Simplify make_credential() and verify_assertion()

Get rid of the consumed_at column and the UPDATE setting it.
Instead, rely on the unique constraints on challenge,
which will cause the INSERT to fail for a replay attack.

Also:

* Create and use ENUMs from the WebAuthn specification:
  - credential_type
  - user_verification_requirement
* Parameterize txAuthSimple and txAuthGeneric
* Check timeout is not exceeded by comparing against created_at
* Check the user_handle must match the credential’s user_id, or be NULL
* Implement and test userVerification semantics
* Add COMMENTS on all tables and their columns

Author: joelonsql

ENUMS/credential_type.sql

@@ -0,0 +1,5 @@
+CREATE TYPE webauthn.credential_type AS ENUM (
+  'public-key'
+);
+
+COMMENT ON TYPE webauthn.credential_type IS 'https://www.w3.org/TR/webauthn-2/#enum-credentialType';

ENUMS/user_verification_requirement.sql

@@ -0,0 +1,7 @@
+CREATE TYPE webauthn.user_verification_requirement AS ENUM (
+  'required',
+  'preferred',
+  'discouraged'
+);
+
+COMMENT ON TYPE webauthn.user_verification_requirement IS 'https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement';

FUNCTIONS/get_credentials.sql

@@ -2,36 +2,67 @@ CREATE OR REPLACE FUNCTION webauthn.get_credentials(
   challenge bytea,
   relying_party_id text,
   user_name text,
-  timeout interval
+  timeout interval,
+  user_verification webauthn.user_verification_requirement DEFAULT 'preferred',
+  tx_auth_simple text DEFAULT NULL,
+  tx_auth_generic_content_type text DEFAULT NULL,
+  tx_auth_generic_content bytea DEFAULT NULL
 )
 RETURNS jsonb
 LANGUAGE sql
 AS $$
-WITH new_challenge AS (
-  INSERT INTO webauthn.assertion_challenges (challenge, relying_party_id, user_name, timeout)
-  VALUES (challenge, relying_party_id, user_name, timeout)
-  RETURNING challenge
+WITH store_challenge AS (
+  INSERT INTO webauthn.assertion_challenges
+         (challenge, relying_party_id, user_name, timeout, user_verification, tx_auth_simple, tx_auth_generic_content_type, tx_auth_generic_content)
+  VALUES (challenge, relying_party_id, user_name, timeout, user_verification, tx_auth_simple, tx_auth_generic_content_type, tx_auth_generic_content)
+  RETURNING *
 )
 SELECT jsonb_build_object(
   'publicKey', jsonb_build_object(
-    'userVerification', 'required',
-    'extensions', jsonb_build_object(
-      'txAuthSimple', ''
-    ),
+    'userVerification', store_challenge.user_verification,
     'allowCredentials', jsonb_agg(
       jsonb_build_object(
-        'type', 'public-key',
+        'type', credentials.credential_type,
         'id', webauthn.base64url_encode(credentials.credential_id)
       )
     ORDER BY credentials.credential_id),
-    'timeout', (extract(epoch from get_credentials.timeout)*1000)::bigint, -- milliseconds
-    'challenge', webauthn.base64url_encode(new_challenge.challenge),
-    'rpId', get_credentials.relying_party_id
+    'timeout', (extract(epoch from store_challenge.timeout)*1000)::bigint, -- milliseconds
+    'challenge', webauthn.base64url_encode(store_challenge.challenge),
+    'rpId', store_challenge.relying_party_id
+  ) ||
+  jsonb_strip_nulls(
+    jsonb_build_object(
+      'extensions',
+      NULLIF(
+        jsonb_strip_nulls(jsonb_build_object(
+          'txAuthSimple',
+          store_challenge.tx_auth_simple
+        )) ||
+        jsonb_strip_nulls(jsonb_build_object(
+            'txAuthGeneric',
+            NULLIF(jsonb_strip_nulls(
+              jsonb_build_object(
+                'contentType',
+                store_challenge.tx_auth_generic_content_type,
+                'content',
+                webauthn.base64url_encode(store_challenge.tx_auth_generic_content)
+              )
+            ), '{}')
+        )),
+        '{}'
+      )
+    )
   )
 )
-FROM new_challenge
-JOIN webauthn.credential_challenges ON credential_challenges.relying_party_id = get_credentials.relying_party_id
-                                   AND credential_challenges.user_name         = get_credentials.user_name
+FROM store_challenge
+JOIN webauthn.credential_challenges ON credential_challenges.relying_party_id = store_challenge.relying_party_id
+                                   AND credential_challenges.user_name        = store_challenge.user_name
 JOIN webauthn.credentials ON credentials.challenge = credential_challenges.challenge
-GROUP BY new_challenge.challenge, get_credentials.relying_party_id, get_credentials.timeout
+GROUP BY store_challenge.challenge,
+         store_challenge.relying_party_id,
+         store_challenge.timeout,
+         store_challenge.user_verification,
+         store_challenge.tx_auth_simple,
+         store_challenge.tx_auth_generic_content_type,
+         store_challenge.tx_auth_generic_content
 $$;

FUNCTIONS/init_credential.sql

@@ -5,18 +5,20 @@ CREATE OR REPLACE FUNCTION webauthn.init_credential(
   user_name text,
   user_id bytea,
   user_display_name text,
-  timeout interval
+  timeout interval,
+  user_verification webauthn.user_verification_requirement DEFAULT 'preferred',
+  tx_auth_simple text DEFAULT NULL,
+  tx_auth_generic_content_type text DEFAULT NULL,
+  tx_auth_generic_content bytea DEFAULT NULL
 )
 RETURNS jsonb
 LANGUAGE sql
 AS $$
--- https://www.w3.org/TR/webauthn-2/#dictionary-makecredentialoptions
-WITH new_challenge AS (
-  INSERT INTO webauthn.credential_challenges (challenge, relying_party_name, relying_party_id, user_name, user_id, user_display_name, timeout)
-  VALUES (challenge, relying_party_name, relying_party_id, user_name, user_id, user_display_name, timeout)
-  RETURNING TRUE
-)
-SELECT jsonb_build_object(
+INSERT INTO webauthn.credential_challenges
+       (challenge, relying_party_name, relying_party_id, user_name, user_id, user_display_name, timeout, user_verification, tx_auth_simple, tx_auth_generic_content_type, tx_auth_generic_content)
+VALUES (challenge, relying_party_name, relying_party_id, user_name, user_id, user_display_name, timeout, user_verification, tx_auth_simple, tx_auth_generic_content_type, tx_auth_generic_content)
+RETURNING 
+jsonb_build_object(
   'publicKey', jsonb_build_object(
     'rp', jsonb_build_object(
       'name', relying_party_name,
@@ -36,13 +38,33 @@ SELECT jsonb_build_object(
     ),
     'authenticatorSelection', jsonb_build_object(
       'requireResidentKey', false,
-      'userVerification', 'discouraged'
-    ),
-    'timeout', (extract(epoch from timeout)*1000)::bigint, -- milliseconds
-    'extensions', jsonb_build_object(
-      'txAuthSimple', ''
+      'userVerification', user_verification
     ),
+    'timeout', (extract(epoch from timeout)*1000)::bigint,
     'attestation', 'none'
+  ) ||
+  jsonb_strip_nulls(
+    jsonb_build_object(
+      'extensions',
+      NULLIF(
+        jsonb_strip_nulls(jsonb_build_object(
+          'txAuthSimple',
+          tx_auth_simple
+        )) ||
+        jsonb_strip_nulls(jsonb_build_object(
+            'txAuthGeneric',
+            NULLIF(jsonb_strip_nulls(
+              jsonb_build_object(
+                'contentType',
+                tx_auth_generic_content_type,
+                'content',
+                webauthn.base64url_encode(tx_auth_generic_content)
+              )
+            ), '{}')
+        )),
+        '{}'
+      )
+    )
   )
-) FROM new_challenge
+)
 $$;

FUNCTIONS/make_credential.sql

@@ -1,32 +1,27 @@
 CREATE OR REPLACE FUNCTION webauthn.make_credential(
   OUT user_id bytea,
   credential_id text,
-  credential_type text,
+  credential_type webauthn.credential_type,
   attestation_object text,
   client_data_json text,
   relying_party_id text
 )
 RETURNS bytea
 LANGUAGE sql
 AS $$
-WITH
-consume_challenge AS (
-  UPDATE webauthn.credential_challenges SET
-    consumed_at = now()
-  WHERE credential_challenges.relying_party_id = make_credential.relying_party_id
-  AND credential_challenges.challenge = webauthn.base64url_decode(webauthn.from_utf8(webauthn.base64url_decode(client_data_json))::jsonb->>'challenge')
-  AND credential_challenges.consumed_at IS NULL
-  AND credential_challenges.created_at + credential_challenges.timeout > now()
-  RETURNING challenge, user_id
-)
-INSERT INTO webauthn.credentials (credential_id,challenge,credential_type,attestation_object,client_data_json,user_id)
+INSERT INTO webauthn.credentials (credential_id, challenge, credential_type, attestation_object, client_data_json, user_id, user_verification)
 SELECT
   webauthn.base64url_decode(credential_id),
-  consume_challenge.challenge,
+  challenge,
   credential_type,
   webauthn.base64url_decode(attestation_object),
   webauthn.base64url_decode(client_data_json),
-  consume_challenge.user_id
-FROM consume_challenge
+  user_id,
+  user_verification
+FROM webauthn.credential_challenges
+WHERE credential_challenges.relying_party_id = make_credential.relying_party_id
+AND challenge = webauthn.base64url_decode(webauthn.from_utf8(webauthn.base64url_decode(client_data_json))::jsonb->>'challenge')
+AND ((webauthn.parse_attestation_object(webauthn.base64url_decode(attestation_object))).user_verified OR credential_challenges.user_verification <> 'required')
+AND created_at + timeout > now()
 RETURNING credentials.user_id
 $$;

FUNCTIONS/parse_attestation_object.sql

@@ -1,9 +1,9 @@
 CREATE OR REPLACE FUNCTION webauthn.parse_attestation_object(
 OUT rp_id_hash bytea,
-OUT user_presence boolean,
-OUT user_verification boolean,
-OUT attested_credential_data boolean,
-OUT extension_data boolean,
+OUT user_present boolean,
+OUT user_verified boolean,
+OUT attested_credential_data_included boolean,
+OUT extension_data_included boolean,
 OUT sign_count bigint,
 OUT aaguid bytea,
 OUT credential_id bytea,

FUNCTIONS/parse_authenticator_data.sql

@@ -1,9 +1,9 @@
 CREATE OR REPLACE FUNCTION webauthn.parse_authenticator_data(
 OUT rp_id_hash bytea,
-OUT user_presence boolean,
-OUT user_verification boolean,
-OUT attested_credential_data boolean,
-OUT extension_data boolean,
+OUT user_present boolean,
+OUT user_verified boolean,
+OUT attested_credential_data_included boolean,
+OUT extension_data_included boolean,
 OUT sign_count bigint,
 authenticator_data bytea
 )

FUNCTIONS/verify_assertion.sql

@@ -1,7 +1,7 @@
 CREATE OR REPLACE FUNCTION webauthn.verify_assertion(
   OUT user_id bytea,
   credential_id text,
-  credential_type text,
+  credential_type webauthn.credential_type,
   authenticator_data text,
   client_data_json text,
   signature text,
@@ -18,30 +18,28 @@ decoded_input AS (
     credential_type,
     webauthn.base64url_decode(authenticator_data) AS authenticator_data,
     webauthn.base64url_decode(client_data_json) AS client_data_json,
+    webauthn.base64url_decode(webauthn.from_utf8(webauthn.base64url_decode(client_data_json))::jsonb->>'challenge') AS challenge,
     webauthn.base64url_decode(signature) AS signature,
-    webauthn.base64url_decode(user_handle) AS user_id
-),
-consume_challenge AS (
-  UPDATE webauthn.assertion_challenges SET
-    consumed_at = now()
-  WHERE assertion_challenges.challenge = webauthn.base64url_decode(webauthn.from_utf8(webauthn.base64url_decode(client_data_json))::jsonb->>'challenge')
-  AND assertion_challenges.relying_party_id = verify_assertion.relying_party_id
-  AND assertion_challenges.consumed_at IS NULL
-  RETURNING challenge
+    -- https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-userhandle
+    webauthn.base64url_decode(NULLIF(user_handle,'')) AS user_id,
+    relying_party_id
 )
 INSERT INTO webauthn.assertions (signature, credential_id, challenge, authenticator_data, client_data_json, user_id)
 SELECT
   decoded_input.signature,
   credentials.credential_id,
-  consume_challenge.challenge,
+  decoded_input.challenge,
   decoded_input.authenticator_data,
   decoded_input.client_data_json,
   credentials.user_id
-FROM consume_challenge
-CROSS JOIN decoded_input
-JOIN webauthn.credentials ON credentials.credential_id = decoded_input.credential_id
+FROM webauthn.assertion_challenges
+JOIN decoded_input ON decoded_input.challenge        = assertion_challenges.challenge
+                  AND decoded_input.relying_party_id = assertion_challenges.relying_party_id
+                  AND ((webauthn.parse_authenticator_data(decoded_input.authenticator_data)).user_verified OR assertion_challenges.user_verification <> 'required')
+JOIN webauthn.credentials ON credentials.credential_id   = decoded_input.credential_id
                          AND credentials.credential_type = decoded_input.credential_type
-                         AND credentials.user_id = decoded_input.user_id
+                         -- https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-userhandle
+                         AND credentials.user_id         = COALESCE(decoded_input.user_id,credentials.user_id)
 WHERE ecdsa_verify(
   public_key := credentials.public_key,
   input_data := substring(decoded_input.authenticator_data,1,37) || digest(decoded_input.client_data_json,'sha256'),

Makefile

@@ -1,6 +1,6 @@
 EXTENSION = webauthn
 DATA = webauthn--1.0.sql
-REGRESS = valid_signature invalid_signature invalid_base64url base64url
+REGRESS = valid_signature invalid_signature invalid_base64url credential_user_verification_failure assertion_user_verification_failure base64url
 EXTRA_CLEAN = webauthn--1.0.sql
 
 PG_CONFIG = pg_config
@@ -10,7 +10,9 @@ include $(PGXS)
 all: webauthn--1.0.sql
 
 SQL_SRC = \
-  FUNCTIONS/complain_header.sql \
+  complain_header.sql \
+	ENUMS/credential_type.sql \
+	ENUMS/user_verification_requirement.sql \
   FUNCTIONS/base64url_decode.sql \
   FUNCTIONS/base64url_encode.sql \
   FUNCTIONS/decode_cbor.sql \

TABLES/assertion_challenges.sql

@@ -3,10 +3,25 @@ challenge bytea NOT NULL,
 relying_party_id text NOT NULL,
 user_name text NOT NULL,
 timeout interval NOT NULL,
+user_verification webauthn.user_verification_requirement NOT NULL,
+tx_auth_simple text,
+tx_auth_generic_content_type text,
+tx_auth_generic_content bytea,
 created_at timestamptz NOT NULL DEFAULT now(),
-consumed_at timestamptz,
 PRIMARY KEY (challenge),
-CHECK(timeout >= '0'::interval)
+CHECK (timeout >= '0'::interval),
+CHECK ((tx_auth_generic_content_type IS NULL) = (tx_auth_generic_content IS NULL))
 );
 
 SELECT pg_catalog.pg_extension_config_dump('assertion_challenges', '');
+
+COMMENT ON TABLE webauthn.assertion_challenges IS 'Used by webauthn.get_credentials() to store the challenge, which is then consumed by webauthn.verify_assertion().';
+
+COMMENT ON COLUMN webauthn.assertion_challenges.challenge IS 'https://www.w3.org/TR/webauthn-2/#dom-collectedclientdata-challenge';
+COMMENT ON COLUMN webauthn.assertion_challenges.relying_party_id IS 'https://www.w3.org/TR/webauthn-2/#relying-party-identifier';
+COMMENT ON COLUMN webauthn.assertion_challenges.user_name IS 'https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-user';
+COMMENT ON COLUMN webauthn.assertion_challenges.timeout IS 'https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-timeout';
+COMMENT ON COLUMN webauthn.assertion_challenges.tx_auth_simple IS 'https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions/extensions';
+COMMENT ON COLUMN webauthn.assertion_challenges.tx_auth_generic_content_type IS 'https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions/extensions';
+COMMENT ON COLUMN webauthn.assertion_challenges.tx_auth_generic_content IS 'https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions/extensions';
+COMMENT ON COLUMN webauthn.assertion_challenges.created_at IS 'Timestamp of when the challenge was created by webauthn.get_credentials()';