
Support for additional extensions

Open MichaelGrafnetter opened this issue 5 years ago • 3 comments

Hello, I would like to ask whether the following extensions are supported by this library:

extensions:
{
    "hmacCreateSecret": true,
    "credentialProtectionPolicy": "userVerificationOptional"
}

Is there any sample code available for reading/writing these extensions, please? I am trying to exactly mimic the behavior of login.microsoft.com.

MichaelGrafnetter avatar Oct 13 '20 07:10 MichaelGrafnetter

Adding this type of stuff has long been on my list of things to do. Check https://webauthntest.azurewebsites.net and the code behind it, https://github.com/microsoft/webauthntest. Those particular extensions are very different from the small handful of extensions that are actually functional today in this library.

aseigler avatar Oct 14 '20 12:10 aseigler

In the meantime, I have implemented those extensions by deriving from Fido2.Model classes in my project. Feel free to integrate it into the base classes, after some code review:

using Newtonsoft.Json;
using Newtonsoft.Json.Converters;
using System.Runtime.Serialization;

/// <summary>
/// Defines the credential protection policy.
/// </summary>
[JsonConverter(typeof(StringEnumConverter))]
public enum UserVerification
{
    /// <summary>
    /// This reflects "FIDO_2_0" semantics. In this configuration, user verification is optional with or without credentialID list. This is the default state of the credential if the extension is not specified and the authenticator does not report a defaultCredProtect value in the authenticatorGetInfo response.
    /// </summary>
    [EnumMember(Value = "userVerificationOptional")]
    Optional,

    /// <summary>
    /// In this configuration, credential is discovered only when its credentialID is provided by the platform or when user verification is performed.
    /// </summary>
    [EnumMember(Value = "userVerificationOptionalWithCredentialIDList")]
    OptionalWithCredentialIDList,

    /// <summary>
    /// This reflects that discovery and usage of the credential MUST be preceded by user verification.
    /// </summary>
    [EnumMember(Value = "userVerificationRequired")]
    Required
}

public class WinExtensionsIn : Fido2NetLib.Objects.AuthenticationExtensionsClientInputs
{
    private bool _enforceCredProtect;
    private bool _hmacSecret;

    /// <summary>
    /// This extension is used by the platform to retrieve a symmetric secret from the authenticator when it needs to encrypt or decrypt data using that symmetric secret. This symmetric secret is scoped to a credential. The authenticator and the platform each only have the part of the complete secret to prevent offline attacks. This extension can be used to maintain different secrets on different machines.
    /// https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#sctn-hmac-secret-extension
    /// </summary>
    [JsonProperty("hmacCreateSecret", NullValueHandling = NullValueHandling.Ignore)]
    public bool? HmacSecret
    {
        get
        {
            // Treat false as null, so that it is not serialized.
            return _hmacSecret ? true : (bool?)null;
        }
        set
        {
            _hmacSecret = (value == true);
        }
    }

    /// <summary>
    /// This extension indicates that the authenticator supports enhanced protection mode for the credentials created on the authenticator.
    /// If present, verify that the credentialProtectionPolicy value is one of the following values: userVerificationOptional, userVerificationOptionalWithCredentialIDList, userVerificationRequired
    /// https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#sctn-credProtect-extension
    /// </summary>
    [JsonProperty("credentialProtectionPolicy", NullValueHandling = NullValueHandling.Ignore)]
    public UserVerification? CredProtect { get; set; }

    /// <summary>
    /// Controls whether it is better to fail to create a credential rather than ignore the protection policy. When enforceCredentialProtectionPolicy is true, and credentialProtectionPolicy is either userVerificationOptionalWithCredentialIDList or userVerificationRequired, the platform SHOULD NOT create the credential in a way that does not implement the requested protection policy.
    /// https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#sctn-credProtect-extension
    /// </summary>
    [JsonProperty("enforceCredentialProtectionPolicy", NullValueHandling = NullValueHandling.Ignore)]
    public bool? EnforceCredProtect
    {
        get
        {
            // Treat false as null, so that it is not serialized.
            // Must read the enforce flag, not the hmac-secret flag.
            return _enforceCredProtect ? true : (bool?)null;
        }
        set
        {
            _enforceCredProtect = (value == true);
        }
    }
}

public class WinExtensionsOut : Fido2NetLib.Objects.AuthenticationExtensionsClientOutputs
{
    private bool _hmacSecret;

    /// <summary>
    /// This extension is used by the platform to retrieve a symmetric secret from the authenticator when it needs to encrypt or decrypt data using that symmetric secret. This symmetric secret is scoped to a credential. The authenticator and the platform each only have the part of the complete secret to prevent offline attacks. This extension can be used to maintain different secrets on different machines.
    /// https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#sctn-hmac-secret-extension
    /// </summary>
    [JsonProperty("hmacCreateSecret", NullValueHandling = NullValueHandling.Ignore)]
    public bool? HmacSecret
    {
        get
        {
            // Treat false as null, so that it is not serialized.
            return _hmacSecret ? true : (bool?)null;
        }
        set
        {
            _hmacSecret = (value == true);
        }
    }

    /// <summary>
    /// This extension indicates that the authenticator supports enhanced protection mode for the credentials created on the authenticator.
    /// If present, verify that the credentialProtectionPolicy value is one of the following values: userVerificationOptional, userVerificationOptionalWithCredentialIDList, userVerificationRequired
    /// https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#sctn-credProtect-extension
    /// </summary>
    [JsonProperty("credentialProtectionPolicy", NullValueHandling = NullValueHandling.Ignore)]
    public UserVerification? CredProtect { get; set; }
}

MichaelGrafnetter avatar Oct 14 '20 12:10 MichaelGrafnetter
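A relying-party-side check that goes with the classes in the comment above, added here as an example (not code from the issue or from fido2-net-lib). It assumes the `UserVerification`, `WinExtensionsIn` and `WinExtensionsOut` types from that comment are compiled into the same project; `CredProtectPolicyCheck` and `SatisfiesRequestedPolicy` are hypothetical names chosen for this example.

```csharp
using System;
using Newtonsoft.Json;

// Added example: verifies that the credProtect policy reported for a newly
// registered credential is at least as strict as the policy the RP requested.
public static class CredProtectPolicyCheck
{
    // Higher rank means stricter protection (ordering follows the CTAP 2.1 credProtect levels).
    private static int Rank(UserVerification policy) => policy switch
    {
        UserVerification.Optional => 0,
        UserVerification.OptionalWithCredentialIDList => 1,
        UserVerification.Required => 2,
        _ => throw new ArgumentOutOfRangeException(nameof(policy))
    };

    // Returns true when the reported policy satisfies the requested one.
    // If the RP asked for enforcement and no policy came back, the registration is
    // rejected, because the credential may have been created without the protection.
    public static bool SatisfiesRequestedPolicy(WinExtensionsIn requested, WinExtensionsOut reported)
    {
        if (requested.CredProtect is null)
            return true; // nothing was requested, so there is nothing to enforce

        bool enforce = requested.EnforceCredProtect == true;
        if (reported.CredProtect is null)
            return !enforce; // no policy reported is only acceptable when enforcement was off

        return Rank(reported.CredProtect.Value) >= Rank(requested.CredProtect.Value);
    }

    public static void Main()
    {
        // What the RP sends in PublicKeyCredentialCreationOptions.extensions.
        var requested = new WinExtensionsIn
        {
            CredProtect = UserVerification.Required,
            EnforceCredProtect = true
        };
        Console.WriteLine(JsonConvert.SerializeObject(requested));

        // Constructed sample of clientExtensionResults reporting a weaker policy than requested.
        const string clientExtensionResultsJson =
            "{\"credentialProtectionPolicy\":\"userVerificationOptional\"}";
        var reported = JsonConvert.DeserializeObject<WinExtensionsOut>(clientExtensionResultsJson);

        if (!SatisfiesRequestedPolicy(requested, reported))
            Console.WriteLine("Rejecting registration: credProtect policy was downgraded.");
    }
}
```

The client extension output is only what the browser reports; for an authoritative answer, also read the `credProtect` entry in the authenticator data extensions of the attestation object, which is what the authenticator itself signed.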

@aseigler any chance this could be added? I believe hmac-secret is not meant for web directly, and PRF (https://github.com/passwordless-lib/fido2-net-lib/pull/390) should be used instead.

But the credProtect extension has hardware support and would be useful to me.

dbeinder avatar Jun 30 '23 12:06 dbeinder