Extension handling and type fixes (#105)

* extension handling + type fixes

* test

* -test

* reverted dist

* reverted dist #2

* reverted dist #3

* code tests for extensions

- extension tests (with and without AT-Flag)
- fixed missing Uint8Array for extension processing

* Update dependencies + Revert package name, fixing PR (#2)

* Revert package name to fido2-lib

* Update dependencies

* Re-fix versions to patch

Co-authored-by: Hexagon <robinnilsson@gmail.com>

Author: HSMDBC

deno-lock.json

@@ -4,7 +4,7 @@
 
         "std/": "https://deno.land/std@0.136.0/",
 
-        "@hexagon/base64": "https://deno.land/x/b64@1.1.21/dist/base64.min.mjs",
+        "@hexagon/base64": "https://deno.land/x/b64@1.1.23/dist/base64.min.mjs",
 
         "sinon": "https://unpkg.com/sinon@14.0.0/pkg/sinon-esm.js",
         "test_suite": "https://deno.land/x/test_suite@0.16.1/mod.ts",

import_map.dist.json

@@ -1,13 +1,13 @@
 {
     "imports": {
-        "tldts": "https://unpkg.com/tldts@5.7.82/dist/index.esm.min.js",
+        "tldts": "https://unpkg.com/tldts@5.7.90/dist/index.esm.min.js",
         "punycode": "https://deno.land/x/punycode@v2.1.1/punycode.js",
-        "jose": "https://deno.land/x/jose@v4.8.3/index.ts?module",
+        "jose": "https://deno.land/x/jose@v4.9.1/index.ts?module",
         "asn1js": "https://unpkg.com/asn1js@3.0.5?module",
-        "cbor-x": "https://deno.land/x/cbor@v1.3.1/index.js?module",
+        "cbor-x": "https://deno.land/x/cbor@v1.4.0/index.js?module",
         "std/": "https://deno.land/std@0.136.0/",
-        "pkijs": "https://unpkg.com/pkijs@3.0.5?module",
-        "@hexagon/base64": "https://deno.land/x/b64@1.1.21/dist/base64.min.mjs",
+        "pkijs": "https://unpkg.com/pkijs@3.0.7?module",
+        "@hexagon/base64": "https://deno.land/x/b64@1.1.23/dist/base64.min.mjs",
 
         "sinon": "https://unpkg.com/sinon@14.0.0/pkg/sinon-esm.js",
         "test_suite": "https://deno.land/x/test_suite@0.16.1/mod.ts",

import_map.json

@@ -407,7 +407,17 @@ class PublicKey {
 
 		let parsedCose;
 		try {
-			parsedCose = tools.cbor.decode(new Uint8Array(cose));
+			// In the current state, the "cose" parameter can contain not only the actual cose (= public key) but also extensions.
+			// Both are CBOR encoded entries, so you can treat and evaluate the "cose" parameter accordingly.
+			// "fromCose" is called from a context that contains an active AT flag (attestation), so the first CBOR entry is the actual cose.
+			// "tools.cbor.decode" will fail when multiple entries are provided (e.g. cose + at least one extension), so "decodeMultiple" is the sollution.
+			tools.cbor.decodeMultiple(
+				new Uint8Array(cose),
+				cborObject => {
+					parsedCose = cborObject;
+					return false;
+				}
+			);
 		} catch (err) {
 			throw new Error(
 				"couldn't parse authenticator.authData.attestationData CBOR: " +

lib/keyUtils.js

@@ -41,7 +41,7 @@ class Fido2Lib {
 	 * @param {String} [opts.rpName="Anonymous Service"] The name of the server
 	 * @param {String} [opts.rpIcon] A URL for the service's icon. Can be a [RFC 2397]{@link https://tools.ietf.org/html/rfc2397} data URL.
 	 * @param {Number} [opts.challengeSize=64] The number of bytes to use for the challenge
-	 * @param {Object} [opts.authenticatorSelectionCriteria] An object describing what types of authenticators are allowed to register with the service.
+	 * @param {Object} [opts.authenticatorSelection] An object describing what types of authenticators are allowed to register with the service.
 	 * See [AuthenticatorSelectionCriteria]{@link https://w3.org/TR/webauthn/#authenticatorSelection} in the WebAuthn spec for details.
 	 * @param {String} [opts.authenticatorAttachment] Indicates whether authenticators should be part of the OS ("platform"), or can be roaming authenticators ("cross-platform")
 	 * @param {Boolean} [opts.authenticatorRequireResidentKey] Indicates whether authenticators must store the key internally (true) or if they can use a KDF to generate keys
@@ -645,13 +645,13 @@ class Fido2Lib {
 		 * @property {Array} [pubKeyCredParams] A list of PublicKeyCredentialParameters objects, based on the `cryptoParams` that was passed to the constructor.
 		 * @property {Number} [timeout] The amount of time that the call should take before returning an error
 		 * @property {String} [attestation] Whether the client should request attestation from the authenticator or not
-		 * @property {Object} [authenticatorSelectionCriteria] A object describing which authenticators are preferred for registration
-		 * @property {String} [authenticatorSelectionCriteria.attachment] What type of attachement is acceptable for new authenticators.
+		 * @property {Object} [authenticatorSelection] A object describing which authenticators are preferred for registration
+		 * @property {String} [authenticatorSelection.attachment] What type of attachement is acceptable for new authenticators.
 		 * Allowed values are "platform", meaning that the authenticator is embedded in the operating system, or
 		 * "cross-platform", meaning that the authenticator is removeable (e.g. USB, NFC, or BLE).
-		 * @property {Boolean} [authenticatorSelectionCriteria.requireResidentKey] Indicates whether authenticators must store the keys internally, or if they can
+		 * @property {Boolean} [authenticatorSelection.requireResidentKey] Indicates whether authenticators must store the keys internally, or if they can
 		 * store them externally (using a KDF or key wrapping)
-		 * @property {String} [authenticatorSelectionCriteria.userVerification] Indicates whether user verification is required for authenticators. User verification
+		 * @property {String} [authenticatorSelection.userVerification] Indicates whether user verification is required for authenticators. User verification
 		 * means that an authenticator will validate a use through their biometrics (e.g. fingerprint) or knowledge (e.g. PIN). Allowed
 		 * values for `userVerification` are "required", meaning that registration will fail if no authenticator provides user verification;
 		 * "preferred", meaning that if multiple authenticators are available, the one(s) that provide user verification should be used; or

lib/main.js

@@ -337,15 +337,25 @@ async function parseAuthenticatorData(authnrDataArrayBuffer) {
 			authnrDataBuf.buffer.slice(offset, authnrDataBuf.buffer.byteLength),
 		);
 
+		// TODO: does not only contain the COSE if the buffer contains extensions
 		ret.set("credentialPublicKeyCose", await publicKey.toCose());
 		ret.set("credentialPublicKeyJwk", await publicKey.toJwk());
 		ret.set("credentialPublicKeyPem", await publicKey.toPem());
 	}
 
-	// TODO: parse extensions
 	if (extensions) {
-		// extensionStart = offset
-		throw new Error("authenticator extensions not supported");
+		const cborObjects = tools.cbor.decodeMultiple(new Uint8Array(authnrDataBuf.buffer.slice(offset, authnrDataBuf.buffer.byteLength)));
+
+		// skip publicKey if present
+		if (attestation) {
+			cborObjects.shift();
+		}
+
+		if (cborObjects.length === 0) {
+			throw new Error("extensions missing");
+		}
+
+		ret.set("webAuthnExtensions", cborObjects);
 	}
 
 	return ret;

lib/parser.js

@@ -1,6 +1,6 @@
 {
 	"name": "fido2-lib",
-	"version": "3.2.5",
+	"version": "3.3.0",
 	"description": "A library for performing FIDO 2.0 / WebAuthn functionality",
 	"type": "module",
 	"main": "dist/main.cjs",
@@ -49,13 +49,13 @@
 		"sinon": "^14.0.0"
 	},
 	"dependencies": {
-		"@hexagon/base64": "~1.1.21",
+		"@hexagon/base64": "~1.1.23",
 		"@peculiar/webcrypto": "~1.4.0",
 		"asn1js": "~3.0.2",
-		"cbor-x": "~1.3.1",
-		"jose": "~4.8.3",
-		"pkijs": "~3.0.5",
-		"tldts": "~5.7.82"
+		"cbor-x": "~1.4.0",
+		"jose": "~4.9.1",
+		"pkijs": "~3.0.7",
+		"tldts": "~5.7.90"
 	},
 	"eslintConfig": {
 		"root": true,

package-lock.json

@@ -28,10 +28,12 @@ const tests = [
 	"test/parseClientData.test.js",
 	"test/parseExpectations.test.js",
 	"test/parseNoneAttestationData.test.js",
+	"test/parseNoneAttestationDataExtensions.test.js",
 	"test/parsePackedAttestationData.test.js",
 	"test/parsePackedSelfAttestationData.test.js",
 	"test/parseTpmAttestationData.test.js",
 	"test/parseU2fAttestationData.test.js",
+	"test/parseJustExtensions.test.js",
 	"test/parseAppleAttestationData.test.js",
 	"test/response.test.js",
 	"test/toolbox.test.js",

package.json

@@ -186,6 +186,20 @@ const challengeResponseAttestationNoneMsgB64Url = {
 	},
 };
 
+const challengeResponseNoneAttestationDataExtensionsMsgB64Url = {
+	response: {
+		attestationObject:
+			"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVkBNkmWDeWIDoxodDQXD2R2YFuP5K65ooYyx5lc87qDHZdjwQAAAAAAAAAAAAAAAAAAAAAAAAAAAKIACKLdXqwahqjNbtNs1piUlonluvxOsF9Feeh9k7qXay5zdrm239cW4WQUD_l5ptTzRLU9bSbghnv0FLaRA7tly7La9_QRKDXwZMsbWajlhKQh2ovYnjh6C37qtyPs151ITDFr-67FRgG0c2dJCoOa2hQB8z0tJYuXrkGMpVk0ZSn1qjfeYxJ1V9BDRsfN7r0lVC8sF_w5OJlSomw64qampRylAQIDJiABIVgguxHN3W6ehp0VWXKaMNie1J82MVJCFZYScau74o17cx8iWCDb1jkTLi7lYZZbgwUwpqAk8QmIiPMTVQUVkhGEyGrKw7kAAWtjcmVkUHJvdGVjdAE",
+	},
+};
+
+const challengeResponseJustExtensionsMsgB64Url = {
+	response: {
+		attestationObject:
+			"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVkANUmWDeWIDoxodDQXD2R2YFuP5K65ooYyx5lc87qDHZdjgQAAAAC5AAFrY3JlZFByb3RlY3QB",
+	},
+};
+
 const getOptionsRequest = {
 	username: "bubba",
 	displayName: "Bubba Smith",
@@ -484,6 +498,26 @@ const makeCredentialAttestationSafetyNetResponse = {
 	},
 };
 
+const makeNoneAttestationDataExtensionsResponse = {
+	response: {
+		attestationObject: base64.toArrayBuffer(
+			challengeResponseNoneAttestationDataExtensionsMsgB64Url.response
+				.attestationObject,
+			true,
+		),
+	},
+};
+
+const makeJustExtensionsResponse = {
+	response: {
+		attestationObject: base64.toArrayBuffer(
+			challengeResponseJustExtensionsMsgB64Url.response
+				.attestationObject,
+			true,
+		),
+	},
+};
+
 const assertionResponse = {
 	id: assertionResponseMsgB64Url.id,
 	rawId: base64.toArrayBuffer(assertionResponseMsgB64Url.rawId, true),
@@ -549,6 +583,8 @@ const lib = {
 	makeCredentialAttestationPackedResponseWindowsHello,
 	makeCredentialAttestationTpmResponse,
 	makeCredentialAttestationSafetyNetResponse,
+	makeNoneAttestationDataExtensionsResponse,
+	makeJustExtensionsResponse,
 	assertionResponse,
 	assertionResponseWindowsHello,
 	assnPublicKey,