Previous fix for eddsa key fail at authentication (#449)

* Fix wrong creation of eddsa public key

Closes #448

Previously added for issue #436, the field kty must be text string or
int but not byte string (rfc8152 section 7)

* Add tests to check if fixed OKP key can be check by validator

issue #448

* Fix coding standard & cose-lib dependency version in webauthn package

* cose-lib 4.2.3+ required

---------

Co-authored-by: Florent Morselli <florent.morselli@spomky-labs.com>

composer.json

@@ -69,7 +69,7 @@
         "symfony/serializer": "^6.1",
         "symfony/uid": "^6.1",
         "symfony/validator": "^6.1",
-        "web-auth/cose-lib": "^4.0.12",
+        "web-auth/cose-lib": "^4.2.3",
         "web-token/jwt-signature": "^3.1"
     },
     "replace": {

src/webauthn/composer.json

@@ -31,7 +31,7 @@
         "psr/log": "^1.0|^2.0|^3.0",
         "spomky-labs/cbor-php": "^3.0",
         "symfony/uid": "^6.1",
-        "web-auth/cose-lib": "^4.0.12",
+        "web-auth/cose-lib": "^4.2.3",
         "web-auth/metadata-service": "self.version"
     },
     "autoload": {

src/webauthn/src/AuthenticatorDataLoader.php

@@ -107,7 +107,7 @@ private function fixIncorrectEdDSAKey(string $data): string
         );
         $correctX = ByteStringObject::create($keyBytes);
         $correctKey = MapObject::create()
-            ->add(UnsignedIntegerObject::create(1), ByteStringObject::create('OKP'))
+            ->add(UnsignedIntegerObject::create(1), TextStringObject::create('OKP'))
             ->add(UnsignedIntegerObject::create(3), NegativeIntegerObject::create(-8))
             ->add(NegativeIntegerObject::create(-1), TextStringObject::create('Ed25519'))
             ->add(NegativeIntegerObject::create(-2), $correctX);

tests/library/Functional/AssertionTest.php

@@ -8,6 +8,8 @@
 use PHPUnit\Framework\Attributes\Test;
 use Symfony\Component\Uid\Uuid;
 use Webauthn\AuthenticatorAssertionResponse;
+use Webauthn\AuthenticatorAttestationResponse;
+use Webauthn\PublicKeyCredentialCreationOptions;
 use Webauthn\PublicKeyCredentialDescriptor;
 use Webauthn\PublicKeyCredentialRequestOptions;
 
@@ -155,4 +157,36 @@ public function anAssertionWithUserHandleCanBeVerified(): void
             );
         static::assertSame(1_548_765_641, $publicKeyCredentialSource->getCounter());
     }
+
+    #[Test]
+    public function aPreviouslyFixedKeyCanBeVerified(): void
+    {
+        $publicKeyCredentialCreationOptions = PublicKeyCredentialCreationOptions::createFromString(
+            '{"rp": {"name": "Tuleap","id": "tuleap-web.tuleap-aio-dev.docker"},"user": {"name": "admin","id": "MTAx","displayName": "Site Administrator"},"challenge": "sNZel5OhIwA5vR4wdVkwiGHR6QEnNhYOqi97OHQrc2A","pubKeyCredParams": [{"type": "public-key","alg": -8},{"type": "public-key","alg": -7},{"type": "public-key","alg": -257}],"attestation": "none"}'
+        );
+        $publicKeyCredential = $this->getPublicKeyCredentialLoader()
+            ->load(
+                '{"clientExtensionResults": {},"id": "31ivJEY3jmIoxWuGZ7pZjDuBW5n1PAMeG-e0drfhayCzOsuNaCG3PH43i-OebKT0jqY-bAFCEUh1JCCATSPa9N5QIUwwSlUQO9Pb5X1_yXJnY9q7GYfm3LvR4Yk6-HKj4MpBj6cbVOZyoLZQtd2lDEU7pSTcbTZBELQlODGSlbQ","rawId": "31ivJEY3jmIoxWuGZ7pZjDuBW5n1PAMeG-e0drfhayCzOsuNaCG3PH43i-OebKT0jqY-bAFCEUh1JCCATSPa9N5QIUwwSlUQO9Pb5X1_yXJnY9q7GYfm3LvR4Yk6-HKj4MpBj6cbVOZyoLZQtd2lDEU7pSTcbTZBELQlODGSlbQ","response": {"attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVkBBxawLfvD1MyjfrwvZRZlmxIhDbnhAYq58TqWkGOOpv2oRQAAAAEvwFefgRNH6rEWu1qNuSAqAIDfWK8kRjeOYijFa4ZnulmMO4FbmfU8Ax4b57R2t-FrILM6y41oIbc8fjeL455spPSOpj5sAUIRSHUkIIBNI9r03lAhTDBKVRA709vlfX_Jcmdj2rsZh-bcu9HhiTr4cqPgykGPpxtU5nKgtlC13aUMRTulJNxtNkEQtCU4MZKVtKMBY09LUAMnIGdFZDI1NTE5IZggGC0YVhiMGPEYGxjCGD8DFBiuGMAYLhhjCRjKGKYY3xhSGBgYnhhnGKEYIQwYPBjeGG0YwRidGIcY8Rjs","clientDataJSON": "eyJjaGFsbGVuZ2UiOiJzTlplbDVPaEl3QTV2UjR3ZFZrd2lHSFI2UUVuTmhZT3FpOTdPSFFyYzJBIiwib3JpZ2luIjoiaHR0cHM6Ly90dWxlYXAtd2ViLnR1bGVhcC1haW8tZGV2LmRvY2tlciIsInR5cGUiOiJ3ZWJhdXRobi5jcmVhdGUifQ"},"type": "public-key"}'
+            );
+        static::assertInstanceOf(AuthenticatorAttestationResponse::class, $publicKeyCredential->getResponse());
+        $source = $this->getAuthenticatorAttestationResponseValidator()
+            ->check($publicKeyCredential->getResponse(), $publicKeyCredentialCreationOptions, 'localhost');
+
+        $publicKeyCredentialRequestOptions = PublicKeyCredentialRequestOptions::createFromString(
+            '{"challenge": "2MSn916xPaaOcp86sSYBVsqYzROi4Y8H7Brl_8D5Drc","allowCredentials": [{"type": "public-key","id": "31ivJEY3jmIoxWuGZ7pZjDuBW5n1PAMeG-e0drfhayCzOsuNaCG3PH43i-OebKT0jqY-bAFCEUh1JCCATSPa9N5QIUwwSlUQO9Pb5X1_yXJnY9q7GYfm3LvR4Yk6-HKj4MpBj6cbVOZyoLZQtd2lDEU7pSTcbTZBELQlODGSlbQ"}]}'
+        );
+        $publicKeyCredential = $this->getPublicKeyCredentialLoader()
+            ->load(
+                '{"id": "31ivJEY3jmIoxWuGZ7pZjDuBW5n1PAMeG-e0drfhayCzOsuNaCG3PH43i-OebKT0jqY-bAFCEUh1JCCATSPa9N5QIUwwSlUQO9Pb5X1_yXJnY9q7GYfm3LvR4Yk6-HKj4MpBj6cbVOZyoLZQtd2lDEU7pSTcbTZBELQlODGSlbQ","rawId": "31ivJEY3jmIoxWuGZ7pZjDuBW5n1PAMeG-e0drfhayCzOsuNaCG3PH43i-OebKT0jqY-bAFCEUh1JCCATSPa9N5QIUwwSlUQO9Pb5X1_yXJnY9q7GYfm3LvR4Yk6-HKj4MpBj6cbVOZyoLZQtd2lDEU7pSTcbTZBELQlODGSlbQ","response": {"authenticatorData": "FrAt-8PUzKN-vC9lFmWbEiENueEBirnxOpaQY46m_agFAAAAAg","clientDataJSON": "eyJjaGFsbGVuZ2UiOiIyTVNuOTE2eFBhYU9jcDg2c1NZQlZzcVl6Uk9pNFk4SDdCcmxfOEQ1RHJjIiwib3JpZ2luIjoiaHR0cHM6Ly90dWxlYXAtd2ViLnR1bGVhcC1haW8tZGV2LmRvY2tlciIsInR5cGUiOiJ3ZWJhdXRobi5nZXQifQ","signature": "eK5Yk9G8LjEsaEbK9Qq9Ovcx_Nf9xbRU5EURdMsiqJSQMpSCMHhcOBwfhPxx_zuPfYPxv_mRPgtPrX0vNQ3YAg"},"type": "public-key","clientExtensionResults": {}}'
+            );
+        static::assertInstanceOf(AuthenticatorAssertionResponse::class, $publicKeyCredential->getResponse());
+        $this->getAuthenticatorAssertionResponseValidator()
+            ->check(
+                $source,
+                $publicKeyCredential->getResponse(),
+                $publicKeyCredentialRequestOptions,
+                'tuleap-web.tuleap-aio-dev.docker',
+                '101'
+            );
+    }
 }