add statement verification

marius-se · marius-se · commit db58569ef314 · 2022-12-16T17:11:14.000+01:00
diff --git a/Sources/WebAuthn/Authenticator/AttestationObject/AttestationObject.swift b/Sources/WebAuthn/Authenticator/AttestationObject/AttestationObject.swift
@@ -13,14 +13,15 @@
 //===----------------------------------------------------------------------===//
 
 import Crypto
+import SwiftCBOR
 
 struct AttestationObject {
     let authenticatorData: AuthenticatorData
     let rawAuthenticatorData: [UInt8]
     let format: AttestationFormat
-    let attestationStatement: [String: Any]
+    let attestationStatement: CBOR
 
-    func verify(relyingPartyID: String, verificationRequired: Bool) throws {
+    func verify(relyingPartyID: String, verificationRequired: Bool, clientDataHash: SHA256.Digest) throws {
         let relyingPartyIDHash = SHA256.hash(data: relyingPartyID.data(using: .utf8)!)
 
         // Step 12.
@@ -40,31 +41,29 @@ struct AttestationObject {
             }
         }
 
-        // Step 15.
-        if authenticatorData.flags.isBackupEligible {
-            fatalError("Not implemented yet")
-        }
-
-        // Step 16.
-        if authenticatorData.flags.isCurrentlyBackedUp {
-            fatalError("Not implemented yet")
-        }
-
         // Step 17. happening somewhere else (maybe we can move it here?)
 
         // Attestation format already determined. Skipping step 19.
 
         // Step 20.
-        // TODO: Implement case .packed first! fatalError the rest
-        // switch format {
-        // case .androidKey:
-        // case .androidSafetynet:
-        // case .apple:
-        // case .fidoU2F:
-        // case .packed:
-        // case .tpm:
-        // case .none:
-        //     guard attestationStatement.isEmpty else { throw WebAuthnError.attestationStatementMissing }
-        // }
+        switch format {
+        case .androidKey:
+            fatalError("Not implemented")
+        case .androidSafetynet:
+            fatalError("Not implemented")
+        case .apple:
+            fatalError("Not implemented")
+        case .fidoU2F:
+            fatalError("Not implemented")
+        case .packed:
+            try AttestationStatementVerification.verifyPacked(attestationObject: self, clientDataHash: clientDataHash)
+        case .tpm:
+            fatalError("Not implemented")
+        case .none:
+            // if format is `none` statement must be empty
+            guard attestationStatement == .map([:]) else {
+                throw WebAuthnError.attestationStatementMissing
+            }
+        }
     }
 }
diff --git a/Sources/WebAuthn/Authenticator/AttestationObject/AttestationStatementVerification.swift b/Sources/WebAuthn/Authenticator/AttestationObject/AttestationStatementVerification.swift
@@ -0,0 +1,39 @@
+import SwiftCBOR
+import Crypto
+
+struct AttestationStatementVerification {
+    static func verifyPacked(attestationObject: AttestationObject, clientDataHash: SHA256.Digest) throws {
+        let statement = attestationObject.attestationStatement
+        // guard let formatCBOR = decodedAttestationObject["fmt"], case let .utf8String(format) = formatCBOR else {
+        guard let algCBOR = statement["alg"],
+            case let .negativeInt(alg) = algCBOR,
+            let coseAlg = COSEAlgorithmIdentifier(rawValue: -1 - Int(alg)) else {
+            throw PackedError.invalidOrMissingAlg
+        }
+
+        guard let sigCBOR = statement["sig"],
+              case let .byteString(sig) = sigCBOR else {
+            throw PackedError.invalidOrMissingSig
+        }
+
+        let verificationData = attestationObject.rawAuthenticatorData + clientDataHash
+
+        if let x5cCBOR = statement["x5c"],
+            case let .array(certificates) = x5cCBOR,
+            case let .byteString(attestnCert) = certificates.first {
+            // Basic or AttCA attestation
+
+            print("X5C CERTIFICATE CHAIN VALIDATION NOT IMPLEMENTED YET")
+        } else {
+            // Self Attestation
+
+        }
+    }
+}
+
+extension AttestationStatementVerification {
+    enum PackedError: Error {
+        case invalidOrMissingAlg
+        case invalidOrMissingSig
+    }
+}
diff --git a/Sources/WebAuthn/Authenticator/AuthenticatorAttestationResponse.swift b/Sources/WebAuthn/Authenticator/AuthenticatorAttestationResponse.swift
@@ -49,7 +49,12 @@ struct ParsedAuthenticatorAttestationResponse {
         guard let formatCBOR = decodedAttestationObject["fmt"], case let .utf8String(format) = formatCBOR else {
             throw WebAuthnError.formatError
         }
-        let attestationStatement = decodedAttestationObject["attStmt"]
+
+        guard let attestationStatement = decodedAttestationObject["attStmt"] else {
+            throw WebAuthnError.missingAttestationFormat
+        }
+
+        // use `format` to decode attestationStatement
 
         guard let attestationFormat = AttestationFormat(rawValue: format) else {
             throw WebAuthnError.unsupportedAttestationFormat
@@ -59,10 +64,14 @@ struct ParsedAuthenticatorAttestationResponse {
             authenticatorData: try ParsedAuthenticatorAttestationResponse.parseAuthenticatorData(authDataBytes),
             rawAuthenticatorData: authDataBytes,
             format: attestationFormat,
-            attestationStatement: [:]
+            attestationStatement: attestationStatement
         )
     }
 
+    private static func parseAttestationStatement(format: AttestationFormat, statement: CBOR) throws {
+
+    }
+
     private static func parseAuthenticatorData(_ bytes: [UInt8]) throws -> AuthenticatorData {
         let minAuthDataLength = 37
         guard bytes.count >= minAuthDataLength else {
diff --git a/Sources/WebAuthn/Ceremonies/Registration/CredentialCreationResponse.swift b/Sources/WebAuthn/Ceremonies/Registration/CredentialCreationResponse.swift
@@ -16,13 +16,27 @@ import Foundation
 
 /// The unprocessed response received from `navigator.credentials.create()`.
 /// Internally this will be parsed into a more readable `ParsedCredentialCreationResponse`.
-public struct CredentialCreationResponse: Codable {
-    let id: String
-    let type: String
-    let rawID: URLEncodedBase64
+public struct CredentialCreationResponse {
+    public let id: String
+    public let type: String
+    public let rawID: URLEncodedBase64
     /// Likely the wrong datatype, it should be more like [String: Any]?
-    let clientExtensionResults: [String: String]?
-    let attestationResponse: AuthenticatorAttestationResponse
+    public let clientExtensionResults: [String: String]?
+    public let attestationResponse: AuthenticatorAttestationResponse
+
+    public init(
+        id: String,
+        type: String,
+        rawID: URLEncodedBase64,
+        clientExtensionResults: [String: String]?,
+        attestationResponse: AuthenticatorAttestationResponse
+    ) {
+        self.id = id
+        self.type = type
+        self.rawID = rawID
+        self.clientExtensionResults = clientExtensionResults
+        self.attestationResponse = attestationResponse
+    }
 
     enum CodingKeys: String, CodingKey {
         case id
@@ -32,3 +46,7 @@ public struct CredentialCreationResponse: Codable {
         case attestationResponse = "response"
     }
 }
+
+extension CredentialCreationResponse: Codable {
+
+}
diff --git a/Sources/WebAuthn/Ceremonies/Registration/ParsedCredentialCreationResponse.swift b/Sources/WebAuthn/Ceremonies/Registration/ParsedCredentialCreationResponse.swift
@@ -60,7 +60,8 @@ struct ParsedCredentialCreationResponse {
         // Step 12. - 17.
         try response.attestationObject.verify(
             relyingPartyID: relyingPartyID,
-            verificationRequired: verifyUser
+            verificationRequired: verifyUser,
+            clientDataHash: hash
         )
     }
 }
diff --git a/Sources/WebAuthn/Helpers/Base64Utilities.swift b/Sources/WebAuthn/Helpers/Base64Utilities.swift
@@ -15,7 +15,7 @@
 import Foundation
 import Logging
 
-typealias URLEncodedBase64 = String
+public typealias URLEncodedBase64 = String
 
 extension Array where Element == UInt8 {
     /// Encodes an array of bytes into a base64url-encoded string
diff --git a/Sources/WebAuthn/WebAuthnError.swift b/Sources/WebAuthn/WebAuthnError.swift
@@ -29,6 +29,7 @@ public enum WebAuthnError: Error {
     case relyingPartyIDHashDoesNotMatch
     case attestationStatementMissing
     case missingAttestedCredentialData
+    case missingAttestationFormat
 
     case invalidRawID
     case invalidCredentialCreationType
diff --git a/Tests/WebAuthnTests/CredentialCreationResponseTests.swift b/Tests/WebAuthnTests/CredentialCreationResponseTests.swift
@@ -0,0 +1,26 @@
+import XCTest
+@testable import WebAuthn
+
+final class CredentialCreationResponseTests: XCTestCase {
+    func testDecodingFromJSONSucceeds() throws {
+        // swiftlint:disable line_length
+        let json = """
+        {"id":"Oj7lbcq6vsDvL0t_DuKOETF8LPf_lygwRA1j_Lqn4ms","rawId":"Oj7lbcq6vsDvL0t_DuKOETF8LPf_lygwRA1j_Lqn4ms","type":"public-key","response":{"attestationObject":"o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVikSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFAAAAAK3OAAI1vMYKZIsLJfHwVQMAIDo-5W3Kur7A7y9Lfw7ijhExfCz3_5coMEQNY_y6p-JrpQECAyYgASFYIJr_yLoYbYWgcf7aQcd7pcjUj-3o8biafWQH28WijQSvIlggPI2KqqRQ26KKuFaJ0yH7nouCBrzHu8qRONW-CPa9VDM","clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiY21GdVpHOXRVM1J5YVc1blJuSnZiVk5sY25abGNnIiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwIiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvdGhlcl9rZXlzX2Nhbl9iZV9hZGRlZF9oZXJlIjoiZG8gbm90IGNvbXBhcmUgY2xpZW50RGF0YUpTT04gYWdhaW5zdCBhIHRlbXBsYXRlLiBTZWUgaHR0cHM6Ly9nb28uZ2wveWFiUGV4In0"}}
+        """
+
+        let response = try JSONDecoder().decode(CredentialCreationResponse.self, from: json.data(using: .utf8)!)
+
+        XCTAssertEqual(response.id, "Oj7lbcq6vsDvL0t_DuKOETF8LPf_lygwRA1j_Lqn4ms")
+        XCTAssertEqual(response.rawID, "Oj7lbcq6vsDvL0t_DuKOETF8LPf_lygwRA1j_Lqn4ms")
+        XCTAssertEqual(response.type, "public-key")
+        XCTAssertEqual(
+            response.attestationResponse.clientDataJSON,
+            "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiY21GdVpHOXRVM1J5YVc1blJuSnZiVk5sY25abGNnIiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwIiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvdGhlcl9rZXlzX2Nhbl9iZV9hZGRlZF9oZXJlIjoiZG8gbm90IGNvbXBhcmUgY2xpZW50RGF0YUpTT04gYWdhaW5zdCBhIHRlbXBsYXRlLiBTZWUgaHR0cHM6Ly9nb28uZ2wveWFiUGV4In0"
+        )
+        XCTAssertEqual(
+            response.attestationResponse.attestationObject,
+            "o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVikSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFAAAAAK3OAAI1vMYKZIsLJfHwVQMAIDo-5W3Kur7A7y9Lfw7ijhExfCz3_5coMEQNY_y6p-JrpQECAyYgASFYIJr_yLoYbYWgcf7aQcd7pcjUj-3o8biafWQH28WijQSvIlggPI2KqqRQ26KKuFaJ0yH7nouCBrzHu8qRONW-CPa9VDM"
+        )
+        // swiftlint:enable line_length
+    }
+}
diff --git a/Tests/WebAuthnTests/ParsedCredentialCreationResponseTests.swift b/Tests/WebAuthnTests/ParsedCredentialCreationResponseTests.swift
@@ -0,0 +1,33 @@
+import XCTest
+@testable import WebAuthn
+
+final class ParsedCredentialCreationResponseTests: XCTestCase {
+    func testParsingSucceeds() throws {
+        // swiftlint:disable line_length
+        let response = CredentialCreationResponse(
+            id: "Oj7lbcq6vsDvL0t_DuKOETF8LPf_lygwRA1j_Lqn4ms",
+            type: "public-key",
+            rawID: "Oj7lbcq6vsDvL0t_DuKOETF8LPf_lygwRA1j_Lqn4ms",
+            clientExtensionResults: nil,
+            attestationResponse: AuthenticatorAttestationResponse(
+                clientDataJSON: "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiY21GdVpHOXRVM1J5YVc1blJuSnZiVk5sY25abGNnIiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwIiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvdGhlcl9rZXlzX2Nhbl9iZV9hZGRlZF9oZXJlIjoiZG8gbm90IGNvbXBhcmUgY2xpZW50RGF0YUpTT04gYWdhaW5zdCBhIHRlbXBsYXRlLiBTZWUgaHR0cHM6Ly9nb28uZ2wveWFiUGV4In0",
+                attestationObject: "o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIgNTRtpI_SOOZVzU1pN_4cX-osqUPiHMOW48qqq91DXfUCIQC-MHiaIxt2OdIxgqYnyUDHceevNOMfPibenabQGvXgjGhhdXRoRGF0YVikSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFAAAAAK3OAAI1vMYKZIsLJfHwVQMAIDo-5W3Kur7A7y9Lfw7ijhExfCz3_5coMEQNY_y6p-JrpQECAyYgASFYIJr_yLoYbYWgcf7aQcd7pcjUj-3o8biafWQH28WijQSvIlggPI2KqqRQ26KKuFaJ0yH7nouCBrzHu8qRONW-CPa9VDM"
+            )
+        )
+
+        let parsedResponse = try ParsedCredentialCreationResponse(from: response)
+
+        print(parsedResponse)
+
+        let expectedRawID: [UInt8] = [58, 62, 229, 109, 202, 186, 190, 192, 239, 47, 75, 127, 14, 226, 142, 17, 49, 124, 44, 247, 255, 151, 40, 48, 68, 13, 99, 252, 186, 167, 226, 107]
+        // let expectedResponse = ParsedAuthenticatorAttestationResponse(clientData: .init, attestationObject: .init(clientDataJSON: URLEncodedBase64, attestationObject: String))
+
+        XCTAssertEqual(parsedResponse.id, "Oj7lbcq6vsDvL0t_DuKOETF8LPf_lygwRA1j_Lqn4ms")
+        XCTAssertEqual(parsedResponse.type, "public-key")
+        XCTAssertEqual(parsedResponse.rawID, Data(bytes: expectedRawID, count: expectedRawID.count))
+        XCTAssertEqual(parsedResponse.clientExtensionResults, nil)
+        // XCTAssertEqual(parsedResponse.response, nil)
+
+        // swiftlint:enable line_length
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,8 @@ struct ParsedCredentialCreationResponse {`
`60`	`60`	`// Step 12. - 17.`
`61`	`61`	`try response.attestationObject.verify(`
`62`	`62`	`relyingPartyID: relyingPartyID,`
`63`		`- verificationRequired: verifyUser`
	`63`	`+ verificationRequired: verifyUser,`
	`64`	`+ clientDataHash: hash`
`64`	`65`	`)`
`65`	`66`	`}`
`66`	`67`	`}`