go-webauthn · james-d-elliott · Jul 17, 2024 · Apr 28, 2024 · May 1, 2024 · May 14, 2024
@@ -290,10 +290,56 @@ func main() {
 }
 ```
 
+## Credential Record
+
+The WebAuthn Level 3 specification describes the Credential Record which includes several required and optional elements
+that you should store for. See [§ 4 Terminology](https://www.w3.org/TR/webauthn-3/#credential-record) for details.
+
+This section describes this element. 
+
+The fields listed in the specification have corresponding fields in the [webauthn.Credential] struct. See the below
+table for more information. We also include JSON mappings for those that wish to just store these values as JSON.
+
+|    Specification Field    |       Library Field        |         JSON Field         |                                           Notes                                           |
+|:-------------------------:|:--------------------------:|:--------------------------:|:-----------------------------------------------------------------------------------------:|
+|           type            |            N/A             |            N/A             |                       This field is always `publicKey` for WebAuthn                       |
+|            id             |             ID             |             id             |                                                                                           |
+|         publicKey         |         PublicKey          |         publicKey          |                                                                                           |
+|         signCount         |  Authenticator.SignCount   |  authenticator.signCount   |                                                                                           |
+|        transports         |         Transport          |         transport          |                                                                                           |
+|       uvInitialized       |     Flags.UserVerified     |     flags.userVerified     |                                                                                           |
+|      backupEligible       |    Flags.BackupEligible    |    flags.backupEligible    |                                                                                           |
+|        backupState        |     Flags.BackupState      |     flags.backupState      |                                                                                           |
+|     attestationObject     |     Attestation.Object     |     attestation.object     | This field is a composite of the attestationObject and the relevant values to validate it |
+| attestationClientDataJSON | Attestation.ClientDataJSON | attestation.clientDataJSON |                                                                                           |
+
+### Storage
+
+It is also important to note that restoring the [webauthn.Credential] with the correct values will likely affect the
+validity of the [webauthn.Credential], i.e. if some values are not restored the [webauthn.Credential] may fail
+validation in this scenario.
+
+### Verification
+
+As long as the [webauthn.Credential] struct has exactly the same values when restored the [Credential Verify] function 
+can be leveraged to verify the credential against the [metadata.Provider]. This can be either done during registration,
+on every login, or with a audit schedule.
+
+In addition to using the [Credential Verify] function the 
+[webauthn.Config](https://pkg.go.dev/github.com/go-webauthn/webauthn/webauthn#Config) can contain a provider which will
+process all registrations automatically.
+
+At this time no tooling exists to verify the credential automatically outside the registration flow. Implementation of
+this is considered domain logic and beyond the scope of what we provide documentation for; we just provide the necessary
+tooling to implement this yourself.
+
 ## Acknowledgements
 
 We graciously acknowledge the original authors of this library [github.com/duo-labs/webauthn] for their amazing
 implementation. Without their amazing work this library could not exist.
 
 
 [github.com/duo-labs/webauthn]: https://github.com/duo-labs/webauthn
+[webauthn.Credential]: https://pkg.go.dev/github.com/go-webauthn/webauthn/webauthn#Credential
+[metadata.Provider]: https://pkg.go.dev/github.com/go-webauthn/webauthn/metadata#Provider
+[Credential Verify]: https://pkg.go.dev/github.com/go-webauthn/webauthn/webauthn#Credential.Verify
@@ -0,0 +1,35 @@
+package metadata
+
+const (
+	// https://secure.globalsign.com/cacert/root-r3.crt
+	ProductionMDSRoot = "MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsTgHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmmKPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zdQQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZXriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+oLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZURUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMpjjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQXmcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecsMx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpHWD9f"
+
+	// Production MDS URL
+	ProductionMDSURL = "https://mds.fidoalliance.org"
+
+	// https://mds3.fido.tools/pki/MDS3ROOT.crt
+	ConformanceMDSRoot = "MIICaDCCAe6gAwIBAgIPBCqih0DiJLW7+UHXx/o1MAoGCCqGSM49BAMDMGcxCzAJBgNVBAYTAlVTMRYwFAYDVQQKDA1GSURPIEFsbGlhbmNlMScwJQYDVQQLDB5GQUtFIE1ldGFkYXRhIDMgQkxPQiBST09UIEZBS0UxFzAVBgNVBAMMDkZBS0UgUm9vdCBGQUtFMB4XDTE3MDIwMTAwMDAwMFoXDTQ1MDEzMTIzNTk1OVowZzELMAkGA1UEBhMCVVMxFjAUBgNVBAoMDUZJRE8gQWxsaWFuY2UxJzAlBgNVBAsMHkZBS0UgTWV0YWRhdGEgMyBCTE9CIFJPT1QgRkFLRTEXMBUGA1UEAwwORkFLRSBSb290IEZBS0UwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASKYiz3YltC6+lmxhPKwA1WFZlIqnX8yL5RybSLTKFAPEQeTD9O6mOz+tg8wcSdnVxHzwnXiQKJwhrav70rKc2ierQi/4QUrdsPes8TEirZOkCVJurpDFbXZOgs++pa4XmjYDBeMAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQGcfeCs0Y8D+lh6U5B2xSrR74eHTAfBgNVHSMEGDAWgBQGcfeCs0Y8D+lh6U5B2xSrR74eHTAKBggqhkjOPQQDAwNoADBlAjEA/xFsgri0xubSa3y3v5ormpPqCwfqn9s0MLBAtzCIgxQ/zkzPKctkiwoPtDzI51KnAjAmeMygX2S5Ht8+e+EQnezLJBJXtnkRWY+Zt491wgt/AwSs5PHHMv5QgjELOuMxQBc="
+
+	// Example from https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html
+	ExampleMDSRoot = "MIIGGTCCBAGgAwIBAgIUdT9qLX0sVMRe8l0sLmHd3mZovQ0wDQYJKoZIhvcNAQELBQAwgZsxHzAdBgNVBAMMFkVYQU1QTEUgTURTMyBURVNUIFJPT1QxIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVAZXhhbXBsZS5jb20xFDASBgNVBAoMC0V4YW1wbGUgT1JHMRAwDgYDVQQLDAdFeGFtcGxlMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTVkxEjAQBgNVBAcMCVdha2VmaWVsZDAeFw0yMTA0MTkxMTM1MDdaFw00ODA5MDQxMTM1MDdaMIGbMR8wHQYDVQQDDBZFWEFNUExFIE1EUzMgVEVTVCBST09UMSIwIAYJKoZIhvcNAQkBFhNleGFtcGxlQGV4YW1wbGUuY29tMRQwEgYDVQQKDAtFeGFtcGxlIE9SRzEQMA4GA1UECwwHRXhhbXBsZTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1ZMRIwEAYDVQQHDAlXYWtlZmllbGQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDDjF5wyEWuhwDHsZosGdGFTCcI677rW881vV+UfW38J+K2ioFFNeGVsxbcebK6AVOiCDPFj0974IpeD9SFOhwAHoDu/LCfXdQWp8ZgQ91ULYWoW8o7NNSp01nbN9zmaO6/xKNCa0bzjmXoGqglqnP1AtRcWYvXOSKZy1rcPeDv4Dhcpdp6W72fBw0eWIqOhsrItuY2/N8ItBPiG03EX72nACq4nZJ/nAIcUbER8STSFPPzvE97TvShsi1FD8aO6l1WkR/QkreAGjMI++GbB2Qc1nN9Y/VEDbMDhQtxXQRdpFwubTjejkN9hKOtF3B71YrwIrng3V9RoPMFdapWMzSlI+WWHog0oTj1PqwJDDg7+z1I6vSDeVWAMKr9mq1w1OGNzgBopIjd9lRWkRtt2kQSPX9XxqS4E1gDDr8MKbpM3JuubQtNCg9D7Ljvbz6vwvUrbPHH+oREvucsp0PZ5PpizloepGIcLFxDQqCulGY2n7Ahl0JOFXJqOFCaK3TWHwBvZsaY5DgBuUvdUrwtgZNg2eg2omWXEepiVFQn3Fvj43Wh2npPMgIe5P0rwncXvROxaczd4rtajKS1ucoB9b9iKqM2+M1y/FDIgVf1fWEHwK7YdzxMlgOeLdeV/kqRU5PEUlLU9a2EwdOErrPbPKZmIfbs/L4B3k4zejMDH3Y+ZwIDAQABo1MwUTAdBgNVHQ4EFgQU8sWwq1TrurK7xMTwO1dKfeJBbCMwHwYDVR0jBBgwFoAU8sWwq1TrurK7xMTwO1dKfeJBbCMwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAFw6M1PiIfCPIBQ5EBUPNmRvRFuDpolOmDofnf/+mv63LqwQZAdo/W8tzZ9kOFhq24SiLw0H7fsdG/jeREXiIZMNoW/rA6Uac8sU+FYF7Q+qp6CQLlSQbDcpVMifTQjcBk2xh+aLK9SrrXBqnTAhwS+offGtAW8DpoLuH4tAcQmIjlgMlN65jnELCuqNR/wpA+zch8LZW8saQ2cwRCwdr8mAzZoLbsDSVCHxQF3/kQjPT7Nao1q2iWcY3OYcRmKrieHDP67yeLUbVmetfZis2d6ZlkqHLB4ZW1xX4otsEFkuTJA3HWDRsNyhTwx1YoCLsYut5Zp0myqPNBq28w6qGMyyoJN0Z4RzMEO3R6i/MQNfhK55/8O2HciM6xb5t/aBSuHPKlBDrFWhpRnKYkaNtlUo35qV5IbKGKau3SdZdSRciaXUd/p81YmoF01UlhhMz/Rqr1k2gyA0a9tF8+awCeanYt5izl8YO0FlrOU1SQ5UQw4szqqZqbrf4e8fRuU2TXNx4zk+ImE7WRB44f6mSD746ZCBRogZ/SA5jUBu+OPe4/sEtERWRcQD+fXgce9ZEN0+peyJIKAsl5Rm2Bmgyg5IoyWwSG5W+WekGyEokpslou2Yc6EjUj5ndZWz5EiHAiQ74hNfDoCZIxVVLU3Qbp8a0S1bmsoT2JOsspIbtZUg="
+)
+
+const (
+	HeaderX509URI         = "x5u"
+	HeaderX509Certificate = "x5c"
+)
+
+var (
+	errIntermediateCertRevoked = &MetadataError{
+		Type:    "intermediate_revoked",
+		Details: "Intermediate certificate is on issuers revocation list",
+	}
+	errLeafCertRevoked = &MetadataError{
+		Type:    "leaf_revoked",
+		Details: "Leaf certificate is on issuers revocation list",
+	}
+	errCRLUnavailable = &MetadataError{
+		Type:    "crl_unavailable",
+		Details: "Certificate revocation list is unavailable",
+	}
+)
@@ -0,0 +1,276 @@
+package metadata
+
+import (
+	"crypto/x509"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/go-webauthn/x/revoke"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/mitchellh/mapstructure"
+)
+
+// NewDecoder returns a new metadata decoder.
+func NewDecoder(opts ...DecoderOption) (decoder *Decoder, err error) {
+	decoder = &Decoder{
+		client: &http.Client{},
+		parser: jwt.NewParser(),
+		hook:   mapstructure.ComposeDecodeHookFunc(),
+	}
+
+	for _, opt := range opts {
+		if err = opt(decoder); err != nil {
+			return nil, fmt.Errorf("failed to apply decoder option: %w", err)
+		}
+	}
+
+	if decoder.root == "" {
+		decoder.root = ProductionMDSRoot
+	}
+
+	return decoder, nil
+}
+
+// Decoder handles decoding and specialized parsing of the metadata blob.
+type Decoder struct {
+	client                   *http.Client
+	parser                   *jwt.Parser
+	hook                     mapstructure.DecodeHookFunc
+	root                     string
+	ignoreEntryParsingErrors bool
+}
+
+// Parse handles parsing of the raw JSON values of the metadata blob. Should be used after using Decode or DecodeBytes.
+func (d *Decoder) Parse(payload *PayloadJSON) (metadata *Metadata, err error) {
+	metadata = &Metadata{
+		Parsed: Parsed{
+			LegalHeader: payload.LegalHeader,
+			Number:      payload.Number,
+		},
+	}
+
+	if metadata.Parsed.NextUpdate, err = time.Parse(time.DateOnly, payload.NextUpdate); err != nil {
+		return nil, fmt.Errorf("error occurred parsing next update value '%s': %w", payload.NextUpdate, err)
+	}
+
+	var parsed Entry
+
+	for _, entry := range payload.Entries {
+		if parsed, err = entry.Parse(); err != nil {
+			metadata.Unparsed = append(metadata.Unparsed, EntryError{
+				Error:     err,
+				EntryJSON: entry,
+			})
+
+			continue
+		}
+
+		metadata.Parsed.Entries = append(metadata.Parsed.Entries, parsed)
+	}
+
+	if n := len(metadata.Unparsed); n != 0 && !d.ignoreEntryParsingErrors {
+		return metadata, fmt.Errorf("error occurred parsing metadata: %d entries had errors during parsing", n)
+	}
+
+	return metadata, nil
+}
+
+// Decode the blob from an io.ReadCloser. This function will close the io.ReadCloser after completing.
+func (d *Decoder) Decode(r io.ReadCloser) (payload *PayloadJSON, err error) {
+	defer r.Close()
+
+	bytes, err := io.ReadAll(r)
+	if err != nil {
+		return nil, err
+	}
+
+	return d.DecodeBytes(bytes)
+}
+
+// DecodeBytes handles decoding raw bytes. If you have a read closer it's suggested to use Decode.
+func (d *Decoder) DecodeBytes(bytes []byte) (payload *PayloadJSON, err error) {
+	var token *jwt.Token
+
+	if token, err = d.parser.Parse(string(bytes), func(token *jwt.Token) (any, error) {
+		// 2. If the x5u attribute is present in the JWT Header, then
+		if _, ok := token.Header[HeaderX509URI].([]any); ok {
+			// never seen an x5u here, although it is in the spec
+			return nil, errors.New("x5u encountered in header of metadata TOC payload")
+		}
+
+		// 3. If the x5u attribute is missing, the chain should be retrieved from the x5c attribute.
+		var (
+			x5c, chain []any
+			ok, valid  bool
+		)
+
+		if x5c, ok = token.Header[HeaderX509Certificate].([]any); !ok {
+			// If that attribute is missing as well, Metadata TOC signing trust anchor is considered the TOC signing certificate chain.
+			chain[0] = d.root
+		} else {
+			chain = x5c
+		}
+
+		// The certificate chain MUST be verified to properly chain to the metadata TOC signing trust anchor.
+		if valid, err = validateChain(d.root, chain); !valid || err != nil {
+			return nil, err
+		}
+
+		// Chain validated, extract the TOC signing certificate from the chain. Create a buffer large enough to hold the
+		// certificate bytes.
+		o := make([]byte, base64.StdEncoding.DecodedLen(len(chain[0].(string))))
+
+		var (
+			n    int
+			cert *x509.Certificate
+		)
+
+		// Decode the base64 certificate into the buffer.
+		if n, err = base64.StdEncoding.Decode(o, []byte(chain[0].(string))); err != nil {
+			return nil, err
+		}
+
+		// Parse the certificate from the buffer.
+		if cert, err = x509.ParseCertificate(o[:n]); err != nil {
+			return nil, err
+		}
+
+		// 4. Verify the signature of the Metadata TOC object using the TOC signing certificate chain
+		// jwt.Parse() uses the TOC signing certificate public key internally to verify the signature.
+		return cert.PublicKey, err
+	}); err != nil {
+		return nil, err
+	}
+
+	var decoder *mapstructure.Decoder
+
+	payload = &PayloadJSON{}
+
+	if decoder, err = mapstructure.NewDecoder(&mapstructure.DecoderConfig{
+		Metadata:   nil,
+		Result:     payload,
+		DecodeHook: d.hook,
+		TagName:    "json",
+	}); err != nil {
+		return nil, err
+	}
+
+	if err = decoder.Decode(token.Claims); err != nil {
+		return payload, err
+	}
+
+	return payload, nil
+}
+
+// DecoderOption is a representation of a function that can set options within a decoder.
+type DecoderOption func(decoder *Decoder) (err error)
+
+// WithIgnoreEntryParsingErrors is a DecoderOption which ignores errors when parsing individual entries. The values for
+// these entries will exist as an unparsed entry.
+func WithIgnoreEntryParsingErrors() DecoderOption {
+	return func(decoder *Decoder) (err error) {
+		decoder.ignoreEntryParsingErrors = true
+
+		return nil
+	}
+}
+
+// WithRootCertificate overrides the root certificate used to validate the authenticity of the metadata payload.
+func WithRootCertificate(value string) DecoderOption {
+	return func(decoder *Decoder) (err error) {
+		decoder.root = value
+
+		return nil
+	}
+}
+
+func validateChain(root string, chain []any) (bool, error) {
+	oRoot := make([]byte, base64.StdEncoding.DecodedLen(len(root)))
+
+	nRoot, err := base64.StdEncoding.Decode(oRoot, []byte(root))
+	if err != nil {
+		return false, err
+	}
+
+	rootcert, err := x509.ParseCertificate(oRoot[:nRoot])
+	if err != nil {
+		return false, err
+	}
+
+	roots := x509.NewCertPool()
+
+	roots.AddCert(rootcert)
+
+	o := make([]byte, base64.StdEncoding.DecodedLen(len(chain[1].(string))))
+
+	n, err := base64.StdEncoding.Decode(o, []byte(chain[1].(string)))
+	if err != nil {
+		return false, err
+	}
+
+	intcert, err := x509.ParseCertificate(o[:n])
+	if err != nil {
+		return false, err
+	}
+
+	if revoked, ok := revoke.VerifyCertificate(intcert); !ok {
+		issuer := intcert.IssuingCertificateURL
+
+		if issuer != nil {
+			return false, errCRLUnavailable
+		}
+	} else if revoked {
+		return false, errIntermediateCertRevoked
+	}
+
+	ints := x509.NewCertPool()
+	ints.AddCert(intcert)
+
+	l := make([]byte, base64.StdEncoding.DecodedLen(len(chain[0].(string))))
+
+	n, err = base64.StdEncoding.Decode(l, []byte(chain[0].(string)))
+	if err != nil {
+		return false, err
+	}
+
+	leafcert, err := x509.ParseCertificate(l[:n])
+	if err != nil {
+		return false, err
+	}
+
+	if revoked, ok := revoke.VerifyCertificate(leafcert); !ok {
+		return false, errCRLUnavailable
+	} else if revoked {
+		return false, errLeafCertRevoked
+	}
+
+	opts := x509.VerifyOptions{
+		Roots:         roots,
+		Intermediates: ints,
+	}
+
+	_, err = leafcert.Verify(opts)
+
+	return err == nil, err
+}
+
+func mdsParseX509Certificate(value string) (certificate *x509.Certificate, err error) {
+	var n int
+
+	raw := make([]byte, base64.StdEncoding.DecodedLen(len(value)))
+
+	if n, err = base64.StdEncoding.Decode(raw, []byte(strings.TrimSpace(value))); err != nil {
+		return nil, fmt.Errorf("error occurred parsing *x509.certificate: error occurred decoding base64 data: %w", err)
+	}
+
+	if certificate, err = x509.ParseCertificate(raw[:n]); err != nil {
+		return nil, err
+	}
+
+	return certificate, nil
+}
@@ -0,0 +1,2 @@
+// Package metadata handles metadata validation instrumentation.
+package metadata
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		// Package metadata handles metadata validation instrumentation.
		package metadata