[EC-598] feat: add support for saving discoverable credential

2025-12-15 15:53:27 +00:00 · 2023-03-22 15:37:16 +01:00
parent cb9f102b7d
commit 4926278fb9
2 changed files with 78 additions and 5 deletions
--- a/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
+++ b/libs/common/src/webauthn/services/fido2-authenticator.service.spec.ts
@@ -163,7 +163,7 @@ describe("FidoAuthenticatorService", () => {
        } as NewCredentialParams);
      });

-      /** Spec: If the user declines permission */
+      /** Spec: If the user declines permission, return the CTAP2_ERR_OPERATION_DENIED error. */
      it("should throw error if user denies creation request", async () => {
        userInterface.confirmNewCredential.mockResolvedValue(false);
        const params = await createCredentialParams();
@@ -175,6 +175,35 @@ describe("FidoAuthenticatorService", () => {
        );
      });
    });
+
+    describe("creation of discoverable credential", () => {
+      it("should save credential to vault if request confirmed by user", async () => {
+        const encryptedCipher = Symbol();
+        userInterface.confirmNewCredential.mockResolvedValue(true);
+        cipherService.encrypt.mockResolvedValue(encryptedCipher as unknown as Cipher);
+        const params = await createCredentialParams({ options: { rk: true } });
+
+        await authenticator.makeCredential(params);
+
+        const saved = cipherService.encrypt.mock.lastCall?.[0];
+        expect(saved).toEqual(
+          expect.objectContaining({
+            type: CipherType.Fido2Key,
+            name: params.rp.name,
+
+            fido2Key: expect.objectContaining({
+              keyType: "ECDSA",
+              keyCurve: "P-256",
+              rpId: params.rp.id,
+              rpName: params.rp.name,
+              userHandle: Fido2Utils.bufferToString(params.user.id),
+              userName: params.user.name,
+            }),
+          })
+        );
+        expect(cipherService.createWithServer).toHaveBeenCalledWith(encryptedCipher);
+      });
+    });
  });
 });

--- a/libs/common/src/webauthn/services/fido2-authenticator.service.ts
+++ b/libs/common/src/webauthn/services/fido2-authenticator.service.ts
@@ -1,3 +1,5 @@
+import { CipherType } from "../../vault/enums/cipher-type";
+import { CipherView } from "../../vault/models/view/cipher.view";
 import { CipherService } from "../../vault/services/cipher.service";
 import {
  Fido2AlgorithmIdentifier,
@@ -8,6 +10,9 @@ import {
 } from "../abstractions/fido2-authenticator.service.abstraction";
 import { Fido2UserInterfaceService } from "../abstractions/fido2-user-interface.service.abstraction";
 import { Fido2Utils } from "../abstractions/fido2-utils";
+import { Fido2KeyView } from "../models/view/fido2-key.view";
+
+const KeyUsages: KeyUsage[] = ["sign"];

 /**
 * Bitwarden implementation of the Authenticator API described by the FIDO Alliance
@@ -40,12 +45,12 @@ export class Fido2AuthenticatorService implements Fido2AuthenticatorServiceAbstr
    // We deviate from this because we allow duplicates to be created if the user confirms it,
    // and we don't want to ask the user for confirmation if the input params haven't already
    // been verified.
-    const duplicateExists = await this.vaultContainsId(
+    const isExcluded = await this.vaultContainsId(
      params.excludeList.map((key) => Fido2Utils.bufferToString(key.id))
    );
    let userVerification = false;

-    if (duplicateExists) {
+    if (isExcluded) {
      userVerification = await this.userInterface.confirmDuplicateCredential(
        [Fido2Utils.bufferToString(params.excludeList[0].id)],
        {
@@ -60,11 +65,17 @@ export class Fido2AuthenticatorService implements Fido2AuthenticatorServiceAbstr
      });
    }

-    if (!userVerification && duplicateExists) {
+    if (!userVerification && isExcluded) {
      throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_CREDENTIAL_EXCLUDED);
-    } else if (!userVerification && !duplicateExists) {
+    } else if (!userVerification && !isExcluded) {
      throw new Fido2AutenticatorError(Fido2AutenticatorErrorCode.CTAP2_ERR_OPERATION_DENIED);
    }
+
+    const keyPair = await this.createKeyPair();
+    const vaultItem = await this.createVaultItem(params, keyPair.privateKey);
+
+    const encrypted = await this.cipherService.encrypt(vaultItem);
+    await this.cipherService.createWithServer(encrypted);
  }

  private async vaultContainsId(ids: string[]): Promise<boolean> {
@@ -76,4 +87,37 @@ export class Fido2AuthenticatorService implements Fido2AuthenticatorServiceAbstr

    return false;
  }
+
+  private async createKeyPair() {
+    return await crypto.subtle.generateKey(
+      {
+        name: "ECDSA",
+        namedCurve: "P-256",
+      },
+      true,
+      KeyUsages
+    );
+  }
+
+  private async createVaultItem(
+    params: Fido2AuthenticatorMakeCredentialsParams,
+    keyValue: CryptoKey
+  ): Promise<CipherView> {
+    const pcks8Key = await crypto.subtle.exportKey("pkcs8", keyValue);
+
+    const view = new CipherView();
+    view.type = CipherType.Fido2Key;
+    view.name = params.rp.name;
+
+    view.fido2Key = new Fido2KeyView();
+    view.fido2Key.keyType = "ECDSA";
+    view.fido2Key.keyCurve = "P-256";
+    view.fido2Key.keyValue = Fido2Utils.bufferToString(pcks8Key);
+    view.fido2Key.rpId = params.rp.id;
+    view.fido2Key.rpName = params.rp.name;
+    view.fido2Key.userHandle = Fido2Utils.bufferToString(params.user.id);
+    view.fido2Key.userName = params.user.name;
+
+    return view;
+  }
 }