[PM-5731] feat: start implementing attestation

2025-12-12 14:23:26 +00:00 · 2024-01-24 11:04:37 +01:00
parent ce550fee74
commit 19639b61c3
7 changed files with 128 additions and 7 deletions
--- a/src/Core/Services/Fido2AuthenticatorService.cs
+++ b/src/Core/Services/Fido2AuthenticatorService.cs
@@ -23,6 +23,20 @@ namespace Bit.Core.Services
            _userInterface = userInterface;
        }
        public Task<Fido2AuthenticatorMakeCredentialResult> MakeCredentialAsync(Fido2AuthenticatorMakeCredentialParams makeCredentialParams) 
        {
            if (makeCredentialParams.CredTypesAndPubKeyAlgs.All((p) => p.Algorithm != (int) Fido2AlgorithmIdentifier.ES256))
            {
                var requestedAlgorithms = string.Join(", ", makeCredentialParams.CredTypesAndPubKeyAlgs.Select((p) => p.Algorithm).ToArray());
                _logService.Warning(
                    $"[Fido2Authenticator] No compatible algorithms found, RP requested: {requestedAlgorithms}"
                );
                throw new NotSupportedError();
            }
            throw new NotImplementedException();
        }
        public async Task<Fido2AuthenticatorGetAssertionResult> GetAssertionAsync(Fido2AuthenticatorGetAssertionParams assertionParams)
        {
            List<CipherView> cipherOptions;
@@ -116,10 +130,6 @@ namespace Bit.Core.Services
            }
        }
        public Task<Fido2AuthenticatorMakeCredentialResult> MakeCredentialAsync(Fido2AuthenticatorMakeCredentialParams makeCredentialParams) {
            throw new NotImplementedException();
        }
        private async Task<List<CipherView>> FindCredentialsById(PublicKeyCredentialDescriptor[] credentials, string rpId)
        {
            var ids = new List<string>();
--- a/src/Core/Utilities/Fido2/Fido2AlgorithmIdentifier.cs
+++ b/src/Core/Utilities/Fido2/Fido2AlgorithmIdentifier.cs
@@ -0,0 +1,6 @@
 namespace Bit.Core.Utilities.Fido2 {
    public enum Fido2AlgorithmIdentifier : int {
        ES256 = -7,
        RS256 = -257,
    }
 }
--- a/src/Core/Utilities/Fido2/Fido2AuthenticatorException.cs
+++ b/src/Core/Utilities/Fido2/Fido2AuthenticatorException.cs
@@ -14,6 +14,13 @@ namespace Bit.Core.Utilities.Fido2
        }
    }
    public class NotSupportedError : Fido2AuthenticatorException
    {
        public NotSupportedError() : base("NotSupportedError")
        {
        }
    }
    public class UnknownError : Fido2AuthenticatorException
    {
        public UnknownError() : base("UnknownError")
--- a/src/Core/Utilities/Fido2/Fido2AuthenticatorMakeCredentialParams.cs
+++ b/src/Core/Utilities/Fido2/Fido2AuthenticatorMakeCredentialParams.cs
@@ -20,7 +20,7 @@ namespace Bit.Core.Utilities.Fido2
        ///<summary>
        /// A sequence of pairs of PublicKeyCredentialType and public key algorithms (COSEAlgorithmIdentifier) requested by the Relying Party. This sequence is ordered from most preferred to least preferred. The authenticator makes a best-effort to create the most preferred credential that it can. */
        ///</summary>
-        public PublicKeyCredentialDescriptor[] CredTypesAndPubKeyAlgs { get; set; }
+        public PublicKeyCredentialAlgorithmDescriptor[] CredTypesAndPubKeyAlgs { get; set; }
        ///<summary>
        /// The effective resident key requirement for credential creation, a Boolean value determined by the client. Resident is synonymous with discoverable. */
--- a/src/Core/Utilities/Fido2/PublicKeyCredentialAlgorithmDescriptor.cs
+++ b/src/Core/Utilities/Fido2/PublicKeyCredentialAlgorithmDescriptor.cs
@@ -0,0 +1,9 @@
 namespace Bit.Core.Utilities.Fido2
 {
    public class PublicKeyCredentialAlgorithmDescriptor {
        public byte[] Id {get; set;}
        public string[] Transports;
        public string Type;
        public int Algorithm;
    }
 }
--- a/test/Core.Test/Services/Fido2AuthenticatorGetAssertionTests.cs
+++ b/test/Core.Test/Services/Fido2AuthenticatorGetAssertionTests.cs
@@ -19,7 +19,7 @@ using System.Linq;
 namespace Bit.Core.Test.Services
 {
-    public class Fido2AuthenticatorTests
+    public class Fido2AuthenticatorGetAssertionTests
    {
        #region missing non-discoverable credential
--- a/test/Core.Test/Services/Fido2AuthenticatorMakeCredentialTests.cs
+++ b/test/Core.Test/Services/Fido2AuthenticatorMakeCredentialTests.cs
@@ -0,0 +1,89 @@
 using System;
 using System.Threading.Tasks;
 using Bit.Core.Abstractions;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
 using Bit.Core.Models.Domain;
 using Bit.Core.Models.View;
 using Bit.Core.Enums;
 using Bit.Core.Test.AutoFixture;
 using Bit.Core.Utilities.Fido2;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
 using NSubstitute.ExceptionExtensions;
 using Xunit;
 using Bit.Core.Utilities;
 using System.Collections.Generic;
 using System.Linq;
 namespace Bit.Core.Test.Services
 {
    public class Fido2AuthenticatorMakeCredentialTests
    {
        #region missing non-discoverable credential
        // Spec: If credentialOptions is now empty, return an error code equivalent to "NotAllowedError" and terminate the operation.
        [Theory]
        [InlineCustomAutoData(new[] { typeof(SutProviderCustomization) })]
        public async Task GetAssertionAsync_ThrowsNotSupported_NoSupportedAlgorithm(SutProvider<Fido2AuthenticatorService> sutProvider, Fido2AuthenticatorMakeCredentialParams mParams)
        {
            mParams.CredTypesAndPubKeyAlgs = [
                new PublicKeyCredentialAlgorithmDescriptor {
                    Type = "public-key",
                    Algorithm = -257 // RS256 which we do not support
                }
            ];
            await Assert.ThrowsAsync<NotSupportedError>(() => sutProvider.Sut.MakeCredentialAsync(mParams));
        }
        // [Theory]
        // [InlineCustomAutoData(new[] { typeof(SutProviderCustomization) })]
        // public async Task GetAssertionAsync_Throws_CredentialExistsButRpIdDoesNotMatch(SutProvider<Fido2AuthenticatorService> sutProvider, Fido2AuthenticatorGetAssertionParams aParams)
        // {
        //     var credentialId = Guid.NewGuid();
        //     aParams.RpId = "bitwarden.com";
        //     aParams.AllowCredentialDescriptorList = [
        //         new PublicKeyCredentialDescriptor {
        //             Id = credentialId.ToByteArray(),
        //             Type = "public-key"
        //         }
        //     ];
        //     sutProvider.GetDependency<ICipherService>().GetAllDecryptedAsync().Returns([
        //         CreateCipherView(credentialId.ToString(), "mismatch-rpid", false),
        //     ]);
        //     await Assert.ThrowsAsync<NotAllowedError>(() => sutProvider.Sut.GetAssertionAsync(aParams));
        // }
        #endregion
        private byte[] RandomBytes(int length)
        {
            var bytes = new byte[length];
            new Random().NextBytes(bytes);
            return bytes;
        }
        #nullable enable
        private CipherView CreateCipherView(string? credentialId, string? rpId, bool? discoverable)
        {
            return new CipherView {
                Type = CipherType.Login,
                Id = Guid.NewGuid().ToString(),
                Reprompt = CipherRepromptType.None,
                Login = new LoginView {
                    Fido2Credentials = new List<Fido2CredentialView> {
                        new Fido2CredentialView {
                            CredentialId = credentialId ?? Guid.NewGuid().ToString(),
                            RpId = rpId ?? "bitwarden.com",
                            Discoverable = discoverable.HasValue ? discoverable.ToString() : "true",
                            UserHandleValue = RandomBytes(32),
                        }
                    }
                }
            };
        }
    }
 }