feat: add support for credProps.rk extension

bitwarden · Apr 3, 2024 · 827766a · 827766a
1 parent 856a084
commit 827766a
Show file tree

Hide file tree

Showing 8 changed files with 136 additions and 14 deletions.
diff --git a/src/Core/Services/Fido2ClientService.cs b/src/Core/Services/Fido2ClientService.cs
@@ -4,6 +4,7 @@
 using Bit.Core.Enums;
 using Bit.Core.Utilities;
 using Bit.Core.Utilities.Fido2;
+using Bit.Core.Utilities.Fido2.Extensions;
 
 namespace Bit.Core.Services
 {
@@ -124,6 +125,15 @@ public async Task<Fido2ClientCreateCredentialResult> CreateCredentialAsync(Fido2
             {
                 var makeCredentialResult = await _fido2AuthenticatorService.MakeCredentialAsync(makeCredentialParams, _makeCredentialUserInterface);
 
+                Fido2CredPropsResult credProps = null;
+                if (createCredentialParams.Extensions?.CredProps == true)
+                {
+                    credProps = new Fido2CredPropsResult
+                    {
+                        Rk = makeCredentialParams.RequireResidentKey
+                    };
+                }
+
                 return new Fido2ClientCreateCredentialResult
                 {
                     CredentialId = makeCredentialResult.CredentialId,
@@ -132,7 +142,11 @@ public async Task<Fido2ClientCreateCredentialResult> CreateCredentialAsync(Fido2
                     ClientDataJSON = clientDataJSONBytes,
                     PublicKey = makeCredentialResult.PublicKey,
                     PublicKeyAlgorithm = makeCredentialResult.PublicKeyAlgorithm,
-                    Transports = createCredentialParams.Rp.Id == "google.com" ? new string[] { "internal", "usb" } : new string[] { "internal" } // workaround for a bug on Google's side
+                    Transports = createCredentialParams.Rp.Id == "google.com" ? new string[] { "internal", "usb" } : new string[] { "internal" }, // workaround for a bug on Google's side
+                    Extensions = new Fido2CreateCredentialExtensionsResult
+                    {
+                        CredProps = credProps
+                    }
                 };
             }
             catch (InvalidStateError)
@@ -249,7 +263,8 @@ public async Task<Fido2ClientAssertCredentialResult> AssertCredentialAsync(Fido2
             Fido2ClientAssertCredentialParams assertCredentialParams,
             byte[] cliendDataHash)
         {
-            return new Fido2AuthenticatorGetAssertionParams {
+            return new Fido2AuthenticatorGetAssertionParams
+            {
                 RpId = assertCredentialParams.RpId,
                 Challenge = assertCredentialParams.Challenge,
                 AllowCredentialDescriptorList = assertCredentialParams.AllowCredentials,

diff --git a/src/Core/Utilities/Fido2/Extensions/Fido2CreateCredentialExtensionsParams.cs b/src/Core/Utilities/Fido2/Extensions/Fido2CreateCredentialExtensionsParams.cs
@@ -0,0 +1,9 @@
+namespace Bit.Core.Utilities.Fido2.Extensions
+{
+#nullable enable
+
+    public class Fido2CreateCredentialExtensionsParams
+    {
+        public bool CredProps { get; set; } = false;
+    }
+}
diff --git a/src/Core/Utilities/Fido2/Extensions/Fido2CreateCredentialExtensionsResult.cs b/src/Core/Utilities/Fido2/Extensions/Fido2CreateCredentialExtensionsResult.cs
@@ -0,0 +1,9 @@
+namespace Bit.Core.Utilities.Fido2.Extensions
+{
+#nullable enable
+
+    public class Fido2CreateCredentialExtensionsResult
+    {
+        public Fido2CredPropsResult? CredProps { get; set; }
+    }
+}
diff --git a/src/Core/Utilities/Fido2/Extensions/Fido2CredPropsResult.cs b/src/Core/Utilities/Fido2/Extensions/Fido2CredPropsResult.cs
@@ -0,0 +1,9 @@
+namespace Bit.Core.Utilities.Fido2.Extensions
+{
+#nullable enable
+
+    public class Fido2CredPropsResult
+    {
+        public bool? Rk { get; set; } = false;
+    }
+}
diff --git a/src/Core/Utilities/Fido2/Fido2AuthenticatorMakeCredentialParams.cs b/src/Core/Utilities/Fido2/Fido2AuthenticatorMakeCredentialParams.cs
@@ -36,7 +36,7 @@ public class Fido2AuthenticatorMakeCredentialParams
         /// The effective user verification preference for assertion, provided by the client.
         /// </summary>
         public Fido2UserVerificationPreference UserVerificationPreference { get; set; }
-        
+
         /// <summary>
         /// CTAP2 authenticators support setting this to false, but we only support the WebAuthn authenticator model which does not have that option.
         /// </summary>

diff --git a/src/Core/Utilities/Fido2/Fido2ClientCreateCredentialParams.cs b/src/Core/Utilities/Fido2/Fido2ClientCreateCredentialParams.cs
@@ -1,6 +1,8 @@
+using Bit.Core.Utilities.Fido2.Extensions;
+
 namespace Bit.Core.Utilities.Fido2
 {
-    #nullable enable
+#nullable enable
 
     /// <summary>
     /// Parameters for creating a new credential.
@@ -42,9 +44,8 @@ public class Fido2ClientCreateCredentialParams
 
         /// <summary>
         /// This member contains additional parameters requesting additional processing by the client and authenticator.
-        /// Not currently supported.
         /// </summary>
-        public object? Extensions { get; set; }
+        public Fido2CreateCredentialExtensionsParams? Extensions { get; set; }
 
         /// <summary>
         /// This member contains information about the desired properties of the credential to be created.

diff --git a/src/Core/Utilities/Fido2/Fido2ClientCreateCredentialResult.cs b/src/Core/Utilities/Fido2/Fido2ClientCreateCredentialResult.cs
@@ -1,3 +1,5 @@
+using Bit.Core.Utilities.Fido2.Extensions;
+
 namespace Bit.Core.Utilities.Fido2
 {
     /// <summary>
@@ -15,5 +17,6 @@ public class Fido2ClientCreateCredentialResult
         public byte[] PublicKey { get; set; }
         public int PublicKeyAlgorithm { get; set; }
         public string[] Transports { get; set; }
+        public Fido2CreateCredentialExtensionsResult Extensions { get; set; }
     }
 }
diff --git a/test/Core.Test/Services/Fido2ClientCreateCredentialTests.cs b/test/Core.Test/Services/Fido2ClientCreateCredentialTests.cs
@@ -8,6 +8,7 @@
 using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Bit.Core.Utilities.Fido2;
+using Bit.Core.Utilities.Fido2.Extensions;
 using Bit.Test.Common.AutoFixture;
 using NSubstitute;
 using NSubstitute.ExceptionExtensions;
@@ -20,6 +21,7 @@ public class Fido2ClientCreateCredentialTests : IDisposable
         private readonly SutProvider<Fido2ClientService> _sutProvider = new SutProvider<Fido2ClientService>().Create();
 
         private Fido2ClientCreateCredentialParams _params;
+        private Fido2AuthenticatorMakeCredentialResult _authenticatorResult;
 
         public Fido2ClientCreateCredentialTests()
         {
@@ -37,22 +39,33 @@ public Fido2ClientCreateCredentialTests()
                         Alg = (int) Fido2AlgorithmIdentifier.ES256
                     }
                 },
-                Rp = new PublicKeyCredentialRpEntity {
+                Rp = new PublicKeyCredentialRpEntity
+                {
                     Id = "bitwarden.com",
                     Name = "Bitwarden"
                 },
-                User = new PublicKeyCredentialUserEntity {
+                User = new PublicKeyCredentialUserEntity
+                {
                     Id = RandomBytes(32),
                     Name = "user@bitwarden.com",
                     DisplayName = "User"
                 }
             };
 
+            _authenticatorResult = new Fido2AuthenticatorMakeCredentialResult
+            {
+                CredentialId = RandomBytes(32),
+                AttestationObject = RandomBytes(32),
+                AuthData = RandomBytes(32),
+                PublicKey = RandomBytes(32),
+                PublicKeyAlgorithm = (int)Fido2AlgorithmIdentifier.ES256,
+            };
+
             _sutProvider.GetDependency<IStateService>().GetAutofillBlacklistedUrisAsync().Returns(Task.FromResult(new List<string>()));
             _sutProvider.GetDependency<IStateService>().IsAuthenticatedAsync().Returns(true);
         }
 
-        public void Dispose() 
+        public void Dispose()
         {
         }
 
@@ -69,7 +82,7 @@ public async Task CreateCredentialAsync_ThrowsNotAllowedError_SameOriginWithAnce
             // Assert
             Assert.Equal(Fido2ClientException.ErrorCode.NotAllowedError, exception.Code);
         }
-        
+
         [Fact]
         // Spec: If the length of options.user.id is not between 1 and 64 bytes (inclusive) then return a TypeError.
         public async Task CreateCredentialAsync_ThrowsTypeError_UserIdIsTooSmall()
@@ -198,16 +211,18 @@ public async Task CreateCredentialAsync_ThrowsNotSupportedError_CredTypesAndPubK
         public async Task CreateCredentialAsync_ReturnsNewCredential()
         {
             // Arrange
-            _params.AuthenticatorSelection = new AuthenticatorSelectionCriteria {
+            _params.AuthenticatorSelection = new AuthenticatorSelectionCriteria
+            {
                 ResidentKey = "required",
                 UserVerification = "required"
             };
-            var authenticatorResult = new Fido2AuthenticatorMakeCredentialResult {
+            var authenticatorResult = new Fido2AuthenticatorMakeCredentialResult
+            {
                 CredentialId = RandomBytes(32),
                 AttestationObject = RandomBytes(32),
                 AuthData = RandomBytes(32),
                 PublicKey = RandomBytes(32),
-                PublicKeyAlgorithm = (int) Fido2AlgorithmIdentifier.ES256,
+                PublicKeyAlgorithm = (int)Fido2AlgorithmIdentifier.ES256,
             };
             _sutProvider.GetDependency<IFido2AuthenticatorService>()
                 .MakeCredentialAsync(Arg.Any<Fido2AuthenticatorMakeCredentialParams>(), _sutProvider.GetDependency<IFido2MakeCredentialUserInterface>())
@@ -246,7 +261,8 @@ await _sutProvider.GetDependency<IFido2AuthenticatorService>()
         public async Task CreateCredentialAsync_ThrowsInvalidStateError_AuthenticatorThrowsInvalidStateError()
         {
             // Arrange
-            _params.AuthenticatorSelection = new AuthenticatorSelectionCriteria {
+            _params.AuthenticatorSelection = new AuthenticatorSelectionCriteria
+            {
                 ResidentKey = "required",
                 UserVerification = "required"
             };
@@ -304,6 +320,66 @@ public async Task CreateCredentialAsync_ThrowsNotAllowedError_OriginIsBitwardenV
             Assert.Equal(Fido2ClientException.ErrorCode.NotAllowedError, exception.Code);
         }
 
+        [Fact]
+        public async Task CreateCredentialAsync_ReturnsCredPropsRkTrue_WhenCreatingDiscoverableCredential()
+        {
+            // Arrange
+            _params.AuthenticatorSelection = new AuthenticatorSelectionCriteria
+            {
+                ResidentKey = "required"
+            };
+            _params.Extensions = new Fido2CreateCredentialExtensionsParams { CredProps = true };
+            _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .MakeCredentialAsync(Arg.Any<Fido2AuthenticatorMakeCredentialParams>(), _sutProvider.GetDependency<IFido2MakeCredentialUserInterface>())
+                .Returns(_authenticatorResult);
+
+            // Act
+            var result = await _sutProvider.Sut.CreateCredentialAsync(_params);
+
+            // Assert
+            Assert.True(result.Extensions.CredProps?.Rk);
+        }
+
+        [Fact]
+        public async Task CreateCredentialAsync_ReturnsCredPropsRkFalse_WhenCreatingNonDiscoverableCredential()
+        {
+            // Arrange
+            _params.AuthenticatorSelection = new AuthenticatorSelectionCriteria
+            {
+                ResidentKey = "discouraged"
+            };
+            _params.Extensions = new Fido2CreateCredentialExtensionsParams { CredProps = true };
+            _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .MakeCredentialAsync(Arg.Any<Fido2AuthenticatorMakeCredentialParams>(), _sutProvider.GetDependency<IFido2MakeCredentialUserInterface>())
+                .Returns(_authenticatorResult);
+
+            // Act
+            var result = await _sutProvider.Sut.CreateCredentialAsync(_params);
+
+            // Assert
+            Assert.False(result.Extensions.CredProps?.Rk);
+        }
+
+        [Fact]
+        public async Task CreateCredentialAsync_ReturnsCredPropsUndefined_WhenExtensionIsNotRequested()
+        {
+            // Arrange
+            _params.AuthenticatorSelection = new AuthenticatorSelectionCriteria
+            {
+                ResidentKey = "required"
+            };
+            _params.Extensions = new Fido2CreateCredentialExtensionsParams();
+            _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .MakeCredentialAsync(Arg.Any<Fido2AuthenticatorMakeCredentialParams>(), _sutProvider.GetDependency<IFido2MakeCredentialUserInterface>())
+                .Returns(_authenticatorResult);
+
+            // Act
+            var result = await _sutProvider.Sut.CreateCredentialAsync(_params);
+
+            // Assert
+            Assert.Null(result.Extensions.CredProps);
+        }
+
         private byte[] RandomBytes(int length)
         {
             var bytes = new byte[length];