Adds Windows Hello support by enabling RSA signatures

backend-tests/backend-tests.hs

@@ -147,7 +147,7 @@ type HttpResponse = record {
 
 type StreamingCallbackHttpResponse = record {
   body: blob;
-  token: opt Token;
+  token: Token;
 };
 
 type Token = record {};
@@ -385,7 +385,7 @@ callIIReject cid user_id l x = do
 
 -- Some common devices
 webauthSK :: SecretKey
-webauthSK = createSecretKeyWebAuthn "foobar"
+webauthSK = createSecretKeyWebAuthnECDSA "foobar"
 webauthPK :: PublicKey
 webauthPK = toPublicKey webauthSK
 webauthID :: EntityId
@@ -399,7 +399,7 @@ device1 = empty
     .+ #key_type .== enum #cross_platform
 
 webauth2SK :: SecretKey
-webauth2SK = createSecretKeyWebAuthn "foobar2"
+webauth2SK = createSecretKeyWebAuthnRSA "foobar2"
 webauth2PK = toPublicKey webauth2SK
 webauth2PK :: PublicKey
 webauth2ID :: EntityId

backend-tests/cabal.project

@@ -8,9 +8,9 @@ source-repository-package
 source-repository-package
     type: git
     location: https://github.com/nomeata/haskell-candid
-    tag: 2f699033b9d255b036b511c66d2e6b86c1798c70
+    tag: 01157c50ec29b1f8ab35ca27f38dc592ed5406f9
 
 source-repository-package
     type: git
     location: https://github.com/dfinity/ic-hs
-    tag: 97775b443dc463837b5ae7c644a34eda904d5e1f
+    tag: c49a2f443d177b6486a1797ca646d8546ac7288c

backend-tests/cabal.project.freeze

@@ -45,7 +45,7 @@ constraints: any.Cabal ==3.0.1.0,
              any.bytestring ==0.10.10.1,
              any.cabal-doctest ==1.0.8,
              any.call-stack ==0.3.0,
-             any.candid ==0.1,
+             any.candid ==0.2,
              any.case-insensitive ==1.2.1.0,
              any.cborg ==0.2.4.0,
              cborg +optimize-gmp,
@@ -154,7 +154,7 @@ constraints: any.Cabal ==3.0.1.0,
              any.regex-tdfa ==1.3.1.0,
              regex-tdfa -force-o2,
              any.resourcet ==1.2.4.2,
-             any.row-types ==0.4.0.0,
+             any.row-types ==1.0.1.0,
              any.rts ==1.0,
              any.scientific ==0.3.6.2,
              scientific -bytestring-builder -integer-simple,

src/frontend/src/flows/register.ts

@@ -1,7 +1,11 @@
 import { WebAuthnIdentity } from "@dfinity/identity";
 import { html, render } from "lit-html";
 import { withLoader } from "../components/loader";
-import { IIConnection, canisterIdPrincipal } from "../utils/iiConnection";
+import {
+  IIConnection,
+  canisterIdPrincipal,
+  creationOptions,
+} from "../utils/iiConnection";
 import { setUserNumber } from "../utils/userNumber";
 import { confirmRegister } from "./confirmRegister";
 import { displayUserNumber } from "./displayUserNumber";
@@ -61,7 +65,9 @@ const init = (): Promise<LoginResult | null> =>
       await tick();
 
       try {
-        const pendingIdentity = WebAuthnIdentity.create().catch((error) => {
+        const pendingIdentity = WebAuthnIdentity.create({
+          publicKey: creationOptions(),
+        }).catch((error) => {
           resolve(apiResultToLoginResult({ kind: "authFail", error }));
           // We can never get here, but TS doesn't understand that
           return 0 as unknown as WebAuthnIdentity;

src/frontend/src/utils/iiConnection.ts

@@ -364,14 +364,18 @@ export const creationOptions = (
             type: "public-key",
           }
     ),
-    attestation: "direct",
     challenge: Uint8Array.from("<ic0.app>", (c) => c.charCodeAt(0)),
     pubKeyCredParams: [
       {
         type: "public-key",
         // alg: PubKeyCoseAlgo.ECDSA_WITH_SHA256
         alg: -7,
       },
+      {
+        type: "public-key",
+        // alg: PubKeyCoseAlgo.RSA_WITH_SHA256
+        alg: -257,
+      },
     ],
     rp: {
       name: "Internet Identity Service",

src/frontend/src/utils/multiWebAuthnIdentity.ts

@@ -13,7 +13,7 @@ import {
   blobFromUint8Array,
   DerEncodedBlob,
 } from "@dfinity/candid";
-import { WebAuthnIdentity } from "@dfinity/identity";
+import { DER_COSE_OID, unwrapDER, WebAuthnIdentity } from "@dfinity/identity";
 import borc from "borc";
 
 export type CredentialId = BinaryBlob;
@@ -68,8 +68,8 @@ export class MultiWebAuthnIdentity extends SignIdentity {
       if (
         cd.credentialId.equals(blobFromUint8Array(Buffer.from(result.rawId)))
       ) {
+        const strippedKey = unwrapDER(cd.pubkey, DER_COSE_OID);
         // would be nice if WebAuthnIdentity had a directly usable constructor
-        const strippedKey = cd.pubkey.slice(19);
         this._actualIdentity = WebAuthnIdentity.fromJSON(
           JSON.stringify({
             rawId: Buffer.from(cd.credentialId).toString("hex"),

src/internet_identity/src/main.rs

@@ -864,7 +864,7 @@ fn trap_if_not_authenticated<'a>(public_keys: impl Iterator<Item = &'a PublicKey
 
 fn check_entry_limits(device_data: &DeviceData) {
     const ALIAS_LEN_LIMIT: usize = 64;
-    const PK_LEN_LIMIT: usize = 100;
+    const PK_LEN_LIMIT: usize = 300;
     const CREDENTIAL_ID_LEN_LIMIT: usize = 200;
 
     let n = device_data.alias.len();