Merge pull request #70 from Devolutions/add-passkey-support

feat(authenticator): Added rudimentary CTAP implementation for WebAuthn
Devolutions · Feb 21, 2024 · 5466cd7 · 5466cd7
2 parents d5982a0 + 87cdcb6
commit 5466cd7
Show file tree

Hide file tree

Showing 13 changed files with 943 additions and 73 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "slauth"
-version = "0.7.5"
+version = "0.7.6-beta.0"
 authors = ["richer <richer.arc@gmail.com>", "LucFauvel <luc.fauvel@hotmail.com>"]
 edition = "2021"
 description = "oath HOTP and TOTP complient implementation"
@@ -20,7 +20,8 @@ default = ["u2f-server", "webauthn-server", "native-bindings"]
 native-bindings = []
 u2f-server = ["u2f", "webpki"]
 u2f = ["auth-base", "untrusted",  "serde_repr", ]
-webauthn-server = [ "auth-base", "bytes", "serde_cbor", "http", "uuid" ]
+webauthn-server = [ "webauthn", "webpki" ]
+webauthn = [ "auth-base", "bytes", "serde_cbor", "uuid", "http", "ed25519-dalek", "p256" ]
 auth-base = ["base64", "byteorder", "ring", "serde", "serde_derive", "serde_json", "serde_bytes"]
 android = ["jni"]
 
@@ -32,6 +33,7 @@ time = "0.3"
 base32 = "0.4"
 hex = "0.4"
 rsa = "0.9.2"
+rand = "0.8.5"
 x509-parser = "0.15.0"
 
 base64 = { version = "0.13", optional = true }
@@ -48,19 +50,22 @@ webpki = { version = "0.22", optional = true, features = ["alloc"] }
 bytes = { version = "1.2", optional = true }
 http = { version = "1.0", optional = true }
 uuid = { version = "1.6", optional = true }
+ed25519-dalek = { version =  "2.1.0", features = ["rand_core", "pkcs8"], optional = true }
+p256 = { version = "0.13.2", optional = true }
 
 [target.'cfg(target_os="android")'.dependencies]
 jni = { version = "0.20", default-features = false, optional = true }
 
 [target.'cfg(target_arch="wasm32")'.dependencies]
-wasm-bindgen = { version = "0.2.60" }
+wasm-bindgen = { version = "0.2.91" }
 js-sys = "0.3.37"
 # FIXME: https://docs.rs/getrandom/0.2.2/getrandom/#webassembly-support
 # let `getrandom` know that JavaScript is available for our targets
 # `getrandom` is not used directly, but by adding the right feature here
 # it will be compiled with it in our dependencies as well (since union of
 # all the features selected is used when building a Cargo project)
 getrandom = { version = "0.2", features = ["js"] }
+serde-wasm-bindgen = "0.6.3"
 
 [target.'cfg(target_arch="wasm32")'.dev-dependencies]
 wasm-bindgen-test = "0.3.10"

diff --git a/README.md b/README.md
@@ -47,7 +47,11 @@ Status is describe by : ✔ as implemented, ❌ as not implemented and ⚠️ as
 | Raw Message |    ✔   |  [Spec](https://www.w3.org/TR/webauthn/) |
 | COSE |    ⚠️   |  [Spec](https://tools.ietf.org/html/rfc8152) |
 
-For the server side validation, only ECDSA P256 and P384 key validation is supported at this time. Eventually RSA and ECDAA Key validation will be added. 
+For the server side validation, the following algorithm are implemented:
+- `ES256`
+- `ES384`
+- `ED25519`
+- `RS256`
 
 #### Universal Authentication Framework (UAF)
 

diff --git a/src/lib.rs b/src/lib.rs
@@ -12,7 +12,7 @@ pub mod oath;
 #[cfg(feature = "u2f")]
 pub mod u2f;
 
-#[cfg(feature = "webauthn-server")]
+#[cfg(feature = "webauthn")]
 pub mod webauthn;
 
 #[cfg(target_arch = "wasm32")]

diff --git a/src/wasm.rs b/src/wasm.rs
@@ -1,9 +1,16 @@
+use uuid::Uuid;
 use wasm_bindgen::prelude::*;
 
-use crate::oath::{
-    decode_hex_or_base_32,
-    totp::{TOTPBuilder, TOTPContext},
-    HashesAlgorithm, OtpAuth,
+use crate::{
+    oath::{
+        decode_hex_or_base_32,
+        totp::{TOTPBuilder, TOTPContext},
+        HashesAlgorithm, OtpAuth,
+    },
+    webauthn::{
+        authenticator::WebauthnAuthenticator,
+        proto::web_message::{PublicKeyCredentialCreationOptions, PublicKeyCredentialRequestOptions},
+    },
 };
 
 #[wasm_bindgen]
@@ -74,3 +81,58 @@ impl Totp {
         self.inner.gen()
     }
 }
+
+#[cfg(feature = "webauthn")]
+#[wasm_bindgen]
+#[derive(Clone)]
+pub struct PasskeyAuthenticator {
+    aaguid: Uuid,
+}
+
+#[cfg(feature = "webauthn")]
+#[wasm_bindgen]
+impl PasskeyAuthenticator {
+    #[wasm_bindgen(constructor)]
+    pub fn new(aaguid: String) -> Result<PasskeyAuthenticator, String> {
+        let aaguid = Uuid::parse_str(aaguid.as_str()).map_err(|_| "Failed to parse aaguid from string")?;
+        Ok(PasskeyAuthenticator { aaguid })
+    }
+
+    #[wasm_bindgen(js_name = "generateCredentialCreationResponse")]
+    pub fn generate_credential_creation_response(
+        &self,
+        options: JsValue,
+        credential_id: Vec<u8>,
+        attestation_flags: u8,
+        origin: Option<String>,
+    ) -> Result<JsValue, String> {
+        let options: PublicKeyCredentialCreationOptions = serde_wasm_bindgen::from_value(options).map_err(|e| format!("{e:?}"))?;
+        let cred =
+            WebauthnAuthenticator::generate_credential_creation_response(options, self.aaguid, credential_id, origin, attestation_flags)
+                .map_err(|e| format!("{e:?}"))?;
+        serde_wasm_bindgen::to_value(&cred).map_err(|e| format!("{e:?}"))
+    }
+
+    #[wasm_bindgen(js_name = "generateCredentialRequestResponse")]
+    pub fn generate_credential_request_response(
+        &self,
+        options: JsValue,
+        credential_id: Vec<u8>,
+        attestation_flags: u8,
+        origin: Option<String>,
+        user_handle: Option<Vec<u8>>,
+        private_key: String,
+    ) -> Result<JsValue, String> {
+        let options: PublicKeyCredentialRequestOptions = serde_wasm_bindgen::from_value(options).map_err(|e| format!("{e:?}"))?;
+        let cred = WebauthnAuthenticator::generate_credential_request_response(
+            credential_id,
+            attestation_flags,
+            options,
+            origin,
+            user_handle,
+            private_key,
+        )
+        .map_err(|e| format!("{e:?}"))?;
+        serde_wasm_bindgen::to_value(&cred).map_err(|e| format!("{e:?}"))
+    }
+}