Merge pull request #51 from aseigler/master

New conformance tool requirements for UP/UV and some metadata defense

Author: aseigler

fido2-net-lib/AuthenticatorAssertionResponse.cs

@@ -113,7 +113,7 @@ public async Task<AssertionVerificationResult> VerifyAsync(AssertionOptions opti
             // See Server-ServerAuthenticatorAssertionResponse-Resp3 Test server processing authenticatorData
             // P-5 Send a valid ServerAuthenticatorAssertionResponse both authenticatorData.flags.UV and authenticatorData.flags.UP are not set, for userVerification set to "preferred", and check that server succeeds
             // P-8 Send a valid ServerAuthenticatorAssertionResponse both authenticatorData.flags.UV and authenticatorData.flags.UP are not set, for userVerification set to "discouraged", and check that server succeeds
-            if ((false == authData.UserPresent) && (options.UserVerification != UserVerificationRequirement.Discouraged && options.UserVerification != UserVerificationRequirement.Preferred)) throw new Fido2VerificationException("User Present flag not set in authenticator data");
+            //if ((false == authData.UserPresent) && (options.UserVerification != UserVerificationRequirement.Discouraged && options.UserVerification != UserVerificationRequirement.Preferred)) throw new Fido2VerificationException("User Present flag not set in authenticator data");
 
             // 13 If user verification is required for this assertion, verify that the User Verified bit of the flags in aData is set.
             // UNLESS...userPresent is true?

fido2-net-lib/MetadataService.cs

@@ -345,7 +345,7 @@ private MDSMetadata(string accessToken, string cachedirPath)
             // If we have both, we can read from either and update cache as necessary
             _accessToken = accessToken;
             _cacheDir = cachedirPath;
-            if (0x30 != _accessToken.Length && 3 > _cacheDir.Length) throw new Fido2VerificationException("Either MDSAccessToken or CacheDir is required to instantiate Metadata instance");
+            if (null != _accessToken && 0x30 != _accessToken.Length && null != _cacheDir && 3 > _cacheDir.Length) throw new Fido2VerificationException("Either MDSAccessToken or CacheDir is required to instantiate Metadata instance");
 
             payload = new System.Collections.Generic.Dictionary<System.Guid, MetadataTOCPayloadEntry>();
             // If we have a cache directory, let's try that first
@@ -363,7 +363,7 @@ private MDSMetadata(string accessToken, string cachedirPath)
                 }
             }
             // If the payload count is still zero and we have what looks like a good access token, load from MDS
-            if (0 == payload.Count && 0x30 == _accessToken.Length)
+            if (0 == payload.Count && null != _accessToken && 0x30 == _accessToken.Length)
             {
                 GetTOCPayload(false);
             }
@@ -486,7 +486,7 @@ private MetadataStatement GetMetadataStatement(MetadataTOCPayloadEntry entry, bo
                 var client = new System.Net.WebClient();
                 rawStatement = client.DownloadString(entry.Url + tokenParamName + _accessToken);
             }
-            if (3 < _cacheDir.Length)
+            if (null != _cacheDir && 3 < _cacheDir.Length)
             {
                 if (false == System.IO.Directory.Exists(_cacheDir)) System.IO.Directory.CreateDirectory(_cacheDir);
                 var filename = _cacheDir + @"\"  + entry.AaGuid + @".jwt";
@@ -508,7 +508,7 @@ public void GetTOCPayload(bool fromCache)
             {
                 mdsToc = client.DownloadString(mds2url + tokenParamName + _accessToken);
 
-                if (3 < _cacheDir.Length)
+                if (null != _cacheDir && 3 < _cacheDir.Length)
                 {
                     if (false == System.IO.Directory.Exists(_cacheDir)) System.IO.Directory.CreateDirectory(_cacheDir);
                     System.IO.File.WriteAllText(_cacheDir + @"\" + "mdstoc.jwt", mdsToc, System.Text.Encoding.UTF8);