minor changes

Author: marius-se

Sources/WebAuthn/Authenticator/AttestationObject/AttestationStatementVerification.swift

@@ -1,3 +1,17 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the WebAuthn Swift open source project
+//
+// Copyright (c) 2022 the WebAuthn Swift project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of WebAuthn Swift project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
 import SwiftCBOR
 import Crypto
 

Sources/WebAuthn/Ceremonies/Registration/ParsedCredentialCreationResponse.swift

@@ -30,18 +30,27 @@ struct ParsedCredentialCreationResponse {
     init(from rawResponse: CredentialCreationResponse) throws {
         id = rawResponse.id
 
-        guard let decodedRawID = rawResponse.rawID.base64URLDecodedData else { throw WebAuthnError.invalidRawID }
+        guard let decodedRawID = rawResponse.rawID.base64URLDecodedData else {
+            throw WebAuthnError.invalidRawID
+        }
         rawID = decodedRawID
 
-        guard rawResponse.type == "public-key" else { throw WebAuthnError.invalidCredentialCreationType }
+        guard rawResponse.type == "public-key" else {
+            throw WebAuthnError.invalidCredentialCreationType
+        }
         type = rawResponse.type
 
         clientExtensionResults = rawResponse.clientExtensionResults
         raw = rawResponse.attestationResponse
         response = try ParsedAuthenticatorAttestationResponse(from: raw)
     }
 
-    func verify(storedChallenge: String, verifyUser: Bool, relyingPartyID: String, relyingPartyOrigin: String) throws {
+    func verify(
+        storedChallenge: URLEncodedBase64,
+        verifyUser: Bool,
+        relyingPartyID: String,
+        relyingPartyOrigin: String
+    ) throws {
         // Step 7. - 9.
         try response.clientData.verify(
             storedChallenge: storedChallenge,
@@ -63,5 +72,10 @@ struct ParsedCredentialCreationResponse {
             verificationRequired: verifyUser,
             clientDataHash: hash
         )
+
+        // Step 23.
+        guard rawID.count <= 1023 else {
+            throw WebAuthnError.credentialIDTooBig
+        }
     }
 }

Sources/WebAuthn/Ceremonies/Registration/PublicKeyCredentialCreationOptions.swift

@@ -18,8 +18,7 @@ import Foundation
 /// Contains a PublicKeyCredentialCreationOptions object specifying the desired attributes of the
 /// to-be-created public key credential.
 public struct PublicKeyCredentialCreationOptions: Codable {
-    /// Base64-encoded challenge string
-    public let challenge: String
+    public let challenge: EncodedBase64
     public let user: PublicKeyCredentialUserEntity
     public let relyingParty: PublicKeyCredentialRpEntity
     public let publicKeyCredentialParameters: [PublicKeyCredentialParameters]

Sources/WebAuthn/Helpers/Base64Utilities.swift

@@ -16,15 +16,14 @@ import Foundation
 import Logging
 
 public typealias URLEncodedBase64 = String
+public typealias EncodedBase64 = String
 
 extension Array where Element == UInt8 {
     /// Encodes an array of bytes into a base64url-encoded string
     /// - Returns: A base64url-encoded string
     public func base64URLEncodedString() -> String {
         let base64String = Data(bytes: self, count: self.count).base64EncodedString()
-        return base64String.replacingOccurrences(of: "+", with: "-")
-            .replacingOccurrences(of: "/", with: "_")
-            .replacingOccurrences(of: "=", with: "")
+        return String.base64URL(fromBase64: base64String)
     }
 
     /// Encodes an array of bytes into a base64 string
@@ -40,6 +39,12 @@ extension String {
     public static func base64(fromBase64URLEncoded base64URLEncoded: String) -> Self {
         return base64URLEncoded.replacingOccurrences(of: "-", with: "+").replacingOccurrences(of: "_", with: "/")
     }
+
+    public static func base64URL(fromBase64 base64Encoded: String) -> Self {
+        return base64Encoded.replacingOccurrences(of: "+", with: "-")
+            .replacingOccurrences(of: "/", with: "_")
+            .replacingOccurrences(of: "=", with: "")
+    }
 }
 
 extension String {

Sources/WebAuthn/SessionData.swift

@@ -31,6 +31,9 @@ public enum WebAuthnError: Error {
     case missingAttestedCredentialData
     case missingAttestationFormat
 
+    case credentialIDTooBig
+    case credentialIDAlreadyExists
+
     case invalidRawID
     case invalidCredentialCreationType
     case invalidClientDataJSON

Sources/WebAuthn/WebAuthnError.swift

@@ -30,7 +30,7 @@ public struct WebAuthnManager {
     }
 
     /// Generate a new set of registration data to be sent to the client and authenticator.
-    public func beginRegistration(user: User) throws -> (PublicKeyCredentialCreationOptions, SessionData) {
+    public func beginRegistration(user: User) throws -> PublicKeyCredentialCreationOptions {
         guard let base64ID = user.userID.data(using: .utf8)?.base64EncodedString() else {
             throw WebAuthnManagerError.base64EncodingFailed
         }
@@ -40,38 +40,33 @@ public struct WebAuthnManager {
 
         let challenge = try generateChallengeString()
 
-        let options = PublicKeyCredentialCreationOptions(
+        return PublicKeyCredentialCreationOptions(
             challenge: challenge.base64EncodedString(),
             user: userEntity,
             relyingParty: relyingParty,
             publicKeyCredentialParameters: PublicKeyCredentialParameters.supported,
             timeout: config.timeout
         )
-        let sessionData = SessionData(challenge: challenge.base64URLEncodedString(), userID: user.userID)
-
-        return (options, sessionData)
     }
 
     /// Take response from authenticator and client and verify credential against the user's credentials and
     /// session data.
     /// - Parameters:
-    ///   - user: The user to verify against the authenticator response
-    ///   - sessionData: The data passed to the authenticator within the preceding registration options
+    ///   - challenge: The user to verify against the authenticator response. Base64 encoded.
     ///   - credentialCreationData: The value returned from `navigator.credentials.create()`
     ///   - requireUserVerification: Whether or not to require that the authenticator verified the user.
     /// - Returns:  A new `Credential` with information about the authenticator and registration
     public func finishRegistration(
-        for user: User,
-        sessionData: SessionData,
+        challenge: EncodedBase64,
         credentialCreationData: CredentialCreationResponse,
         requireUserVerification: Bool = false,
-        supportedPublicKeyAlgorithms: [PublicKeyCredentialParameters] = PublicKeyCredentialParameters.supported
-    ) throws -> Credential {
-        guard user.userID == sessionData.userID else { throw WebAuthnManagerError.userIDMismatch }
-
+        supportedPublicKeyAlgorithms: [PublicKeyCredentialParameters] = PublicKeyCredentialParameters.supported,
+        confirmCredentialIDNotRegisteredYet: (String) async throws -> Bool
+    ) async throws -> Credential {
+        // Step 3. - 16.
         let parsedData = try ParsedCredentialCreationResponse(from: credentialCreationData)
         try parsedData.verify(
-            storedChallenge: sessionData.challenge,
+            storedChallenge: String.base64URL(fromBase64: challenge),
             verifyUser: requireUserVerification,
             relyingPartyID: config.relyingPartyID,
             relyingPartyOrigin: config.relyingPartyOrigin
@@ -81,10 +76,18 @@ public struct WebAuthnManager {
             throw WebAuthnError.missingAttestedCredentialData
         }
 
+        // Step 17.
         let parsedPublicKeyData = try ParsedPublicKeyData(fromPublicKeyBytes: attestedData.publicKey)
         try parsedPublicKeyData.verify(supportedPublicKeyAlgorithms: supportedPublicKeyAlgorithms)
 
-        // Return a new credential record (based on step 25.)
+        // TODO: Step 18. -> Verify client extensions
+
+        // Step 24.
+        guard try await confirmCredentialIDNotRegisteredYet(parsedData.id) else {
+            throw WebAuthnError.credentialIDAlreadyExists
+        }
+
+        // Step 25.
         return Credential(
             type: parsedData.type,
             id: parsedData.id,