Implement attestation fields in requests and response

follows what was added in w3c/webauthn#1920
1Password · Nov 16, 2023 · 03c0186 · 03c0186
1 parent e49542b
commit 03c0186
Show file tree

Hide file tree

Showing 6 changed files with 115 additions and 12 deletions.
diff --git a/passkey-client/src/lib.rs b/passkey-client/src/lib.rs
@@ -331,6 +331,7 @@ where
                 authenticator_data: ctap2_response.auth_data.to_vec().into(),
                 signature: ctap2_response.signature,
                 user_handle: ctap2_response.user.map(|user| user.id),
+                attestation_object: None,
             },
             authenticator_attachment: Some(self.authenticator().attachment_type()),
             client_extension_results: AuthenticationExtensionsClientOutputs {},

diff --git a/passkey-client/src/tests/mod.rs b/passkey-client/src/tests/mod.rs
@@ -24,6 +24,7 @@ fn good_credential_creation_options() -> webauthn::PublicKeyCredentialCreationOp
         exclude_credentials: Default::default(),
         authenticator_selection: Default::default(),
         attestation: Default::default(),
+        attestation_formats: Default::default(),
         extensions: Default::default(),
     }
 }
@@ -41,6 +42,8 @@ fn good_credential_request_options(
             transports: None,
         }]),
         user_verification: Default::default(),
+        attestation: Default::default(),
+        attestation_formats: Default::default(),
         extensions: Default::default(),
     }
 }

diff --git a/passkey-types/src/webauthn/assertion.rs b/passkey-types/src/webauthn/assertion.rs
@@ -6,19 +6,19 @@ use typeshare::typeshare;
 use crate::{
     utils::serde::{ignore_unknown, ignore_unknown_opt_vec, maybe_stringified},
     webauthn::{
-        common::{
-            AuthenticationExtensionsClientInputs, PublicKeyCredentialDescriptor,
-            UserVerificationRequirement,
-        },
-        PublicKeyCredential,
+        AttestationConveyancePreference, AttestationStatementFormatIdentifiers,
+        AuthenticationExtensionsClientInputs, PublicKeyCredential, PublicKeyCredentialDescriptor,
+        UserVerificationRequirement,
     },
     Bytes,
 };
 
 #[cfg(doc)]
 use crate::{
-    ctap2::AuthenticatorData,
-    webauthn::{CollectedClientData, PublicKeyCredentialUserEntity},
+    ctap2::{AttestedCredentialData, AuthenticatorData},
+    webauthn::{
+        AuthenticatorAttestationResponse, CollectedClientData, PublicKeyCredentialUserEntity,
+    },
 };
 
 /// The response to the successful authentication of a [`PublicKeyCredential`]
@@ -109,6 +109,32 @@ pub struct PublicKeyCredentialRequestOptions {
     #[serde(default, deserialize_with = "ignore_unknown")]
     pub user_verification: UserVerificationRequirement,
 
+    /// The Relying Party MAY use this OPTIONAL member to specify a preference regarding attestation
+    /// conveyance. Its value SHOULD be a member of [`AttestationConveyancePreference`]. Client platforms
+    /// MUST ignore unknown values, treating an unknown value as if the member does not exist,
+    /// therefore acting as the default value.
+    ///
+    /// The default value is [`AttestationConveyancePreference::None`]
+    #[serde(default, deserialize_with = "ignore_unknown")]
+    pub attestation: AttestationConveyancePreference,
+
+    /// The Relying Party MAY use this OPTIONAL member to specify a preference regarding the attestation
+    /// statement format used by the authenticator. Values SHOULD be taken from the IANA "WebAuthn
+    /// Attestation Statement Format Identifiers" registry [IANA-WebAuthn-Registries] established by
+    /// [RFC8809]. Values are ordered from most preferable to least preferable. This parameter is
+    /// advisory and the authenticator MAY use an attestation statement not enumerated in this parameter.
+    ///
+    /// The default value is the empty list, which indicates no preference.
+    ///
+    /// [IANA-WebAuthn-Registries]: https://www.iana.org/assignments/webauthn/webauthn.xhtml#webauthn-attestation-statement-format-ids
+    /// [RFC8809]: https://www.rfc-editor.org/rfc/rfc8809
+    #[serde(
+        default,
+        skip_serializing_if = "Option::is_none",
+        deserialize_with = "ignore_unknown_opt_vec"
+    )]
+    pub attestation_formats: Option<Vec<AttestationStatementFormatIdentifiers>>,
+
     /// The Relying Party MAY use this OPTIONAL member to provide client extension inputs requesting
     /// additional processing by the client and authenticator.
     ///
@@ -166,4 +192,15 @@ pub struct AuthenticatorAssertionResponse {
     /// This mirrors the [`PublicKeyCredentialUserEntity::id`] field.
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub user_handle: Option<Bytes>,
+
+    /// This OPTIONAL attribute contains an attestation object, if the authenticator supports attestation
+    /// in assertions. The attestation object, if present, includes an attestation statement. Unlike
+    /// the [`AuthenticatorAttestationResponse::attestation_object`], it does not contain an `authData`
+    /// key because the authenticator data is provided directly above in
+    /// [`AuthenticatorAssertionResponse::authenticator_data`] structure. For more details on attestation,
+    /// see [Attestation in assertions][1].
+    ///
+    /// [1]: https://w3c.github.io/webauthn/#sctn-attestation-in-assertions
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub attestation_object: Option<Bytes>,
 }
diff --git a/passkey-types/src/webauthn/attestation.rs b/passkey-types/src/webauthn/attestation.rs
@@ -8,11 +8,9 @@ use crate::{
         i64_to_iana, ignore_unknown, ignore_unknown_opt_vec, ignore_unknown_vec, maybe_stringified,
     },
     webauthn::{
-        common::{
-            AuthenticationExtensionsClientInputs, AuthenticatorAttachment, AuthenticatorTransport,
-            PublicKeyCredentialDescriptor, PublicKeyCredentialType, UserVerificationRequirement,
-        },
-        PublicKeyCredential,
+        AuthenticationExtensionsClientInputs, AuthenticatorAttachment, AuthenticatorTransport,
+        PublicKeyCredential, PublicKeyCredentialDescriptor, PublicKeyCredentialType,
+        UserVerificationRequirement,
     },
     Bytes,
 };
@@ -130,6 +128,23 @@ pub struct PublicKeyCredentialCreationOptions {
     #[serde(default, deserialize_with = "ignore_unknown")]
     pub attestation: AttestationConveyancePreference,
 
+    /// The Relying Party MAY use this OPTIONAL member to specify a preference regarding the attestation
+    /// statement format used by the authenticator. Values SHOULD be taken from the IANA "WebAuthn
+    /// Attestation Statement Format Identifiers" registry [IANA-WebAuthn-Registries] established by
+    /// [RFC8809]. Values are ordered from most preferable to least preferable. This parameter is
+    /// advisory and the authenticator MAY use an attestation statement not enumerated in this parameter.
+    ///
+    /// The default value is the empty list, which indicates no preference.
+    ///
+    /// [IANA-WebAuthn-Registries]: https://www.iana.org/assignments/webauthn/webauthn.xhtml#webauthn-attestation-statement-format-ids
+    /// [RFC8809]: https://www.rfc-editor.org/rfc/rfc8809
+    #[serde(
+        default,
+        skip_serializing_if = "Option::is_none",
+        deserialize_with = "ignore_unknown_opt_vec"
+    )]
+    pub attestation_formats: Option<Vec<AttestationStatementFormatIdentifiers>>,
+
     /// The Relying Party MAY use this OPTIONAL member to provide client extension inputs requesting
     /// additional processing by the client and authenticator. For example, the Relying Party may
     /// request that the client returns additional information about the credential that was created.
@@ -414,6 +429,47 @@ pub enum AttestationConveyancePreference {
     Enterprise,
 }
 
+/// Attestation statement formats are identified by a string, called an attestation statement format
+/// identifier, chosen by the author of the attestation statement format. The values defined below
+/// are registed in the [IANA WebAuthn regirsty][1]. See [Attestation Statement Identifiers][2] in
+/// the WebAuthn spec for more information.
+///
+/// [1]: https://www.iana.org/assignments/webauthn/webauthn.xhtml#webauthn-attestation-statement-format-ids
+/// [2]: https://w3c.github.io/webauthn/#sctn-attstn-fmt-ids
+#[derive(Debug, Default, Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+#[typeshare]
+pub enum AttestationStatementFormatIdentifiers {
+    /// The `packed` attestation statement format is a WebAuthn-optimized format for attestation.
+    /// It uses a very compact but still extensible encoding method. This format is implementable by
+    /// authenticators with limited resources (e.g., secure elements).
+    Packed,
+
+    /// The TPM attestation statement format returns an attestation statement in the same format as
+    /// the packed attestation statement format, although the `rawData` and `signature` fields are
+    /// computed differently.
+    Tpm,
+
+    /// Platform authenticators on versions "N", and later, may provide this proprietary
+    /// `hardware attestation` statement.
+    AndroidKey,
+
+    /// Android-based platform authenticators MAY produce an attestation statement based on the
+    /// [Android SafetyNet API](https://developer.android.com/training/safetynet/).
+    AndroidSafetynet,
+
+    /// Used with FIDO U2F authenticators.
+    FidoU2f,
+
+    /// Used with Apple devices' platform authenticators.
+    Apple,
+
+    /// Used to replace any authenticator-provided attestation statement when a WebAuthn Relying
+    /// Party indicates it does not wish to receive attestation information.
+    #[default]
+    None,
+}
+
 /// The type represents the authenticator's response to a client’s request for the creation of a new
 /// [`PublicKeyCredential`]. It contains information about the new credential that can be used to
 /// identify it for later use, and metadata that can be used by the [Relying Party] to assess the

diff --git a/passkey/examples/usage.rs b/passkey/examples/usage.rs
@@ -63,6 +63,7 @@ async fn client_setup(
             exclude_credentials: None,
             authenticator_selection: None,
             attestation: AttestationConveyancePreference::None,
+            attestation_formats: None,
             extensions: None,
         },
     };
@@ -81,6 +82,8 @@ async fn client_setup(
             rp_id: Some(String::from(origin.domain().unwrap())),
             allow_credentials: None,
             user_verification: UserVerificationRequirement::default(),
+            attestation: AttestationConveyancePreference::None,
+            attestation_formats: None,
             extensions: None,
         },
     };

diff --git a/passkey/src/lib.rs b/passkey/src/lib.rs
@@ -133,6 +133,7 @@
 //!         exclude_credentials: None,
 //!         authenticator_selection: None,
 //!         attestation: AttestationConveyancePreference::None,
+//!         attestation_formats: None,
 //!         extensions: None,
 //!     },
 //! };
@@ -151,6 +152,8 @@
 //!         rp_id: Some(String::from(origin.domain().unwrap())),
 //!         allow_credentials: None,
 //!         user_verification: UserVerificationRequirement::default(),
+//!         attestation: AttestationConveyancePreference::None,
+//!         attestation_formats: None,
 //!         extensions: None,
 //!     },
 //! };