[WIP] Web IDL support (make credentials); next: extension parsing

Author: AlfioEmanueleFresta

libwebauthn/Cargo.toml

@@ -66,6 +66,7 @@ snow = { version = "0.10", features = ["use-p256"] }
 ctap-types = { version = "0.4.0" }
 btleplug = "0.11.7"
 thiserror = "2.0.12"
+serde_json = "1.0.141"
 
 
 [dev-dependencies]

libwebauthn/src/ops/webauthn/create.rs

@@ -0,0 +1,67 @@
+use super::idl::Base64UrlString;
+use crate::{
+    ops::webauthn::{ResidentKeyRequirement, UserVerificationRequirement},
+    proto::ctap2::{
+        Ctap2CredentialType, Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialRpEntity,
+        Ctap2PublicKeyCredentialUserEntity,
+    },
+};
+
+use serde::Deserialize;
+use serde_json::{Map as JsonMap, Value as JsonValue};
+
+/**
+ * https://www.w3.org/TR/webauthn-3/#sctn-parseCreationOptionsFromJSON
+ */
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct PublicKeyCredentialDescriptorJSON {
+    pub r#type: String,
+    pub id: Base64UrlString,
+    pub transports: Vec<String>,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct PublicKeyCredentialParameters {
+    pub r#type: String,
+    pub alg: i32,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct AuthenticatorSelectionCriteria {
+    #[serde(rename = "authenticatorAttachment")]
+    pub authenticator_attachment: Option<String>,
+    #[serde(rename = "residentKey")]
+    pub resident_key: Option<ResidentKeyRequirement>,
+    #[serde(rename = "requireResidentKey")]
+    #[serde(default)]
+    pub require_resident_key: bool,
+    #[serde(rename = "userVerification")]
+    #[serde(default = "default_user_verification")]
+    pub user_verification: UserVerificationRequirement,
+}
+
+fn default_user_verification() -> UserVerificationRequirement {
+    UserVerificationRequirement::Preferred
+}
+
+type JsonObject = JsonMap<String, JsonValue>;
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct PublicKeyCredentialCreationOptionsJSON {
+    pub rp: Ctap2PublicKeyCredentialRpEntity,
+    pub user: Ctap2PublicKeyCredentialUserEntity,
+    pub challenge: Base64UrlString,
+    #[serde(rename = "pubKeyCredParams")]
+    pub params: Vec<Ctap2CredentialType>,
+    pub timeout: u32,
+    #[serde(rename = "excludeCredentials")]
+    pub exclude_credentials: Vec<Ctap2PublicKeyCredentialDescriptor>,
+    #[serde(rename = "authenticatorSelection")]
+    pub authenticator_selection: Option<AuthenticatorSelectionCriteria>,
+    pub hints: Vec<String>,
+    pub attestation: String,
+    #[serde(rename = "attestationFormats")]
+    pub attestation_formats: Vec<String>,
+    pub extensions: JsonObject,
+}

libwebauthn/src/ops/webauthn/get_assertion.rs

@@ -1,3 +1,5 @@
+use super::idl::WebAuthnIDL;
+
 use std::{collections::HashMap, time::Duration};
 
 use serde::{Deserialize, Serialize};
@@ -6,6 +8,11 @@ use tracing::{debug, error, trace};
 
 use crate::{
     fido::AuthenticatorData,
+    ops::webauthn::{
+        create::PublicKeyCredentialCreationOptionsJSON,
+        idl::{FromInnerModel, JsonError},
+        rpid::RelyingPartyId,
+    },
     pin::PinUvAuthProtocol,
     proto::ctap2::{
         Ctap2AttestationStatement, Ctap2GetAssertionResponseExtensions,

libwebauthn/src/ops/webauthn/idl.rs

@@ -0,0 +1,71 @@
+use base64_url;
+use serde::{de::DeserializeOwned, Deserialize, Serialize};
+use serde_json;
+
+use super::rpid::RelyingPartyId;
+
+pub type JsonError = serde_json::Error;
+
+pub trait WebAuthnIDL<E>: Sized
+where
+    E: std::error::Error, // Validation error type.
+    Self: FromInnerModel<Self::InnerModel, E>,
+{
+    /// An error type that can be returned when deserializing from JSON, including
+    /// JSON parsing errors and any additional validation errors.
+    type Error: std::error::Error + From<JsonError> + From<E>;
+
+    /// The JSON model that this IDL can deserialize from.
+    type InnerModel: DeserializeOwned;
+
+    fn from_json(rpid: &RelyingPartyId, json: &str) -> Result<Self, Self::Error> {
+        let inner_model: Self::InnerModel = serde_json::from_str(json)?;
+        Self::from_inner_model(rpid, inner_model).map_err(From::from)
+    }
+}
+
+pub trait FromInnerModel<T, E>: Sized
+where
+    T: DeserializeOwned,
+    E: std::error::Error,
+{
+    fn from_inner_model(rpid: &RelyingPartyId, inner: T) -> Result<Self, E>;
+}
+
+// TODO(afresta): Move to ctap2 module.
+#[derive(Debug, Clone)]
+pub struct Base64UrlString(pub Vec<u8>);
+
+impl<'de> Deserialize<'de> for Base64UrlString {
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where
+        D: serde::Deserializer<'de>,
+    {
+        let s: String = Deserialize::deserialize(deserializer)?;
+        base64_url::decode(&s)
+            .map_err(serde::de::Error::custom)
+            .map(|bytes| Base64UrlString(bytes))
+    }
+}
+
+impl Serialize for Base64UrlString {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: serde::Serializer,
+    {
+        let encoded = base64_url::encode(&self.0);
+        serializer.serialize_str(&encoded)
+    }
+}
+
+impl Into<Vec<u8>> for Base64UrlString {
+    fn into(self) -> Vec<u8> {
+        self.0
+    }
+}
+
+impl Base64UrlString {
+    pub fn as_slice(&self) -> &[u8] {
+        &self.0
+    }
+}

libwebauthn/src/ops/webauthn/make_credential.rs

@@ -7,6 +7,11 @@ use tracing::{debug, instrument, trace};
 
 use crate::{
     fido::AuthenticatorData,
+    ops::webauthn::{
+        create::{AuthenticatorSelectionCriteria, PublicKeyCredentialCreationOptionsJSON},
+        idl::{FromInnerModel, JsonError, WebAuthnIDL},
+        rpid::RelyingPartyId,
+    },
     proto::{
         ctap1::{Ctap1RegisteredKey, Ctap1Version},
         ctap2::{
@@ -149,10 +154,13 @@ impl MakeCredentialsResponseUnsignedExtensions {
     }
 }
 
-#[derive(Debug, Clone, Copy)]
+#[derive(Debug, Clone, Copy, Deserialize)]
 pub enum ResidentKeyRequirement {
+    #[serde(rename = "required")]
     Required,
+    #[serde(rename = "preferred")]
     Preferred,
+    #[serde(rename = "discouraged", other)]
     Discouraged,
 }
 
@@ -175,6 +183,68 @@ pub struct MakeCredentialRequest {
     pub timeout: Duration,
 }
 
+impl FromInnerModel<PublicKeyCredentialCreationOptionsJSON, MakeCredentialRequestParsingError>
+    for MakeCredentialRequest
+{
+    fn from_inner_model(
+        rpid: &RelyingPartyId,
+        inner: PublicKeyCredentialCreationOptionsJSON,
+    ) -> Result<Self, MakeCredentialRequestParsingError> {
+        let resident_key = if inner
+            .authenticator_selection
+            .as_ref()
+            .and_then(|s| Some(s.require_resident_key))
+            == Some(true)
+        {
+            Some(ResidentKeyRequirement::Required)
+        } else {
+            inner.authenticator_selection.and_then(|s| s.resident_key)
+        };
+
+        let user_verification = inner
+            .authenticator_selection
+            .map_or(UserVerificationRequirement::Discouraged, |s| {
+                s.user_verification
+            });
+
+        let exclude = match inner.exclude_credentials[..] {
+            [] => None,
+            _ => Some(inner.exclude_credentials),
+        };
+
+        let extensions = serde_json::from_value(serde_json::Value::Object(inner.extensions))
+            .map_err(MakeCredentialRequestParsingError::ExtensionError)?;
+
+        Ok(Self {
+            hash: inner.challenge.into(),
+            origin: rpid.as_str().to_owned(),
+            relying_party: inner.rp,
+            user: inner.user,
+            resident_key,
+            user_verification,
+            algorithms: inner.params,
+            exclude,
+            extensions,
+            timeout: Duration::from_secs(inner.timeout),
+        })
+    }
+}
+
+#[derive(thiserror::Error, Debug)]
+pub enum MakeCredentialRequestParsingError {
+    /// The client must throw an "EncodingError" DOMException.
+    #[error("Invalid JSON format: {0}")]
+    EncodingError(#[from] JsonError),
+
+    #[error("Invalid extension: {0}")]
+    ExtensionError(JsonError),
+}
+
+impl WebAuthnIDL<MakeCredentialRequestParsingError> for MakeCredentialRequest {
+    type Error = MakeCredentialRequestParsingError;
+    type InnerModel = PublicKeyCredentialCreationOptionsJSON;
+}
+
 #[derive(Debug, Default, Clone)]
 pub enum MakeCredentialHmacOrPrfInput {
     #[default]
@@ -315,10 +385,7 @@ impl DowngradableRequest<RegisterRequest> for MakeCredentialRequest {
         }
 
         // Options must not include "rk" set to true.
-        if matches!(
-            self.resident_key,
-            Some(ResidentKeyRequirement::Required)
-        ) {
+        if matches!(self.resident_key, Some(ResidentKeyRequirement::Required)) {
             debug!("Not downgradable: request requires resident key");
             return false;
         }

libwebauthn/src/ops/webauthn.rs renamed to libwebauthn/src/ops/webauthn/mod.rs

@@ -1,5 +1,8 @@
+mod create;
 mod get_assertion;
+pub(crate) mod idl;
 mod make_credential;
+mod rpid;
 
 use super::u2f::{RegisterRequest, SignRequest};
 use crate::webauthn::CtapError;
@@ -17,12 +20,16 @@ pub use make_credential::{
     MakeCredentialResponse, MakeCredentialsRequestExtensions, MakeCredentialsResponseExtensions,
     MakeCredentialsResponseUnsignedExtensions, ResidentKeyRequirement,
 };
+use serde::Deserialize;
 
-#[derive(Debug, Clone, Copy)]
+#[derive(Debug, Clone, Copy, Deserialize)]
 pub enum UserVerificationRequirement {
+    #[serde(rename = "required")]
     Required,
-    Preferred,
+    #[serde(rename = "discouraged")]
     Discouraged,
+    #[serde(rename = "preferred", other)]
+    Preferred,
 }
 
 impl UserVerificationRequirement {

libwebauthn/src/ops/webauthn/rpid.rs

@@ -0,0 +1,47 @@
+use serde::Deserialize;
+use std::convert::TryFrom;
+
+#[derive(Clone, Debug)]
+pub struct RelyingPartyId(pub String);
+
+impl Into<&str> for &RelyingPartyId {
+    fn into(self) -> &str {
+        self.0.as_str()
+    }
+}
+
+impl Into<String> for RelyingPartyId {
+    fn into(self) -> String {
+        self.0
+    }
+}
+
+#[derive(thiserror::Error, Debug, Clone)]
+// TODO(#137): Validate RelyingPartyId
+pub enum Error {
+    #[error("Empty Relying Party ID is not allowed")]
+    EmptyRelyingPartyId,
+}
+
+impl TryFrom<&str> for RelyingPartyId {
+    type Error = Error;
+
+    fn try_from(value: &str) -> Result<Self, Self::Error> {
+        // TODO(#137): Validate RelyingPartyId, including IDNA normalization
+        // and checking for valid characters.
+        match value {
+            "" => Err(Error::EmptyRelyingPartyId),
+            _ => Ok(RelyingPartyId(value.to_string())),
+        }
+    }
+}
+
+impl<'de> Deserialize<'de> for RelyingPartyId {
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where
+        D: serde::Deserializer<'de>,
+    {
+        let s = String::deserialize(deserializer)?;
+        RelyingPartyId::try_from(s.as_str()).map_err(serde::de::Error::custom)
+    }
+}

libwebauthn/src/proto/ctap2/model.rs

@@ -1,3 +1,4 @@
+use crate::ops::webauthn::idl::Base64UrlString;
 use crate::pin::PinUvAuthProtocol;
 use crate::proto::ctap1::Ctap1Transport;
 
@@ -145,7 +146,7 @@ impl From<&Ctap1Transport> for Ctap2Transport {
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Ctap2PublicKeyCredentialDescriptor {
-    pub id: ByteBuf,
+    pub id: Base64UrlString,
     pub r#type: Ctap2PublicKeyCredentialType,
 
     #[serde(skip_serializing_if = "Option::is_none")]