Implemented remaining client registration procedure

Author: dimitribouniol

Sources/WebAuthn/Ceremonies/Registration/AttestationObject.swift

@@ -18,10 +18,10 @@ import Crypto
 
 /// Contains the cryptographic attestation that a new key pair was created by that authenticator.
 public struct AttestationObject: Sendable {
-    let authenticatorData: AuthenticatorData
-    let rawAuthenticatorData: [UInt8]
-    let format: AttestationFormat
-    let attestationStatement: CBOR
+    var authenticatorData: AuthenticatorData
+    var rawAuthenticatorData: [UInt8]
+    var format: AttestationFormat
+    var attestationStatement: CBOR
 
     init(
         authenticatorData: AuthenticatorData,
@@ -45,6 +45,37 @@ public struct AttestationObject: Sendable {
         self.format = format
         self.attestationStatement = attestationStatement
     }
+    
+    init(bytes: [UInt8]) throws {
+        guard let decodedAttestationObject = try? CBOR.decode(bytes, options: CBOROptions(maximumDepth: 16))
+        else { throw WebAuthnError.invalidAttestationObject }
+
+        guard 
+            let authData = decodedAttestationObject["authData"],
+            case let .byteString(authDataBytes) = authData
+        else { throw WebAuthnError.invalidAuthData }
+        self.authenticatorData = try AuthenticatorData(bytes: authDataBytes)
+        self.rawAuthenticatorData = authDataBytes
+        
+        guard
+            let formatCBOR = decodedAttestationObject["fmt"],
+            case let .utf8String(format) = formatCBOR,
+            let attestationFormat = AttestationFormat(rawValue: format)
+        else { throw WebAuthnError.invalidFmt }
+        self.format = attestationFormat
+
+        guard let attestationStatement = decodedAttestationObject["attStmt"]
+        else { throw WebAuthnError.missingAttStmt }
+        self.attestationStatement = attestationStatement
+    }
+    
+    var bytes: [UInt8] {
+        CBOR.encode([
+            "authData": CBOR.byteString(authenticatorData.bytes),
+            "fmt": CBOR.utf8String(format.rawValue),
+            "attStmt": attestationStatement,
+        ])
+    }
 
     func verify(
         relyingPartyID: String,

Sources/WebAuthn/Ceremonies/Registration/AttestedCredentialData.swift

@@ -14,7 +14,7 @@
 
 // Contains the new public key created by the authenticator.
 public struct AttestedCredentialData: Equatable, Sendable {
-    let authenticatorAttestationGUID: AAGUID
-    let credentialID: [UInt8]
-    let publicKey: [UInt8]
+    var authenticatorAttestationGUID: AAGUID
+    var credentialID: [UInt8]
+    var publicKey: [UInt8]
 }

Sources/WebAuthn/Ceremonies/Registration/AuthenticatorAttestationResponse.swift

@@ -55,30 +55,6 @@ struct ParsedAuthenticatorAttestationResponse {
         self.clientData = clientData
 
         // Step 11. (assembling attestationObject)
-        let attestationObjectData = Data(rawResponse.attestationObject)
-        guard let decodedAttestationObject = try? CBOR.decode([UInt8](attestationObjectData), options: CBOROptions(maximumDepth: 16)) else {
-            throw WebAuthnError.invalidAttestationObject
-        }
-
-        guard let authData = decodedAttestationObject["authData"],
-            case let .byteString(authDataBytes) = authData else {
-            throw WebAuthnError.invalidAuthData
-        }
-        guard let formatCBOR = decodedAttestationObject["fmt"],
-            case let .utf8String(format) = formatCBOR,
-            let attestationFormat = AttestationFormat(rawValue: format) else {
-            throw WebAuthnError.invalidFmt
-        }
-
-        guard let attestationStatement = decodedAttestationObject["attStmt"] else {
-            throw WebAuthnError.missingAttStmt
-        }
-
-        attestationObject = AttestationObject(
-            authenticatorData: try AuthenticatorData(bytes: authDataBytes),
-            rawAuthenticatorData: authDataBytes,
-            format: attestationFormat,
-            attestationStatement: attestationStatement
-        )
+        attestationObject = try AttestationObject(bytes: rawResponse.attestationObject)
     }
 }

Sources/WebAuthn/Ceremonies/Registration/RegistrationCredential.swift

@@ -30,6 +30,17 @@ public struct RegistrationCredential: Sendable {
 
     /// The attestation response from the authenticator.
     public let attestationResponse: AuthenticatorAttestationResponse
+    
+    init(
+        type: CredentialType = .publicKey,
+        id: [UInt8],
+        attestationResponse: AuthenticatorAttestationResponse
+    ) {
+        self.id = id.base64URLEncodedString()
+        self.type = type
+        self.rawID = id
+        self.attestationResponse = attestationResponse
+    }
 }
 
 extension RegistrationCredential: Decodable {

Sources/WebAuthn/WebAuthnClient.swift

@@ -152,7 +152,7 @@ public struct WebAuthnClient {
         /// Step 25. While lifetimeTimer has not expired, perform the following actions depending upon lifetimeTimer, and the state and response for each authenticator in authenticators:
         do {
             /// Let the caller do what it needs to do to coordinate with authenticators, so long as at least one of them calls the attestation callback.
-            let result: AttestationObject = try await withCancellableFirstSuccessfulContinuation { [attestRegistration, publicKeyCredentialParameters] continuation in
+            var attestationObjectResult: AttestationObject = try await withCancellableFirstSuccessfulContinuation { [attestRegistration, publicKeyCredentialParameters] continuation in
                 /// → If lifetimeTimer expires,
                 ///     For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests.
                 Task {
@@ -213,41 +213,66 @@ public struct WebAuthnClient {
             ///                 whose value is an AuthenticationExtensionsClientOutputs object containing extension identifier → client extension output entries. The entries are created by running each extension’s client extension processing algorithm to create the client extension outputs, for each client extension in pkOptions.extensions.
             ///         3. Let constructCredentialAlg be an algorithm that takes a global object global, and whose steps are:
             ///             1. If credentialCreationData.attestationConveyancePreferenceOption’s value is
-            ///                 → none
-            ///                     Replace potentially uniquely identifying information with non-identifying versions of the same:
-            ///                         1. If the aaguid in the attested credential data is 16 zero bytes, credentialCreationData.attestationObjectResult.fmt is "packed", and "x5c" is absent from credentialCreationData.attestationObjectResult, then self attestation is being used and no further action is needed.
-            ///                         2. Otherwise
-            ///                             1. Replace the aaguid in the attested credential data with 16 zero bytes.
-            ///                             2. Set the value of credentialCreationData.attestationObjectResult.fmt to "none", and set the value of credentialCreationData.attestationObjectResult.attStmt to be an empty CBOR map. (See § 8.7 None Attestation Statement Format and § 6.5.4 Generating an Attestation Object).
-            ///                 → indirect
-            ///                     The client MAY replace the aaguid and attestation statement with a more privacy-friendly and/or more easily verifiable version of the same data (for example, by employing an Anonymization CA).
-            ///                 → direct or enterprise
-            ///                     Convey the authenticator's AAGUID and attestation statement, unaltered, to the Relying Party.
+            switch options.attestation {
+                ///                 → none
+            case .none:
+                ///                 Replace potentially uniquely identifying information with non-identifying versions of the same:
+                ///                     1. If the aaguid in the attested credential data is 16 zero bytes, credentialCreationData.attestationObjectResult.fmt is "packed", and "x5c" is absent from credentialCreationData.attestationObjectResult, then self attestation is being used and no further action is needed.
+                ///                     2. Otherwise
+                if attestationObjectResult.authenticatorData.attestedData?.authenticatorAttestationGUID != .anonymous,
+                   attestationObjectResult.format != .packed,
+                   attestationObjectResult.attestationStatement["x5c"] == nil {
+                    ///                     1. Replace the aaguid in the attested credential data with 16 zero bytes.
+                    attestationObjectResult.authenticatorData.attestedData?.authenticatorAttestationGUID = .anonymous
+                    ///                     2. Set the value of credentialCreationData.attestationObjectResult.fmt to "none", and set the value of credentialCreationData.attestationObjectResult.attStmt to be an empty CBOR map. (See § 8.7 None Attestation Statement Format and § 6.5.4 Generating an Attestation Object).
+                    attestationObjectResult.format = .none
+                    attestationObjectResult.attestationStatement = [:]
+                }
+                ///                 → indirect
+                ///                     The client MAY replace the aaguid and attestation statement with a more privacy-friendly and/or more easily verifiable version of the same data (for example, by employing an Anonymization CA).
+                ///                 → direct or enterprise
+                ///                     Convey the authenticator's AAGUID and attestation statement, unaltered, to the Relying Party.
+            }
             ///         5. Let attestationObject be a new ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of credentialCreationData.attestationObjectResult’s value.
+            let attestationObject = attestationObjectResult.bytes
+            
             ///         6. Let id be attestationObject.authData.attestedCredentialData.credentialId.
+            guard let credentialID = attestationObjectResult.authenticatorData.attestedData?.credentialID
+            else { throw WebAuthnError.attestedCredentialDataMissing }
+            
             ///         7. Let pubKeyCred be a new PublicKeyCredential object associated with global whose fields are:
-            ///             [[identifier]]
-            ///                 id
-            ///             authenticatorAttachment
-            ///                 The AuthenticatorAttachment value matching the current authenticator attachment modality of authenticator.
-            ///             response
-            ///                 A new AuthenticatorAttestationResponse object associated with global whose fields are:
-            ///                     clientDataJSON
-            ///                         A new ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of credentialCreationData.clientDataJSONResult.
-            ///                     attestationObject
-            ///                         attestationObject
-            ///                     [[transports]]
-            ///                         A sequence of zero or more unique DOMStrings, in lexicographical order, that the authenticator is believed to support. The values SHOULD be members of AuthenticatorTransport, but client platforms MUST ignore unknown values.
-            ///                         If a user agent does not wish to divulge this information it MAY substitute an arbitrary sequence designed to preserve privacy. This sequence MUST still be valid, i.e. lexicographically sorted and free of duplicates. For example, it may use the empty sequence. Either way, in this case the user agent takes the risk that Relying Party behavior may be suboptimal.
-            ///                         If the user agent does not have any transport information, it SHOULD set this field to the empty sequence.
-            ///                         NOTE: How user agents discover transports supported by a given authenticator is outside the scope of this specification, but may include information from an attestation certificate (for example [FIDO-Transports-Ext]), metadata communicated in an authenticator protocol such as CTAP2, or special-case knowledge about a platform authenticator.
-            ///             [[clientExtensionsResults]]
-            ///                 A new ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of credentialCreationData.clientExtensionResults.
+            let publicKeyCredential = RegistrationCredential(
+                ///         [[identifier]]
+                ///             id
+                id: credentialID,
+                ///         authenticatorAttachment
+                ///             The AuthenticatorAttachment value matching the current authenticator attachment modality of authenticator.
+                ///         response
+                ///             A new AuthenticatorAttestationResponse object associated with global whose fields are:
+                attestationResponse: AuthenticatorAttestationResponse(
+                    ///             clientDataJSON
+                    ///                 A new ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of credentialCreationData.clientDataJSONResult.
+                    clientDataJSON: Array(clientDataJSON),
+                    ///             attestationObject
+                    ///                 attestationObject
+                    attestationObject: attestationObject
+                    ///             [[transports]]
+                    ///                 A sequence of zero or more unique DOMStrings, in lexicographical order, that the authenticator is believed to support. The values SHOULD be members of AuthenticatorTransport, but client platforms MUST ignore unknown values.
+                    ///                 If a user agent does not wish to divulge this information it MAY substitute an arbitrary sequence designed to preserve privacy. This sequence MUST still be valid, i.e. lexicographically sorted and free of duplicates. For example, it may use the empty sequence. Either way, in this case the user agent takes the risk that Relying Party behavior may be suboptimal.
+                    ///                 If the user agent does not have any transport information, it SHOULD set this field to the empty sequence.
+                    ///                 NOTE: How user agents discover transports supported by a given authenticator is outside the scope of this specification, but may include information from an attestation certificate (for example [FIDO-Transports-Ext]), metadata communicated in an authenticator protocol such as CTAP2, or special-case knowledge about a platform authenticator.
+                )
+                ///         [[clientExtensionsResults]]
+                ///             A new ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of credentialCreationData.clientExtensionResults.
+            )
             ///         8. Return pubKeyCred.
+            // Returned below.
+            
             ///     4. For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.
-            ///     5. Return constructCredentialAlg and terminate this algorithm.
+            // Already performed.
 
-            throw WebAuthnError.unsupported
+            ///     5. Return constructCredentialAlg and terminate this algorithm.
+            return publicKeyCredential
         } catch {
             /// Step 35. Throw a "NotAllowedError" DOMException. In order to prevent information leak that could identify the user without consent, this step MUST NOT be executed before lifetimeTimer has expired. See § 14.5.1 Registration Ceremony Privacy for details.
             /// During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and authorizing an authenticator.

Tests/WebAuthnTests/WebAuthnManagerIntegrationTests.swift

@@ -64,9 +64,7 @@ final class WebAuthnManagerIntegrationTests: XCTestCase {
         ).build().cborEncoded
 
         let registrationResponse = RegistrationCredential(
-            id: mockCredentialID.base64URLEncodedString(),
-            type: .publicKey,
-            rawID: mockCredentialID,
+            id: mockCredentialID,
             attestationResponse: AuthenticatorAttestationResponse(
                 clientDataJSON: mockClientDataJSON.jsonBytes,
                 attestationObject: mockAttestationObject

Tests/WebAuthnTests/WebAuthnManagerRegistrationTests.swift

@@ -375,9 +375,8 @@ final class WebAuthnManagerRegistrationTests: XCTestCase {
         try await webAuthnManager.finishRegistration(
             challenge: challenge,
             credentialCreationData: RegistrationCredential(
-                id: rawID.base64URLEncodedString(),
                 type: type,
-                rawID: rawID,
+                id: rawID,
                 attestationResponse: AuthenticatorAttestationResponse(
                     clientDataJSON: clientDataJSON,
                     attestationObject: attestationObject