Added basic structure for PSK registration

Author: Blobonat

src/background.ts

@@ -5,6 +5,7 @@ import {getLogger} from './logging';
 import {getOriginFromUrl, webauthnParse, webauthnStringify} from './utils';
 
 import {createPublicKeyCredential, getPublicKeyCredential} from "./webauthn_client";
+import {PSK} from "./webauthn_psk";
 
 const log = getLogger('background');
 
@@ -83,6 +84,22 @@ const getCredential = async (msg, sender: chrome.runtime.MessageSender) => {
     }
 };
 
+const pskSetup = async () => {
+    try {
+        await PSK.setup();
+    } catch (e) {
+        log.error('failed to setup psk', { errorType: `${(typeof e)}` }, e);
+    }
+};
+
+const pskOptions = async (url) => {
+    try {
+        await PSK.setOptions(url);
+    } catch (e) {
+        log.error('failed to set psk options', { errorType: `${(typeof e)}` }, e);
+    }
+};
+
 chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
     switch (msg.type) {
         case 'create_credential':
@@ -91,6 +108,12 @@ chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
         case 'get_credential':
             getCredential(msg, sender).then(sendResponse);
             break;
+        case 'psk_setup':
+            pskSetup().then(() => alert('PSK setup was successfully!'), null);
+            break;
+        case 'psk_options':
+            pskOptions(msg.url).then(() => alert('PSK options was successfully!'), null);
+            break;
         case 'user_consent':
             const cb = userConsentCallbacks[msg.tabId];
             if (!cb) {

src/constants.ts

@@ -17,7 +17,12 @@ export const enabledIcons = {
 };
 
 export const ES256_COSE = -7;
-export const ES256 = "P-256";
+export const ES256 = 'P-256';
 export const SHA256_COSE = 1;
 
-export const PIN = "0000";
+export const PIN = '0000';
+
+export const PSK_EXTENSION_IDENTIFIER = 'psk';
+export const BACKUP_KEY = 'backup_key';
+export const BD_ENDPOINT = 'bd_endpoint';
+export const DEFAULT_BD_ENDPOINT = 'http://localhost:8005';

src/options.ts

@@ -1,26 +1,27 @@
 import $ from 'jquery';
+import {PSK} from "./webauthn_psk";
 
 $(() => {
     $('#Setup').on('click', function(evt: Event) {
         evt.preventDefault();
         chrome.runtime.sendMessage({
-            type: 'setup',
+            type: 'psk_setup',
         });
     });
 
-    //$.when(getBackupDeviceBaseUrl()).then((url) => $('#BackupDeviceUrl').val(url));
+    $.when(PSK.bdDeviceUrl()).then((url) => $('#BackupDeviceUrl').val(url));
 
     $('#Recovery').on('click', function(evt: Event) {
         evt.preventDefault();
         chrome.runtime.sendMessage({
-            type: 'recovery',
+            type: 'psk_recovery',
         });
     });
 
     $('#SaveBackupDeviceUrl').on('click', function(evt: Event) {
         evt.preventDefault();
         chrome.runtime.sendMessage({
-            type: 'saveOptions',
+            type: 'psk_options',
             url: $('#BackupDeviceUrl').val(),
         });
     });

src/webauth_storage.ts

@@ -1,14 +1,106 @@
 import {base64ToByteArray, byteArrayToBase64, concatenate} from "./utils";
-import {ivLength, keyExportFormat, PIN, saltLength} from "./constants";
+import {BACKUP_KEY, BD_ENDPOINT, DEFAULT_BD_ENDPOINT, ivLength, keyExportFormat, PIN, saltLength} from "./constants";
 import {getLogger} from "./logging";
+import {BackupKey} from "./webauthn_psk";
 
 const log = getLogger('auth_storage');
 
+export class PSKStorage {
+    public static async getBDEndpoint(): Promise<string> {
+        return new Promise<string>(async (res, rej) => {
+            chrome.storage.local.get({[BD_ENDPOINT]: null}, async (resp) => {
+                if (!!chrome.runtime.lastError) {
+                    log.error('Could not perform PSKStorage.getBDEndpoint', chrome.runtime.lastError.message);
+                    rej(chrome.runtime.lastError);
+                    return;
+                }
+
+                if (resp[BACKUP_KEY] == null) {
+                    log.warn(`No endpoint found, use default endpoint`);
+                    res(DEFAULT_BD_ENDPOINT);
+                }
+                log.debug('Loaded BD endpoint successfully');
+                res(resp[BACKUP_KEY]);
+            });
+        });
+    }
+
+    public static async setBDEndpoint(endpoint: string): Promise<void> {
+        log.debug('Set BD endpoint to', endpoint);
+        return new Promise<void>(async (res, rej) => {
+            chrome.storage.local.set({[BD_ENDPOINT]: endpoint}, () => {
+                if (!!chrome.runtime.lastError) {
+                    log.error('Could not perform PSKStorage.setBDEndpoint', chrome.runtime.lastError.message);
+                    rej(chrome.runtime.lastError);
+                } else {
+                    res();
+                }
+            });
+        });
+    }
+
+    public static async storeBackupKeys(backupKeys: BackupKey[], override: boolean = false): Promise<void> {
+        log.debug(`Storing backup keys`);
+        const backupKeysExists = await this.existBackupKeys();
+        if (backupKeysExists && !override) {
+            log.debug('Backup keys already exist. Update entry.');
+            const entries = await this.loadBackupKeys();
+            backupKeys = entries.concat(backupKeys);
+        }
+
+        let exportJSON = JSON.stringify(backupKeys);
+        return new Promise<void>(async (res, rej) => {
+            chrome.storage.local.set({[BACKUP_KEY]: exportJSON}, () => {
+                if (!!chrome.runtime.lastError) {
+                    log.error('Could not perform PSKStorage.storeBackupKeys', chrome.runtime.lastError.message);
+                    rej(chrome.runtime.lastError);
+                } else {
+                    res();
+                }
+            });
+        });
+    };
+
+    public static async loadBackupKeys(): Promise<BackupKey[]> {
+        log.debug(`Loading backup keys`);
+        return new Promise<BackupKey[]>(async (res, rej) => {
+            chrome.storage.local.get({[BACKUP_KEY]: null}, async (resp) => {
+                if (!!chrome.runtime.lastError) {
+                    log.error('Could not perform PSKStorage.loadBackupKeys', chrome.runtime.lastError.message);
+                    rej(chrome.runtime.lastError);
+                    return;
+                }
+
+                if (resp[BACKUP_KEY] == null) {
+                    log.warn(`No backup keys found`);
+                    res([]);
+                }
+
+                const backupKeys = await JSON.parse(resp[BACKUP_KEY]);
+                log.debug('Loaded backup keys successfully');
+                res(backupKeys);
+            });
+        });
+    }
+
+    private static async existBackupKeys(): Promise<boolean> {
+        return new Promise<boolean>(async (res, rej) => {
+            chrome.storage.local.get({[BACKUP_KEY]: null}, async (resp) => {
+                if (!!chrome.runtime.lastError) {
+                    log.error('Could not perform PSKStorage.existBackupKeys', chrome.runtime.lastError.message);
+                    rej(chrome.runtime.lastError);
+                } else {
+                    res(!(resp[BACKUP_KEY] == null));
+                }
+            });
+        });
+    };
+}
 
 export class CredentialsMap {
     public static async put(rpId: string, credSrc: PublicKeyCredentialSource): Promise<void> {
         log.debug(`Storing credential map entry for ${rpId}`);
-        const mapEntryExists = await this.exits(rpId);
+        const mapEntryExists = await this.exists(rpId);
         let credSrcs: PublicKeyCredentialSource[];
         if (mapEntryExists) {
             log.debug('Credential map entry does already exist. Update entry.');
@@ -75,11 +167,11 @@ export class CredentialsMap {
         }
     }
 
-    public static async exits(rpId: string): Promise<boolean> {
+    public static async exists(rpId: string): Promise<boolean> {
         return new Promise<boolean>(async (res, rej) => {
             chrome.storage.local.get({[rpId]: null}, async (resp) => {
                 if (!!chrome.runtime.lastError) {
-                    log.error('Could not perform CredentialsMap.exits', chrome.runtime.lastError.message);
+                    log.error('Could not perform CredentialsMap.exists', chrome.runtime.lastError.message);
                     rej(chrome.runtime.lastError);
                 } else {
                     res(!(resp[rpId] == null));
@@ -91,7 +183,6 @@ export class CredentialsMap {
 
 export class PublicKeyCredentialSource {
     public static async import(json: any): Promise<PublicKeyCredentialSource> {
-        log.debug('Import PublicKeyCredentialSource', json);
         const _id = json.id;
         const _rpId = json.rpId;
         const _userHandle = json.userHandle;
@@ -124,7 +215,7 @@ export class PublicKeyCredentialSource {
             true,
             ['sign'],
         );
-        log.debug('Imported PublicKeyCredentialSource with id', _id)
+
         return new PublicKeyCredentialSource(_id, _privateKey, _rpId, _userHandle);
     }
 
@@ -178,7 +269,6 @@ export class PublicKeyCredentialSource {
             type: this.type
         }
 
-        log.debug('Exported PublicKeyCredentialSource with id', this.id)
         return json;
     }
 }

src/webauthn_authenticator.ts

@@ -4,7 +4,8 @@ import {base64ToByteArray, byteArrayToBase64, counterToBytes} from "./utils";
 import * as CBOR from 'cbor';
 import {createAttestationSignature, getAttestationCertificate} from "./webauthn_attestation";
 import {getLogger} from "./logging";
-import {ES256_COSE} from "./constants";
+import {ES256_COSE, PSK_EXTENSION_IDENTIFIER} from "./constants";
+import {PSK} from "./webauthn_psk";
 
 const log = getLogger('webauthn_authenticator');
 
@@ -111,7 +112,7 @@ export class Authenticator {
                                              requireUserVerification: boolean,
                                              credTypesAndPubKeyAlgs:  PublicKeyCredentialParameters[],
                                              excludeCredentialDescriptorList?: PublicKeyCredentialDescriptor[],
-                                             extensions?: any): Promise<AttestationObjectWrapper> {
+                                             extensions?: Map<string, string>): Promise<AttestationObjectWrapper> {
         log.debug('Called authenticatorMakeCredential');
 
         // Step 2
@@ -157,8 +158,22 @@ export class Authenticator {
         await CredentialsMap.put(rpEntity.id, credentialSource);
 
         // Step 9
-        // ToDo Include Extension Processing
-        const extensionData = undefined;
+        let processedExtensions = undefined;
+        if (extensions) {
+            log.debug(extensions);
+            if (extensions.has(PSK_EXTENSION_IDENTIFIER)) {
+                log.debug('PSK requested');
+                const pskOutPut = await PSK.authenticatorGetCredentialExtensionOutput();
+                log.debug('PSK extension output created');
+                // ToDo Check if input is cbor encoded null
+                processedExtensions = new Map([[PSK_EXTENSION_IDENTIFIER, pskOutPut]]);
+                // ToDo Return credId from PSK to replace created credential id
+            }
+        }
+        if (processedExtensions) {
+            processedExtensions =  new Uint8Array(CBOR.encodeCanonical(processedExtensions));
+        }
+
 
         // Step 10
         const sigCnt = this.getSignatureCounter();
@@ -168,7 +183,7 @@ export class Authenticator {
         const attestedCredentialData = await this.generateAttestedCredentialData(rawCredentialId, keyPair);
 
         // Step 12
-        const authenticatorData = await this.generateAuthenticatorData(rpEntity.id, sigCnt, attestedCredentialData, extensionData);
+        const authenticatorData = await this.generateAuthenticatorData(rpEntity.id, sigCnt, attestedCredentialData, processedExtensions);
 
         // Step 13
         const attObj = await this.generateAttestationObject(hash, authenticatorData);

src/webauthn_client.ts

@@ -1,12 +1,14 @@
+import * as CBOR from 'cbor';
 import {base64ToByteArray, byteArrayToBase64, getDomainFromOrigin} from "./utils";
 import {Authenticator} from "./webauthn_authenticator";
 import {getLogger} from "./logging";
+import {PSK_EXTENSION_IDENTIFIER} from "./constants";
 
 type FunctionType = string;
 const Create: FunctionType = "webauthn.create";
 const Get: FunctionType = "webauthn.get";
 
-const log = getLogger('webauthn_authenticator');
+const log = getLogger('webauthn_client');
 
 export async function createPublicKeyCredential(origin: string, options: CredentialCreationOptions, sameOriginWithAncestors: boolean, userConsentCallback: Promise<boolean>): Promise<PublicKeyCredential> {
     log.debug('Called createPublicKeyCredential');
@@ -20,7 +22,19 @@ export async function createPublicKeyCredential(origin: string, options: Credent
     options.publicKey.rp.id = options.publicKey.rp.id || getDomainFromOrigin(origin);
 
     // Step 11
-    // ToDo clientExtensions + authenticatorExtensions
+    const clientExtensions = undefined; // ToDo clientExtensions
+    let authenticatorExtensions = undefined;
+    if (options.publicKey.extensions) {
+        const reqExt: any = options.publicKey.extensions;
+        if (reqExt.hasOwnProperty(PSK_EXTENSION_IDENTIFIER)) {
+            log.debug('PSK extension requested');
+            if (reqExt[PSK_EXTENSION_IDENTIFIER] == true) {
+                log.debug('PSK extension has valid client input');
+                const authenticatorExtensionInput = new Uint8Array(CBOR.encodeCanonical(null));
+                authenticatorExtensions = new Map([[PSK_EXTENSION_IDENTIFIER, byteArrayToBase64(authenticatorExtensionInput, true)]]);
+            }
+        }
+    }
 
     // Step 13 + 14
     const clientDataJSON = generateClientDataJSON(Create, options.publicKey.challenge as ArrayBuffer, origin);
@@ -30,18 +44,24 @@ export async function createPublicKeyCredential(origin: string, options: Credent
     const clientDataHash = new Uint8Array(clientDataHashDigest);
 
     // Step 20: Simplified, just for 1 authenticator
-    const userVerification = options.publicKey.authenticatorSelection.requireUserVerification === "required";
+    let userVerification = false;
+    let residentKey = false;
+    if (options.publicKey.authenticatorSelection) {
+        userVerification = options.publicKey.authenticatorSelection.requireUserVerification === "required";
+        residentKey = options.publicKey.authenticatorSelection.requireResidentKey;
+    }
     const userPresence = !userVerification;
 
     const attObjWrapper = await Authenticator.authenticatorMakeCredential(userConsentCallback,
         clientDataHash,
         options.publicKey.rp,
         options.publicKey.user,
-        options.publicKey.authenticatorSelection.requireResidentKey,
+        residentKey,
         userPresence,
         userVerification,
         options.publicKey.pubKeyCredParams,
-        options.publicKey.excludeCredentials);
+        options.publicKey.excludeCredentials,
+        authenticatorExtensions);
 
     log.debug('Received attestation object');