Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(pcd/webauthn-pcd): base64 encode expected challenge #2186

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

fix(pcd/webauthn-pcd): base64 encode expected challenge #2186

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c0e9059
feat(apps/consumer-client): adds reproducible WebAuthn PCD bug
arthurgousset Dec 11, 2024
47398f3
chore(pcd/webauthn-pcd): temporarily enables any credential
arthurgousset Dec 11, 2024
bee43e3
fix(pcd/webauthn-pcd): base64 encode expected challenge
arthurgousset Dec 11, 2024
13a07fc
test(pcd/webauthn-pcd): base64 encode challenge
arthurgousset Dec 11, 2024
44bbaf0
Merge branch 'main' into arthurgousset/fix/webauthn-pcd
arthurgousset Dec 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
152 changes: 152 additions & 0 deletions apps/consumer-client/src/pages/examples/add-pcd.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,10 @@ export default function Page(): JSX.Element {
const [podFolder, setPODFolder] = useState("Test PODs");
const [podFolder2, setPODFolder2] = useState("Test PODs");
const [gpcFolder, setGPCFolder] = useState("Test GPCs");
const [webAuthnInfo, setWebAuthnInfo] = useState<WebAuthnInfo | null>(null);
const [serializedWebAuthnPCD, setSerializedWebAuthnPCD] = useState<
string | null
>(null);

return (
<div>
Expand Down Expand Up @@ -381,6 +385,74 @@ export default function Page(): JSX.Element {
add a GPC Proof to Zupass
</button>
</ExampleContainer>
<ExampleContainer>
Webauthn example: <br />
<button
onClick={async () => {
try {
const info = await registerWebAuthnCredential();
setWebAuthnInfo(info);
console.log("WebAuthn credential created successfully:", info);
} catch (err) {
console.error("Error creating WebAuthn credential:", err);
}
}}
>
Register new WebAuthn credential
</button>
<br />
Example data to sign: <br />
<br />
<textarea
cols={45}
rows={15}
value={podContent}
onChange={(e): void => {
setPODContent(e.target.value);
}}
/>
<br />
<button
onClick={async () => {
if (!webAuthnInfo) {
alert("Please register a WebAuthn credential first");
return;
}
try {
console.log("Data to sign:", JSON.stringify(podContent));
const pcd = await signWithWebAuthn(
JSON.stringify(podContent),
webAuthnInfo
);
setSerializedWebAuthnPCD(pcd);
console.log("Signed successfully with WebAuthn");
} catch (err) {
console.error("Error signing with WebAuthn:", err);
}
}}
disabled={!webAuthnInfo}
>
Sign PCD with WebAuthn
</button>
<br />
<button
onClick={async () => {
if (!serializedWebAuthnPCD) {
alert("Please sign a message first");
return;
}
try {
await verifyWebAuthnPCD(serializedWebAuthnPCD);
console.log("Verified successfully with WebAuthn");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This message seems to be incorrect in the case where verifyWebAuthnPCD did not succeed. However, since it returns Promise<void>, there's no way to know here if the PCD was verified or not.

This can cause confusing messages like this:

image

} catch (err) {
console.error("Error verifying with WebAuthn:", err);
}
}}
disabled={!serializedWebAuthnPCD}
>
Verify PCD with WebAuthn
</button>
</ExampleContainer>
</div>
);
}
Expand Down Expand Up @@ -685,6 +757,86 @@ async function addIdentityPCD(): Promise<void> {
sendZupassRequest(url);
}

type WebAuthnInfo = {
credentialID: Uint8Array;
credentialPublicKey: Uint8Array;
counter: number;
};

async function registerWebAuthnCredential(): Promise<WebAuthnInfo> {
// Register a new WebAuthn credential for testing.
const generatedRegistrationOptions = await generateRegistrationOptions({
rpName: "consumer-client",
rpID: window.location.hostname,
userID: "user-id",
userName: "user",
attestationType: "direct",
challenge: "challenge",
supportedAlgorithmIDs: [-7]
});
const startRegistrationResponse = await startRegistration(
generatedRegistrationOptions
);
const verificationResponse = await verifyRegistrationResponse({
response: startRegistrationResponse,
expectedOrigin: window.location.origin,
expectedChallenge: generatedRegistrationOptions.challenge,
supportedAlgorithmIDs: [-7] // support ES256 signing algorithm
});

console.log(`verificationResponse`, verificationResponse);
if (!verificationResponse.registrationInfo) {
throw new Error("Registration failed the return correct response.");
}

// Get relevant credential arguments from registration response.
const { credentialID, credentialPublicKey, counter } =
verificationResponse.registrationInfo;

return { credentialID, credentialPublicKey, counter };
}

async function signWithWebAuthn(
dataToSign: string,
webAuthnInfo: WebAuthnInfo
): Promise<string> {
const { credentialID, credentialPublicKey, counter } = webAuthnInfo;

try {
// Create new WebAuthn PCD
const PCD = await WebAuthnPCDPackage.prove({
challenge: dataToSign, // arbitrary challenge to be signed
origin: window.location.origin,
rpID: window.location.hostname,
authenticator: {
credentialID,
credentialPublicKey,
counter
}
});

console.log("WebAuthn PCD created:", PCD);

const serializedPCD = await WebAuthnPCDPackage.serialize(PCD);

console.log("Serialized PCD:", serializedPCD);

return JSON.stringify(serializedPCD);
} catch (err) {
console.error("Error creating WebAuthn credential:", err);
throw err;
}
}

async function verifyWebAuthnPCD(serializedPCD: string): Promise<void> {
const parsed = JSON.parse(serializedPCD) as SerializedPCD;
console.log("Parsed serializedPCD:", parsed);
const pcd = await WebAuthnPCDPackage.deserialize(parsed.pcd);
console.log("Deserialized PCD:", pcd);
const verified = await WebAuthnPCDPackage.verify(pcd);
console.log("WebAuthn PCD verified:", verified);
}

async function addWebAuthnPCD(): Promise<void> {
// Register a new WebAuthn credential for testing.
const generatedRegistrationOptions = await generateRegistrationOptions({
Expand Down
12 changes: 7 additions & 5 deletions packages/pcd/webauthn-pcd/src/WebAuthnPCDPackage.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,10 @@ export async function prove(args: WebAuthnPCDArgs): Promise<WebAuthnPCD> {
rpID: args.rpID,
challenge: args.challenge,
allowCredentials: [
{
id: args.authenticator.credentialID,
type: "public-key"
}
// {
// id: args.authenticator.credentialID,
// type: "public-key"
// }
]
});
const authenticationResponseJSON = await startAuthentication(
Expand All @@ -50,7 +50,9 @@ export async function prove(args: WebAuthnPCDArgs): Promise<WebAuthnPCD> {
export async function verify(pcd: WebAuthnPCD): Promise<boolean> {
const { verified } = await verifyAuthenticationResponse({
response: pcd.proof,
expectedChallenge: pcd.claim.challenge,
expectedChallenge: Buffer.from(pcd.claim.challenge)
.toString("base64")
.replace(/=+$/, ""),
expectedOrigin: pcd.claim.origin,
expectedRPID: pcd.claim.rpID,
authenticator: {
Expand Down
4 changes: 3 additions & 1 deletion packages/pcd/webauthn-pcd/test/WebAuthnPCD.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,9 @@ jest.mock("@simplewebauthn/server", () => ({
verifyAuthenticationResponse: async ({
expectedChallenge
}: VerifyAuthenticationResponseOpts): Promise<{ verified: boolean }> => ({
verified: expectedChallenge === "valid_challenge"
verified:
expectedChallenge ===
Buffer.from("valid_challenge").toString("base64").replace(/=+$/, "")
})
}));

Expand Down