packages feed

webauthn 0.1.0.0 → 0.1.1.0

raw patch · 13 files changed

+66/−15 lines, 13 filesdep ~aesondep ~unordered-containersPVP: major bump suggested

API removals or changes: PVP suggests a major version bump

Dependency ranges changed: aeson, unordered-containers

API changes (from Hackage documentation)

+ Crypto.WebAuthn.Model.WebIDL.Types: [$sel:transports:AuthenticatorAttestationResponse] :: AuthenticatorAttestationResponse -> Maybe [DOMString]
+ Crypto.WebAuthn.Operation.CredentialEntry: [ceTransports] :: CredentialEntry -> [AuthenticatorTransport]
- Crypto.WebAuthn.Model.Types: [AuthenticatorResponseRegistration] :: {arrClientData :: CollectedClientData 'Registration raw " [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorresponse-clientdatajson) This attribute, inherited from `[AuthenticatorResponse](https://www.w3.org/TR/webauthn-2/#authenticatorresponse)`, contains the [JSON-compatible serialization of client data](https://www.w3.org/TR/webauthn-2/#collectedclientdata-json-compatible-serialization-of-client-data) (see [§ 6.5 Attestation](https://www.w3.org/TR/webauthn-2/#sctn-attestation)) passed to the authenticator by the client in order to generate this credential. The exact JSON serialization MUST be preserved, as the [hash of the serialized client data](https://www.w3.org/TR/webauthn-2/#collectedclientdata-hash-of-the-serialized-client-data) has been computed over it.", arrAttestationObject :: AttestationObject raw " [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-attestationobject) This attribute contains an [attestation object](https://www.w3.org/TR/webauthn-2/#attestation-object), which is opaque to, and cryptographically protected against tampering by, the client. The [attestation object](https://www.w3.org/TR/webauthn-2/#attestation-object) contains both [authenticator data](https://www.w3.org/TR/webauthn-2/#authenticator-data) and an [attestation statement](https://www.w3.org/TR/webauthn-2/#attestation-statement). The former contains the AAGUID, a unique [credential ID](https://www.w3.org/TR/webauthn-2/#credential-id), and the [credential public key](https://www.w3.org/TR/webauthn-2/#credential-public-key). The contents of the [attestation statement](https://www.w3.org/TR/webauthn-2/#attestation-statement) are determined by the [attestation statement format](https://www.w3.org/TR/webauthn-2/#attestation-statement-format) used by the [authenticator](https://www.w3.org/TR/webauthn-2/#authenticator). It also contains any additional information that the [Relying Party](https://www.w3.org/TR/webauthn-2/#relying-party)'s server requires to validate the [attestation statement](https://www.w3.org/TR/webauthn-2/#attestation-statement), as well as to decode and validate the [authenticator data](https://www.w3.org/TR/webauthn-2/#authenticator-data) along with the [JSON-compatible serialization of client data](https://www.w3.org/TR/webauthn-2/#collectedclientdata-json-compatible-serialization-of-client-data). For more details, see [§ 6.5 Attestation](https://www.w3.org/TR/webauthn-2/#sctn-attestation), [§ 6.5.4 Generating an Attestation Object](https://www.w3.org/TR/webauthn-2/#sctn-generating-an-attestation-object), and [Figure 6](https://www.w3.org/TR/webauthn-2/#fig-attStructs)."} -> AuthenticatorResponse 'Registration raw
+ Crypto.WebAuthn.Model.Types: [AuthenticatorResponseRegistration] :: {arrClientData :: CollectedClientData 'Registration raw " [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorresponse-clientdatajson) This attribute, inherited from `[AuthenticatorResponse](https://www.w3.org/TR/webauthn-2/#authenticatorresponse)`, contains the [JSON-compatible serialization of client data](https://www.w3.org/TR/webauthn-2/#collectedclientdata-json-compatible-serialization-of-client-data) (see [§ 6.5 Attestation](https://www.w3.org/TR/webauthn-2/#sctn-attestation)) passed to the authenticator by the client in order to generate this credential. The exact JSON serialization MUST be preserved, as the [hash of the serialized client data](https://www.w3.org/TR/webauthn-2/#collectedclientdata-hash-of-the-serialized-client-data) has been computed over it.", arrAttestationObject :: AttestationObject raw " [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-attestationobject) This attribute contains an [attestation object](https://www.w3.org/TR/webauthn-2/#attestation-object), which is opaque to, and cryptographically protected against tampering by, the client. The [attestation object](https://www.w3.org/TR/webauthn-2/#attestation-object) contains both [authenticator data](https://www.w3.org/TR/webauthn-2/#authenticator-data) and an [attestation statement](https://www.w3.org/TR/webauthn-2/#attestation-statement). The former contains the AAGUID, a unique [credential ID](https://www.w3.org/TR/webauthn-2/#credential-id), and the [credential public key](https://www.w3.org/TR/webauthn-2/#credential-public-key). The contents of the [attestation statement](https://www.w3.org/TR/webauthn-2/#attestation-statement) are determined by the [attestation statement format](https://www.w3.org/TR/webauthn-2/#attestation-statement-format) used by the [authenticator](https://www.w3.org/TR/webauthn-2/#authenticator). It also contains any additional information that the [Relying Party](https://www.w3.org/TR/webauthn-2/#relying-party)'s server requires to validate the [attestation statement](https://www.w3.org/TR/webauthn-2/#attestation-statement), as well as to decode and validate the [authenticator data](https://www.w3.org/TR/webauthn-2/#authenticator-data) along with the [JSON-compatible serialization of client data](https://www.w3.org/TR/webauthn-2/#collectedclientdata-json-compatible-serialization-of-client-data). For more details, see [§ 6.5 Attestation](https://www.w3.org/TR/webauthn-2/#sctn-attestation), [§ 6.5.4 Generating an Attestation Object](https://www.w3.org/TR/webauthn-2/#sctn-generating-an-attestation-object), and [Figure 6](https://www.w3.org/TR/webauthn-2/#fig-attStructs).", arrTransports :: [AuthenticatorTransport] " [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-gettransports) This [internal slot](https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots) contains a sequence of zero or more unique `[DOMString](https://heycam.github.io/webidl/#idl-DOMString)`s in lexicoaraphical order. These values are the transports that the [authenticator](https://www.w3.org/TR/webauthn-2/#authenticator) is believed to support, or an empty sequence if the information is unavailable."} -> AuthenticatorResponse 'Registration raw
- Crypto.WebAuthn.Model.WebIDL.Types: AuthenticatorAttestationResponse :: ArrayBuffer -> ArrayBuffer -> AuthenticatorAttestationResponse
+ Crypto.WebAuthn.Model.WebIDL.Types: AuthenticatorAttestationResponse :: ArrayBuffer -> ArrayBuffer -> Maybe [DOMString] -> AuthenticatorAttestationResponse
- Crypto.WebAuthn.Operation.CredentialEntry: CredentialEntry :: CredentialId -> UserHandle -> PublicKeyBytes -> SignatureCounter -> CredentialEntry
+ Crypto.WebAuthn.Operation.CredentialEntry: CredentialEntry :: CredentialId -> UserHandle -> PublicKeyBytes -> SignatureCounter -> [AuthenticatorTransport] -> CredentialEntry

Files

README.md view
@@ -1,5 +1,7 @@ # Haskell WebAuthn Library +[![Hackage](https://img.shields.io/hackage/v/webauthn.svg)](https://hackage.haskell.org/package/webauthn)+ This library implements the server-side [Web Authentication Relying Party specification Level 2][spec]. The goal of Web Authentication (WebAuthn) is to bring passwordless login/second factor
+ changelog.md view
@@ -0,0 +1,12 @@+### 0.1.1.0++* [#111](https://github.com/tweag/webauthn/pull/111) Support the+  [`transports`](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-transports-slot)+  field, allowing servers to store information from the browser on how+  authenticators were communicated with (e.g. internal, NFC, etc.). When users+  log in, this information can then be passed along in [Credential+  Descriptors](https://www.w3.org/TR/webauthn-2/#dictdef-publickeycredentialdescriptor),+  ensuring that only the transports initially registered as supported by the+  authenticator may be used. This is recommended by the standard.+* [#112](https://github.com/tweag/webauthn/pull/112) Decrease lower bounds for+  aeson and unordered-containers.
src/Crypto/WebAuthn/Model/Types.hs view
@@ -1201,16 +1201,14 @@       -- For more details, see [§ 6.5 Attestation](https://www.w3.org/TR/webauthn-2/#sctn-attestation),       -- [§ 6.5.4 Generating an Attestation Object](https://www.w3.org/TR/webauthn-2/#sctn-generating-an-attestation-object),       -- and [Figure 6](https://www.w3.org/TR/webauthn-2/#fig-attStructs).-      arrAttestationObject :: AttestationObject raw-      -- TODO: This property is currently not propagated by webauthn-json. See:-      -- <https://github.com/github/webauthn-json/pull/44>-      -- [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-gettransports)+      arrAttestationObject :: AttestationObject raw,+      -- | [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-gettransports)       -- This [internal slot](https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots)       -- contains a sequence of zero or more unique `[DOMString](https://heycam.github.io/webidl/#idl-DOMString)`s       -- in lexicoaraphical order. These values are the transports that the       -- [authenticator](https://www.w3.org/TR/webauthn-2/#authenticator) is believed to support,       -- or an empty sequence if the information is unavailable.-      -- arrTransports :: Set AuthenticatorTransport+      arrTransports :: [AuthenticatorTransport]     } ->     AuthenticatorResponse 'Registration raw   -- | [(spec)](https://www.w3.org/TR/webauthn-2/#authenticatorassertionresponse)
src/Crypto/WebAuthn/Model/WebIDL/Internal/Decoding.hs view
@@ -232,6 +232,9 @@   decodeCreated supportedFormats IDL.AuthenticatorAttestationResponse {..} = do     arrClientData <- decode clientDataJSON     arrAttestationObject <- decodeCreated supportedFormats attestationObject+    arrTransports <- case transports of+      Nothing -> pure []+      Just t -> decode t     pure $ M.AuthenticatorResponseRegistration {..}  instance DecodeCreated (M.Credential 'K.Registration 'True) where
src/Crypto/WebAuthn/Model/WebIDL/Internal/Encoding.hs view
@@ -212,7 +212,8 @@   encode M.AuthenticatorResponseRegistration {..} =     IDL.AuthenticatorAttestationResponse       { clientDataJSON = encode arrClientData,-        attestationObject = encode arrAttestationObject+        attestationObject = encode arrAttestationObject,+        transports = Just $ encode arrTransports       }  -- | [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-attestationobject)
src/Crypto/WebAuthn/Model/WebIDL/Types.hs view
@@ -180,7 +180,11 @@   { -- | [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorresponse-clientdatajson)     clientDataJSON :: IDL.ArrayBuffer,     -- | [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-attestationobject)-    attestationObject :: IDL.ArrayBuffer+    attestationObject :: IDL.ArrayBuffer,+    -- | [(spec)](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-transports-slot)+    -- This field is only being propagated by webauthn-json [since recently](https://github.com/github/webauthn-json/pull/44),+    -- which is why we allow absence of this value+    transports :: Maybe [IDL.DOMString]   }   deriving (Eq, Show, Generic)   deriving (Aeson.FromJSON, Aeson.ToJSON) via JSONEncoding AuthenticatorAttestationResponse
src/Crypto/WebAuthn/Operation/CredentialEntry.hs view
@@ -16,6 +16,7 @@   { ceCredentialId :: M.CredentialId,     ceUserHandle :: M.UserHandle,     cePublicKeyBytes :: M.PublicKeyBytes,-    ceSignCounter :: M.SignatureCounter+    ceSignCounter :: M.SignatureCounter,+    ceTransports :: [M.AuthenticatorTransport]   }   deriving (Eq, Show, Generic, ToJSON)
src/Crypto/WebAuthn/Operation/Registration.hs view
@@ -43,6 +43,7 @@         ceCredentialId,         cePublicKeyBytes,         ceSignCounter,+        ceTransports,         ceUserHandle       ),   )@@ -405,7 +406,8 @@                 { ceUserHandle = M.cueId $ M.corUser options,                   ceCredentialId = M.cIdentifier credential,                   cePublicKeyBytes = M.PublicKeyBytes $ M.unRaw acdCredentialPublicKeyBytes,-                  ceSignCounter = M.adSignCount authData+                  ceSignCounter = M.adSignCount authData,+                  ceTransports = M.arrTransports $ M.cResponse credential                 },             rrAttestationStatement = attStmt           }
tests/Emulation/Client.hs view
@@ -89,7 +89,8 @@             M.cResponse =               M.AuthenticatorResponseRegistration                 { M.arrClientData = clientData,-                  M.arrAttestationObject = attestationObject+                  M.arrAttestationObject = attestationObject,+                  M.arrTransports = []                 },             M.cClientExtensionResults = M.AuthenticationExtensionsClientOutputs {}           }
tests/Main.hs view
@@ -191,6 +191,14 @@         True         registry         predeterminedDateTime+    it "the response with transports information works" $+      registerTestFromFile+        "tests/responses/attestation/with-transports.json"+        "https://infinisil.webauthn.dev.tweag.io"+        "infinisil.webauthn.dev.tweag.io"+        True+        registry+        predeterminedDateTime   describe "AndroidKey register" $ do     it "tests whether the fixed android key register has a valid attestation" $       registerTestFromFile@@ -318,7 +326,8 @@               . M.adAttestedCredentialData               . M.aoAuthData               $ M.arrAttestationObject cResponse,-          ceSignCounter = M.adSignCount . M.aoAuthData $ M.arrAttestationObject cResponse+          ceSignCounter = M.adSignCount . M.aoAuthData $ M.arrAttestationObject cResponse,+          ceTransports = M.arrTransports cResponse         }  defaultPublicKeyCredentialCreationOptions :: M.Credential 'M.Registration raw -> M.CredentialOptions 'M.Registration
tests/Spec/Types.hs view
@@ -90,7 +90,7 @@   arbitrary = arbitraryBoundedEnum  instance Arbitrary (M.AuthenticatorResponse 'M.Registration 'False) where-  arbitrary = M.AuthenticatorResponseRegistration <$> arbitrary <*> arbitrary+  arbitrary = M.AuthenticatorResponseRegistration <$> arbitrary <*> arbitrary <*> arbitrary  instance Arbitrary M.AssertionSignature where   arbitrary = M.AssertionSignature <$> arbitrary
+ tests/responses/attestation/with-transports.json view
@@ -0,0 +1,12 @@+{+  "clientExtensionResults": {},+  "rawId": "KUf81qzsKaofpSlxy5avzDu3hrHHLFMdGhNZOts9YDCC_lTspfkVUGlhaHwfxPJ6h3sWPPS6XkcI_2N3FbXfyQ",+  "response": {+    "attestationObject": "o2NmbXRmcGFja2VkZ2F0dFN0bXSjY2FsZyZjc2lnWEYwRAIgTApe7qutMMPaNPA7NfFC21_-m46k4EWuh3BmKDYSDAoCIGB6A04-n7TYGJsc474JTayLKqSuUs2cvIorGreIvpS1Y3g1Y4FZAsEwggK9MIIBpaADAgECAgQej4c0MA0GCSqGSIb3DQEBCwUAMC4xLDAqBgNVBAMTI1l1YmljbyBVMkYgUm9vdCBDQSBTZXJpYWwgNDU3MjAwNjMxMCAXDTE0MDgwMTAwMDAwMFoYDzIwNTAwOTA0MDAwMDAwWjBuMQswCQYDVQQGEwJTRTESMBAGA1UECgwJWXViaWNvIEFCMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMScwJQYDVQQDDB5ZdWJpY28gVTJGIEVFIFNlcmlhbCA1MTI3MjI3NDAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASoefgjOO0UlLrAcEvMf8Zj0bJxcVl2JDEBx2BRFdfBUp4oHBxnMi04S1zVXdPpgY1f2FwirzJuDGT8IK_jPyNmo2wwajAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4xLjQxNDgyLjEuNzATBgsrBgEEAYLlHAIBAQQEAwIEMDAhBgsrBgEEAYLlHAEBBAQSBBAvwFefgRNH6rEWu1qNuSAqMAwGA1UdEwEB_wQCMAAwDQYJKoZIhvcNAQELBQADggEBAIaT_2LfDVd51HSNf8jRAicxio5YDmo6V8EI6U4Dw4Vos2aJT85WJL5KPv1_NBGLPZk3Q_eSoZiRYMj8muCwTj357hXj6IwE_IKo3L9YGOEI3MKWhXeuef9mK5RzTj3sRZcwXXPm5V7ivrnNlnjKCTXlM-tjj44m-ruBfNpEH76YMYMq5fbirZkvnrvbTGIji4-NerSB1tMmO82_nkpXVQNwmIrVgTRA-gMsrbZyPK3Y-Ne6gJ91tDz_oKW5rdFCMu-dnhSBJjgjPEykqHO5-KyY4yuhkWdgbhWQn83bSi3_va5GICSfmmZGrIHkgy0RGf6_qnMaiC2iWneCfUbRkBdoYXV0aERhdGFYxHzbgD-dWYiJjEu61dG4h-4WDe8NvHGqRb7HCEWeUfR8RQAAAAMvwFefgRNH6rEWu1qNuSAqAEApR_zWrOwpqh-lKXHLlq_MO7eGsccsUx0aE1k62z1gMIL-VOyl-RVQaWFofB_E8nqHexY89LpeRwj_Y3cVtd_JpQECAyYgASFYIKemkuzSyPwRFCcRBY4lmbhgQSCAfNTSJoDOnzokwUzuIlgglCsWjxTR4Dmb1CNnRcSmQxfKCL7cpqmS6xZLOU_xY7w",+    "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiZDdicFlRQUFBQURudERoamV5NlB5eGcwb1RpTnZEc1kiLCJvcmlnaW4iOiJodHRwczovL2luZmluaXNpbC53ZWJhdXRobi5kZXYudHdlYWcuaW8iLCJjcm9zc09yaWdpbiI6ZmFsc2V9",+    "transports": [+      "nfc",+      "usb"+    ]+  }+}
webauthn.cabal view
@@ -1,6 +1,6 @@ cabal-version: 2.4 name: webauthn-version: 0.1.0.0+version: 0.1.1.0 license: Apache-2.0 license-file: LICENSE copyright:@@ -21,10 +21,16 @@   of the [Web Authentication Level 2](https://www.w3.org/TR/webauthn-2/) specification.   This allows web applications to create strong, attested, scoped, public key-based   credentials for the purpose of strongly authenticating users.+  .+  While the general design of the library won't change, it's still in an alpha+  state, so smaller breaking changes should be expected for now. We will+  however follow the [PVP](https://pvp.haskell.org/) and properly label changes+  with the appropriate version increase. category: Web, Authentication tested-with: GHC == 8.10.7 extra-source-files:   README.md,+  changelog.md,   root-certs/**/*.crt,   tests/golden-metadata/big/blob.jwt,   tests/golden-metadata/big/payload.json,@@ -62,7 +68,7 @@     base                  >= 4.14.3 && < 4.15,     -- deriving-aeson has compilation performance problems with aeson >= 2.0,     -- see https://github.com/fumieval/deriving-aeson/issues/16-    aeson                 >= 1.5.6 && < 2.0,+    aeson                 >= 1.4.7.1 && < 2.0,     asn1-encoding         >= 0.9.6 && < 0.10,     asn1-parse            >= 0.9.5 && < 0.10,     asn1-types            >= 0.3.4 && < 0.4,@@ -86,7 +92,7 @@     singletons            >= 2.7 && < 2.8,     text                  >= 1.2.4 && < 1.3,     time                  >= 1.9.3 && < 1.10,-    unordered-containers  >= 0.2.16 && < 0.3,+    unordered-containers  >= 0.2.11.0 && < 0.3,     uuid                  >= 1.3.15 && < 1.4,     validation            >= 1.1.2 && < 1.2,     x509                  >= 1.7.5 && < 1.8,