webauthn 0.1.0.0 → 0.1.1.0
raw patch · 13 files changed
+66/−15 lines, 13 filesdep ~aesondep ~unordered-containersPVP: major bump suggested
API removals or changes: PVP suggests a major version bump
Dependency ranges changed: aeson, unordered-containers
API changes (from Hackage documentation)
+ Crypto.WebAuthn.Model.WebIDL.Types: [$sel:transports:AuthenticatorAttestationResponse] :: AuthenticatorAttestationResponse -> Maybe [DOMString]
+ Crypto.WebAuthn.Operation.CredentialEntry: [ceTransports] :: CredentialEntry -> [AuthenticatorTransport]
- Crypto.WebAuthn.Model.Types: [AuthenticatorResponseRegistration] :: {arrClientData :: CollectedClientData 'Registration raw " [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorresponse-clientdatajson) This attribute, inherited from `[AuthenticatorResponse](https://www.w3.org/TR/webauthn-2/#authenticatorresponse)`, contains the [JSON-compatible serialization of client data](https://www.w3.org/TR/webauthn-2/#collectedclientdata-json-compatible-serialization-of-client-data) (see [§ 6.5 Attestation](https://www.w3.org/TR/webauthn-2/#sctn-attestation)) passed to the authenticator by the client in order to generate this credential. The exact JSON serialization MUST be preserved, as the [hash of the serialized client data](https://www.w3.org/TR/webauthn-2/#collectedclientdata-hash-of-the-serialized-client-data) has been computed over it.", arrAttestationObject :: AttestationObject raw " [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-attestationobject) This attribute contains an [attestation object](https://www.w3.org/TR/webauthn-2/#attestation-object), which is opaque to, and cryptographically protected against tampering by, the client. The [attestation object](https://www.w3.org/TR/webauthn-2/#attestation-object) contains both [authenticator data](https://www.w3.org/TR/webauthn-2/#authenticator-data) and an [attestation statement](https://www.w3.org/TR/webauthn-2/#attestation-statement). The former contains the AAGUID, a unique [credential ID](https://www.w3.org/TR/webauthn-2/#credential-id), and the [credential public key](https://www.w3.org/TR/webauthn-2/#credential-public-key). The contents of the [attestation statement](https://www.w3.org/TR/webauthn-2/#attestation-statement) are determined by the [attestation statement format](https://www.w3.org/TR/webauthn-2/#attestation-statement-format) used by the [authenticator](https://www.w3.org/TR/webauthn-2/#authenticator). It also contains any additional information that the [Relying Party](https://www.w3.org/TR/webauthn-2/#relying-party)'s server requires to validate the [attestation statement](https://www.w3.org/TR/webauthn-2/#attestation-statement), as well as to decode and validate the [authenticator data](https://www.w3.org/TR/webauthn-2/#authenticator-data) along with the [JSON-compatible serialization of client data](https://www.w3.org/TR/webauthn-2/#collectedclientdata-json-compatible-serialization-of-client-data). For more details, see [§ 6.5 Attestation](https://www.w3.org/TR/webauthn-2/#sctn-attestation), [§ 6.5.4 Generating an Attestation Object](https://www.w3.org/TR/webauthn-2/#sctn-generating-an-attestation-object), and [Figure 6](https://www.w3.org/TR/webauthn-2/#fig-attStructs)."} -> AuthenticatorResponse 'Registration raw
+ Crypto.WebAuthn.Model.Types: [AuthenticatorResponseRegistration] :: {arrClientData :: CollectedClientData 'Registration raw " [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorresponse-clientdatajson) This attribute, inherited from `[AuthenticatorResponse](https://www.w3.org/TR/webauthn-2/#authenticatorresponse)`, contains the [JSON-compatible serialization of client data](https://www.w3.org/TR/webauthn-2/#collectedclientdata-json-compatible-serialization-of-client-data) (see [§ 6.5 Attestation](https://www.w3.org/TR/webauthn-2/#sctn-attestation)) passed to the authenticator by the client in order to generate this credential. The exact JSON serialization MUST be preserved, as the [hash of the serialized client data](https://www.w3.org/TR/webauthn-2/#collectedclientdata-hash-of-the-serialized-client-data) has been computed over it.", arrAttestationObject :: AttestationObject raw " [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-attestationobject) This attribute contains an [attestation object](https://www.w3.org/TR/webauthn-2/#attestation-object), which is opaque to, and cryptographically protected against tampering by, the client. The [attestation object](https://www.w3.org/TR/webauthn-2/#attestation-object) contains both [authenticator data](https://www.w3.org/TR/webauthn-2/#authenticator-data) and an [attestation statement](https://www.w3.org/TR/webauthn-2/#attestation-statement). The former contains the AAGUID, a unique [credential ID](https://www.w3.org/TR/webauthn-2/#credential-id), and the [credential public key](https://www.w3.org/TR/webauthn-2/#credential-public-key). The contents of the [attestation statement](https://www.w3.org/TR/webauthn-2/#attestation-statement) are determined by the [attestation statement format](https://www.w3.org/TR/webauthn-2/#attestation-statement-format) used by the [authenticator](https://www.w3.org/TR/webauthn-2/#authenticator). It also contains any additional information that the [Relying Party](https://www.w3.org/TR/webauthn-2/#relying-party)'s server requires to validate the [attestation statement](https://www.w3.org/TR/webauthn-2/#attestation-statement), as well as to decode and validate the [authenticator data](https://www.w3.org/TR/webauthn-2/#authenticator-data) along with the [JSON-compatible serialization of client data](https://www.w3.org/TR/webauthn-2/#collectedclientdata-json-compatible-serialization-of-client-data). For more details, see [§ 6.5 Attestation](https://www.w3.org/TR/webauthn-2/#sctn-attestation), [§ 6.5.4 Generating an Attestation Object](https://www.w3.org/TR/webauthn-2/#sctn-generating-an-attestation-object), and [Figure 6](https://www.w3.org/TR/webauthn-2/#fig-attStructs).", arrTransports :: [AuthenticatorTransport] " [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-gettransports) This [internal slot](https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots) contains a sequence of zero or more unique `[DOMString](https://heycam.github.io/webidl/#idl-DOMString)`s in lexicoaraphical order. These values are the transports that the [authenticator](https://www.w3.org/TR/webauthn-2/#authenticator) is believed to support, or an empty sequence if the information is unavailable."} -> AuthenticatorResponse 'Registration raw
- Crypto.WebAuthn.Model.WebIDL.Types: AuthenticatorAttestationResponse :: ArrayBuffer -> ArrayBuffer -> AuthenticatorAttestationResponse
+ Crypto.WebAuthn.Model.WebIDL.Types: AuthenticatorAttestationResponse :: ArrayBuffer -> ArrayBuffer -> Maybe [DOMString] -> AuthenticatorAttestationResponse
- Crypto.WebAuthn.Operation.CredentialEntry: CredentialEntry :: CredentialId -> UserHandle -> PublicKeyBytes -> SignatureCounter -> CredentialEntry
+ Crypto.WebAuthn.Operation.CredentialEntry: CredentialEntry :: CredentialId -> UserHandle -> PublicKeyBytes -> SignatureCounter -> [AuthenticatorTransport] -> CredentialEntry
Files
- README.md +2/−0
- changelog.md +12/−0
- src/Crypto/WebAuthn/Model/Types.hs +3/−5
- src/Crypto/WebAuthn/Model/WebIDL/Internal/Decoding.hs +3/−0
- src/Crypto/WebAuthn/Model/WebIDL/Internal/Encoding.hs +2/−1
- src/Crypto/WebAuthn/Model/WebIDL/Types.hs +5/−1
- src/Crypto/WebAuthn/Operation/CredentialEntry.hs +2/−1
- src/Crypto/WebAuthn/Operation/Registration.hs +3/−1
- tests/Emulation/Client.hs +2/−1
- tests/Main.hs +10/−1
- tests/Spec/Types.hs +1/−1
- tests/responses/attestation/with-transports.json +12/−0
- webauthn.cabal +9/−3
README.md view
@@ -1,5 +1,7 @@ # Haskell WebAuthn Library +[](https://hackage.haskell.org/package/webauthn)+ This library implements the server-side [Web Authentication Relying Party specification Level 2][spec]. The goal of Web Authentication (WebAuthn) is to bring passwordless login/second factor
+ changelog.md view
@@ -0,0 +1,12 @@+### 0.1.1.0++* [#111](https://github.com/tweag/webauthn/pull/111) Support the+ [`transports`](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-transports-slot)+ field, allowing servers to store information from the browser on how+ authenticators were communicated with (e.g. internal, NFC, etc.). When users+ log in, this information can then be passed along in [Credential+ Descriptors](https://www.w3.org/TR/webauthn-2/#dictdef-publickeycredentialdescriptor),+ ensuring that only the transports initially registered as supported by the+ authenticator may be used. This is recommended by the standard.+* [#112](https://github.com/tweag/webauthn/pull/112) Decrease lower bounds for+ aeson and unordered-containers.
src/Crypto/WebAuthn/Model/Types.hs view
@@ -1201,16 +1201,14 @@ -- For more details, see [§ 6.5 Attestation](https://www.w3.org/TR/webauthn-2/#sctn-attestation), -- [§ 6.5.4 Generating an Attestation Object](https://www.w3.org/TR/webauthn-2/#sctn-generating-an-attestation-object), -- and [Figure 6](https://www.w3.org/TR/webauthn-2/#fig-attStructs).- arrAttestationObject :: AttestationObject raw- -- TODO: This property is currently not propagated by webauthn-json. See:- -- <https://github.com/github/webauthn-json/pull/44>- -- [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-gettransports)+ arrAttestationObject :: AttestationObject raw,+ -- | [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-gettransports) -- This [internal slot](https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots) -- contains a sequence of zero or more unique `[DOMString](https://heycam.github.io/webidl/#idl-DOMString)`s -- in lexicoaraphical order. These values are the transports that the -- [authenticator](https://www.w3.org/TR/webauthn-2/#authenticator) is believed to support, -- or an empty sequence if the information is unavailable.- -- arrTransports :: Set AuthenticatorTransport+ arrTransports :: [AuthenticatorTransport] } -> AuthenticatorResponse 'Registration raw -- | [(spec)](https://www.w3.org/TR/webauthn-2/#authenticatorassertionresponse)
src/Crypto/WebAuthn/Model/WebIDL/Internal/Decoding.hs view
@@ -232,6 +232,9 @@ decodeCreated supportedFormats IDL.AuthenticatorAttestationResponse {..} = do arrClientData <- decode clientDataJSON arrAttestationObject <- decodeCreated supportedFormats attestationObject+ arrTransports <- case transports of+ Nothing -> pure []+ Just t -> decode t pure $ M.AuthenticatorResponseRegistration {..} instance DecodeCreated (M.Credential 'K.Registration 'True) where
src/Crypto/WebAuthn/Model/WebIDL/Internal/Encoding.hs view
@@ -212,7 +212,8 @@ encode M.AuthenticatorResponseRegistration {..} = IDL.AuthenticatorAttestationResponse { clientDataJSON = encode arrClientData,- attestationObject = encode arrAttestationObject+ attestationObject = encode arrAttestationObject,+ transports = Just $ encode arrTransports } -- | [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-attestationobject)
src/Crypto/WebAuthn/Model/WebIDL/Types.hs view
@@ -180,7 +180,11 @@ { -- | [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorresponse-clientdatajson) clientDataJSON :: IDL.ArrayBuffer, -- | [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-attestationobject)- attestationObject :: IDL.ArrayBuffer+ attestationObject :: IDL.ArrayBuffer,+ -- | [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-transports-slot)+ -- This field is only being propagated by webauthn-json [since recently](https://github.com/github/webauthn-json/pull/44),+ -- which is why we allow absence of this value+ transports :: Maybe [IDL.DOMString] } deriving (Eq, Show, Generic) deriving (Aeson.FromJSON, Aeson.ToJSON) via JSONEncoding AuthenticatorAttestationResponse
src/Crypto/WebAuthn/Operation/CredentialEntry.hs view
@@ -16,6 +16,7 @@ { ceCredentialId :: M.CredentialId, ceUserHandle :: M.UserHandle, cePublicKeyBytes :: M.PublicKeyBytes,- ceSignCounter :: M.SignatureCounter+ ceSignCounter :: M.SignatureCounter,+ ceTransports :: [M.AuthenticatorTransport] } deriving (Eq, Show, Generic, ToJSON)
src/Crypto/WebAuthn/Operation/Registration.hs view
@@ -43,6 +43,7 @@ ceCredentialId, cePublicKeyBytes, ceSignCounter,+ ceTransports, ceUserHandle ), )@@ -405,7 +406,8 @@ { ceUserHandle = M.cueId $ M.corUser options, ceCredentialId = M.cIdentifier credential, cePublicKeyBytes = M.PublicKeyBytes $ M.unRaw acdCredentialPublicKeyBytes,- ceSignCounter = M.adSignCount authData+ ceSignCounter = M.adSignCount authData,+ ceTransports = M.arrTransports $ M.cResponse credential }, rrAttestationStatement = attStmt }
tests/Emulation/Client.hs view
@@ -89,7 +89,8 @@ M.cResponse = M.AuthenticatorResponseRegistration { M.arrClientData = clientData,- M.arrAttestationObject = attestationObject+ M.arrAttestationObject = attestationObject,+ M.arrTransports = [] }, M.cClientExtensionResults = M.AuthenticationExtensionsClientOutputs {} }
tests/Main.hs view
@@ -191,6 +191,14 @@ True registry predeterminedDateTime+ it "the response with transports information works" $+ registerTestFromFile+ "tests/responses/attestation/with-transports.json"+ "https://infinisil.webauthn.dev.tweag.io"+ "infinisil.webauthn.dev.tweag.io"+ True+ registry+ predeterminedDateTime describe "AndroidKey register" $ do it "tests whether the fixed android key register has a valid attestation" $ registerTestFromFile@@ -318,7 +326,8 @@ . M.adAttestedCredentialData . M.aoAuthData $ M.arrAttestationObject cResponse,- ceSignCounter = M.adSignCount . M.aoAuthData $ M.arrAttestationObject cResponse+ ceSignCounter = M.adSignCount . M.aoAuthData $ M.arrAttestationObject cResponse,+ ceTransports = M.arrTransports cResponse } defaultPublicKeyCredentialCreationOptions :: M.Credential 'M.Registration raw -> M.CredentialOptions 'M.Registration
tests/Spec/Types.hs view
@@ -90,7 +90,7 @@ arbitrary = arbitraryBoundedEnum instance Arbitrary (M.AuthenticatorResponse 'M.Registration 'False) where- arbitrary = M.AuthenticatorResponseRegistration <$> arbitrary <*> arbitrary+ arbitrary = M.AuthenticatorResponseRegistration <$> arbitrary <*> arbitrary <*> arbitrary instance Arbitrary M.AssertionSignature where arbitrary = M.AssertionSignature <$> arbitrary
+ tests/responses/attestation/with-transports.json view
@@ -0,0 +1,12 @@+{+ "clientExtensionResults": {},+ "rawId": "KUf81qzsKaofpSlxy5avzDu3hrHHLFMdGhNZOts9YDCC_lTspfkVUGlhaHwfxPJ6h3sWPPS6XkcI_2N3FbXfyQ",+ "response": {+ "attestationObject": "o2NmbXRmcGFja2VkZ2F0dFN0bXSjY2FsZyZjc2lnWEYwRAIgTApe7qutMMPaNPA7NfFC21_-m46k4EWuh3BmKDYSDAoCIGB6A04-n7TYGJsc474JTayLKqSuUs2cvIorGreIvpS1Y3g1Y4FZAsEwggK9MIIBpaADAgECAgQej4c0MA0GCSqGSIb3DQEBCwUAMC4xLDAqBgNVBAMTI1l1YmljbyBVMkYgUm9vdCBDQSBTZXJpYWwgNDU3MjAwNjMxMCAXDTE0MDgwMTAwMDAwMFoYDzIwNTAwOTA0MDAwMDAwWjBuMQswCQYDVQQGEwJTRTESMBAGA1UECgwJWXViaWNvIEFCMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMScwJQYDVQQDDB5ZdWJpY28gVTJGIEVFIFNlcmlhbCA1MTI3MjI3NDAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASoefgjOO0UlLrAcEvMf8Zj0bJxcVl2JDEBx2BRFdfBUp4oHBxnMi04S1zVXdPpgY1f2FwirzJuDGT8IK_jPyNmo2wwajAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4xLjQxNDgyLjEuNzATBgsrBgEEAYLlHAIBAQQEAwIEMDAhBgsrBgEEAYLlHAEBBAQSBBAvwFefgRNH6rEWu1qNuSAqMAwGA1UdEwEB_wQCMAAwDQYJKoZIhvcNAQELBQADggEBAIaT_2LfDVd51HSNf8jRAicxio5YDmo6V8EI6U4Dw4Vos2aJT85WJL5KPv1_NBGLPZk3Q_eSoZiRYMj8muCwTj357hXj6IwE_IKo3L9YGOEI3MKWhXeuef9mK5RzTj3sRZcwXXPm5V7ivrnNlnjKCTXlM-tjj44m-ruBfNpEH76YMYMq5fbirZkvnrvbTGIji4-NerSB1tMmO82_nkpXVQNwmIrVgTRA-gMsrbZyPK3Y-Ne6gJ91tDz_oKW5rdFCMu-dnhSBJjgjPEykqHO5-KyY4yuhkWdgbhWQn83bSi3_va5GICSfmmZGrIHkgy0RGf6_qnMaiC2iWneCfUbRkBdoYXV0aERhdGFYxHzbgD-dWYiJjEu61dG4h-4WDe8NvHGqRb7HCEWeUfR8RQAAAAMvwFefgRNH6rEWu1qNuSAqAEApR_zWrOwpqh-lKXHLlq_MO7eGsccsUx0aE1k62z1gMIL-VOyl-RVQaWFofB_E8nqHexY89LpeRwj_Y3cVtd_JpQECAyYgASFYIKemkuzSyPwRFCcRBY4lmbhgQSCAfNTSJoDOnzokwUzuIlgglCsWjxTR4Dmb1CNnRcSmQxfKCL7cpqmS6xZLOU_xY7w",+ "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiZDdicFlRQUFBQURudERoamV5NlB5eGcwb1RpTnZEc1kiLCJvcmlnaW4iOiJodHRwczovL2luZmluaXNpbC53ZWJhdXRobi5kZXYudHdlYWcuaW8iLCJjcm9zc09yaWdpbiI6ZmFsc2V9",+ "transports": [+ "nfc",+ "usb"+ ]+ }+}
webauthn.cabal view
@@ -1,6 +1,6 @@ cabal-version: 2.4 name: webauthn-version: 0.1.0.0+version: 0.1.1.0 license: Apache-2.0 license-file: LICENSE copyright:@@ -21,10 +21,16 @@ of the [Web Authentication Level 2](https://www.w3.org/TR/webauthn-2/) specification. This allows web applications to create strong, attested, scoped, public key-based credentials for the purpose of strongly authenticating users.+ .+ While the general design of the library won't change, it's still in an alpha+ state, so smaller breaking changes should be expected for now. We will+ however follow the [PVP](https://pvp.haskell.org/) and properly label changes+ with the appropriate version increase. category: Web, Authentication tested-with: GHC == 8.10.7 extra-source-files: README.md,+ changelog.md, root-certs/**/*.crt, tests/golden-metadata/big/blob.jwt, tests/golden-metadata/big/payload.json,@@ -62,7 +68,7 @@ base >= 4.14.3 && < 4.15, -- deriving-aeson has compilation performance problems with aeson >= 2.0, -- see https://github.com/fumieval/deriving-aeson/issues/16- aeson >= 1.5.6 && < 2.0,+ aeson >= 1.4.7.1 && < 2.0, asn1-encoding >= 0.9.6 && < 0.10, asn1-parse >= 0.9.5 && < 0.10, asn1-types >= 0.3.4 && < 0.4,@@ -86,7 +92,7 @@ singletons >= 2.7 && < 2.8, text >= 1.2.4 && < 1.3, time >= 1.9.3 && < 1.10,- unordered-containers >= 0.2.16 && < 0.3,+ unordered-containers >= 0.2.11.0 && < 0.3, uuid >= 1.3.15 && < 1.4, validation >= 1.1.2 && < 1.2, x509 >= 1.7.5 && < 1.8,