Migrate from Newtonsoft to System.Text.Json (#249)

* Migrate from Newtonsoft to System.Text.Json

* Add fast path for decoding UTF8-encoded Base64Url data

* Ensure x5c is an Array

* Add Async suffix to GetMetadataStatement

* Remove trailing spaces

* Add FidoEnumConverter test coverage

* Extend FidoEnumConverter test coverage

* [Demo] Use built-in System.Text.Json serializer

Author: iamcarbon

Demo/ConformanceTesting.cs

@@ -23,7 +23,7 @@ public static IMetadataService MetadataServiceInstance(string cacheDir, string o
                             new FileSystemMetadataRepository(cacheDir)
                         };
                         _instance = new SimpleMetadataService(repos);
-                        _instance.Initialize().Wait();
+                        _instance.InitializeAsync().Wait();
                     }
                 }
             }

Demo/Demo.csproj

@@ -7,8 +7,6 @@
     <ProjectReference Include="..\Src\Fido2.AspNet\Fido2.AspNet.csproj" />
     <ProjectReference Include="..\Src\Fido2.Models\Fido2.Models.csproj" />
     <ProjectReference Include="..\Src\Fido2\Fido2.csproj" />
-    <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="5.0.10" />
-
     <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="5.0.2" />    
   </ItemGroup>
   <ItemGroup>

Demo/Startup.cs

@@ -26,7 +26,7 @@ public void ConfigureServices(IServiceCollection services)
             {
                 // we don't care about antiforgery in the demo
                 opts.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
-            }).AddNewtonsoftJson(); // the FIDO2 library requires Json.NET
+            });
 
             // Use the in-memory implementation of IDistributedCache.
             services.AddDistributedMemoryCache();

Src/Fido2.AspNet/DistributedCacheMetadataService.cs

@@ -2,10 +2,10 @@
 using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Linq;
+using System.Text.Json;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Logging;
-using Newtonsoft.Json;
 
 namespace Fido2NetLib
 {
@@ -86,7 +86,7 @@ protected virtual async Task LoadTocEntryStatement(
                 var cachedEntry = await _cache.GetStringAsync(cacheKey);
                 if (cachedEntry != null)
                 {
-                    var statement = JsonConvert.DeserializeObject<MetadataStatement>(cachedEntry);
+                    var statement = JsonSerializer.Deserialize<MetadataStatement>(cachedEntry);
                     if (!string.IsNullOrWhiteSpace(statement.AaGuid))
                     {
                         var aaGuid = Guid.Parse(statement.AaGuid);
@@ -102,7 +102,7 @@ protected virtual async Task LoadTocEntryStatement(
                     {
                         if (!string.IsNullOrWhiteSpace(entry.AaGuid))
                         {
-                            var statementJson = JsonConvert.SerializeObject(entry.MetadataStatement, Formatting.Indented);
+                            var statementJson = JsonSerializer.Serialize(entry.MetadataStatement, new JsonSerializerOptions { WriteIndented = true });
 
                             _log?.LogDebug("{0}:{1}\n{2}", entry.AaGuid, entry.MetadataStatement.Description, statementJson);
 
@@ -149,7 +149,7 @@ protected virtual async Task LoadTocEntryStatement(
             return null;
         }
 
-        protected virtual async Task InitializeRepository(IMetadataRepository repository)
+        protected virtual async Task InitializeRepositoryAsync(IMetadataRepository repository)
         {
             var blobCacheKey = GetTocCacheKey(repository);
 
@@ -161,7 +161,7 @@ protected virtual async Task InitializeRepository(IMetadataRepository repository
 
             if (cachedToc != null)
             {
-                blob = JsonConvert.DeserializeObject<MetadataBLOBPayload>(cachedToc);
+                blob = JsonSerializer.Deserialize<MetadataBLOBPayload>(cachedToc);
                 cacheUntil = GetCacheUntilTime(blob);
             }
             else
@@ -186,7 +186,7 @@ protected virtual async Task InitializeRepository(IMetadataRepository repository
                 {
                     await _cache.SetStringAsync(
                         blobCacheKey,
-                        JsonConvert.SerializeObject(blob),
+                        JsonSerializer.Serialize(blob),
                         new DistributedCacheEntryOptions()
                         {
                             AbsoluteExpiration = cacheUntil
@@ -204,19 +204,19 @@ await _cache.SetStringAsync(
                     }
                     catch (Exception ex)
                     {
-                        _log?.LogError(ex, "Error getting statement from {0} for AAGUID '{1}'.\nTOC entry:\n{2} ", repository.GetType().Name, entry.AaGuid, JsonConvert.SerializeObject(entry, Formatting.Indented));
+                        _log?.LogError(ex, "Error getting statement from {0} for AAGUID '{1}'.\nTOC entry:\n{2} ", repository.GetType().Name, entry.AaGuid, JsonSerializer.Serialize(entry, new JsonSerializerOptions { WriteIndented = true }));
                     }
                 }
             }
         }
 
-        public virtual async Task Initialize()
+        public virtual async Task InitializeAsync()
         {
             foreach (var repository in _repositories)
             {
                 try
                 {
-                    await InitializeRepository(repository);
+                    await InitializeRepositoryAsync(repository);
                 }
                 catch (Exception ex)
                 {

Src/Fido2.AspNet/Fido2NetLibBuilderExtensions.cs

@@ -87,7 +87,7 @@ private static void AddMetadataService<TService>(this IFido2NetLibBuilder builde
             builder.Services.AddSingleton<IMetadataService>(r =>
             {
                 var service = r.GetService<TService>();
-                service.Initialize().Wait();
+                service.InitializeAsync().Wait();
                 return service;
             });
         }

Src/Fido2.AspNet/NullMetadataService.cs

@@ -15,7 +15,7 @@ MetadataBLOBPayloadEntry IMetadataService.GetEntry(Guid aaguid)
             return null;
         }
 
-        Task IMetadataService.Initialize()
+        Task IMetadataService.InitializeAsync()
         {
             return Task.CompletedTask;
         }

Src/Fido2.Models/AssertionOptions.cs

@@ -1,6 +1,8 @@
 using System.Collections.Generic;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
 using Fido2NetLib.Objects;
-using Newtonsoft.Json;
 
 namespace Fido2NetLib
 {
@@ -12,38 +14,39 @@ public class AssertionOptions : Fido2ResponseBase
         /// <summary>
         /// This member represents a challenge that the selected authenticator signs, along with other data, when producing an authentication assertion.See the §13.1 Cryptographic Challenges security consideration.
         /// </summary>
-        [JsonProperty("challenge")]
+        [JsonPropertyName("challenge")]
         [JsonConverter(typeof(Base64UrlConverter))]
         public byte[] Challenge { get; set; }
 
         /// <summary>
         /// This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is treated as a hint, and MAY be overridden by the client.
         /// </summary>
-        [JsonProperty("timeout")]
+        [JsonPropertyName("timeout")]
         public uint Timeout { get; set; }
 
         /// <summary>
         /// This OPTIONAL member specifies the relying party identifier claimed by the caller.If omitted, its value will be the CredentialsContainer object’s relevant settings object's origin's effective domain
         /// </summary>
-        [JsonProperty("rpId")]
+        [JsonPropertyName("rpId")]
         public string RpId { get; set; }
 
         /// <summary>
         /// This OPTIONAL member contains a list of PublicKeyCredentialDescriptor objects representing public key credentials acceptable to the caller, in descending order of the caller’s preference(the first item in the list is the most preferred credential, and so on down the list)
         /// </summary>
-        [JsonProperty("allowCredentials")]
+        [JsonPropertyName("allowCredentials")]
         public IEnumerable<PublicKeyCredentialDescriptor> AllowCredentials { get; set; }
 
         /// <summary>
         /// This member describes the Relying Party's requirements regarding user verification for the get() operation. Eligible authenticators are filtered to only those capable of satisfying this requirement
         /// </summary>
-        [JsonProperty("userVerification")]
+        [JsonPropertyName("userVerification")]
         public UserVerificationRequirement? UserVerification { get; set; }
 
         /// <summary>
         /// This OPTIONAL member contains additional parameters requesting additional processing by the client and authenticator. For example, if transaction confirmation is sought from the user, then the prompt string might be included as an extension.
         /// </summary>
-        [JsonProperty("extensions", NullValueHandling = NullValueHandling.Ignore)]
+        [JsonPropertyName("extensions")]
+        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
         public AuthenticationExtensionsClientInputs Extensions { get; set; }
 
         public static AssertionOptions Create(Fido2Configuration config, byte[] challenge, IEnumerable<PublicKeyCredentialDescriptor> allowedCredentials, UserVerificationRequirement? userVerification, AuthenticationExtensionsClientInputs extensions)
@@ -63,12 +66,12 @@ public static AssertionOptions Create(Fido2Configuration config, byte[] challeng
 
         public string ToJson()
         {
-            return JsonConvert.SerializeObject(this);
+            return JsonSerializer.Serialize(this);
         }
 
         public static AssertionOptions FromJson(string json)
         {
-            return JsonConvert.DeserializeObject<AssertionOptions>(json);
+            return JsonSerializer.Deserialize<AssertionOptions>(json);
         }
     }
 }

Src/Fido2.Models/AuthenticatorAssertionRawResponse.cs

@@ -1,6 +1,7 @@
 #nullable disable
 
-using Newtonsoft.Json;
+using System.Text.Json.Serialization;
+
 using Fido2NetLib.Objects;
 
 namespace Fido2NetLib
@@ -11,32 +12,39 @@ namespace Fido2NetLib
     public class AuthenticatorAssertionRawResponse
     {
         [JsonConverter(typeof(Base64UrlConverter))]
+        [JsonPropertyName("id")]
         public byte[] Id { get; set; }
 
         // might be wrong to base64url encode this...
         [JsonConverter(typeof(Base64UrlConverter))]
+        [JsonPropertyName("rawId")]
         public byte[] RawId { get; set; }
 
+        [JsonPropertyName("response")]
         public AssertionResponse Response { get; set; }
 
+        [JsonPropertyName("type")]
         public PublicKeyCredentialType? Type { get; set; }
 
+        [JsonPropertyName("extensions")]
         public AuthenticationExtensionsClientOutputs Extensions { get; set; }
 
         public class AssertionResponse
         {
             [JsonConverter(typeof(Base64UrlConverter))]
+            [JsonPropertyName("authenticatorData")]
             public byte[] AuthenticatorData { get; set; }
 
             [JsonConverter(typeof(Base64UrlConverter))]
+            [JsonPropertyName("signature")]
             public byte[] Signature { get; set; }
 
-            [JsonProperty("clientDataJson")]
             [JsonConverter(typeof(Base64UrlConverter))]
+            [JsonPropertyName("clientDataJSON")]
             public byte[] ClientDataJson { get; set; }
 
-            [JsonProperty("userHandle")]
-            [JsonConverter(typeof(Base64UrlConverter), Required.AllowNull)]
+            [JsonPropertyName("userHandle")]
+            [JsonConverter(typeof(Base64UrlConverter))]
             public byte[] UserHandle { get; set; }
         }
     }

Src/Fido2.Models/AuthenticatorAttestationRawResponse.cs

@@ -1,27 +1,36 @@
-using Newtonsoft.Json;
+using System.Text.Json.Serialization;
+
 using Fido2NetLib.Objects;
 
 namespace Fido2NetLib
 {
-    public class AuthenticatorAttestationRawResponse
+    public sealed class AuthenticatorAttestationRawResponse
     {
         [JsonConverter(typeof(Base64UrlConverter))]
+        [JsonPropertyName("id")]
         public byte[] Id { get; set; }
 
         [JsonConverter(typeof(Base64UrlConverter))]
+        [JsonPropertyName("rawId")]
         public byte[] RawId { get; set; }
 
+        [JsonPropertyName("type")]
         public PublicKeyCredentialType? Type { get; set; }
 
+        [JsonPropertyName("response")]
         public ResponseData Response { get; set; }
 
+        [JsonPropertyName("extensions")]
         public AuthenticationExtensionsClientOutputs Extensions { get; set; }
 
-        public class ResponseData
+        public sealed class ResponseData
         {
             [JsonConverter(typeof(Base64UrlConverter))]
+            [JsonPropertyName("attestationObject")]
             public byte[] AttestationObject { get; set; }
+
             [JsonConverter(typeof(Base64UrlConverter))]
+            [JsonPropertyName("clientDataJSON")]
             public byte[] ClientDataJson { get; set; }
         }
     }