From 914d6e520d34770e1db0a6ce4061e6630c728a38 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Nov 2024 14:58:47 +1100 Subject: [PATCH 1/6] build(deps): bump step-security/harden-runner from 2.10.1 to 2.10.2 (#332) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.10.1 to 2.10.2. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/91182cccc01eb5e619899d80e4e971d6181294a7...0080882f6c36860b6ba35c610c98ce87d4e2f26f) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/go.yml | 2 +- .github/workflows/scorecards.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 67434071..f6d4638f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -41,7 +41,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 955b3b3f..7c997cfd 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index f80935a8..a17a92b7 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -20,7 +20,7 @@ jobs: fail-fast: false steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index c50d9bc4..ddecb469 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -31,7 +31,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit From 17b6f81726df44223683a33df913a8e43b4af551 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Nov 2024 08:53:57 +1100 Subject: [PATCH 2/6] build(deps): bump github/codeql-action from 3.27.4 to 3.27.5 (#333) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.4 to 3.27.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/ea9e4e37992a54ee68a9622e985e60c8e8f12d9f...f09c1c0a94de965c15400f5634aa42fac8fb8f88) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index f6d4638f..5b261e00 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -50,7 +50,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -60,7 +60,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -73,6 +73,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index ddecb469..ccfa232e 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -71,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: sarif_file: results.sarif From 3f658e7f542692f8eece2ae151cfe39b4dd260ff Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Nov 2024 08:44:42 +1100 Subject: [PATCH 3/6] build(deps): bump actions/dependency-review-action from 4.4.0 to 4.5.0 (#334) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.4.0 to 4.5.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/4081bf99e2866ebe428fc0477b69eb4fcda7220a...3b139cfc5fae8b618d3eae3675e383bb1769c019) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 7c997cfd..21a469b1 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -24,4 +24,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0 + uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 From 77b369a546a9c4c1f55124cdcd325e1a49762d10 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 24 Nov 2024 00:13:45 +1100 Subject: [PATCH 4/6] build(deps): update module github.com/stretchr/testify to v1.10.0 (#336) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 2f4bd610..9c94ffba 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/google/go-tpm v0.9.1 github.com/google/uuid v1.6.0 github.com/mitchellh/mapstructure v1.5.0 - github.com/stretchr/testify v1.9.0 + github.com/stretchr/testify v1.10.0 ) require ( diff --git a/go.sum b/go.sum index 4a7bf6cd..340d7510 100644 --- a/go.sum +++ b/go.sum @@ -14,8 +14,8 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= -github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= +github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ= From 0cd5289b7b22eec7fe40e62a7aac80e868b389e4 Mon Sep 17 00:00:00 2001 
From: wxiaoguang Date: Tue, 26 Nov 2024 15:10:42 +0800 Subject: [PATCH 5/6] refactor: adjust comment and remove 1.12 support (#338) --- protocol/base64.go | 5 ++-- protocol/webauthncose/ed25519.go | 2 -- protocol/webauthncose/ed25519_go112.go | 37 -------------------------- 3 files changed, 2 insertions(+), 42 deletions(-) delete mode 100644 protocol/webauthncose/ed25519_go112.go diff --git a/protocol/base64.go b/protocol/base64.go index 8e291094..86f36b6a 100644 --- a/protocol/base64.go +++ b/protocol/base64.go @@ -22,9 +22,8 @@ func (e *URLEncodedBase64) UnmarshalJSON(data []byte) error { return nil } - // TODO: Investigate this line. It is commented as trimming the leading spaces but appears to trim the leading and trailing double quotes instead. - // Trim the leading spaces. - data = bytes.Trim(data, "\"") + // Trim the leading and trailing quotes from raw JSON data (the whole value part) + data = bytes.Trim(data, `"`) // Trim the trailing equal characters. data = bytes.TrimRight(data, "=") diff --git a/protocol/webauthncose/ed25519.go b/protocol/webauthncose/ed25519.go index b3dc1f83..d84c73cb 100644 --- a/protocol/webauthncose/ed25519.go +++ b/protocol/webauthncose/ed25519.go @@ -1,5 +1,3 @@ -//go:build go1.13 - package webauthncose import ( diff --git a/protocol/webauthncose/ed25519_go112.go b/protocol/webauthncose/ed25519_go112.go deleted file mode 100644 index 4b063fc8..00000000 --- a/protocol/webauthncose/ed25519_go112.go +++ /dev/null 
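Review bot: The rewritten comment on the `bytes.Trim` line describes it as stripping the enclosing quotes of the JSON string, but `bytes.Trim` removes any run of leading and trailing `"` characters and cannot fail, so a value that is not a JSON string at all (a number, `true`, an object) passes through unchanged and a value with stray extra quotes at either end is silently accepted; whatever decoding follows then operates on caller-shaped bytes instead of returning an error. Since this type carries credential material on the wire, the check should be explicit: return an error unless the value begins and ends with exactly one `"`, then unquote with `data = data[1 : len(data)-1]` before the trailing-`=` trim. The comment should also say that nothing on this path unescapes JSON escape sequences inside the string, since a caller would want to know that is deliberate. The body of UnmarshalJSON begins and ends outside this hunk, so the early `return nil` condition and the decoding step are not visible here.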
@@ -1,37 +0,0 @@ -//go:build !go1.13 - -package webauthncose - -import ( - "crypto/ed25519" - "crypto/x509/pkix" - "encoding/asn1" -) - -var oidSignatureEd25519 = asn1.ObjectIdentifier{1, 3, 101, 112} - -type pkixPublicKey struct { - Algo pkix.AlgorithmIdentifier - BitString asn1.BitString -} - -// marshalEd25519PublicKey is a backport of the functionality introduced in -// Go v1.13. -// Ref: https://golang.org/doc/go1.13#crypto/ed25519 -// Ref: https://golang.org/doc/go1.13#crypto/x509 -func marshalEd25519PublicKey(pub ed25519.PublicKey) ([]byte, error) { - publicKeyBytes := pub - var publicKeyAlgorithm pkix.AlgorithmIdentifier - publicKeyAlgorithm.Algorithm = oidSignatureEd25519 - - pkix := pkixPublicKey{ - Algo: publicKeyAlgorithm, - BitString: asn1.BitString{ - Bytes: publicKeyBytes, - BitLength: 8 * len(publicKeyBytes), - }, - } - - ret, _ := asn1.Marshal(pkix) - return ret, nil -} From e5657ab773ac20ed803c03138bb3cd854fca7852 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Tue, 26 Nov 2024 19:22:10 +1100 Subject: [PATCH 6/6] feat(webauthn): include new credential flags func (#337) This adds a new function NewCredentialFlags which is leveraged by us to derive the flags that the spec requires implementers store. The addition of this function ensures that added functionality or flags that need to be stored can relatively easily and painlessly be stored and restored by third parties. --- README.md | 59 ++++++++++++++++++++++++++++++++++++++++++ webauthn/credential.go | 28 +++++++++++++++----- 2 files changed, 81 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 7296f74b..202c1775 100644 --- a/README.md +++ b/README.md 
@@ -313,6 +313,65 @@ table for more information. We also include JSON mappings for those that wish to | attestationObject | Attestation.Object | attestation.object | This field is a composite of the attestationObject and the relevant values to validate it | | attestationClientDataJSON | Attestation.ClientDataJSON | attestation.clientDataJSON | | +### Flags + +It's important to note that the recommendations and requirements for flag storage have changed over the course of the +evolution of the WebAuthn specification. We at the present time only make the flags classified like this available for +easy storage however we also make the Protocol Value available. At such a time as these recommendations or requirements +change we will adapt accordingly. The Protocol Value is a raw representation of the flags and as such is resistant to +breaking changes whereas the other flags or lack thereof may not be. + +Implementers are therefore encouraged to use +[func (CredentialFlags) ProtocolValue](https://pkg.go.dev/github.com/go-webauthn/webauthn/webauthn#CredentialFlags.ProtocolValue) +to retrieve the raw value and +[webauthn.NewCredentialFlags](https://pkg.go.dev/github.com/go-webauthn/webauthn/webauthn#NewCredentialFlags) to +restore it; and instead of using the individual flags to store the value store the Protocol Value, and only store the +individual flags as a means to perform compliance related decisions. + +#### Notable Changes + +This contains some notable changes to the flags over the life of the library. + +##### v0.11.0 + +In v0.11.0 we started validating the backup related flags to ensure that they were in a valid state as per the +requirements in the spec. This introduced issues for some users as they had not been storing them and at least at one +point the flag values were difficult to obtain. + +This has lead to an effective breaking change and a state where some credentials cannot be validated. 
The resolution to +this particular issue is to adapt current storage methods so that the values of the flags or each individual flag default +to a null-like value and manually perform an update to the storage and struct when a credential with null-like values is +observed. + +The values can be obtained prior to validating the parsed response similar to the example below: + +```go +package example + +import ( + "net/http" + + "github.com/go-webauthn/webauthn/protocol" + "github.com/go-webauthn/webauthn/webauthn" +) + +func FinishLogin(w http.ResponseWriter, r *http.Request) { + // Abstract Business Logic: Get the WebAuthn User. + user := datastore.GetUser() + + // Abstract Business Logic: Get the WebAuthn Session Data. + session := datastore.GetSession() + + parsedResponse, err := protocol.ParseCredentialRequestResponse(r) + if err != nil { + // Handle Error and return. + return + } + + // Handle updating the appropriate credential using the flags value. + flags := webauthn.NewCredentialFlags(parsedResponse.Response.AuthenticatorData.Flags) +} +``` ### Storage It is also important to note that restoring the [webauthn.Credential] with the correct values will likely affect the diff --git a/webauthn/credential.go b/webauthn/credential.go index 19e45f94..51b4fa4d 100644 --- a/webauthn/credential.go +++ b/webauthn/credential.go 
@@ -35,6 +35,19 @@ type Credential struct { Attestation CredentialAttestation `json:"attestation"` } +// NewCredentialFlags is a utility function that is used to derive the Credential's Flags field. This allows +// implementers to solely save the Raw field of the CredentialFlags to restore them appropriately for appropriate +// processing without concern that changes forced upon implementers by the W3C will introduce breaking changes. +func NewCredentialFlags(flags protocol.AuthenticatorFlags) CredentialFlags { + return CredentialFlags{ + UserPresent: flags.HasUserPresent(), + UserVerified: flags.HasUserVerified(), + BackupEligible: flags.HasBackupEligible(), + BackupState: flags.HasBackupState(), + raw: flags, + } +} + type CredentialFlags struct { // Flag UP indicates the users presence. UserPresent bool `json:"userPresent"` @@ -48,6 +61,14 @@ type CredentialFlags struct { // Flag BS indicates the credential has been backed up and/or sync'd. This value can change but it's recommended // that RP's keep track of this value. BackupState bool `json:"backupState"` + + raw protocol.AuthenticatorFlags +} + +// ProtocolValue returns the underlying protocol.AuthenticatorFlags provided this CredentialFlags was created using +// NewCredentialFlags. +func (f CredentialFlags) ProtocolValue() protocol.AuthenticatorFlags { + return f.raw } type CredentialAttestation struct { 
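Review bot: The doc comment on NewCredentialFlags tells implementers to "solely save the Raw field of the CredentialFlags", but the field this commit adds is the unexported `raw`, so there is no Raw field an implementer can store or reference; the only way to reach the value is the ProtocolValue method. The comment should name the accessor, e.g. `// NewCredentialFlags derives a CredentialFlags from the raw authenticator flags. Implementers may persist only the value returned by CredentialFlags.ProtocolValue and call NewCredentialFlags to restore it, so that later changes to the individual flag fields do not break stored credentials.` It is also worth one sentence that NewCredentialFlags performs no validation and merely copies the flags, so nobody assumes the backup-flag consistency checks described in the README happen at construction time.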
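Review bot: `raw` is unexported and carries no `json` tag while the visible sibling fields of CredentialFlags are all tagged, so `encoding/json` drops it: a Credential marshalled to JSON for storage and unmarshalled back yields a CredentialFlags whose ProtocolValue() is the zero value, which for what is presumably a bit set is indistinguishable from an authenticator that reported no flags, and the same holds for any CredentialFlags built as a struct literal. Either the value needs an exported, tagged representation so the documented store-and-restore round trip also works through JSON, or the ProtocolValue comment must state the limitation, e.g. `// A zero value is also returned when the CredentialFlags was not built by NewCredentialFlags (for example after a JSON round trip), so callers must not read it as "no flags set".` The enclosing CredentialFlags struct begins in the previous hunk; ProtocolValue itself is complete here.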
@@ -75,12 +96,7 @@ func NewCredential(clientDataHash []byte, c *protocol.ParsedCredentialCreationDa
 PublicKey: c.Response.AttestationObject.AuthData.AttData.CredentialPublicKey,
 AttestationType: c.Response.AttestationObject.Format,
 Transport: c.Response.Transports,
- Flags: CredentialFlags{
- UserPresent: c.Response.AttestationObject.AuthData.Flags.HasUserPresent(),
- UserVerified: c.Response.AttestationObject.AuthData.Flags.HasUserVerified(),
- BackupEligible: c.Response.AttestationObject.AuthData.Flags.HasBackupEligible(),
- BackupState: c.Response.AttestationObject.AuthData.Flags.HasBackupState(),
- },
+ Flags: NewCredentialFlags(c.Response.AttestationObject.AuthData.Flags),
 Authenticator: Authenticator{
 AAGUID: c.Response.AttestationObject.AuthData.AttData.AAGUID,
 SignCount: c.Response.AttestationObject.AuthData.Counter,