+
+    func verify(relyingPartyID: String, verificationRequired: Bool, clientDataHash: SHA256.Digest) throws {
+        let relyingPartyIDHash = SHA256.hash(data: relyingPartyID.data(using: .utf8)!)
+
+        guard relyingPartyIDHash == authenticatorData.relyingPartyIDHash else {
+            throw WebAuthnError.relyingPartyIDHashDoesNotMatch
+        }
+
+        guard authenticatorData.flags.userPresent else {
+            throw WebAuthnError.userPresentFlagNotSet
+        }
+
+        if verificationRequired {
+            guard authenticatorData.flags.userVerified else {
+                throw WebAuthnError.userVerificationRequiredButFlagNotSet
+            }
+        }
+
+        switch format {
+        case .none:
+            // if format is `none` statement must be empty
+            guard attestationStatement == .map([:]) else {
+                throw WebAuthnError.attestationStatementMissing
+            }
+        default:
+            throw WebAuthnError.attestationVerificationNotSupported
+        }
+    }
+}

Sources/WebAuthn/Ceremonies/Registration/AttestationObject.swift

@@ -12,7 +12,8 @@
 //
 //===----------------------------------------------------------------------===//
 
-struct AttestedCredentialData {
+// Contains the new public key created by the authenticator.
+struct AttestedCredentialData: Codable {
     let aaguid: [UInt8]
     let credentialID: [UInt8]
     let publicKey: [UInt8]