Clean up get credential

chrome-key · Blobonat · Jul 1, 2020 · Jul 1, 2020 · Jul 2, 2020 · Jul 3, 2020
commit 102fc8197292e8787dc5df940f76be516bdd67fe
diff --git a/src/webauthn_authenticator.ts b/src/webauthn_authenticator.ts
@@ -50,6 +50,7 @@ export class Authenticator {
         let isRecovery: [boolean, string] = [false, ""];
         let credentialOptions: PublicKeyCredentialSource[] = [];
         if (allowCredentialDescriptorList) {
+            // Simplified credential lookup
             for (let i = 0; i < allowCredentialDescriptorList.length; i++) {
                 const rawCredId = allowCredentialDescriptorList[i].id as ArrayBuffer;
                 const credId = byteArrayToBase64(new Uint8Array(rawCredId), true);
@@ -59,6 +60,7 @@ export class Authenticator {
                 }
             }
         } else {
+            // If no credentials were supplied, load all credentials associated to the RPID
             credentialOptions = credentialOptions.concat(await CredentialsMap.load(rpId));
         }
         if (credentialOptions.length == 0) {
@@ -75,6 +77,7 @@ export class Authenticator {
                 }
             }
             if (!isRecovery[0]) {
+                // No recovery and no associated credential found
                 throw new Error(`Container does not manage any related credentials`);
             }
         }
@@ -84,7 +87,6 @@ export class Authenticator {
             credSource = credentialOptions[0];
         }
 
-
         const userConsent = await userConsentCallback;
         if (!userConsent) {
             throw new Error(`no user consent`);
@@ -93,15 +95,13 @@ export class Authenticator {
         // Step 8
         let processedExtensions = undefined;
         if (extensions) {
-            log.debug(extensions);
             if (extensions.has(PSK_EXTENSION_IDENTIFIER)) {
                 log.debug('Get: PSK requested');
                 if (!isRecovery[0]) {
                     throw new Error('PSK extension requested, but no matching recovery key available');
                 }
                 const rawPskInput = base64ToByteArray(extensions.get(PSK_EXTENSION_IDENTIFIER), true);
                 const pskInput = await CBOR.decode(new Buffer(rawPskInput));
-                log.debug('Get: PSK input', pskInput);
                 const [newCredId, pskOutput] = await PSK.authenticatorGetCredentialExtensionOutput(isRecovery[1], pskInput.hash, rpId);
                 processedExtensions = new Map([[PSK_EXTENSION_IDENTIFIER, pskOutput]]);
                 credSource = await CredentialsMap.lookup(rpId, newCredId);

diff --git a/src/webauthn_client.ts b/src/webauthn_client.ts
@@ -113,11 +113,18 @@ export async function createPublicKeyCredential(origin: string, options: Credent
 }
 
 export async function getPublicKeyCredential(origin: string, options: CredentialRequestOptions, sameOriginWithAncestors: boolean, userConsentCallback: Promise<boolean>) {
+    // Step 1
+    if (!options.publicKey) {
+        throw new Error('options missing');
+    }
+
     // Step 2
     if (!sameOriginWithAncestors) {
         throw new Error(`sameOriginWithAncestors has to be true`);
     }
 
+    // No timeout
+
     // Step 7
     const rpID = options.publicKey.rpId || getDomainFromOrigin(origin);
 
@@ -136,6 +143,8 @@ export async function getPublicKeyCredential(origin: string, options: Credential
                 const authenticatorExtensionInput = new Uint8Array(CBOR.encodeCanonical({hash: customClientDataHash}));
                 authenticatorExtensions = new Map([[PSK_EXTENSION_IDENTIFIER, byteArrayToBase64(authenticatorExtensionInput, true)]]);
                 // clientExtensions = {[PSK_EXTENSION_IDENTIFIER]: {clientDataJSON: customClientDataJSON}}; // ToDo  Add to response
+            } else {
+                log.warn('PSK client extension processing failed. Wrong input.');
             }
         }
     }
@@ -147,21 +156,29 @@ export async function getPublicKeyCredential(origin: string, options: Credential
     const clientDataHashDigest = await window.crypto.subtle.digest('SHA-256', new TextEncoder().encode(JSON.stringify(clientDataJSON)));
     const clientDataHash = new Uint8Array(clientDataHashDigest);
 
-    // Step 18: Simplified, just for 1 authenticator
+    // Handle only 1 authenticator
+    // Step 18
+    if (options.publicKey.userVerification && (options.publicKey.userVerification === 'required')) {
+        throw new Error(`cKey does not support user verification`);
+    }
+
     const userVerification = options.publicKey.userVerification === "required";
     const userPresence = !userVerification;
+
+    const allowCredentialDescriptorList = options.publicKey.allowCredentials; // No filtering
+
     const assertionCreationData = await Authenticator.authenticatorGetAssertion(userConsentCallback,
         rpID,
         clientDataHash,
         userPresence,
         userVerification,
-        options.publicKey.allowCredentials,
+        allowCredentialDescriptorList,
         authenticatorExtensions);
 
     log.debug('Received assertion response');
 
     return {
-        getClientExtensionResults: () => ({}),
+        getClientExtensionResults: () => (clientExtensions), // ToDo Add client extension output
         id: assertionCreationData.credentialId,
         rawId: base64ToByteArray(assertionCreationData.credentialId, true),
         response: {