Make API deterministic by passing random challenge values as input

Also:

* Use base64url instead of base64 as mandated by spec
* Pass timeout value as input instead of hard-coded value
* Check timeout value is not exceeded
* Split "challenges" into two new tables
  - credential_challenges: used by init_credential() and make_credential()
  - assertion_challenges: used by get_credentials() and verify_assertion()

Author: joelonsql

FUNCTIONS/base64_url_decode.sql FUNCTIONS/base64url_decode.sqlFUNCTIONS/base64_url_decode.sql renamed to FUNCTIONS/base64url_decode.sql

@@ -1,4 +1,4 @@
-CREATE OR REPLACE FUNCTION webauthn.base64_url_decode(text)
+CREATE OR REPLACE FUNCTION webauthn.base64url_decode(text)
 RETURNS bytea
 IMMUTABLE
 LANGUAGE sql AS $$

FUNCTIONS/base64url_encode.sql

@@ -0,0 +1,6 @@
+CREATE OR REPLACE FUNCTION webauthn.base64url_encode(bytea)
+RETURNS text
+IMMUTABLE
+LANGUAGE sql AS $$
+SELECT translate(trim(trailing '=' from replace(encode($1,'base64'),E'\n','')),'+/','-_')
+$$;

FUNCTIONS/get_credentials.sql

@@ -1,10 +1,15 @@
-CREATE OR REPLACE FUNCTION webauthn.get_credentials(username text, relaying_party text)
+CREATE OR REPLACE FUNCTION webauthn.get_credentials(
+  challenge bytea,
+  relying_party_id text,
+  user_name text,
+  timeout interval
+)
 RETURNS jsonb
 LANGUAGE sql
 AS $$
 WITH new_challenge AS (
-  INSERT INTO webauthn.challenges (username, relaying_party)
-  VALUES (username, relaying_party)
+  INSERT INTO webauthn.assertion_challenges (challenge, relying_party_id, user_name, timeout)
+  VALUES (challenge, relying_party_id, user_name, timeout)
   RETURNING challenge
 )
 SELECT jsonb_build_object(
@@ -16,17 +21,17 @@ SELECT jsonb_build_object(
     'allowCredentials', jsonb_agg(
       jsonb_build_object(
         'type', 'public-key',
-        'id', encode(credentials.credential_raw_id,'base64')
+        'id', webauthn.base64url_encode(credentials.credential_id)
       )
-    ORDER BY credentials.credential_id DESC),
-    'timeout', 60000,
-    'challenge', encode(new_challenge.challenge,'base64'),
-    'rpId', relaying_party
+    ORDER BY credentials.credential_id),
+    'timeout', (extract(epoch from get_credentials.timeout)*1000)::bigint, -- milliseconds
+    'challenge', webauthn.base64url_encode(new_challenge.challenge),
+    'rpId', get_credentials.relying_party_id
   )
 )
 FROM new_challenge
-JOIN webauthn.challenges ON challenges.username       = get_credentials.username
-                        AND challenges.relaying_party = get_credentials.relaying_party
-JOIN webauthn.credentials ON credentials.challenge_id = challenges.challenge_id
-GROUP BY new_challenge.challenge, relaying_party
+JOIN webauthn.credential_challenges ON credential_challenges.relying_party_id = get_credentials.relying_party_id
+                                   AND credential_challenges.user_name         = get_credentials.user_name
+JOIN webauthn.credentials ON credentials.challenge = credential_challenges.challenge
+GROUP BY new_challenge.challenge, get_credentials.relying_party_id, get_credentials.timeout
 $$;

FUNCTIONS/init_credential.sql

@@ -1,24 +1,33 @@
-CREATE OR REPLACE FUNCTION webauthn.init_credential(username text, relaying_party text)
+CREATE OR REPLACE FUNCTION webauthn.init_credential(
+  challenge bytea,
+  relying_party_name text,
+  relying_party_id text,
+  user_name text,
+  user_id bytea,
+  user_display_name text,
+  timeout interval
+)
 RETURNS jsonb
 LANGUAGE sql
 AS $$
+-- https://www.w3.org/TR/webauthn-2/#dictionary-makecredentialoptions
 WITH new_challenge AS (
-  INSERT INTO webauthn.challenges (username, challenge, relaying_party)
-  VALUES (username, gen_random_bytes(32), relaying_party)
-  RETURNING challenge
+  INSERT INTO webauthn.credential_challenges (challenge, relying_party_name, relying_party_id, user_name, user_id, user_display_name, timeout)
+  VALUES (challenge, relying_party_name, relying_party_id, user_name, user_id, user_display_name, timeout)
+  RETURNING TRUE
 )
 SELECT jsonb_build_object(
   'publicKey', jsonb_build_object(
-    'challenge', encode(challenge,'base64'),
     'rp', jsonb_build_object(
-      'name', relaying_party,
-      'id', relaying_party
+      'name', relying_party_name,
+      'id', relying_party_id
     ),
     'user', jsonb_build_object(
-      'name', username,
-      'displayName', username,
-      'id', encode(username::bytea,'base64')
+      'name', user_name,
+      'displayName', user_display_name,
+      'id', webauthn.base64url_encode(user_id)
     ),
+    'challenge', webauthn.base64url_encode(challenge),
     'pubKeyCredParams', jsonb_build_array(
       jsonb_build_object(
         'type', 'public-key',
@@ -29,7 +38,7 @@ SELECT jsonb_build_object(
       'requireResidentKey', false,
       'userVerification', 'discouraged'
     ),
-    'timeout', 60000,
+    'timeout', (extract(epoch from timeout)*1000)::bigint, -- milliseconds
     'extensions', jsonb_build_object(
       'txAuthSimple', ''
     ),

FUNCTIONS/make_credential.sql

@@ -1,25 +1,30 @@
-CREATE OR REPLACE FUNCTION webauthn.make_credential(username text, challenge text, credential_raw_id text, credential_type text, attestation_object text, client_data_json text, relaying_party text)
-RETURNS bigint
+CREATE OR REPLACE FUNCTION webauthn.make_credential(
+  credential_id text,
+  credential_type text,
+  attestation_object text,
+  client_data_json text,
+  relying_party_id text
+)
+RETURNS boolean
 LANGUAGE sql
 AS $$
 WITH
 consume_challenge AS (
-  UPDATE webauthn.challenges SET
+  UPDATE webauthn.credential_challenges SET
     consumed_at = now()
-  WHERE challenges.username = make_credential.username
-  AND challenges.relaying_party = make_credential.relaying_party
-  AND challenges.challenge = decode(make_credential.challenge,'base64')
-  AND challenges.challenge = webauthn.base64_url_decode(webauthn.from_utf8(decode(client_data_json,'base64'))::jsonb->>'challenge')
-  AND challenges.consumed_at IS NULL
-  RETURNING challenge_id
+  WHERE credential_challenges.relying_party_id = make_credential.relying_party_id
+  AND credential_challenges.challenge = webauthn.base64url_decode(webauthn.from_utf8(webauthn.base64url_decode(client_data_json))::jsonb->>'challenge')
+  AND credential_challenges.consumed_at IS NULL
+  AND credential_challenges.created_at + credential_challenges.timeout > now()
+  RETURNING challenge
 )
-INSERT INTO webauthn.credentials (challenge_id,credential_raw_id,credential_type,attestation_object,client_data_json)
+INSERT INTO webauthn.credentials (credential_id,challenge,credential_type,attestation_object,client_data_json)
 SELECT
-  consume_challenge.challenge_id,
-  decode(credential_raw_id,'base64'),
+  webauthn.base64url_decode(credential_id),
+  consume_challenge.challenge,
   credential_type,
-  decode(attestation_object,'base64'),
-  decode(client_data_json,'base64')
+  webauthn.base64url_decode(attestation_object),
+  webauthn.base64url_decode(client_data_json)
 FROM consume_challenge
-RETURNING credential_id
+RETURNING TRUE
 $$;

FUNCTIONS/verify_assertion.sql

@@ -1,43 +1,52 @@
-CREATE OR REPLACE FUNCTION webauthn.verify_assertion(credential_raw_id text, credential_type text, authenticator_data text, client_data_json text, signature text, user_handle text, relaying_party text)
-RETURNS bigint
+CREATE OR REPLACE FUNCTION webauthn.verify_assertion(
+  credential_id text,
+  credential_type text,
+  authenticator_data text,
+  client_data_json text,
+  signature text,
+  user_handle text,
+  relying_party_id text
+)
+RETURNS boolean
 LANGUAGE sql
 AS $$
 WITH
-input AS (
+decoded_input AS (
   SELECT
-    decode(credential_raw_id,'base64') AS credential_raw_id,
+    webauthn.base64url_decode(credential_id) AS credential_id,
     credential_type,
-    decode(authenticator_data,'base64') AS authenticator_data,
-    decode(client_data_json,'base64') AS client_data_json,
-    decode(signature,'base64') AS signature,
-    decode(user_handle,'base64') AS user_handle
+    webauthn.base64url_decode(authenticator_data) AS authenticator_data,
+    webauthn.base64url_decode(client_data_json) AS client_data_json,
+    webauthn.base64url_decode(signature) AS signature,
+    webauthn.base64url_decode(user_handle) AS user_id
 ),
 consume_challenge AS (
-  UPDATE webauthn.challenges SET
+  UPDATE webauthn.assertion_challenges SET
     consumed_at = now()
-  WHERE challenges.challenge = webauthn.base64_url_decode(webauthn.from_utf8(decode(client_data_json,'base64'))::jsonb->>'challenge')
-  AND challenges.relaying_party = verify_assertion.relaying_party
-  AND challenges.consumed_at IS NULL
-  RETURNING challenge_id
+  WHERE assertion_challenges.challenge = webauthn.base64url_decode(webauthn.from_utf8(webauthn.base64url_decode(client_data_json))::jsonb->>'challenge')
+  AND assertion_challenges.relying_party_id = verify_assertion.relying_party_id
+  AND assertion_challenges.consumed_at IS NULL
+  RETURNING challenge
 )
-INSERT INTO webauthn.assertions (credential_id, challenge_id, authenticator_data, client_data_json, signature, user_handle)
+INSERT INTO webauthn.assertions (credential_id, challenge, authenticator_data, client_data_json, signature)
 SELECT
   credentials.credential_id,
-  consume_challenge.challenge_id,
-  input.authenticator_data,
-  input.client_data_json,
-  input.signature,
-  input.user_handle
+  consume_challenge.challenge,
+  decoded_input.authenticator_data,
+  decoded_input.client_data_json,
+  decoded_input.signature
 FROM consume_challenge
-CROSS JOIN input
-JOIN webauthn.credentials ON credentials.credential_raw_id = input.credential_raw_id
-                         AND credentials.credential_type = input.credential_type
+CROSS JOIN decoded_input
+JOIN webauthn.credentials ON credentials.credential_id = decoded_input.credential_id
+                         AND credentials.credential_type = decoded_input.credential_type
+JOIN webauthn.credential_challenges ON credential_challenges.challenge = credentials.challenge
+                                   AND credential_challenges.user_id = decoded_input.user_id
 WHERE ecdsa_verify(
   public_key := credentials.public_key,
-  input_data := substring(input.authenticator_data,1,37) || digest(input.client_data_json,'sha256'),
-  signature := webauthn.decode_asn1_der_signature(input.signature),
+  input_data := substring(decoded_input.authenticator_data,1,37) || digest(decoded_input.client_data_json,'sha256'),
+  signature := webauthn.decode_asn1_der_signature(decoded_input.signature),
   hash_func := 'sha256',
   curve_name := 'secp256r1'
 )
-RETURNING assertions.assertion_id
+RETURNING TRUE
 $$;

Makefile

@@ -1,6 +1,6 @@
 EXTENSION = webauthn
 DATA = webauthn--1.0.sql
-REGRESS = valid_signature invalid_signature invalid_base64
+REGRESS = valid_signature invalid_signature invalid_base64url base64url
 EXTRA_CLEAN = webauthn--1.0.sql
 
 PG_CONFIG = pg_config
@@ -11,16 +11,18 @@ all: webauthn--1.0.sql
 
 SQL_SRC = \
   FUNCTIONS/complain_header.sql \
-  FUNCTIONS/base64_url_decode.sql \
+  FUNCTIONS/base64url_decode.sql \
+  FUNCTIONS/base64url_encode.sql \
   FUNCTIONS/decode_cbor.sql \
   FUNCTIONS/cbor_to_json.sql \
   FUNCTIONS/cose_ecdha_to_pkcs.sql \
   FUNCTIONS/decode_asn1_der_signature.sql \
   FUNCTIONS/from_utf8.sql \
   FUNCTIONS/parse_authenticator_data.sql \
   FUNCTIONS/parse_attestation_object.sql \
-  TABLES/challenges.sql \
+  TABLES/credential_challenges.sql \
   TABLES/credentials.sql \
+  TABLES/assertion_challenges.sql \
   TABLES/assertions.sql \
   FUNCTIONS/init_credential.sql \
   FUNCTIONS/make_credential.sql \