bitwarden/mobile
1
0
Fork 0
mirror of https://github.com/bitwarden/mobile synced 2025-12-05 23:53:33 +00:00
Code Issues Releases Wiki Activity

[PM-5731] feat: add support for specifying user presence requirement

Browse Source
This commit is contained in:
Andreas Coroiu
2024-01-30 14:19:41 +01:00
parent 6bb724ff06
commit ca250c53ad
3 changed files with 86 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
src/Core/Services/Fido2AuthenticatorService.cs
View File

@@ -126,14 +126,27 @@ namespace Bit.Core.Services
throw new NotAllowedError();
}
var response = await _userInterface.PickCredentialAsync(new Fido2PickCredentialParams {
CipherIds = cipherOptions.Select((cipher) => cipher.Id).ToArray(),
UserVerification = assertionParams.RequireUserVerification
});
var selectedCipherId = response.CipherId;
var userVerified = response.UserVerified;
var selectedCipher = cipherOptions.FirstOrDefault((c) => c.Id == selectedCipherId);
string selectedCipherId;
bool userVerified;
bool userPresence;
if (assertionParams.AllowCredentialDescriptorList?.Length == 1 && assertionParams.RequireUserPresence == false)
{
selectedCipherId = cipherOptions[0].Id;
userVerified = false;
userPresence = false;
}
else
{
var response = await _userInterface.PickCredentialAsync(new Fido2PickCredentialParams {
CipherIds = cipherOptions.Select((cipher) => cipher.Id).ToArray(),
UserVerification = assertionParams.RequireUserVerification
});
selectedCipherId = response.CipherId;
userVerified = response.UserVerified;
userPresence = true;
}
var selectedCipher = cipherOptions.FirstOrDefault((c) => c.Id == selectedCipherId);
if (selectedCipher == null) {
// _logService.Info(
// "[Fido2Authenticator] Aborting because the selected credential could not be found."
@@ -142,6 +155,14 @@ namespace Bit.Core.Services
throw new NotAllowedError();
}
if (!userPresence && assertionParams.RequireUserPresence) {
// _logService.Info(
// "[Fido2Authenticator] Aborting because user presence was required but not detected."
// );
throw new NotAllowedError();
}
if (!userVerified && (assertionParams.RequireUserVerification || selectedCipher.Reprompt != CipherRepromptType.None)) {
// _logService.Info(
// "[Fido2Authenticator] Aborting because user verification was unsuccessful."
@@ -164,14 +185,14 @@ namespace Bit.Core.Services
var authenticatorData = await GenerateAuthDataAsync(
rpId: selectedFido2Credential.RpId,
userPresence: true,
userPresence: userPresence,
userVerification: userVerified,
counter: selectedFido2Credential.CounterValue
);
var signature = GenerateSignature(
authData: authenticatorData,
clientDataHash: assertionParams.Hash,
clientDataHash: assertionParams.ClientDataHash,
privateKey: selectedFido2Credential.KeyBytes
);
@@ -207,9 +228,9 @@ namespace Bit.Core.Services
return credentials;
}
///<summary>
/// <summary>
/// Finds existing crendetials and returns the `CipherId` for each one
///</summary>
/// </summary>
private async Task<string[]> FindExcludedCredentialsAsync(
PublicKeyCredentialDescriptor[] credentials
) {

18
src/Core/Utilities/Fido2/Fido2AuthenticatorGetAssertionParams.cs
View File

@@ -6,17 +6,21 @@
public string RpId { get; set; }
/** The hash of the serialized client data, provided by the client. */
public byte[] Hash {get; set;}
public byte[] ClientDataHash { get; set; }
public PublicKeyCredentialDescriptor[] AllowCredentialDescriptorList {get; set;}
public PublicKeyCredentialDescriptor[] AllowCredentialDescriptorList { get; set; }
/** The effective user verification requirement for assertion, a Boolean value provided by the client. */
public bool RequireUserVerification {get; set;}
/// <summary>
/// Instructs the authenticator to require a user-verifying gesture in order to complete the request. Examples of such gestures are fingerprint scan or a PIN.
/// </summary>
public bool RequireUserVerification { get; set; }
/** CTAP2 authenticators support setting this to false, but we only support the WebAuthn authenticator model which does not have that option. */
// public bool RequireUserPresence {get; set;} // Always required
/// <summary>
/// Instructs the authenticator to require user consent to complete the operation.
/// </summary>
public bool RequireUserPresence { get; set; }
public object Extensions {get; set;}
public object Extensions { get; set; }
}
}

47
test/Core.Test/Services/Fido2AuthenticatorGetAssertionTests.cs
View File

@@ -6,7 +6,6 @@ using Bit.Core.Services;
using Bit.Core.Models.Domain;
using Bit.Core.Models.View;
using Bit.Core.Enums;
using Bit.Core.Test.AutoFixture;
using Bit.Core.Utilities.Fido2;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
@@ -34,7 +33,7 @@ namespace Bit.Core.Test.Services
[Theory]
[InlineCustomAutoData(new[] { typeof(SutProviderCustomization) })]
public async Task GetAssertionAsync_Throws_CredentialExistsButRpIdDoesNotMatch(SutProvider<Fido2AuthenticatorService> sutProvider, Fido2AuthenticatorGetAssertionParams aParams)
public async Task GetAssertionAsync_ThrowsNotAllowed_CredentialExistsButRpIdDoesNotMatch(SutProvider<Fido2AuthenticatorService> sutProvider, Fido2AuthenticatorGetAssertionParams aParams)
{
var credentialId = Guid.NewGuid();
aParams.RpId = "bitwarden.com";
@@ -305,7 +304,7 @@ namespace Bit.Core.Test.Services
// Arrange
var keyPair = GenerateKeyPair();
var rpIdHashMock = RandomBytes(32);
aParams.Hash = RandomBytes(32);
aParams.ClientDataHash = RandomBytes(32);
sutProvider.GetDependency<ICryptoFunctionService>().HashAsync(aParams.RpId, CryptoHashAlgorithm.Sha256).Returns(rpIdHashMock);
cipherView.Login.MainFido2Credential.CounterValue = 9000;
cipherView.Login.MainFido2Credential.KeyValue = CoreHelpers.Base64UrlEncode(keyPair.ExportPkcs8PrivateKey());
@@ -324,7 +323,47 @@ namespace Bit.Core.Test.Services
Assert.Equal(rpIdHashMock, rpIdHash);
Assert.Equal(new byte[] { 0b00000101 }, flags); // UP = true, UV = true
Assert.Equal(new byte[] { 0, 0, 0x23, 0x29 }, counter); // 9001 in binary big-endian format
Assert.True(keyPair.VerifyData(authData.Concat(aParams.Hash).ToArray(), result.Signature, HashAlgorithmName.SHA256), "Signature verification failed");
Assert.True(keyPair.VerifyData(authData.Concat(aParams.ClientDataHash).ToArray(), result.Signature, HashAlgorithmName.SHA256), "Signature verification failed");
}
[Theory]
[InlineCustomAutoData(new[] { typeof(SutProviderCustomization) })]
public async Task GetAssertionAsync_DoesNotAskForConfirmation_ParamsContainsOneAllowedCredentialAndUserPresenceIsFalse(SutProvider<Fido2AuthenticatorService> sutProvider, Fido2AuthenticatorGetAssertionParams aParams)
{
// Common arrange
var credentialIds = new[] { Guid.NewGuid(), Guid.NewGuid() };
List<CipherView> ciphers = [
CreateCipherView(credentialIds[0].ToString(), "bitwarden.com", false),
CreateCipherView(credentialIds[1].ToString(), "bitwarden.com", true)
];
var cipherView = ciphers[0];
aParams.RpId = "bitwarden.com";
aParams.RequireUserVerification = false;
aParams.RequireUserPresence = false;
aParams.AllowCredentialDescriptorList = [
new PublicKeyCredentialDescriptor {
Id = credentialIds[1].ToByteArray(),
Type = "public-key"
}
];
sutProvider.GetDependency<ICipherService>().GetAllDecryptedAsync().Returns(ciphers);
// Arrange
var keyPair = GenerateKeyPair();
var rpIdHashMock = RandomBytes(32);
aParams.ClientDataHash = RandomBytes(32);
sutProvider.GetDependency<ICryptoFunctionService>().HashAsync(aParams.RpId, CryptoHashAlgorithm.Sha256).Returns(rpIdHashMock);
cipherView.Login.MainFido2Credential.CounterValue = 9000;
cipherView.Login.MainFido2Credential.KeyValue = CoreHelpers.Base64UrlEncode(keyPair.ExportPkcs8PrivateKey());
// Act
var result = await sutProvider.Sut.GetAssertionAsync(aParams);
// Assert
await sutProvider.GetDependency<IFido2UserInterface>().DidNotReceive().PickCredentialAsync(Arg.Any<Fido2PickCredentialParams>());
var authData = result.AuthenticatorData;
var flags = authData.Skip(32).Take(1);
Assert.Equal(new byte[] { 0b00000000 }, flags); // UP = false, UV = false
}
[Theory]