clean up files and add rsa

Author: marius-se

Package.swift

@@ -34,6 +34,7 @@ let package = Package(
             dependencies: [
                 "SwiftCBOR",
                 .product(name: "Crypto", package: "swift-crypto"),
+                .product(name: "_CryptoExtras", package: "swift-crypto"),
                 .product(name: "Logging", package: "swift-log")
             ]
         ),

Sources/WebAuthn/Authenticator.swift

@@ -12,27 +12,20 @@
 //
 //===----------------------------------------------------------------------===//
 
-/// From §5.2.2
-/// The AuthenticatorAssertionResponse interface represents an authenticator's response to a client’s request for
-/// generation of a new authentication assertion given the WebAuthn Relying Party's challenge and OPTIONAL list of
-/// credentials it is aware of. This response contains a cryptographic signature proving possession of the credential
-/// private key, and optionally evidence of user consent to a specific transaction.
-public struct AuthenticatorAssertionResponse: AuthenticatorResponse, Codable {
+/// This is what the authenticator device returned after we requested it to authenticate a user.
+public struct AuthenticatorAssertionResponse: Codable {
+    /// Representation of what we passed to `navigator.credentials.get()`
     public let clientDataJSON: URLEncodedBase64
     /// Contains the authenticator data returned by the authenticator.
     public let authenticatorData: URLEncodedBase64
     /// Contains the raw signature returned from the authenticator
-    public let signature: String
+    public let signature: URLEncodedBase64
     /// Contains the user handle returned from the authenticator, or null if the authenticator did not return
-    /// a user handle.
+    /// a user handle. Used by to give scope to credentials.
     public let userHandle: String?
     /// Contains an attestation object, if the authenticator supports attestation in assertions.
     /// The attestation object, if present, includes an attestation statement. Unlike the attestationObject
     /// in an AuthenticatorAttestationResponse, it does not contain an authData key because the authenticator
     /// data is provided directly in an AuthenticatorAssertionResponse structure.
     public let attestationObject: String?
 }
-
-public struct ParsedAuthenticatorAssertionResponse {
-
-}

Sources/WebAuthn/Authenticator/AttestationObject/AttestationStatementVerification.swift

@@ -14,6 +14,7 @@
 
 import Foundation
 
+/// The `PublicKeyCredentialRequestOptions` gets passed to the WebAuthn API (`navigator.credentials.get()`)
 public struct PublicKeyCredentialRequestOptions: Codable {
     public let challenge: String
     public let timeout: TimeInterval?
@@ -26,6 +27,18 @@ public struct PublicKeyCredentialRequestOptions: Codable {
 }
 
 public struct PublicKeyCredentialDescriptor: Codable {
+    public enum AuthenticatorTransport: String, Codable {
+        case usb
+        case nfc
+        case ble
+        case hybrid
+        case `internal`
+    }
+
+    enum CodingKeys: String, CodingKey {
+        case type, id, transports
+    }
+
     public let type: String
     public let id: [UInt8]
     public let transports: [AuthenticatorTransport]
@@ -36,10 +49,6 @@ public struct PublicKeyCredentialDescriptor: Codable {
         self.transports = transports
     }
 
-    enum CodingKeys: String, CodingKey {
-        case type, id, transports
-    }
-
     public func encode(to encoder: Encoder) throws {
         var container = encoder.container(keyedBy: CodingKeys.self)
 
@@ -48,3 +57,9 @@ public struct PublicKeyCredentialDescriptor: Codable {
         try container.encode(transports, forKey: .transports)
     }
 }
+
+public enum UserVerificationRequirement: String, Codable {
+    case required
+    case preferred
+    case discouraged
+}

Sources/WebAuthn/Authenticator/AuthenticatorResponse/AuthenticatorResponse.swift

@@ -0,0 +1,14 @@
+import Foundation
+
+/// On successful authentication, this structure contains a summary of the authentication flow
+public struct VerifiedAuthentication {
+    public enum CredentialDeviceType: String, Codable {
+        case singleDevice = "single_device"
+        case multiDevice = "multi_device"
+    }
+
+    let credentialID: URLEncodedBase64
+    let newSignCount: UInt32
+    let credentialDeviceType: CredentialDeviceType
+    let credentialBackedUp: Bool
+}

Sources/WebAuthn/Authenticator/AuthenticatorTransport.swift

@@ -15,6 +15,7 @@
 import Crypto
 import SwiftCBOR
 
+/// Contains the cryptographic attestation that a new key pair was created by that authenticator.
 public struct AttestationObject {
     let authenticatorData: AuthenticatorData
     let rawAuthenticatorData: [UInt8]
@@ -24,46 +25,28 @@ public struct AttestationObject {
     func verify(relyingPartyID: String, verificationRequired: Bool, clientDataHash: SHA256.Digest) throws {
         let relyingPartyIDHash = SHA256.hash(data: relyingPartyID.data(using: .utf8)!)
 
-        // Step 12.
         guard relyingPartyIDHash == authenticatorData.relyingPartyIDHash else {
             throw WebAuthnError.relyingPartyIDHashDoesNotMatch
         }
 
-        // Step 13.
         guard authenticatorData.flags.userPresent else {
             throw WebAuthnError.userPresentFlagNotSet
         }
 
-        // Step 14.
         if verificationRequired {
             guard authenticatorData.flags.userVerified else {
                 throw WebAuthnError.userVerificationRequiredButFlagNotSet
             }
         }
 
-        // Step 17. happening somewhere else (maybe we can move it here?)
-
-        // Attestation format already determined. Skipping step 19.
-
-        // Step 20.
         switch format {
-        case .androidKey:
-            fatalError("Not implemented")
-        case .androidSafetynet:
-            fatalError("Not implemented")
-        case .apple:
-            fatalError("Not implemented")
-        case .fidoU2F:
-            fatalError("Not implemented")
-        case .packed:
-            try AttestationStatementVerification.verifyPacked(attestationObject: self, clientDataHash: clientDataHash)
-        case .tpm:
-            fatalError("Not implemented")
         case .none:
             // if format is `none` statement must be empty
             guard attestationStatement == .map([:]) else {
                 throw WebAuthnError.attestationStatementMissing
             }
+        default:
+            throw WebAuthnError.attestationVerificationNotSupported
         }
     }
 }