forked from daimo-eth/p256-verifier
-
Notifications
You must be signed in to change notification settings - Fork 2
/
WebAuthn.sol
170 lines (153 loc) · 7.06 KB
/
WebAuthn.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
// SPDX-License-Identifier: MIT
pragma solidity 0.8.21;
import "./utils/Base64URL.sol";
import "./P256.sol";
/**
* Helper library for external contracts to verify WebAuthn signatures.
**/
library WebAuthn {
/// Checks whether substr occurs in str starting at a given byte offset.
function contains(
string memory substr,
string memory str,
uint256 location
) internal pure returns (bool) {
bytes memory substrBytes = bytes(substr);
bytes memory strBytes = bytes(str);
uint256 substrLen = substrBytes.length;
uint256 strLen = strBytes.length;
for (uint256 i = 0; i < substrLen; i++) {
if (location + i >= strLen) {
return false;
}
if (substrBytes[i] != strBytes[location + i]) {
return false;
}
}
return true;
}
bytes1 constant AUTH_DATA_FLAGS_UP = 0x01; // Bit 0
bytes1 constant AUTH_DATA_FLAGS_UV = 0x04; // Bit 2
bytes1 constant AUTH_DATA_FLAGS_BE = 0x08; // Bit 3
bytes1 constant AUTH_DATA_FLAGS_BS = 0x10; // Bit 4
/// Verifies the authFlags in authenticatorData. Numbers in inline comment
/// correspond to the same numbered bullets in
/// https://www.w3.org/TR/webauthn-2/#sctn-verifying-assertion.
function checkAuthFlags(
bytes1 flags,
bool requireUserVerification
) internal pure returns (bool) {
// 17. Verify that the UP bit of the flags in authData is set.
if (flags & AUTH_DATA_FLAGS_UP != AUTH_DATA_FLAGS_UP) {
return false;
}
// 18. If user verification was determined to be required, verify that
// the UV bit of the flags in authData is set. Otherwise, ignore the
// value of the UV flag.
if (
requireUserVerification &&
(flags & AUTH_DATA_FLAGS_UV) != AUTH_DATA_FLAGS_UV
) {
return false;
}
// 19. If the BE bit of the flags in authData is not set, verify that
// the BS bit is not set.
if (flags & AUTH_DATA_FLAGS_BE != AUTH_DATA_FLAGS_BE) {
if (flags & AUTH_DATA_FLAGS_BS == AUTH_DATA_FLAGS_BS) {
return false;
}
}
return true;
}
/**
* Verifies a Webauthn P256 signature (Authentication Assertion) as described
* in https://www.w3.org/TR/webauthn-2/#sctn-verifying-assertion. We do not
* verify all the steps as described in the specification, only ones relevant
* to our context. Please carefully read through this list before usage.
* Specifically, we do verify the following:
* - Verify that authenticatorData (which comes from the authenticator,
* such as iCloud Keychain) indicates a well-formed assertion. If
* requireUserVerification is set, checks that the authenticator enforced
* user verification. User verification should be required if,
* and only if, options.userVerification is set to required in the request
* - Verifies that the client JSON is of type "webauthn.get", i.e. the client
* was responding to a request to assert authentication.
* - Verifies that the client JSON contains the requested challenge.
* - Finally, verifies that (r, s) constitute a valid signature over both
* the authenicatorData and client JSON, for public key (x, y).
*
* We make some assumptions about the particular use case of this verifier,
* so we do NOT verify the following:
* - Does NOT verify that the origin in the clientDataJSON matches the
* Relying Party's origin: It is considered the authenticator's
* responsibility to ensure that the user is interacting with the correct
* RP. This is enforced by most high quality authenticators properly,
* particularly the iCloud Keychain and Google Password Manager were
* tested.
* - Does NOT verify That c.topOrigin is well-formed: We assume c.topOrigin
* would never be present, i.e. the credentials are never used in a
* cross-origin/iframe context. The website/app set up should disallow
* cross-origin usage of the credentials. This is the default behaviour for
* created credentials in common settings.
* - Does NOT verify that the rpIdHash in authData is the SHA-256 hash of an
* RP ID expected by the Relying Party: This means that we rely on the
* authenticator to properly enforce credentials to be used only by the
* correct RP. This is generally enforced with features like Apple App Site
* Association and Google Asset Links. To protect from edge cases in which
* a previously-linked RP ID is removed from the authorised RP IDs,
* we recommend that messages signed by the authenticator include some
* expiry mechanism.
* - Does NOT verify the credential backup state: This assumes the credential
* backup state is NOT used as part of Relying Party business logic or
* policy.
* - Does NOT verify the values of the client extension outputs: This assumes
* that the Relying Party does not use client extension outputs.
* - Does NOT verify the signature counter: Signature counters are intended
* to enable risk scoring for the Relying Party. This assumes risk scoring
* is not used as part of Relying Party business logic or policy.
* - Does NOT verify the attestation object: This assumes that
* response.attestationObject is NOT present in the response, i.e. the
* RP does not intend to verify an attestation.
*/
function verifySignature(
bytes memory challenge,
bytes memory authenticatorData,
bool requireUserVerification,
string memory clientDataJSON,
uint256 challengeLocation,
uint256 responseTypeLocation,
uint256 r,
uint256 s,
uint256 x,
uint256 y
) internal view returns (bool) {
// Check that authenticatorData has good flags
if (
authenticatorData.length < 37 ||
!checkAuthFlags(authenticatorData[32], requireUserVerification)
) {
return false;
}
// Check that response is for an authentication assertion
string memory responseType = '"type":"webauthn.get"';
if (!contains(responseType, clientDataJSON, responseTypeLocation)) {
return false;
}
// Check that challenge is in the clientDataJSON
string memory challengeB64url = Base64URL.encode(challenge);
string memory challengeProperty = string.concat(
'"challenge":"',
challengeB64url,
'"'
);
if (!contains(challengeProperty, clientDataJSON, challengeLocation)) {
return false;
}
// Check that the public key signed sha256(authenticatorData || sha256(clientDataJSON))
bytes32 clientDataJSONHash = sha256(bytes(clientDataJSON));
bytes32 messageHash = sha256(
abi.encodePacked(authenticatorData, clientDataJSONHash)
);
return P256.verifySignature(messageHash, r, s, x, y);
}
}