Add PRF extension support (#69)

Samuel-B-D · web-flow · commit d5982a0013a7 · 2024-02-13T11:08:37.000-05:00
* Added types for PRF extension

* Fixed issue with extensions payload decoding

* Fixed issue with extensions payload decoding
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "slauth"
-version = "0.7.4"
+version = "0.7.5"
 authors = ["richer <richer.arc@gmail.com>", "LucFauvel <luc.fauvel@hotmail.com>"]
 edition = "2021"
 description = "oath HOTP and TOTP complient implementation"
diff --git a/src/webauthn/proto/raw_message.rs b/src/webauthn/proto/raw_message.rs
@@ -14,7 +14,6 @@ use bytes::Buf;
 use serde_cbor::Value;
 use serde_derive::*;
 use std::{
-    collections::BTreeMap,
     io::{Cursor, Read},
     str::FromStr,
 };
@@ -101,10 +100,13 @@ impl AuthenticatorData {
         cursor.read_exact(&mut rp_id_hash)?;
 
         let flags = cursor.read_u8()?;
+        let has_attested_credential_data = flags & (1 << 6) > 0;
+        let has_extensions = flags & (1 << 7) > 0;
 
         let sign_count = cursor.read_u32::<BigEndian>()?;
 
-        let attested_credential_data = if cursor.remaining() > 16 {
+        let mut remaining_cbor = Value::Null;
+        let attested_credential_data = if has_attested_credential_data {
             let mut aaguid = [0u8; 16];
             cursor.read_exact(&mut aaguid)?;
 
@@ -115,27 +117,55 @@ impl AuthenticatorData {
 
             let mut remaining = vec![0u8; cursor.remaining()];
             cursor.read_exact(&mut remaining[..])?;
+            let public_key_cbor = match serde_cbor::from_slice::<serde_cbor::Value>(remaining.as_slice()) {
+                Ok(cred) => cred,
+                Err(e) if has_extensions && e.is_syntax() => {
+                    // serde_cbor will send a `ErrorImpl` with code: `ErrorCode::TrailingData` and offset: offset of
+                    // first extra byte if we have Extensions blob afterward.
+                    // Since `ErrorImpl` is not public, the best we can do is catch the syntax category and retry
+                    // the slice before the first offset error.
+
+                    // The offset is incorectly reported as of serde_cbor 0.11.2;
+                    // If, for example, a buffer of 93 bytes contain a valid CBOR payload from [0..77] (77 bytes,
+                    // bytes from 0 to 76 as the 77 bound is exclusive), the reported offset in the error will be 78.
+                    let offset = (e.offset() - 1) as usize;
+
+                    remaining_cbor = serde_cbor::from_slice::<serde_cbor::Value>(&remaining[offset..])?;
+                    serde_cbor::from_slice::<serde_cbor::Value>(&remaining[..offset])?
+                }
+                Err(e) => return Err(Error::CborError(e).into()),
+            };
 
-            let remaining_value = serde_cbor::from_slice::<serde_cbor::Value>(remaining.as_slice()).map_err(Error::CborError)?;
-
-            let credential_public_key = CredentialPublicKey::from_value(remaining_value)?;
+            let credential_public_key = CredentialPublicKey::from_value(&public_key_cbor)?;
 
             Some(AttestedCredentialData {
                 aaguid,
                 credential_id,
                 credential_public_key,
             })
         } else {
+            if has_extensions {
+                let mut remaining = vec![0u8; cursor.remaining()];
+                cursor.read_exact(&mut remaining[..])?;
+                remaining_cbor = serde_cbor::from_slice::<serde_cbor::Value>(remaining.as_slice()).map_err(Error::CborError)?;
+            }
+
             None
         };
 
+        let extensions = if has_extensions {
+            remaining_cbor
+        } else {
+            Value::Null
+        };
+
         Ok((
             AuthenticatorData {
                 rp_id_hash,
                 flags,
                 sign_count,
                 attested_credential_data,
-                extensions: Value::Null,
+                extensions,
             },
             cursor.into_inner(),
         ))
@@ -176,10 +206,10 @@ pub enum CoseKeyInfo {
 }
 
 impl CredentialPublicKey {
-    pub fn from_value(value: serde_cbor::Value) -> Result<Self, Error> {
+    pub fn from_value(value: &serde_cbor::Value) -> Result<Self, Error> {
         let map = match value {
             Value::Map(m) => m,
-            _ => BTreeMap::new(),
+            _ => return Err(Error::Other("Invalid Cbor for CredentialPublicKey".to_string())),
         };
 
         let key_type = map
diff --git a/src/webauthn/proto/web_message.rs b/src/webauthn/proto/web_message.rs
@@ -1,7 +1,7 @@
+use std::collections::HashMap;
 use serde_derive::*;
-use serde_json::Value;
 
-#[derive(Serialize, Deserialize, Clone, Debug)]
+#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq)]
 #[serde(rename = "publicKey", rename_all = "camelCase")]
 pub struct PublicKeyCredentialCreationOptions {
     pub rp: PublicKeyCredentialRpEntity,
@@ -16,8 +16,8 @@ pub struct PublicKeyCredentialCreationOptions {
     pub authenticator_selection: Option<AuthenticatorSelectionCriteria>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub attestation: Option<AttestationConveyancePreference>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub extensions: Option<Value>,
+    #[serde(default, skip_serializing_if = "Extensions::is_empty")]
+    pub extensions: Extensions,
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug)]
@@ -32,11 +32,11 @@ pub struct PublicKeyCredentialRequestOptions {
     pub allow_credentials: Vec<PublicKeyCredentialDescriptor>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub user_verification: Option<UserVerificationRequirement>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub extensions: Option<Value>,
+    #[serde(default, skip_serializing_if = "Extensions::is_empty")]
+    pub extensions: Extensions,
 }
 
-#[derive(Serialize, Deserialize, Clone, Debug)]
+#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq)]
 pub struct PublicKeyCredentialRpEntity {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub id: Option<String>,
@@ -45,7 +45,7 @@ pub struct PublicKeyCredentialRpEntity {
     pub icon: Option<String>,
 }
 
-#[derive(Serialize, Deserialize, Clone, Debug)]
+#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq)]
 #[serde(rename_all = "camelCase")]
 pub struct PublicKeyCredentialUserEntity {
     pub id: String,
@@ -55,14 +55,14 @@ pub struct PublicKeyCredentialUserEntity {
     pub icon: Option<String>,
 }
 
-#[derive(Serialize, Deserialize, Clone, Debug)]
+#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq)]
 pub struct PublicKeyCredentialParameters {
     #[serde(rename = "type")]
     pub auth_type: PublicKeyCredentialType,
     pub alg: i64,
 }
 
-#[derive(Serialize, Deserialize, Clone, Debug)]
+#[derive(Serialize, Deserialize, Clone, Debug, Eq)]
 pub struct PublicKeyCredentialDescriptor {
     #[serde(rename = "type")]
     pub cred_type: PublicKeyCredentialType,
@@ -77,13 +77,13 @@ impl PartialEq for PublicKeyCredentialDescriptor {
     }
 }
 
-#[derive(Serialize, Deserialize, Clone, Debug)]
+#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq)]
 pub enum PublicKeyCredentialType {
     #[serde(rename = "public-key")]
     PublicKey,
 }
 
-#[derive(Serialize, Deserialize, Clone, Debug)]
+#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq)]
 pub enum AuthenticatorTransport {
     #[serde(rename = "usb")]
     Usb,
@@ -95,7 +95,7 @@ pub enum AuthenticatorTransport {
     Internal,
 }
 
-#[derive(Serialize, Deserialize, Clone, Debug)]
+#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq)]
 #[serde(rename_all = "camelCase")]
 pub struct AuthenticatorSelectionCriteria {
     #[serde(skip_serializing_if = "Option::is_none")]
@@ -106,7 +106,7 @@ pub struct AuthenticatorSelectionCriteria {
     pub user_verification: Option<UserVerificationRequirement>,
 }
 
-#[derive(Serialize, Deserialize, Clone, Debug)]
+#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq)]
 #[serde(rename_all = "camelCase")]
 pub enum AuthenticatorAttachment {
     Platform,
@@ -122,7 +122,7 @@ pub enum UserVerificationRequirement {
     Discouraged,
 }
 
-#[derive(Serialize, Deserialize, Clone, Debug)]
+#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq)]
 #[serde(rename_all = "camelCase")]
 pub enum AttestationConveyancePreference {
     None,
@@ -178,3 +178,37 @@ pub enum TokenBindingStatus {
     Present,
     Supported,
 }
+
+#[derive(Serialize, Deserialize, Clone, Debug, Default, Eq, PartialEq)]
+#[serde(rename_all = "camelCase")]
+pub struct Extensions {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub prf: Option<PrfExtension>,
+}
+
+impl Extensions {
+    pub fn is_empty(&self) -> bool {
+        self.prf.is_none()
+    }
+}
+
+// https://w3c.github.io/webauthn/#dictdef-authenticationextensionsprfinputs
+#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq)]
+#[serde(rename_all = "camelCase")]
+pub struct PrfExtension {
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub eval: Option<AuthenticationExtensionsPRFValues>,
+
+    // Only supported in authentication, not creation
+    #[serde(default, skip_serializing_if = "HashMap::is_empty")]
+    pub eval_by_credential: HashMap<String, AuthenticationExtensionsPRFValues>,
+}
+
+// https://w3c.github.io/webauthn/#dictdef-authenticationextensionsprfvalues
+#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq)]
+#[serde(rename_all = "camelCase")]
+pub struct AuthenticationExtensionsPRFValues {
+    pub first: Vec<u8>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub second: Option<Vec<u8>>,
+}
diff --git a/src/webauthn/server/mod.rs b/src/webauthn/server/mod.rs
