reimplement authentication methods

Author: marius-se

Sources/WebAuthn/Authenticator/AttestationObject/AuthenticatorData.swift

@@ -12,6 +12,7 @@
 //
 //===----------------------------------------------------------------------===//
 
+import Foundation
 import Crypto
 
 /// AuthenticatorData From §6.1 of the spec.
@@ -35,3 +36,82 @@ struct AuthenticatorData {
     let attestedData: AttestedCredentialData?
     let extData: [UInt8]?
 }
+
+extension AuthenticatorData {
+    init(bytes: Data) throws {
+        let minAuthDataLength = 37
+        guard bytes.count >= minAuthDataLength else {
+            throw WebAuthnError.authDataTooShort
+        }
+
+        let relyingPartyIDHash = Array(bytes[..<32])
+        let flags = AuthenticatorFlags(bytes[32])
+        let counter: UInt32 = Data(bytes[33..<37]).toInteger(endian: .big)
+
+        var remainingCount = bytes.count - minAuthDataLength
+
+        var attestedCredentialData: AttestedCredentialData?
+        // For attestation signatures, the authenticator MUST set the AT flag and include the attestedCredentialData.
+        if flags.attestedCredentialData {
+            let minAttestedAuthLength = 55
+            guard bytes.count > minAttestedAuthLength else {
+                throw WebAuthnError.attestedCredentialDataMissing
+            }
+            let (data, length) = try Self.parseAttestedData(bytes)
+            attestedCredentialData = data
+            remainingCount -= length
+        // For assertion signatures, the AT flag MUST NOT be set and the attestedCredentialData MUST NOT be included.
+        } else {
+            if !flags.extensionDataIncluded && bytes.count != minAuthDataLength {
+                throw WebAuthnError.attestedCredentialFlagNotSet
+            }
+        }
+
+        var extensionData: [UInt8]?
+        if flags.extensionDataIncluded {
+            guard remainingCount != 0 else {
+                throw WebAuthnError.extensionDataMissing
+            }
+            extensionData = Array(bytes[(bytes.count - remainingCount)...])
+            remainingCount -= extensionData!.count
+        }
+
+        guard remainingCount == 0 else {
+            throw WebAuthnError.leftOverBytes
+        }
+
+        self.relyingPartyIDHash = relyingPartyIDHash
+        self.flags = flags
+        self.counter = counter
+        self.attestedData = attestedCredentialData
+        self.extData = extensionData
+
+    }
+
+    /// Returns: Attested credentials data and the length
+    private static func parseAttestedData(_ data: Data) throws -> (AttestedCredentialData, Int) {
+        // We've parsed the first 37 bytes so far, the next bytes now should be the attested credential data
+        // See https://w3c.github.io/webauthn/#sctn-attested-credential-data
+        let aaguidLength = 16
+        let aaguid = data[37..<(37 + aaguidLength)]  // To byte at index 52
+
+        let idLengthBytes = data[53..<55]  // Length is 2 bytes
+        let idLengthData = Data(idLengthBytes)
+        let idLength: UInt16 = idLengthData.toInteger(endian: .big)
+        let credentialIDEndIndex = Int(idLength) + 55
+
+        let credentialID = data[55..<credentialIDEndIndex]
+        let publicKeyBytes = data[credentialIDEndIndex...]
+
+        let data = AttestedCredentialData(
+            aaguid: Array(aaguid),
+            credentialID: Array(credentialID),
+            publicKey: Array(publicKeyBytes)
+        )
+
+        // 2 is the bytes storing the size of the credential ID
+        let length = data.aaguid.count + 2 + data.credentialID.count + data.publicKey.count
+
+        return (data, length)
+    }
+}

Sources/WebAuthn/Authenticator/AuthenticatorAttestationResponse.swift

@@ -0,0 +1,38 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the WebAuthn Swift open source project
+//
+// Copyright (c) 2022 the WebAuthn Swift project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of WebAuthn Swift project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+/// From §5.2.2
+/// The AuthenticatorAssertionResponse interface represents an authenticator's response to a client’s request for
+/// generation of a new authentication assertion given the WebAuthn Relying Party's challenge and OPTIONAL list of
+/// credentials it is aware of. This response contains a cryptographic signature proving possession of the credential
+/// private key, and optionally evidence of user consent to a specific transaction.
+public struct AuthenticatorAssertionResponse: AuthenticatorResponse, Codable {
+    public let clientDataJSON: URLEncodedBase64
+    /// Contains the authenticator data returned by the authenticator.
+    public let authenticatorData: URLEncodedBase64
+    /// Contains the raw signature returned from the authenticator
+    public let signature: String
+    /// Contains the user handle returned from the authenticator, or null if the authenticator did not return
+    /// a user handle.
+    public let userHandle: String?
+    /// Contains an attestation object, if the authenticator supports attestation in assertions.
+    /// The attestation object, if present, includes an attestation statement. Unlike the attestationObject
+    /// in an AuthenticatorAttestationResponse, it does not contain an authData key because the authenticator
+    /// data is provided directly in an AuthenticatorAssertionResponse structure.
+    public let attestationObject: String?
+}
+
+public struct ParsedAuthenticatorAssertionResponse {
+
+}

Sources/WebAuthn/Authenticator/AuthenticatorResponse/AuthenticatorAssertionResponse.swift

@@ -0,0 +1,72 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the WebAuthn Swift open source project
+//
+// Copyright (c) 2022 the WebAuthn Swift project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of WebAuthn Swift project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import Foundation
+import SwiftCBOR
+
+/// From $ 5.2.1 (https://w3c.github.io/webauthn/#authenticatorattestationresponse)
+/// The unprocessed response from the authenticator for the creation of a new public key credential.
+/// It contains information about the new credential that can be used to identify it for later use, and
+/// metadata that can be used by the WebAuthn Relying Party to assess the characteristics of the credential during
+/// registration.
+public struct AuthenticatorAttestationResponse: AuthenticatorResponse, Codable {
+    public let clientDataJSON: URLEncodedBase64
+    public let attestationObject: String
+}
+
+struct ParsedAuthenticatorAttestationResponse {
+    let clientData: CollectedClientData
+    let attestationObject: AttestationObject
+
+    init(from rawResponse: AuthenticatorAttestationResponse) throws {
+        // assembling clientData
+        guard let clientDataJSONData = rawResponse.clientDataJSON.base64URLDecodedData else {
+            throw WebAuthnError.invalidClientDataJSON
+        }
+        let clientData = try JSONDecoder().decode(CollectedClientData.self, from: clientDataJSONData)
+        self.clientData = clientData
+
+        // Step 11. (assembling attestationObject)
+        guard let attestationData = rawResponse.attestationObject.base64URLDecodedData,
+            let decodedAttestationObject = try CBOR.decode([UInt8](attestationData)) else {
+            throw WebAuthnError.cborDecodingAttestationDataFailed
+        }
+
+        guard let authData = decodedAttestationObject["authData"], case let .byteString(authDataBytes) = authData else {
+            throw WebAuthnError.authDataInvalidOrMissing
+        }
+        guard let formatCBOR = decodedAttestationObject["fmt"], case let .utf8String(format) = formatCBOR else {
+            throw WebAuthnError.formatError
+        }
+
+        guard let attestationStatement = decodedAttestationObject["attStmt"] else {
+            throw WebAuthnError.missingAttestationFormat
+        }
+
+        guard let attestationFormat = AttestationFormat(rawValue: format) else {
+            throw WebAuthnError.unsupportedAttestationFormat
+        }
+
+        attestationObject = AttestationObject(
+            authenticatorData: try AuthenticatorData(bytes: Data(authDataBytes)),
+            rawAuthenticatorData: authDataBytes,
+            format: attestationFormat,
+            attestationStatement: attestationStatement
+        )
+    }
+
+    private static func parseAttestationStatement(format: AttestationFormat, statement: CBOR) throws {
+
+    }
+}

Sources/WebAuthn/Authenticator/AuthenticatorResponse/AuthenticatorAttestationResponse.swift

@@ -0,0 +1,20 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the WebAuthn Swift open source project
+//
+// Copyright (c) 2022 the WebAuthn Swift project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of WebAuthn Swift project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+/// From §5.2 (https://w3c.github.io/webauthn/#iface-authenticatorresponse)
+/// Authenticators respond to Relying Party requests by returning an object derived from the
+/// AuthenticatorResponse interface
+public protocol AuthenticatorResponse {
+    var clientDataJSON: URLEncodedBase64 { get }
+}

Sources/WebAuthn/Authenticator/AuthenticatorResponse/AuthenticatorResponse.swift

@@ -0,0 +1,21 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the WebAuthn Swift open source project
+//
+// Copyright (c) 2022 the WebAuthn Swift project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of WebAuthn Swift project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+public enum AuthenticatorTransport: String, Codable {
+    case usb
+    case nfc
+    case ble
+    case hybrid
+    case `internal`
+}