Swappable MDS

Author: abergs

Fido2Demo/Controller.cs

@@ -26,11 +26,12 @@ public class MyController : Controller
 
         public MyController(IConfiguration config)
         {
-            _lib = new Fido2(new Fido2.Configuration
+            _lib = new Fido2(new Fido2.Configuration()
             {
                 ServerDomain = config["fido2:serverDomain"],
                 ServerName = "Fido2 test",
-                Origin = config["fido2:origin"]
+                Origin = config["fido2:origin"],
+                MetadataService = MDSMetadata.Instance(config["fido2:MDSAccessKey"], config["fido2:MDSCacheDir"])
             });
         }
 

Fido2Demo/TestController.cs

@@ -30,11 +30,12 @@ public class TestController : Controller
 
         public TestController(IConfiguration config)
         {
-            _lib = new Fido2(new Fido2NetLib.Fido2.Configuration
+            _lib = new Fido2(new Fido2NetLib.Fido2.Configuration()
             {
                 ServerDomain = config["fido2:serverDomain"],
                 ServerName = "Fido2 test",
-                Origin = config["fido2:origin"]
+                Origin = config["fido2:origin"],
+                MetadataService = MDSMetadata.Instance(config["fido2:MDSAccessKey"], config["fido2:MDSCacheDir"])
             });
         }
 

fido2-net-lib.Test/UnitTest1.cs

@@ -103,14 +103,8 @@ public async Task TestFido2AssertionAsync()
             var options = JsonConvert.DeserializeObject<CredentialCreateOptions>(File.ReadAllText("./AttestationNoneOptions.json"));
             var response = JsonConvert.DeserializeObject<AuthenticatorAttestationRawResponse>(File.ReadAllText("./AttestationNoneResponse.json"));
 
-            var fido2 = new Fido2NetLib.Fido2(new Fido2NetLib.Fido2.Configuration()
-            {
-                ServerDomain = "localhost",
-                Origin = "https://localhost:44329",
-            });
-
             var o = AuthenticatorAttestationResponse.Parse(response);
-            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null);
+            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null, null);
 
             var credId = "F1-3C-7F-08-3C-A2-29-E0-B4-03-E8-87-34-6E-FC-7F-98-53-10-3A-30-91-75-67-39-7A-D1-D8-AF-87-04-61-87-EF-95-31-85-60-F3-5A-1A-2A-CF-7D-B0-1D-06-B9-69-F9-AB-F4-EC-F3-07-3E-CF-0F-71-E8-84-E8-41-20";
             var allowedCreds = new List<PublicKeyCredentialDescriptor>() {
@@ -142,9 +136,8 @@ public async Task TestParsingAsync()
 
             Assert.NotNull(jsonPost);
 
-            var fido2 = new Fido2NetLib.Fido2(new Fido2NetLib.Fido2.Configuration());
             var o = AuthenticatorAttestationResponse.Parse(jsonPost);
-            await o.VerifyAsync(options, "https://localhost:44329", isCredentialIdUniqueToUser: (x) => Task.FromResult(true), requestTokenBindingId: null);
+            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null, null);
         }
 
         [Fact]
@@ -162,58 +155,52 @@ public async Task TestU2FAttestationAsync()
         {
             var jsonPost = JsonConvert.DeserializeObject<AuthenticatorAttestationRawResponse>(File.ReadAllText("./attestationResultsU2F.json"));
             var options = JsonConvert.DeserializeObject<CredentialCreateOptions>(File.ReadAllText("./attestationOptionsU2F.json"));
-            var fido2 = new Fido2NetLib.Fido2(new Fido2NetLib.Fido2.Configuration());
             var o = AuthenticatorAttestationResponse.Parse(jsonPost);
-            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null);
+            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null, null);
             byte[] ad = o.AttestationObject.AuthData;
         }
         [Fact]
         public async Task TestPackedAttestationAsync()
         {
             var jsonPost = JsonConvert.DeserializeObject<AuthenticatorAttestationRawResponse>(File.ReadAllText("./attestationResultsPacked.json"));
             var options = JsonConvert.DeserializeObject<CredentialCreateOptions>(File.ReadAllText("./attestationOptionsPacked.json"));
-            var fido2 = new Fido2NetLib.Fido2(new Fido2NetLib.Fido2.Configuration());
             var o = AuthenticatorAttestationResponse.Parse(jsonPost);
-            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null);
+            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null, null);
             byte[] ad = o.AttestationObject.AuthData;
         }
         [Fact]
         public async Task TestNoneAttestationAsync()
         {
             var jsonPost = JsonConvert.DeserializeObject<AuthenticatorAttestationRawResponse>(File.ReadAllText("./attestationResultsNone.json"));
             var options = JsonConvert.DeserializeObject<CredentialCreateOptions>(File.ReadAllText("./attestationOptionsNone.json"));
-            var fido2 = new Fido2NetLib.Fido2(new Fido2NetLib.Fido2.Configuration());
             var o = AuthenticatorAttestationResponse.Parse(jsonPost);
-            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null);
+            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null, null);
         }
         [Fact]
         public async Task TestTPMSHA256AttestationAsync()
         {
             var jsonPost = JsonConvert.DeserializeObject<AuthenticatorAttestationRawResponse>(File.ReadAllText("./attestationTPMSHA256Response.json"));
             var options = JsonConvert.DeserializeObject<CredentialCreateOptions>(File.ReadAllText("./attestationTPMSHA256Options.json"));
-            var fido2 = new Fido2NetLib.Fido2(new Fido2NetLib.Fido2.Configuration());
             var o = AuthenticatorAttestationResponse.Parse(jsonPost);
-            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null);
+            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null, null);
             byte[] ad = o.AttestationObject.AuthData;
         }
         [Fact]
         public async Task TestTPMSHA1AttestationAsync()
         {
             var jsonPost = JsonConvert.DeserializeObject<AuthenticatorAttestationRawResponse>(File.ReadAllText("./attestationTPMSHA1Response.json"));
             var options = JsonConvert.DeserializeObject<CredentialCreateOptions>(File.ReadAllText("./attestationTPMSHA1Options.json"));
-            var fido2 = new Fido2NetLib.Fido2(new Fido2NetLib.Fido2.Configuration());
             var o = AuthenticatorAttestationResponse.Parse(jsonPost);
-            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null);
+            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null, null);
             byte[] ad = o.AttestationObject.AuthData;
         }
         [Fact]
         public async Task TestAndroidKeyAttestationAsync()
         {
             var jsonPost = JsonConvert.DeserializeObject<AuthenticatorAttestationRawResponse>(File.ReadAllText("./attestationAndroidKeyResponse.json"));
             var options = JsonConvert.DeserializeObject<CredentialCreateOptions>(File.ReadAllText("./attestationAndroidKeyOptions.json"));
-            var fido2 = new Fido2NetLib.Fido2(new Fido2NetLib.Fido2.Configuration());
             var o = AuthenticatorAttestationResponse.Parse(jsonPost);
-            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null);
+            await o.VerifyAsync(options, "https://localhost:44329", (x) => Task.FromResult(true), null, null);
             byte[] ad = o.AttestationObject.AuthData;
         }
         //public void TestHasCorrentAAguid()

fido2-net-lib/AuthenticatorAttestationResponse.cs

@@ -61,7 +61,7 @@ public static AuthenticatorAttestationResponse Parse(AuthenticatorAttestationRaw
             return response;
         }
 
-        public async Task<AttestationVerificationSuccess> VerifyAsync(CredentialCreateOptions originalOptions, string expectedOrigin, IsCredentialIdUniqueToUserAsyncDelegate isCredentialIdUniqueToUser, byte[] requestTokenBindingId)
+        public async Task<AttestationVerificationSuccess> VerifyAsync(CredentialCreateOptions originalOptions, string expectedOrigin, IsCredentialIdUniqueToUserAsyncDelegate isCredentialIdUniqueToUser, IMetadataService metadataService, byte[] requestTokenBindingId)
         {
             AttestationType attnType;
             X509Certificate2[] trustPath = null;
@@ -532,14 +532,10 @@ public async Task<AttestationVerificationSuccess> VerifyAsync(CredentialCreateOp
             // use aaguid (authData.AttData.Aaguid) to find root certs in metadata
             // use root plus trustPath to build trust chain
 
-            MetadataTOCPayloadEntry entry = null;
-            var metadata = MDSMetadata.Instance();
-            if (null != metadata)
+            if (null != metadataService)
             {
-                if (true == metadata.payload.ContainsKey(authData.AttData.GuidAaguid))
-                { 
-                    entry = metadata.payload[authData.AttData.GuidAaguid];
-                }
+                MetadataTOCPayloadEntry entry = metadataService.GetEntry(authData.AttData.GuidAaguid);
+                
                 if (null != entry)
                 {
                     if (entry.Hash != entry.MetadataStatement.Hash) throw new Fido2VerificationException("Authenticator metadata statement has invalid hash");

fido2-net-lib/Fido2NetLib.cs

@@ -43,6 +43,23 @@ public class Configuration
             /// Server origin, including protocol host and port.
             /// </summary>
             public string Origin { get; set; }
+
+            /// <summary>
+            /// MetdataService to verify metadata statements https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-metadata-service-v2.0-rd-20180702.html
+            /// </summary>
+            public IMetadataService MetadataService { get; set; }
+
+            /// <summary>
+            /// Create the configuration for Fido2
+            /// </summary>
+            public Configuration()
+            {
+            }
+
+            public Configuration(IMetadataService metadataService)
+            {
+                MetadataService = metadataService;
+            }
         }
 
         private Configuration Config { get; }
@@ -90,7 +107,7 @@ public CredentialCreateOptions RequestNewCredential(User user, List<PublicKeyCre
         public async Task<CredentialMakeResult> MakeNewCredentialAsync(AuthenticatorAttestationRawResponse attestationResponse, CredentialCreateOptions origChallenge, IsCredentialIdUniqueToUserAsyncDelegate isCredentialIdUniqueToUser, byte[] requestTokenBindingId = null)
         {
             var parsedResponse = AuthenticatorAttestationResponse.Parse(attestationResponse);
-            var success = await parsedResponse.VerifyAsync(origChallenge, Config.Origin, isCredentialIdUniqueToUser, requestTokenBindingId);
+            var success = await parsedResponse.VerifyAsync(origChallenge, Config.Origin, isCredentialIdUniqueToUser, Config.MetadataService, requestTokenBindingId);
 
             // todo: Set Errormessage etc.
             return new CredentialMakeResult { Status = "ok", ErrorMessage = string.Empty, Result = success };

fido2-net-lib/MetadataService.cs

@@ -1,4 +1,5 @@
-using System.Linq;
+using System;
+using System.Linq;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.Extensions.Configuration;
@@ -303,42 +304,47 @@ public class MetadataStatement
         public ExtensionDescriptor[] SupportedExtensions { get; set; }
         public string Hash { get; set; }
     }
-    public sealed class MDSMetadata
+
+    public interface IMetadataService
+    {
+        MetadataTOCPayloadEntry GetEntry(Guid aaguid);
+    }
+
+    public sealed class MDSMetadata : IMetadataService
     {
         private static volatile MDSMetadata mDSMetadata;
         private static object syncRoot = new System.Object();
-        public Microsoft.Extensions.Configuration.IConfiguration Configuration { get; }
         public static readonly string mds1url = "https://mds.fidoalliance.org";
         public static readonly string mds2url = "https://mds2.fidoalliance.org";
         public static readonly string tokenParamName = "/?token=";
         private static string _accessToken;
         private static string _cacheDir;
         private string tocAlg;
 
-        private MDSMetadata()
+        private MDSMetadata(string accessToken, string cachedirPath)
         {
-            // Extract app secrets for development
-            // https://docs.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-2.1&tabs=windows
-            string env = System.Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
-            if (string.IsNullOrWhiteSpace(env))
-            {
-                env = "Development";
-            }
+            //// Extract app secrets for development
+            //// https://docs.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-2.1&tabs=windows
+            //string env = System.Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
+            //if (string.IsNullOrWhiteSpace(env))
+            //{
+            //    env = "Development";
+            //}
 
-            var builder = new Microsoft.Extensions.Configuration.ConfigurationBuilder();
+            //var builder = new Microsoft.Extensions.Configuration.ConfigurationBuilder();
 
-            if (env == "Development")
-            {
-                builder.AddUserSecrets<MDSMetadata>();
-            }
-            Configuration = builder.Build();
+            //if (env == "Development")
+            //{
+            //    builder.AddUserSecrets<MDSMetadata>();
+            //}
+            //Configuration = builder.Build();
 
             // We need either an access token or a cache directory, but prefer both
             // If we have only an access token, we can get metadata from directly from MDS and only cache in memory
             // If we have only a cache directory, we can read cached data (as long as it is not expired)
             // If we have both, we can read from either and update cache as necessary
-            _accessToken = Configuration["MDSAccessToken"];
-            _cacheDir = Configuration["CacheDir"];
+            _accessToken = accessToken;
+            _cacheDir = cachedirPath;
             if (0x30 != _accessToken.Length && 3 > _cacheDir.Length) throw new Fido2VerificationException("Either MDSAccessToken or CacheDir is required to instantiate Metadata instance");
 
             payload = new System.Collections.Generic.Dictionary<System.Guid, MetadataTOCPayloadEntry>();
@@ -364,14 +370,14 @@ private MDSMetadata()
             // If the payload count is zero, we've failed to load metadata
             if (0 == payload.Count) throw new Fido2VerificationException("Failed to load MDS metadata");
         }
-        public static MDSMetadata Instance()
+        public static IMetadataService Instance(string accesskey, string cachedir)
         {
             if (null == mDSMetadata)
             {
                 lock (syncRoot)
                 {
                     if (null == mDSMetadata)
-                        mDSMetadata = new MDSMetadata();
+                        mDSMetadata = new MDSMetadata(accesskey, cachedir);
                 }
             }
             return mDSMetadata;
@@ -534,5 +540,11 @@ public void CustomTOCPayloadFromCache()
                 }
             }
         }
+
+        public MetadataTOCPayloadEntry GetEntry(Guid aaguid)
+        {
+            mDSMetadata.payload.TryGetValue(aaguid, out var entry);
+            return entry;
+        }
     }
 }