Support device public key and passkeys (#356)

* Start DPK and passkey support

* Cleanup

* Finish merge

* Additional cleanup

* Make BE and BS config options plumb them into attestation and assertion flows

* Update DPK verification names to match current spec verbiage

* Remove token binding

* Set default to allow backed up credentials

* Switch BE/BS config options from bool to enum
Update BE/BS policy logic
Add more assertion tests, move more error strings to error messages
Get metadata into assertion flow for DPK

Author: aseigler

Demo/Controller.cs

@@ -71,10 +71,12 @@ public JsonResult MakeCredentialOptions([FromForm] string username,
             if (!string.IsNullOrEmpty(authType))
                 authenticatorSelection.AuthenticatorAttachment = authType.ToEnum<AuthenticatorAttachment>();
 
-            var exts = new AuthenticationExtensionsClientInputs() 
-            { 
-                Extensions = true, 
-                UserVerificationMethod = true, 
+            var exts = new AuthenticationExtensionsClientInputs()
+            {
+                Extensions = true,
+                UserVerificationMethod = true,
+                DevicePubKey = new AuthenticationExtensionsDevicePublicKeyInputs() { Attestation = attType },
+                CredProps = true
             };
 
             var options = _fido2.RequestNewCredential(user, existingKeys, authenticatorSelection, attType.ToEnum<AttestationConveyancePreference>(), exts);
@@ -117,19 +119,23 @@ public async Task<JsonResult> MakeCredential([FromBody] AuthenticatorAttestation
             // 3. Store the credentials in db
             DemoStorage.AddCredentialToUser(options.User, new StoredCredential
             {
+                Type = success.Result.Type,
+                Id = success.Result.Id,
                 Descriptor = new PublicKeyCredentialDescriptor(success.Result.CredentialId),
                 PublicKey = success.Result.PublicKey,
                 UserHandle = success.Result.User.Id,
-                SignatureCounter = success.Result.Counter,
+                SignCount = success.Result.Counter,
                 CredType = success.Result.CredType,
                 RegDate = DateTime.Now,
-                AaGuid = success.Result.AaGuid
+                AaGuid = success.Result.AaGuid,
+                Transports = success.Result.Transports,
+                BE = success.Result.BE,
+                BS = success.Result.BS,
+                AttestationObject = success.Result.AttestationObject,
+                AttestationClientDataJSON = success.Result.AttestationClientDataJSON,
+                DevicePublicKeys = new List<byte[]>() { success.Result.DevicePublicKey }
             });
 
-            // Remove Certificates from success because System.Text.Json cannot serialize them properly. See https://github.com/passwordless-lib/fido2-net-lib/issues/328
-            success.Result.AttestationCertificate = null;
-            success.Result.AttestationCertificateChain = null;
-
             // 4. return "ok" to the client
             return Json(success);
         }
@@ -157,8 +163,10 @@ public ActionResult AssertionOptionsPost([FromForm] string username, [FromForm]
             }
 
             var exts = new AuthenticationExtensionsClientInputs()
-            { 
-                UserVerificationMethod = true 
+            {
+                Extensions = true,
+                UserVerificationMethod = true,
+                DevicePubKey = new AuthenticationExtensionsDevicePublicKeyInputs()
             };
 
             // 3. Create options
@@ -206,11 +214,14 @@ public async Task<JsonResult> MakeAssertion([FromBody] AuthenticatorAssertionRaw
             };
 
             // 5. Make the assertion
-            var res = await _fido2.MakeAssertionAsync(clientResponse, options, creds.PublicKey, storedCounter, callback, cancellationToken: cancellationToken);
+            var res = await _fido2.MakeAssertionAsync(clientResponse, options, creds.PublicKey, creds.DevicePublicKeys, storedCounter, callback, cancellationToken: cancellationToken);
 
             // 6. Store the updated counter
             DemoStorage.UpdateCounter(res.CredentialId, res.Counter);
 
+            if (res.DevicePublicKey is not null)
+                creds.DevicePublicKeys.Add(res.DevicePublicKey);
+
             // 7. return OK to client
             return Json(res);
         }

Demo/Startup.cs

@@ -1,6 +1,6 @@
 using System;
 using System.Collections.Generic;
-
+using Fido2NetLib;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
@@ -52,6 +52,8 @@ public void ConfigureServices(IServiceCollection services)
             options.Origins = Configuration.GetSection("fido2:origins").Get<HashSet<string>>();
             options.TimestampDriftTolerance = Configuration.GetValue<int>("fido2:timestampDriftTolerance");
             options.MDSCacheDirPath = Configuration["fido2:MDSCacheDirPath"];
+            options.BackupEligibleCredentialPolicy = Configuration.GetValue<Fido2Configuration.CredentialBackupPolicy>("fido2:backupEligibleCredentialPolicy");
+            options.BackedUpCredentialPolicy = Configuration.GetValue<Fido2Configuration.CredentialBackupPolicy>("fido2:backedUpCredentialPolicy");
         })
         .AddCachedMetadataService(config =>
         {

Demo/TestController.cs

@@ -18,7 +18,7 @@ namespace Fido2Demo;
 public class TestController : Controller
 {
     /* CONFORMANCE TESTING ENDPOINTS */
-    private static readonly DevelopmentInMemoryStore DemoStorage = new ();
+    private static readonly DevelopmentInMemoryStore _demoStorage = new ();
 
     private readonly IFido2 _fido2;
     private readonly string _origin;
@@ -56,15 +56,15 @@ public JsonResult MakeCredentialOptionsTest([FromBody] TEST_MakeCredentialParams
         }
 
         // 1. Get user from DB by username (in our example, auto create missing users)
-        var user = DemoStorage.GetOrAddUser(opts.Username, () => new Fido2User
+        var user = _demoStorage.GetOrAddUser(opts.Username, () => new Fido2User
         {
             DisplayName = opts.DisplayName,
             Name = opts.Username,
             Id = username // byte representation of userID is required
         });
 
         // 2. Get user existing keys by username
-        var existingKeys = DemoStorage.GetCredentialsByUser(user).Select(c => c.Descriptor).ToList();
+        var existingKeys = _demoStorage.GetCredentialsByUser(user).Select(c => c.Descriptor).ToList();
 
         //var exts = new AuthenticationExtensionsClientInputs() { Extensions = true, UserVerificationIndex = true, Location = true, UserVerificationMethod = true, BiometricAuthenticatorPerformanceBounds = new AuthenticatorBiometricPerfBounds { FAR = float.MaxValue, FRR = float.MaxValue } };
         var exts = new AuthenticationExtensionsClientInputs() { };
@@ -83,7 +83,7 @@ public JsonResult MakeCredentialOptionsTest([FromBody] TEST_MakeCredentialParams
 
     [HttpPost]
     [Route("/attestation/result")]
-    public async Task<JsonResult> MakeCredentialResultTest([FromBody] AuthenticatorAttestationRawResponse attestationResponse, CancellationToken cancellationToken)
+    public async Task<JsonResult> MakeCredentialResultTestAsync([FromBody] AuthenticatorAttestationRawResponse attestationResponse, CancellationToken cancellationToken)
     {
 
         // 1. get the options we sent the client
@@ -93,20 +93,20 @@ public async Task<JsonResult> MakeCredentialResultTest([FromBody] AuthenticatorA
         // 2. Create callback so that lib can verify credential id is unique to this user
         IsCredentialIdUniqueToUserAsyncDelegate callback = static async (args, cancellationToken) =>
         {
-            var users = await DemoStorage.GetUsersByCredentialIdAsync(args.CredentialId, cancellationToken);
+            var users = await _demoStorage.GetUsersByCredentialIdAsync(args.CredentialId, cancellationToken);
             return users.Count <= 0;
         };
 
         // 2. Verify and make the credentials
         var success = await _fido2.MakeNewCredentialAsync(attestationResponse, options, callback, cancellationToken: cancellationToken);
 
         // 3. Store the credentials in db
-        DemoStorage.AddCredentialToUser(options.User, new StoredCredential
+        _demoStorage.AddCredentialToUser(options.User, new StoredCredential
         {
             Descriptor = new PublicKeyCredentialDescriptor(success.Result.CredentialId),
             PublicKey = success.Result.PublicKey,
             UserHandle = success.Result.User.Id,
-            SignatureCounter = success.Result.Counter
+            SignCount = success.Result.Counter
         });
 
         // 4. return "ok" to the client
@@ -119,12 +119,12 @@ public IActionResult AssertionOptionsTest([FromBody] TEST_AssertionClientParams
     {
         var username = assertionClientParams.Username;
         // 1. Get user from DB
-        var user = DemoStorage.GetUser(username);
+        var user = _demoStorage.GetUser(username);
         if (user == null)
             return NotFound("username was not registered");
 
         // 2. Get registered credentials from database
-        var existingCredentials = DemoStorage.GetCredentialsByUser(user).Select(c => c.Descriptor).ToList();
+        var existingCredentials = _demoStorage.GetCredentialsByUser(user).Select(c => c.Descriptor).ToList();
 
         var uv = assertionClientParams.UserVerification;
         if (null != assertionClientParams.authenticatorSelection)
@@ -154,30 +154,33 @@ public IActionResult AssertionOptionsTest([FromBody] TEST_AssertionClientParams
 
     [HttpPost]
     [Route("/assertion/result")]
-    public async Task<JsonResult> MakeAssertionTest([FromBody] AuthenticatorAssertionRawResponse clientResponse, CancellationToken cancellationToken)
+    public async Task<JsonResult> MakeAssertionTestAsync([FromBody] AuthenticatorAssertionRawResponse clientResponse, CancellationToken cancellationToken)
     {
         // 1. Get the assertion options we sent the client
         var jsonOptions = HttpContext.Session.GetString("fido2.assertionOptions");
         var options = AssertionOptions.FromJson(jsonOptions);
 
         // 2. Get registered credential from database
-        var creds = DemoStorage.GetCredentialById(clientResponse.Id);
+        var creds = _demoStorage.GetCredentialById(clientResponse.Id);
 
         // 3. Get credential counter from database
         var storedCounter = creds.SignatureCounter;
 
         // 4. Create callback to check if userhandle owns the credentialId
         IsUserHandleOwnerOfCredentialIdAsync callback = static async (args, cancellationToken) =>
         {
-            var storedCreds = await DemoStorage.GetCredentialsByUserHandleAsync(args.UserHandle, cancellationToken);
+            var storedCreds = await _demoStorage.GetCredentialsByUserHandleAsync(args.UserHandle, cancellationToken);
             return storedCreds.Exists(c => c.Descriptor.Id.SequenceEqual(args.CredentialId));
         };
 
         // 5. Make the assertion
-        var res = await _fido2.MakeAssertionAsync(clientResponse, options, creds.PublicKey, storedCounter, callback, cancellationToken: cancellationToken);
+        var res = await _fido2.MakeAssertionAsync(clientResponse, options, creds.PublicKey, creds.DevicePublicKeys, storedCounter, callback, cancellationToken: cancellationToken);
 
         // 6. Store the updated counter
-        DemoStorage.UpdateCounter(res.CredentialId, res.Counter);
+        _demoStorage.UpdateCounter(res.CredentialId, res.Counter);
+
+        if (res.DevicePublicKey is not null)
+            creds.DevicePublicKeys.Add(res.DevicePublicKey);
 
         var testRes = new
         {

Demo/appsettings.json

@@ -2,7 +2,9 @@
   "fido2": {
     "serverDomain": "localhost",
     "origins": [ "https://localhost:44329" ],
-    "timestampDriftTolerance": 300000
+    "timestampDriftTolerance": 300000,
+    "backupEligibleCredentialPolicy": "allowed",
+    "backedUpCredentialPolicy": "allowed"
   },  
   "Logging": {
     "IncludeScopes": false,

Demo/wwwroot/js/custom.register.js

@@ -125,8 +125,9 @@ async function registerNewCredential(newCredential) {
         extensions: newCredential.getClientExtensionResults(),
         response: {
             AttestationObject: coerceToBase64Url(attestationObject),
-            clientDataJSON: coerceToBase64Url(clientDataJSON)
-        }
+            clientDataJson: coerceToBase64Url(clientDataJSON),
+            transports: newCredential.response.getTransports(),
+        },
     };
 
     let response;

Src/Fido2.Models/AuthenticatorAssertionRawResponse.cs

@@ -42,9 +42,13 @@ public class AssertionResponse
         [JsonConverter(typeof(Base64UrlConverter))]
         [JsonPropertyName("clientDataJSON")]
         public byte[] ClientDataJson { get; set; }
-
+#nullable enable
         [JsonPropertyName("userHandle")]
         [JsonConverter(typeof(Base64UrlConverter))]
-        public byte[] UserHandle { get; set; }
+        public byte[]? UserHandle { get; set; }
+
+        [JsonPropertyName("attestationObject")]
+        [JsonConverter(typeof(Base64UrlConverter))]
+        public byte[]? AttestationObject { get; set; }
     }
 }

Src/Fido2.Models/AuthenticatorAttestationRawResponse.cs

@@ -15,7 +15,7 @@ public sealed class AuthenticatorAttestationRawResponse
     public byte[] RawId { get; set; }
 
     [JsonPropertyName("type")]
-    public PublicKeyCredentialType? Type { get; set; }
+    public PublicKeyCredentialType Type { get; set; } = PublicKeyCredentialType.PublicKey;
 
     [JsonPropertyName("response")]
     public ResponseData Response { get; set; }

Src/Fido2.Models/Exceptions/Fido2ErrorCode.cs

@@ -32,5 +32,9 @@ public enum Fido2ErrorCode
     InvalidAuthenticatorResponseChallenge,
     NonUniqueCredentialId,
     AaGuidNotFound,
-    UnimplementedAlgorithm
+    UnimplementedAlgorithm,
+    BackupEligibilityRequirementNotMet,
+    BackupStateRequirementNotMet,
+    CredentialAlgorithmRequirementNotMet,
+    DevicePublicKeyAuthentication
 }

Src/Fido2.Models/Fido2Configuration.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Runtime.Serialization;
 
 namespace Fido2NetLib;
 
@@ -113,4 +114,35 @@ public ISet<string> FullyQualifiedOrigins
         AuthenticatorStatus.USER_KEY_PHYSICAL_COMPROMISE,
         AuthenticatorStatus.REVOKED
     };
+
+    /// <summary>
+    /// Whether or not to accept a backup eligible credential
+    /// </summary>
+    public CredentialBackupPolicy BackupEligibleCredentialPolicy { get; set; } = CredentialBackupPolicy.Allowed;
+
+    /// <summary>
+    /// Whether or not to accept a backed up credential
+    /// </summary>
+    public CredentialBackupPolicy BackedUpCredentialPolicy { get; set; } = CredentialBackupPolicy.Allowed;
+
+    public enum CredentialBackupPolicy
+    {
+        /// <summary>
+        /// This value indicates that the Relying Party requires backup eligible or backed up credentials.
+        /// </summary>
+        [EnumMember(Value = "required")]
+        Required,
+
+        /// <summary>
+        /// This value indicates that the Relying Party allows backup eligible or backed up credentials.
+        /// </summary>
+        [EnumMember(Value = "allowed")]
+        Allowed,
+
+        /// <summary>
+        /// This value indicates that the Relying Party does not allow backup eligible or backed up credentials.
+        /// </summary>
+        [EnumMember(Value = "disallowed")]
+        Disallowed
+    }
 }

Src/Fido2.Models/Objects/AssertionVerificationResult.cs

@@ -8,4 +8,19 @@ public class AssertionVerificationResult : Fido2ResponseBase
     public byte[] CredentialId { get; set; }
 
     public uint Counter { get; set; }
+
+    /// <summary>
+    /// The latest value of the signature counter in the authenticator data from any ceremony using the public key credential source.
+    /// </summary>
+    public uint SignCount { get; set; }
+
+    /// <summary>
+    /// The latest value of the BS flag in the authenticator data from any ceremony using the public key credential source.
+    /// </summary>
+    public bool BS { get; set; }
+
+    /// <summary>
+    /// The public key portion of a hardware-bound device key pair
+    /// </summary>
+    public byte[] DevicePublicKey { get; set; }
 }