mirror of
https://github.com/bitwarden/mobile
synced 2025-12-10 21:33:36 +00:00
71de3bedf4
* [PM-5731] feat: implement get assertion params object * [PM-5731] feat: add first test * [PM-5731] feat: add rp mismatch test * [PM-5731] feat: ask for credentials when found * [PM-5731] feat: find discoverable credentials * [PM-5731] feat: add tests for successful UV requests * [PM-5731] feat: add user does not consent test * [PM-5731] feat: check for UV when reprompt is active * [PM-5731] fix: tests a bit, needed some additional "arrange" steps * [PM-5731] feat: add support for counter * [PM-5731] feat: implement assertion without signature * [PM-5732] feat: finish authenticator assertion implementation note: CryptoFunctionService still needs Sign implemenation * [PM-5731] chore: minor clean up * [PM-5731] feat: scaffold make credential * [PM-5731] feat: start implementing attestation * [PM-5731] feat: implement credential exclusion * [PM-5731] feat: add new credential confirmaiton * [PM-5731] feat: implement credential creation * [PM-5731] feat: add user verification checks * [PM-5731] feat: add unknown error handling * [PM-5731] chore: clean up unusued params * [PM-5731] feat: partial attestation implementation * [PM-5731] feat: implement key generation * [PM-5731] feat: return public key in DER format * [PM-5731] feat: implement signing * [PM-5731] feat: remove logging * [PM-5731] chore: use primary constructor * [PM-5731] chore: add Async to method names * [PM-5731] feat: add support for silent discoverability * [PM-5731] feat: add support for specifying user presence requirement * [PM-5731] feat: ensure unlocked vault * [PM-5731] chore: clean up and refactor assertion tests * [PM-5731] chore: clean up and refactor attestation tests * [PM-5731] chore: add user presence todo comment * [PM-5731] feat: scaffold fido2 client * PM-5731 Fix build updating discoverable flag * [PM-5731] fix: failing test * [PM-5731] feat: add sameOriginWithAncestor and user id length checks * [PM-5731] feat: add incomplete rpId verification * [PM-5731] chore: document uri helpers * [PM-5731] feat: implement fido2 client createCredential * [PM-5731] feat: implement credential assertion in client * fix wrong signature format (cherry picked from commita1c9ebf01f) * [PM-5731] fix: issues after cherry-pick * Fix incompatible GUID conversions (cherry picked from commitc801b2fc3a) * [PM-5731] chore: remove default constructor * [PM-5731] feat: refactor user interface to increase flexibility * [PM-5731] feat: implement generic assertion user interface class * [PM-5731] feat: remove ability to make user presence optional * [PM-5731] chore: remove logging comments * [PM-5731] feat: add native reprompt support to the authenticator * [PM-5731] feat: allow pre and post UV * [PM-5731] chore: add `Async` to method name. Remove `I` from struct * [PM-5731] fix: discoverable string repr lowercase * [PM-5731] chore: don't use C# 12 features * [PM-5731] fix: replace magic strings and numbers with contants and enums * [PM-5731] fix: use UTC creation date * [PM-5731] fix: formatting * [PM-5731] chore: use properties for public fields * [PM-5731] chore: remove TODO * [PM-5731] fix: IsValidRpId --------- Co-authored-by: Federico Maccaroni <fedemkr@gmail.com> Co-authored-by: mpbw2 <59324545+mpbw2@users.noreply.github.com>
344 lines
16 KiB
C#
344 lines
16 KiB
C#
using System;
|
|
using System.Threading.Tasks;
|
|
using Bit.Core.Abstractions;
|
|
using Bit.Core.Services;
|
|
using Bit.Core.Models.Domain;
|
|
using Bit.Core.Models.View;
|
|
using Bit.Core.Enums;
|
|
using Bit.Core.Utilities.Fido2;
|
|
using Bit.Test.Common.AutoFixture;
|
|
using Bit.Test.Common.AutoFixture.Attributes;
|
|
using NSubstitute;
|
|
using NSubstitute.ExceptionExtensions;
|
|
using Xunit;
|
|
using Bit.Core.Utilities;
|
|
using System.Collections.Generic;
|
|
using System.Linq;
|
|
using System.Security.Cryptography;
|
|
|
|
namespace Bit.Core.Test.Services
|
|
{
|
|
public class Fido2AuthenticatorGetAssertionTests : IDisposable
|
|
{
|
|
private readonly string _rpId = "bitwarden.com";
|
|
private readonly SutProvider<Fido2AuthenticatorService> _sutProvider = new SutProvider<Fido2AuthenticatorService>().Create();
|
|
private readonly IFido2GetAssertionUserInterface _userInterface = Substitute.For<IFido2GetAssertionUserInterface>();
|
|
|
|
private List<string> _credentialIds;
|
|
private List<byte[]> _rawCredentialIds;
|
|
private List<CipherView> _ciphers;
|
|
private Fido2AuthenticatorGetAssertionParams _params;
|
|
private CipherView _selectedCipher;
|
|
private string _selectedCipherCredentialId;
|
|
private byte[] _selectedCipherRawCredentialId;
|
|
|
|
/// <summary>
|
|
/// Sets up a working environment for the tests.
|
|
/// </summary>
|
|
public Fido2AuthenticatorGetAssertionTests()
|
|
{
|
|
_credentialIds = [
|
|
"2a346a27-02c5-4967-ae9e-8a090a1a8ef3",
|
|
"924e812b-540e-445f-a2fc-b392a1bf9f27",
|
|
"547d7aea-0d0e-493c-bf86-d8587e730dc1",
|
|
"c07c71c4-030f-4e24-b284-c853aad72e2b"
|
|
];
|
|
_rawCredentialIds = [
|
|
[0x2a, 0x34, 0x6a, 0x27, 0x02, 0xc5, 0x49, 0x67, 0xae, 0x9e, 0x8a, 0x09, 0x0a, 0x1a, 0x8e, 0xf3],
|
|
[0x92, 0x4e, 0x81, 0x2b, 0x54, 0x0e, 0x44, 0x5f, 0xa2, 0xfc, 0xb3, 0x92, 0xa1, 0xbf, 0x9f, 0x27],
|
|
[0x54, 0x7d, 0x7a, 0xea, 0x0d, 0x0e, 0x49, 0x3c, 0xbf, 0x86, 0xd8, 0x58, 0x7e, 0x73, 0x0d, 0xc1],
|
|
[0xc0, 0x7c, 0x71, 0xc4, 0x03, 0x0f, 0x4e, 0x24, 0xb2, 0x84, 0xc8, 0x53, 0xaa, 0xd7, 0x2e, 0x2b]
|
|
];
|
|
_ciphers = [
|
|
CreateCipherView(_credentialIds[0].ToString(), _rpId, false, false),
|
|
CreateCipherView(_credentialIds[1].ToString(), _rpId, true, true),
|
|
];
|
|
_selectedCipher = _ciphers[0];
|
|
_selectedCipherCredentialId = _credentialIds[0];
|
|
_selectedCipherRawCredentialId = _rawCredentialIds[0];
|
|
_params = CreateParams(
|
|
rpId: _rpId,
|
|
allowCredentialDescriptorList: [
|
|
new PublicKeyCredentialDescriptor {
|
|
Id = _rawCredentialIds[0],
|
|
Type = Constants.DefaultFido2CredentialType
|
|
},
|
|
new PublicKeyCredentialDescriptor {
|
|
Id = _rawCredentialIds[1],
|
|
Type = Constants.DefaultFido2CredentialType
|
|
},
|
|
],
|
|
requireUserVerification: false
|
|
);
|
|
_sutProvider.GetDependency<ICipherService>().GetAllDecryptedAsync().Returns(_ciphers);
|
|
_userInterface.PickCredentialAsync(Arg.Any<Fido2GetAssertionUserInterfaceCredential[]>()).Returns((_ciphers[0].Id, false));
|
|
}
|
|
|
|
public void Dispose()
|
|
{
|
|
}
|
|
|
|
#region missing non-discoverable credential
|
|
|
|
[Fact]
|
|
// Spec: If credentialOptions is now empty, return an error code equivalent to "NotAllowedError" and terminate the operation.
|
|
public async Task GetAssertionAsync_ThrowsNotAllowed_NoCredentialsExists()
|
|
{
|
|
// Arrange
|
|
_ciphers.Clear();
|
|
|
|
// Act & Assert
|
|
await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.GetAssertionAsync(_params, _userInterface));
|
|
}
|
|
|
|
[Fact]
|
|
public async Task GetAssertionAsync_ThrowsNotAllowed_CredentialExistsButRpIdDoesNotMatch()
|
|
{
|
|
// Arrange
|
|
_params.RpId = "mismatch-rpid";
|
|
|
|
// Act & Assert
|
|
await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.GetAssertionAsync(_params, _userInterface));
|
|
}
|
|
|
|
#endregion
|
|
|
|
#region vault contains credential
|
|
|
|
[Fact]
|
|
public async Task GetAssertionAsync_AsksForAllCredentials_ParamsContainsAllowedCredentialsList()
|
|
{
|
|
// Arrange
|
|
_params.AllowCredentialDescriptorList = [
|
|
new PublicKeyCredentialDescriptor {
|
|
Id = _rawCredentialIds[0],
|
|
Type = Constants.DefaultFido2CredentialType
|
|
},
|
|
new PublicKeyCredentialDescriptor {
|
|
Id = _rawCredentialIds[1],
|
|
Type = Constants.DefaultFido2CredentialType
|
|
},
|
|
];
|
|
|
|
// Act
|
|
await _sutProvider.Sut.GetAssertionAsync(_params, _userInterface);
|
|
|
|
// Assert
|
|
await _userInterface.Received().PickCredentialAsync(Arg.Is<Fido2GetAssertionUserInterfaceCredential[]>(
|
|
(credentials) => credentials.Select(c => c.CipherId).SequenceEqual(_ciphers.Select((c) => c.Id))
|
|
));
|
|
}
|
|
|
|
[Fact]
|
|
public async Task GetAssertionAsync_AsksForDiscoverableCredentials_ParamsDoesNotContainAllowedCredentialsList()
|
|
{
|
|
// Arrange
|
|
_params.AllowCredentialDescriptorList = null;
|
|
var discoverableCiphers = _ciphers.Where((cipher) => cipher.Login.MainFido2Credential.DiscoverableValue).ToList();
|
|
_userInterface.PickCredentialAsync(Arg.Any<Fido2GetAssertionUserInterfaceCredential[]>()).Returns((discoverableCiphers[0].Id, true));
|
|
|
|
// Act
|
|
await _sutProvider.Sut.GetAssertionAsync(_params, _userInterface);
|
|
|
|
// Assert
|
|
await _userInterface.Received().PickCredentialAsync(Arg.Is<Fido2GetAssertionUserInterfaceCredential[]>(
|
|
(credentials) => credentials.Select(c => c.CipherId).SequenceEqual(discoverableCiphers.Select((c) => c.Id))
|
|
));
|
|
}
|
|
|
|
[Fact]
|
|
// Spec: Prompt the user to select a public key credential source `selectedCredential` from `credentialOptions`.
|
|
// If requireUserVerification is true, the authorization gesture MUST include user verification.
|
|
public async Task GetAssertionAsync_RequestsUserVerification_ParamsRequireUserVerification() {
|
|
// Arrange
|
|
_params.RequireUserVerification = true;
|
|
_userInterface.PickCredentialAsync(Arg.Any<Fido2GetAssertionUserInterfaceCredential[]>()).Returns((_ciphers[0].Id, true));
|
|
|
|
// Act
|
|
await _sutProvider.Sut.GetAssertionAsync(_params, _userInterface);
|
|
|
|
// Assert
|
|
await _userInterface.Received().PickCredentialAsync(Arg.Is<Fido2GetAssertionUserInterfaceCredential[]>(
|
|
(credentials) => credentials.All((c) => c.RequireUserVerification == true)
|
|
));
|
|
}
|
|
|
|
[Fact]
|
|
// Spec: Prompt the user to select a public key credential source `selectedCredential` from `credentialOptions`.
|
|
// If `requireUserPresence` is true, the authorization gesture MUST include a test of user presence.
|
|
// Comment: User presence is implied by the UI returning a credential.
|
|
// Extension: UserVerification is required if the cipher requires reprompting.
|
|
public async Task GetAssertionAsync_DoesNotRequestUserVerification_ParamsDoNotRequireUserVerification() {
|
|
// Arrange
|
|
_params.RequireUserVerification = false;
|
|
|
|
// Act
|
|
await _sutProvider.Sut.GetAssertionAsync(_params, _userInterface);
|
|
|
|
// Assert
|
|
await _userInterface.Received().PickCredentialAsync(Arg.Is<Fido2GetAssertionUserInterfaceCredential[]>(
|
|
(credentials) => credentials.Select(c => c.RequireUserVerification).SequenceEqual(_ciphers.Select((c) => c.Reprompt == CipherRepromptType.Password))
|
|
));
|
|
}
|
|
|
|
[Fact]
|
|
// Spec: If the user does not consent, return an error code equivalent to "NotAllowedError" and terminate the operation.
|
|
public async Task GetAssertionAsync_ThrowsNotAllowed_UserDoesNotConsent() {
|
|
// Arrange
|
|
_userInterface.PickCredentialAsync(Arg.Any<Fido2GetAssertionUserInterfaceCredential[]>()).Returns((null, false));
|
|
|
|
// Act & Assert
|
|
await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.GetAssertionAsync(_params, _userInterface));
|
|
}
|
|
|
|
[Fact]
|
|
// Spec: If the user does not consent, return an error code equivalent to "NotAllowedError" and terminate the operation.
|
|
public async Task GetAssertionAsync_ThrowsNotAllowed_NoUserVerificationWhenRequired() {
|
|
// Arrange
|
|
_params.RequireUserVerification = true;
|
|
_userInterface.PickCredentialAsync(Arg.Any<Fido2GetAssertionUserInterfaceCredential[]>()).Returns((_selectedCipher.Id, false));
|
|
|
|
// Act and assert
|
|
await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.GetAssertionAsync(_params, _userInterface));
|
|
}
|
|
|
|
[Fact]
|
|
// Spec: If the user does not consent, return an error code equivalent to "NotAllowedError" and terminate the operation.
|
|
public async Task GetAssertionAsync_ThrowsNotAllowed_NoUserVerificationForCipherWithReprompt() {
|
|
// Arrange
|
|
_selectedCipher.Reprompt = CipherRepromptType.Password;
|
|
_params.RequireUserVerification = false;
|
|
_userInterface.PickCredentialAsync(Arg.Any<Fido2GetAssertionUserInterfaceCredential[]>()).Returns((_selectedCipher.Id, false));
|
|
|
|
// Act & Assert
|
|
await Assert.ThrowsAsync<NotAllowedError>(() => _sutProvider.Sut.GetAssertionAsync(_params, _userInterface));
|
|
}
|
|
|
|
#endregion
|
|
|
|
#region assertion of credential
|
|
|
|
[Theory]
|
|
[InlineCustomAutoData(new[] { typeof(SutProviderCustomization) })]
|
|
// Spec: Increment the credential associated signature counter
|
|
public async Task GetAssertionAsync_IncrementsCounter_CounterIsLargerThanZero(Cipher encryptedCipher) {
|
|
// Arrange
|
|
_selectedCipher.Login.MainFido2Credential.CounterValue = 9000;
|
|
_sutProvider.GetDependency<ICipherService>().EncryptAsync(_selectedCipher).Returns(encryptedCipher);
|
|
|
|
// Act
|
|
await _sutProvider.Sut.GetAssertionAsync(_params, _userInterface);
|
|
|
|
// Assert
|
|
await _sutProvider.GetDependency<ICipherService>().Received().SaveWithServerAsync(encryptedCipher);
|
|
await _sutProvider.GetDependency<ICipherService>().Received().EncryptAsync(Arg.Is<CipherView>(
|
|
(cipher) => cipher.Login.MainFido2Credential.CounterValue == 9001
|
|
));
|
|
}
|
|
|
|
[Theory]
|
|
[InlineCustomAutoData(new[] { typeof(SutProviderCustomization) })]
|
|
// Spec: Increment the credential associated signature counter
|
|
public async Task GetAssertionAsync_DoesNotIncrementsCounter_CounterIsZero(Cipher encryptedCipher) {
|
|
// Arrange
|
|
_selectedCipher.Login.MainFido2Credential.CounterValue = 0;
|
|
_sutProvider.GetDependency<ICipherService>().EncryptAsync(_selectedCipher).Returns(encryptedCipher);
|
|
|
|
// Act
|
|
await _sutProvider.Sut.GetAssertionAsync(_params, _userInterface);
|
|
|
|
// Assert
|
|
await _sutProvider.GetDependency<ICipherService>().Received().SaveWithServerAsync(encryptedCipher);
|
|
await _sutProvider.GetDependency<ICipherService>().Received().EncryptAsync(Arg.Is<CipherView>(
|
|
(cipher) => cipher.Login.MainFido2Credential.CounterValue == 0
|
|
));
|
|
}
|
|
|
|
[Fact]
|
|
public async Task GetAssertionAsync_ReturnsAssertion() {
|
|
// Arrange
|
|
var keyPair = GenerateKeyPair();
|
|
var rpIdHashMock = RandomBytes(32);
|
|
_params.Hash = RandomBytes(32);
|
|
_params.RequireUserVerification = true;
|
|
_selectedCipher.Login.MainFido2Credential.CounterValue = 9000;
|
|
_selectedCipher.Login.MainFido2Credential.KeyValue = CoreHelpers.Base64UrlEncode(keyPair.ExportPkcs8PrivateKey());
|
|
_sutProvider.GetDependency<ICryptoFunctionService>().HashAsync(_params.RpId, CryptoHashAlgorithm.Sha256).Returns(rpIdHashMock);
|
|
_userInterface.PickCredentialAsync(Arg.Any<Fido2GetAssertionUserInterfaceCredential[]>()).Returns((_selectedCipher.Id, true));
|
|
|
|
// Act
|
|
var result = await _sutProvider.Sut.GetAssertionAsync(_params, _userInterface);
|
|
|
|
// Assert
|
|
var authData = result.AuthenticatorData;
|
|
var rpIdHash = authData.Take(32);
|
|
var flags = authData.Skip(32).Take(1);
|
|
var counter = authData.Skip(33).Take(4);
|
|
|
|
Assert.Equal(_selectedCipherRawCredentialId, result.SelectedCredential.Id);
|
|
Assert.Equal(CoreHelpers.Base64UrlDecode(_selectedCipher.Login.MainFido2Credential.UserHandle), result.SelectedCredential.UserHandle);
|
|
Assert.Equal(rpIdHashMock, rpIdHash);
|
|
Assert.Equal(new byte[] { 0b00011101 }, flags); // UP = true, UV = true, BS = true, BE = true
|
|
Assert.Equal(new byte[] { 0, 0, 0x23, 0x29 }, counter); // 9001 in binary big-endian format
|
|
Assert.True(keyPair.VerifyData(authData.Concat(_params.Hash).ToArray(), result.Signature, HashAlgorithmName.SHA256, DSASignatureFormat.Rfc3279DerSequence), "Signature verification failed");
|
|
}
|
|
|
|
[Fact]
|
|
public async Task GetAssertionAsync_ThrowsUnknownError_SaveFails() {
|
|
// Arrange
|
|
_sutProvider.GetDependency<ICipherService>().SaveWithServerAsync(Arg.Any<Cipher>()).Throws(new Exception());
|
|
|
|
// Act & Assert
|
|
await Assert.ThrowsAsync<UnknownError>(() => _sutProvider.Sut.GetAssertionAsync(_params, _userInterface));
|
|
}
|
|
|
|
#endregion
|
|
|
|
private byte[] RandomBytes(int length)
|
|
{
|
|
var bytes = new byte[length];
|
|
new Random().NextBytes(bytes);
|
|
return bytes;
|
|
}
|
|
|
|
private ECDsa GenerateKeyPair()
|
|
{
|
|
var dsa = ECDsa.Create();
|
|
dsa.GenerateKey(ECCurve.NamedCurves.nistP256);
|
|
|
|
return dsa;
|
|
}
|
|
|
|
#nullable enable
|
|
private CipherView CreateCipherView(string credentialId, string? rpId, bool? discoverable, bool reprompt = false)
|
|
{
|
|
return new CipherView {
|
|
Type = CipherType.Login,
|
|
Id = Guid.NewGuid().ToString(),
|
|
Reprompt = reprompt ? CipherRepromptType.Password : CipherRepromptType.None,
|
|
Login = new LoginView {
|
|
Fido2Credentials = new List<Fido2CredentialView> {
|
|
new Fido2CredentialView {
|
|
CredentialId = credentialId,
|
|
RpId = rpId ?? "bitwarden.com",
|
|
Discoverable = discoverable.HasValue ? discoverable.ToString() : "true",
|
|
UserHandleValue = RandomBytes(32),
|
|
KeyValue = "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgO4wC7AlY4eJP7uedRUJGYsAIJAd6gN1Vp7uJh6xXAp6hRANCAARGvr56F_t27DEG1Tzl-qJRhrTUtC7jOEbasAEEZcE3TiMqoWCan0sxKDPylhRYk-1qyrBC_feN1UtGWH57sROa"
|
|
}
|
|
}
|
|
}
|
|
};
|
|
}
|
|
|
|
private Fido2AuthenticatorGetAssertionParams CreateParams(string? rpId = null, byte[]? hash = null, PublicKeyCredentialDescriptor[]? allowCredentialDescriptorList = null, bool? requireUserPresence = null, bool? requireUserVerification = null)
|
|
{
|
|
return new Fido2AuthenticatorGetAssertionParams {
|
|
RpId = rpId ?? "bitwarden.com",
|
|
Hash = hash ?? RandomBytes(32),
|
|
AllowCredentialDescriptorList = allowCredentialDescriptorList ?? null,
|
|
RequireUserVerification = requireUserPresence ?? false
|
|
};
|
|
}
|
|
}
|
|
}
|