Fixes and test for MC

Author: AlfioEmanueleFresta

libwebauthn/src/ops/webauthn/client_data.rs

@@ -0,0 +1,36 @@
+use crate::ops::webauthn::Operation;
+
+use serde::Deserialize;
+use sha2::{Digest, Sha256};
+
+#[derive(Debug, Clone, PartialEq, Deserialize)]
+pub struct ClientData {
+    pub operation: Operation,
+    pub challenge: Vec<u8>,
+    pub origin: String,
+    #[serde(rename = "crossOrigin")]
+    pub cross_origin: Option<bool>,
+}
+
+impl ClientData {
+    pub fn hash(&self) -> Vec<u8> {
+        let op_str = match &self.operation {
+            Operation::MakeCredential => "webauthn.create",
+            Operation::GetAssertion => "webauthn.get",
+        };
+        let challenge_str = base64_url::encode(&self.challenge);
+        let origin_str = &self.origin;
+        let cross_origin_str = if self.cross_origin.unwrap_or(false) {
+            "true"
+        } else {
+            "false"
+        };
+        let json =     
+            format!("{{\"type\":\"{op_str}\",\"challenge\":\"{challenge_str}\",\"origin\":\"{origin_str}\",\"crossOrigin\":{cross_origin_str}}}");
+
+        let mut hasher = Sha256::new();
+        hasher.update(json.as_bytes());
+        hasher.finalize().to_vec()
+    }
+}
+

libwebauthn/src/ops/webauthn/idl.rs renamed to libwebauthn/src/ops/webauthn/idl/base64url.rs

@@ -1,40 +1,8 @@
 use std::ops::Deref;
 
 use base64_url;
-use serde::{de::DeserializeOwned, Deserialize, Serialize};
-use serde_json;
+use serde::{Deserialize, Serialize};
 
-use super::rpid::RelyingPartyId;
-
-pub type JsonError = serde_json::Error;
-
-pub trait WebAuthnIDL<E>: Sized
-where
-    E: std::error::Error, // Validation error type.
-    Self: FromInnerModel<Self::InnerModel, E>,
-{
-    /// An error type that can be returned when deserializing from JSON, including
-    /// JSON parsing errors and any additional validation errors.
-    type Error: std::error::Error + From<JsonError> + From<E>;
-
-    /// The JSON model that this IDL can deserialize from.
-    type InnerModel: DeserializeOwned;
-
-    fn from_json(rpid: &RelyingPartyId, json: &str) -> Result<Self, Self::Error> {
-        let inner_model: Self::InnerModel = serde_json::from_str(json)?;
-        Self::from_inner_model(rpid, inner_model).map_err(From::from)
-    }
-}
-
-pub trait FromInnerModel<T, E>: Sized
-where
-    T: DeserializeOwned,
-    E: std::error::Error,
-{
-    fn from_inner_model(rpid: &RelyingPartyId, inner: T) -> Result<Self, E>;
-}
-
-// TODO(afresta): Move to ctap2 module.
 #[derive(Debug, Clone, PartialEq)]
 pub struct Base64UrlString(pub Vec<u8>);
 

libwebauthn/src/ops/webauthn/create.rs renamed to libwebauthn/src/ops/webauthn/idl/create.rs

@@ -1,11 +1,10 @@
-use super::idl::Base64UrlString;
+use super::Base64UrlString;
 use crate::{
     ops::webauthn::{
         MakeCredentialsRequestExtensions, ResidentKeyRequirement, UserVerificationRequirement,
     },
     proto::ctap2::{
         Ctap2CredentialType, Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialRpEntity,
-        Ctap2PublicKeyCredentialUserEntity,
     },
 };
 
@@ -33,10 +32,18 @@ fn default_user_verification() -> UserVerificationRequirement {
     UserVerificationRequirement::Preferred
 }
 
+#[derive(Debug, Clone, PartialEq, Deserialize)]
+pub struct PublicKeyCredentialUserEntity {
+    pub id: Base64UrlString,
+    pub name: String,
+    #[serde(rename = "displayName")]
+    pub display_name: String,
+}
+
 #[derive(Debug, Clone, Deserialize)]
 pub struct PublicKeyCredentialCreationOptionsJSON {
     pub rp: Ctap2PublicKeyCredentialRpEntity,
-    pub user: Ctap2PublicKeyCredentialUserEntity,
+    pub user: PublicKeyCredentialUserEntity,
     pub challenge: Base64UrlString,
     #[serde(rename = "pubKeyCredParams")]
     pub params: Vec<Ctap2CredentialType>,

libwebauthn/src/ops/webauthn/idl/mod.rs

@@ -0,0 +1,38 @@
+mod base64url;
+pub mod create;
+pub mod rpid;
+
+pub use base64url::Base64UrlString;
+
+use rpid::RelyingPartyId;
+
+use serde::de::DeserializeOwned;
+use serde_json;
+
+pub type JsonError = serde_json::Error;
+
+pub trait WebAuthnIDL<E>: Sized
+where
+    E: std::error::Error, // Validation error type.
+    Self: FromInnerModel<Self::InnerModel, E>,
+{
+    /// An error type that can be returned when deserializing from JSON, including
+    /// JSON parsing errors and any additional validation errors.
+    type Error: std::error::Error + From<JsonError> + From<E>;
+
+    /// The JSON model that this IDL can deserialize from.
+    type InnerModel: DeserializeOwned;
+
+    fn from_json(rpid: &RelyingPartyId, json: &str) -> Result<Self, Self::Error> {
+        let inner_model: Self::InnerModel = serde_json::from_str(json)?;
+        Self::from_inner_model(rpid, inner_model).map_err(From::from)
+    }
+}
+
+pub trait FromInnerModel<T, E>: Sized
+where
+    T: DeserializeOwned,
+    E: std::error::Error,
+{
+    fn from_inner_model(rpid: &RelyingPartyId, inner: T) -> Result<Self, E>;
+}

libwebauthn/src/ops/webauthn/rpid.rs renamed to libwebauthn/src/ops/webauthn/idl/rpid.rs

@@ -9,9 +9,12 @@ use tracing::{debug, instrument, trace};
 use crate::{
     fido::AuthenticatorData,
     ops::webauthn::{
-        create::PublicKeyCredentialCreationOptionsJSON,
-        idl::{Base64UrlString, FromInnerModel, JsonError, WebAuthnIDL},
-        rpid::RelyingPartyId,
+        client_data::ClientData,
+        idl::{
+            create::PublicKeyCredentialCreationOptionsJSON, Base64UrlString, FromInnerModel,
+            JsonError, WebAuthnIDL,
+        },
+        Operation, RelyingPartyId,
     },
     proto::{
         ctap1::{Ctap1RegisteredKey, Ctap1Version},
@@ -162,7 +165,7 @@ impl MakeCredentialsResponseUnsignedExtensions {
     }
 }
 
-#[derive(Debug, Clone, Copy, Deserialize)]
+#[derive(Debug, Clone, Copy, Deserialize, PartialEq)]
 pub enum ResidentKeyRequirement {
     #[serde(rename = "required")]
     Required,
@@ -172,7 +175,7 @@ pub enum ResidentKeyRequirement {
     Discouraged,
 }
 
-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, PartialEq)]
 pub struct MakeCredentialRequest {
     pub hash: Vec<u8>,
     pub origin: String,
@@ -221,14 +224,21 @@ impl FromInnerModel<PublicKeyCredentialCreationOptionsJSON, MakeCredentialReques
 
         let timeout: Duration = inner
             .timeout
-            .map(|s| Duration::from_secs(s.into()))
+            .map(|s| Duration::from_millis(s.into()))
             .unwrap_or(DEFAULT_TIMEOUT);
 
+        let client_data_json = ClientData {
+            operation: Operation::MakeCredential,
+            challenge: inner.challenge.to_vec(),
+            origin: rpid.to_string(),
+            cross_origin: None,
+        };
+
         Ok(Self {
-            hash: inner.challenge.into(),
+            hash: client_data_json.hash(),
             origin: rpid.to_owned().into(),
             relying_party: inner.rp,
-            user: inner.user,
+            user: inner.user.into(),
             resident_key,
             user_verification,
             algorithms: inner.params,
@@ -255,7 +265,7 @@ impl WebAuthnIDL<MakeCredentialRequestParsingError> for MakeCredentialRequest {
     type InnerModel = PublicKeyCredentialCreationOptionsJSON;
 }
 
-#[derive(Debug, Clone, Deserialize)]
+#[derive(Debug, Clone, Deserialize, PartialEq)]
 pub struct MakeCredentialPrfInput {
     #[serde(rename = "eval")]
     pub _eval: Option<JsonValue>,
@@ -267,7 +277,7 @@ pub struct MakeCredentialPrfOutput {
     pub enabled: Option<bool>,
 }
 
-#[derive(Debug, Clone, Deserialize)]
+#[derive(Debug, Clone, Deserialize, PartialEq)]
 pub struct CredentialProtectionExtension {
     #[serde(rename = "credentialProtectionPolicy")]
     pub policy: CredentialProtectionPolicy,
@@ -324,7 +334,7 @@ pub struct CredentialPropsExtension {
     pub rk: Option<bool>,
 }
 
-#[derive(Debug, Default, Clone, Deserialize)]
+#[derive(Debug, Default, Clone, Deserialize, PartialEq)]
 pub struct MakeCredentialLargeBlobExtensionInput {
     pub support: MakeCredentialLargeBlobExtension,
 }
@@ -346,7 +356,7 @@ pub struct MakeCredentialLargeBlobExtensionOutput {
     pub supported: Option<bool>,
 }
 
-#[derive(Debug, Default, Clone, Deserialize)]
+#[derive(Debug, Default, Clone, Deserialize, PartialEq)]
 pub struct MakeCredentialsRequestExtensions {
     #[serde(rename = "credProps")]
     pub cred_props: Option<bool>,
@@ -452,3 +462,86 @@ impl DowngradableRequest<RegisterRequest> for MakeCredentialRequest {
         Ok(downgraded)
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use std::time::Duration;
+
+    use crate::ops::webauthn::MakeCredentialRequest;
+    use crate::ops::webauthn::RelyingPartyId;
+
+    use super::*;
+
+    pub const REQUEST_BASE_JSON: &str = r#"
+    {
+        "rp": {
+            "id": "example.org",
+            "name": "example.org"
+        },
+        "user": {
+            "id": "dXNlcmlk",
+            "name": "mario.rossi",
+            "displayName": "Mario Rossi"
+        },
+        "challenge": "Y3JlZGVudGlhbHMtZm9yLWxpbnV4L2xpYndlYmF1dGhu",
+        "pubKeyCredParams": [
+            {
+                "type": "public-key",
+                "alg": -7
+            }
+        ],
+        "timeout": 30000,
+        "excludeCredentials": [],
+        "authenticatorSelection": {
+            "residentKey": "discouraged",
+            "userVerification": "preferred"
+        },
+        "attestation": "none",
+        "attestationFormats": ["packed", "fido-u2f"]
+    }
+    "#;
+
+    fn request_base() -> MakeCredentialRequest {
+        MakeCredentialRequest {
+            origin: "example.org".to_string(),
+            hash: ClientData {
+                operation: Operation::MakeCredential,
+                challenge: base64_url::decode("Y3JlZGVudGlhbHMtZm9yLWxpbnV4L2xpYndlYmF1dGhu")
+                    .unwrap(),
+                origin: "example.org".to_string(),
+                cross_origin: None,
+            }
+            .hash(),
+            relying_party: Ctap2PublicKeyCredentialRpEntity::new("example.org", "example.org"),
+            user: Ctap2PublicKeyCredentialUserEntity::new(b"userid", "mario.rossi", "Mario Rossi"),
+            resident_key: Some(ResidentKeyRequirement::Discouraged),
+            user_verification: UserVerificationRequirement::Preferred,
+            algorithms: vec![Ctap2CredentialType::default()],
+            exclude: None,
+            extensions: None,
+            timeout: Duration::from_secs(30),
+        }
+    }
+
+    fn json_field_add(str: &str, field: &str, value: &str) -> String {
+        let mut v: serde_json::Value = serde_json::from_str(str).unwrap();
+        v.as_object_mut()
+            .unwrap()
+            .insert(field.to_owned(), serde_json::from_str(value).unwrap());
+        serde_json::to_string(&v).unwrap()
+    }
+
+    fn json_field_rm(str: &str, field: &str) -> String {
+        let mut v: serde_json::Value = serde_json::from_str(str).unwrap();
+        v.as_object_mut().unwrap().remove(field);
+        serde_json::to_string(&v).unwrap()
+    }
+
+    #[test]
+    fn test_request_from_json_base() {
+        let rpid = RelyingPartyId::try_from("example.org").unwrap();
+        let req: MakeCredentialRequest =
+            MakeCredentialRequest::from_json(&rpid, REQUEST_BASE_JSON).unwrap();
+        assert_eq!(req, request_base());
+    }
+}

libwebauthn/src/ops/webauthn/make_credential.rs

@@ -1,8 +1,7 @@
-mod create;
+mod client_data;
 mod get_assertion;
-pub(crate) mod idl;
+pub mod idl;
 mod make_credential;
-mod rpid;
 
 use super::u2f::{RegisterRequest, SignRequest};
 use crate::webauthn::CtapError;
@@ -13,18 +12,23 @@ pub use get_assertion::{
     GetAssertionResponseExtensions, GetAssertionResponseUnsignedExtensions, HMACGetSecretInput,
     HMACGetSecretOutput, PRFValue, PrfInput,
 };
-pub use idl::{Base64UrlString, WebAuthnIDL};
+pub use idl::{rpid::RelyingPartyId, Base64UrlString, WebAuthnIDL};
 pub use make_credential::{
     CredentialPropsExtension, CredentialProtectionExtension, CredentialProtectionPolicy,
     MakeCredentialLargeBlobExtension, MakeCredentialLargeBlobExtensionOutput,
     MakeCredentialPrfInput, MakeCredentialPrfOutput, MakeCredentialRequest, MakeCredentialResponse,
     MakeCredentialsRequestExtensions, MakeCredentialsResponseExtensions,
     MakeCredentialsResponseUnsignedExtensions, ResidentKeyRequirement,
 };
-pub use rpid::RelyingPartyId;
 use serde::Deserialize;
 
-#[derive(Debug, Clone, Copy, Deserialize)]
+#[derive(Debug, Clone, Copy, Deserialize, PartialEq)]
+pub enum Operation {
+    MakeCredential,
+    GetAssertion,
+}
+
+#[derive(Debug, Clone, Copy, Deserialize, PartialEq)]
 pub enum UserVerificationRequirement {
     #[serde(rename = "required")]
     Required,