Move challenge logic into helper functions

Author: marius-se

Package.swift

@@ -16,7 +16,7 @@
 import PackageDescription
 
 let package = Package(
-    name: "WebAuthn",
+    name: "webauthn-swift",
     platforms: [
         .macOS(.v12)
     ],

Sources/WebAuthn/AssertionCredential.swift renamed to Sources/WebAuthn/AuthenticationResponse.swift

@@ -14,23 +14,26 @@
 
 import Foundation
 
-public struct AssertionCredential: Codable {
+public struct AuthenticationResponse: Codable {
     public let id: String
-    public let type: String
-    public let response: AssertionCredentialResponse
     public let rawID: String
-    
+    public let response: AuthenticatorAssertionResponse
+    public let authenticatorAttachment: String?
+    /// This is the public-key
+    public let type: String
+
     enum CodingKeys: String, CodingKey {
         case id
         case rawID = "rawId"
-        case type
         case response
+        case authenticatorAttachment
+        case type
     }
 }
 
-public struct AssertionCredentialResponse: Codable {
-    let authenticatorData: String
+public struct AuthenticatorAssertionResponse: Codable {
     let clientDataJSON: String
+    let authenticatorData: String
     let signature: String
-    let userHandle: String
+    let userHandle: String?
 }

Sources/WebAuthn/AuthenticatorFlags.swift

@@ -13,7 +13,7 @@
 //===----------------------------------------------------------------------===//
 
 struct AuthenticatorFlags {
-    
+
     /**
      Taken from https://w3c.github.io/webauthn/#sctn-authenticator-data
      Bit 0: User Present Result
@@ -23,26 +23,26 @@ struct AuthenticatorFlags {
      Bit 6: Attested credential data included
      Bit 7: Extension data include
      */
-    
+
     enum Bit: UInt8 {
         case userPresent = 0
         case userVerified = 2
         case attestedCredentialDataIncluded = 6
         case extensionDataIncluded = 7
     }
-    
+
     let userPresent: Bool
     let userVerified: Bool
     let attestedCredentialData: Bool
     let extensionDataIncluded: Bool
-    
+
     init(_ byte: UInt8) {
         userPresent = Self.isFlagSet(on: byte, at: .userPresent)
         userVerified = Self.isFlagSet(on: byte, at: .userVerified)
         attestedCredentialData = Self.isFlagSet(on: byte, at: .attestedCredentialDataIncluded)
         extensionDataIncluded = Self.isFlagSet(on: byte, at: .extensionDataIncluded)
     }
-    
+
     static func isFlagSet(on byte: UInt8, at position: Bit) -> Bool {
         (byte & (1 << position.rawValue)) != 0
     }

Sources/WebAuthn/Helpers/WebAuthn+generateChallenge.swift

@@ -0,0 +1,34 @@
+import Foundation
+import Logging
+
+extension WebAuthn {
+    struct ChallengeGeneratorError: Error {}
+    /// Generate a suitably random value to be used as an attestation or assertion challenge
+    /// - Throws: An error if something went wrong while generating random byte
+    /// - Returns: 32 bytes
+    public static func generateChallenge() throws -> [UInt8] {
+        var bytes = [UInt8](repeating: 0, count: 32)
+        let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
+        guard status == errSecSuccess else { throw ChallengeGeneratorError() }
+        return bytes
+    }
+}
+
+extension Array where Element == UInt8 {
+    /// Encodes an array of bytes into a base64url-encoded string
+    /// - Returns: A base64url-encoded string
+    public func base64URLEncode() -> String {
+        let base64String = Data(bytes: self, count: self.count).base64EncodedString()
+        return base64String.replacingOccurrences(of: "+", with: "-")
+            .replacingOccurrences(of: "/", with: "_")
+            .replacingOccurrences(of: "=", with: "")
+    }
+}
+
+extension String {
+    /// Decode a base64url-encoded `String` to a base64 `String`
+    /// - Returns: A base64-encoded `String`
+    public static func base64(fromBase64URLEncoded base64URLEncoded: String) -> Self {
+        return base64URLEncoded.replacingOccurrences(of: "-", with: "+").replacingOccurrences(of: "_", with: "/")
+    }
+}

Sources/WebAuthn/RegisterWebAuthnCredentialData.swift renamed to Sources/WebAuthn/RegistrationResponse.swift

@@ -14,12 +14,13 @@
 
 import Foundation
 
-public struct RegisterWebAuthnCredentialData: Codable {
+public struct RegistrationResponse: Codable {
     public let id: String
     let rawID: String
+    /// This is the public-key
     let type: String
-    let response: RegisterCredentialsResponse
-    
+    let response: AuthenticatorAttestationResponse
+
     enum CodingKeys: String, CodingKey {
         case id
         case rawID = "rawId"
@@ -28,7 +29,7 @@ public struct RegisterWebAuthnCredentialData: Codable {
     }
 }
 
-public struct RegisterCredentialsResponse: Codable {
-    let attestationObject: String
+public struct AuthenticatorAttestationResponse: Codable {
     let clientDataJSON: String
+    let attestationObject: String
 }

Sources/WebAuthn/WebAuthn.swift

@@ -18,21 +18,36 @@ import Logging
 import Foundation
 
 public enum WebAuthn {
-    public static func validateAssertion(_ data: AssertionCredential, challengeProvided: String, publicKey: P256.Signing.PublicKey, logger: Logger) throws {
+    /// Verify that the user has legitimately completed the login process
+    ///
+    /// - Parameters:
+    ///   - data: The response to verify
+    ///   - expectedChallenge: The expected base64url-encoded challenge
+    ///   - publicKey: The users public key
+    ///   - logger: A logger
+    /// - Throws:
+    ///   - An error if the authentication response isn't valid
+    public static func verifyAuthenticationResponse(
+        _ data: AuthenticationResponse,
+        expectedChallenge: String,
+        publicKey: P256.Signing.PublicKey,
+        // requireUserVerification: Bool = false
+        logger: Logger
+    ) throws {
         guard let clientObjectData = data.response.clientDataJSON.base64URLDecodedData else {
             throw WebAuthnError.badRequestData
         }
         let clientObject = try JSONDecoder().decode(ClientDataObject.self, from: clientObjectData)
-        guard challengeProvided == clientObject.challenge else {
+        guard expectedChallenge == clientObject.challenge else {
             throw WebAuthnError.validationError
         }
         let clientDataJSONHash = SHA256.hash(data: clientObjectData)
-        
+
         guard let authenticatorData = data.response.authenticatorData.base64URLDecodedData else {
             throw WebAuthnError.badRequestData
         }
         let signedData = authenticatorData + clientDataJSONHash
-        
+
         guard let signatureData = data.response.signature.base64URLDecodedData else {
             throw WebAuthnError.badRequestData
         }
@@ -41,8 +56,13 @@ public enum WebAuthn {
             throw WebAuthnError.validationError
         }
     }
-    
-    public static func parseRegisterCredentials(_ data: RegisterWebAuthnCredentialData, challengeProvided: String, origin: String, logger: Logger) throws -> Credential {
+
+    public static func parseRegisterCredentials(
+        _ data: RegistrationResponse,
+        challengeProvided: String,
+        origin: String,
+        logger: Logger
+    ) throws -> Credential {
         guard let clientObjectData = data.response.clientDataJSON.base64URLDecodedData else {
             throw WebAuthnError.badRequestData
         }
@@ -64,7 +84,7 @@ public enum WebAuthn {
             throw WebAuthnError.badRequestData
         }
         logger.debug("Got COBR decoded data: \(decodedAttestationObject)")
-        
+
         // Ignore format/statement for now
         guard let authData = decodedAttestationObject["authData"], case let .byteString(authDataBytes) = authData else {
             throw WebAuthnError.badRequestData
@@ -86,11 +106,11 @@ public enum WebAuthn {
         // https://github.com/unrelentingtech/SwiftCBOR#swiftcbor
         // Negative integers are decoded as NegativeInt(UInt), where the actual number is -1 - i
         let algorithm: Int = -1 - Int(algorithmNegative)
-        
+
         // Curve is key -1 - or -0 for SwiftCBOR
         // X Coordinate is key -2, or NegativeInt 1 for SwiftCBOR
         // Y Coordinate is key -3, or NegativeInt 2 for SwiftCBOR
-        
+
         guard let curveRaw = publicKeyObject[.negativeInt(0)], case let .unsignedInt(curve) = curveRaw else {
             throw WebAuthnError.badRequestData
         }
@@ -100,54 +120,60 @@ public enum WebAuthn {
         guard let yCoordRaw = publicKeyObject[.negativeInt(2)], case let .byteString(yCoordinateBytes) = yCoordRaw else {
             throw WebAuthnError.badRequestData
         }
-        
+
         logger.debug("Key type was \(keyType)")
         logger.debug("Algorithm was \(algorithm)")
         logger.debug("Curve was \(curve)")
-        
+
         let key = try P256.Signing.PublicKey(rawRepresentation: xCoordinateBytes + yCoordinateBytes)
         logger.debug("Key is \(key.pemRepresentation)")
-        
+
         return Credential(credentialID: data.id, publicKey: key)
     }
-    
-    static func parseAttestedData(_ data: [UInt8], logger: Logger) throws -> AttestedCredentialData {
+
+    static func parseAttestedData(
+        _ data: [UInt8],
+        logger: Logger
+    ) throws -> AttestedCredentialData {
         // We've parsed the first 37 bytes so far, the next bytes now should be the attested credential data
         // See https://w3c.github.io/webauthn/#sctn-attested-credential-data
         let aaguidLength = 16
         let aaguid = data[37..<(37 + aaguidLength)] // To byte at index 52
-        
+
         let idLengthBytes = data[53..<55] // Length is 2 bytes
         let idLengthData = Data(idLengthBytes)
         let idLength: UInt16 = idLengthData.toInteger(endian: .big)
         let credentialIDEndIndex = Int(idLength) + 55
-        
+
         let credentialID = data[55..<credentialIDEndIndex]
         let publicKeyBytes = data[credentialIDEndIndex...]
-        
+
         return AttestedCredentialData(aaguid: Array(aaguid), credentialID: Array(credentialID), publicKey: Array(publicKeyBytes))
     }
-    
-    static func parseAttestationObject(_ bytes: [UInt8], logger: Logger) throws -> AttestedCredentialData? {
+
+    static func parseAttestationObject(
+        _ bytes: [UInt8],
+        logger: Logger
+    ) throws -> AttestedCredentialData? {
         let minAuthDataLength = 37
         let minAttestedAuthLength = 55
         // TODO - fix
         // let maxCredentialIDLength = 1023
         // What to do when we don't have this
         var credentialsData: AttestedCredentialData? = nil
-        
+
         guard bytes.count >= minAuthDataLength else {
             throw WebAuthnError.authDataTooShort
         }
-        
+
         // TODO: Use
         // let rpIDHashData = bytes[..<32]
         let flags = AuthenticatorFlags(bytes[32])
         // TODO: Use
         // let counter: UInt32 = Data(bytes[33..<37]).toInteger(endian: .big)
-        
+
         var remainingCount = bytes.count - minAuthDataLength
-        
+
         if flags.attestedCredentialData {
             guard bytes.count > minAttestedAuthLength else {
                 throw WebAuthnError.attestedCredentialDataMissing
@@ -162,15 +188,15 @@ public enum WebAuthn {
                 throw WebAuthnError.attestedCredentialFlagNotSet
             }
         }
-        
+
         if flags.extensionDataIncluded {
             guard remainingCount != 0 else {
                 throw WebAuthnError.extensionDataMissing
             }
             let extensionData = bytes[(bytes.count - remainingCount)...]
             remainingCount -= extensionData.count
         }
-        
+
         guard remainingCount == 0 else {
             throw WebAuthnError.leftOverBytes
         }