WIP: Support device public key and passkeys #356
@@ -8,14 +8,38 @@ namespace Fido2NetLib.Objects; | |
/// </summary> | ||
public class AttestationVerificationSuccess : AssertionVerificationResult | ||
{ | ||
[JsonConverter(typeof(Base64UrlConverter))] | ||
public byte[] PublicKey { get; set; } | ||
|
||
public Fido2User User { get; set; } | ||
public string CredType { get; set; } | ||
public System.Guid Aaguid { get; set; } | ||
#nullable enable | ||
public X509Certificate2? AttestationCertificate { get; set; } | ||
#nullable disable | ||
public X509Certificate2[] AttestationCertificateChain { get; set; } | ||
/// <summary> | ||
/// The type of the public key credential source. | ||
/// </summary> | ||
public PublicKeyCredentialType Type { get; set; } = PublicKeyCredentialType.PublicKey; | ||
/// <summary> | ||
/// The Credential ID of the public key credential source. | ||
/// </summary> | ||
public byte[] Id { get; set; } | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do we want to use the same JsonConverter as we do on PublicKey? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Already done in AuthenticatorAttestationRawResponse, no? |
||
/// <summary> | ||
/// The credential public key of the public key credential source. | ||
/// </summary> | ||
[JsonConverter(typeof(Base64UrlConverter))] | ||
public byte[] PublicKey { get; set; } | ||
/// <summary> | ||
/// The value returned from getTransports() when the public key credential source was registered. | ||
/// </summary> | ||
public AuthenticatorTransport[] Transports { get; set; } | ||
/// <summary> | ||
/// The value of the BE flag when the public key credential source was created. | ||
/// </summary> | ||
public bool BE { get; set; } | ||
/// <summary> | ||
/// The value of the attestationObject attribute when the public key credential source was registered. | ||
/// Storing this enables the Relying Party to reference the credential's attestation statement at a later time. | ||
/// </summary> | ||
public byte[] AttestationObject { get; set; } | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do we want to use JsonConverter on this and There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Already done in AuthenticatorAttestationRawResponse, no? |
||
/// <summary> | ||
/// The value of the clientDataJSON attribute when the public key credential source was registered. | ||
/// Storing this in combination with the above attestationObject item enables the Relying Party to re-verify the attestation signature at a later time. | ||
/// </summary> | ||
public byte[] AttestationClientDataJSON { get; set; } | ||
} |
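Review bot: `public bool BE { get; set; }` is an opaque two-letter name in a class where every other new member is spelled out (`Transports`, `AttestationObject`, `AttestationClientDataJSON`); a name such as `BackupEligible`, with the summary reading `/// The value of the BE (backup eligible) flag when the public key credential source was created.`, would follow the framework naming guidelines and still match the spec term. If the new members are meant to mirror the WebAuthn credential record, the companion backup-state (BS) flag is not stored alongside BE here, and without it a relying party cannot notice the BE/BS combination changing between ceremonies; worth confirming whether that omission is deliberate. The `Transports`, `AttestationObject` and `AttestationClientDataJSON` arrays keep the class's existing convention of defaulting to null, so consumers should expect null rather than an empty array when the registration response lacked them.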
@@ -0,0 +1,14 @@ | ||
using System; | ||
using System.Text.Json.Serialization; | ||
|
||
namespace Fido2NetLib.Objects | ||
|
||
{ | ||
public sealed class AuthenticationExtensionsDevicePublicKeyInputs | ||
{ | ||
[JsonPropertyName("attestation")] | ||
public string Attestation { get; set; } = "none"; | ||
|
||
[JsonPropertyName("attestationFormats")] | ||
public string[] AttestationFormats { get; set; } = Array.Empty<string>(); | ||
} | ||
} |
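Review bot: Both public properties of the new `AuthenticationExtensionsDevicePublicKeyInputs` class lack XML documentation, unlike the `<summary>` blocks this PR adds to `AttestationVerificationSuccess`; a reader has to know the device public key extension draft to understand what the relying party is asking for. Suggested: `/// <summary>Attestation conveyance preference requested for the device public key; defaults to "none".</summary>` on `Attestation` and `/// <summary>Attestation statement formats the relying party accepts for the device public key; empty means no restriction.</summary>` on `AttestationFormats` (presumably listed in preference order per the extension draft — confirm). `Attestation` is a free-form `string`, so a misspelled preference is serialized to the client unchecked; if the library already models conveyance preference as an enum, reusing it here would catch that at compile time.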
@@ -0,0 +1,15 @@ | ||
using System.Text.Json.Serialization; | ||
|
||
namespace Fido2NetLib.Objects | ||
|
||
{ | ||
public sealed class AuthenticationExtensionsDevicePublicKeyOutputs | ||
{ | ||
[JsonConverter(typeof(Base64UrlConverter))] | ||
[JsonPropertyName("authenticatorOutput")] | ||
public byte[] AuthenticatorOutput { get; set; } | ||
|
||
[JsonConverter(typeof(Base64UrlConverter))] | ||
[JsonPropertyName("signature")] | ||
public byte[] Signature { get; set; } | ||
} | ||
} |
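Review bot: `AuthenticatorOutput` and `Signature` are non-nullable `byte[]` properties filled straight from the client's JSON, so a response that omits either field deserializes to null and a later `.Length` or CBOR parse throws a NullReferenceException instead of producing a clean verification failure; either declare them `byte[]?` under `#nullable enable` (as the first file does for `AttestationCertificate`) or have the consuming code reject a null before touching them. Both values are authenticator output relayed by the client and are untrusted until `Signature` has been verified, which the verification code outside this hunk needs to do before anything in `AuthenticatorOutput` is parsed as a key or persisted. Neither property has a `<summary>`; e.g. `/// <summary>Raw device public key attestation output from the authenticator; untrusted until <see cref="Signature"/> is verified.</summary>` and `/// <summary>Signature produced by the device public key over the assertion data; verified by the relying party before the output is trusted.</summary>` (the exact signed data should be stated once the verification code settles it).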
I don't understand what we are doing here?
Basically if a new device public key was discovered in the assertion flow, add it to the list of device public keys associated with this credential.
Hmm... I think I understand @aseigler. Am I right to think that before saving the DPK the RP would perhaps check some policy or trigger a risk based ceremony before trusting that DPK and then saving/updating the storage with
res.DevicePublicKey
but in our demo we just add it directly to our in memory storage?There was a problem hiding this comment.
Yeah, basically same as registering a new credential against an existing user, but way more complicated.
Alright makes sense, I was just confused about how we used it in our demo. When I get the time I'll add a
// TODO: Check policy if we allow new devices, if-so, store it to db