Make verifyAuthenticationResponse async

author: Matthew Miller <matthew@millerti.me> 2022-08-16 00:01:37 -0700
committer: Matthew Miller <matthew@millerti.me> 2022-08-16 00:01:37 -0700
commit: efc69d854b169095c31ec44d2c20dbc7ad2e0250 (patch)
tree: 2d8c1a71e7adace667dd05a8070489bcef1c5f8b /packages/server/src
parent: 8c076f275940519d7fb6d7b0273f48a4a81ee058 (diff)
2 files changed, 62 insertions, 169 deletions
diff --git a/packages/server/src/authentication/verifyAuthenticationResponse.test.ts b/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
index 8a5b2fa..bb12818 100644
--- a/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
+++ b/packages/server/src/authentication/verifyAuthenticationResponse.test.ts
@@ -22,8 +22,8 @@ afterEach(() => {
   mockParseAuthData.mockRestore();
 });
 
-test('should verify an assertion response', () => {
-  const verification = verifyAuthenticationResponse({
+test('should verify an assertion response', async () => {
+  const verification = await verifyAuthenticationResponse({
     credential: assertionResponse,
     expectedChallenge: assertionChallenge,
     expectedOrigin: assertionOrigin,
@@ -34,8 +34,8 @@ test('should verify an assertion response', () => {
   expect(verification.verified).toEqual(true);
 });
 
-test('should return authenticator info after verification', () => {
-  const verification = verifyAuthenticationResponse({
+test('should return authenticator info after verification', async () => {
+  const verification = await verifyAuthenticationResponse({
     credential: assertionResponse,
     expectedChallenge: assertionChallenge,
     expectedOrigin: assertionOrigin,
@@ -47,31 +47,31 @@ test('should return authenticator info after verification', () => {
   expect(verification.authenticationInfo.credentialID).toEqual(authenticator.credentialID);
 });
 
-test('should throw when response challenge is not expected value', () => {
-  expect(() => {
+test('should throw when response challenge is not expected value', async () => {
+  await expect(
     verifyAuthenticationResponse({
       credential: assertionResponse,
       expectedChallenge: 'shouldhavebeenthisvalue',
       expectedOrigin: 'https://different.address',
       expectedRPID: 'dev.dontneeda.pw',
       authenticator: authenticator,
-    });
-  }).toThrow(/authentication response challenge/i);
+    }),
+  ).rejects.toThrow(/authentication response challenge/i);
 });
 
-test('should throw when response origin is not expected value', () => {
-  expect(() => {
+test('should throw when response origin is not expected value', async () => {
+  await expect(
     verifyAuthenticationResponse({
       credential: assertionResponse,
       expectedChallenge: assertionChallenge,
       expectedOrigin: 'https://different.address',
       expectedRPID: 'dev.dontneeda.pw',
       authenticator: authenticator,
-    });
-  }).toThrow(/authentication response origin/i);
+    }),
+  ).rejects.toThrow(/authentication response origin/i);
 });
 
-test('should throw when assertion type is not webauthn.create', () => {
+test('should throw when assertion type is not webauthn.create', async () => {
   // @ts-ignore 2345
   mockDecodeClientData.mockReturnValue({
     origin: assertionOrigin,
@@ -79,35 +79,35 @@ test('should throw when assertion type is not webauthn.create', () => {
     challenge: assertionChallenge,
   });
 
-  expect(() => {
+  await expect(
     verifyAuthenticationResponse({
       credential: assertionResponse,
       expectedChallenge: assertionChallenge,
       expectedOrigin: assertionOrigin,
       expectedRPID: 'dev.dontneeda.pw',
       authenticator: authenticator,
-    });
-  }).toThrow(/authentication response type/i);
+    }),
+  ).rejects.toThrow(/authentication response type/i);
 });
 
-test('should throw error if user was not present', () => {
+test('should throw error if user was not present', async () => {
   mockParseAuthData.mockReturnValue({
     rpIdHash: toHash(Buffer.from('dev.dontneeda.pw', 'ascii')),
     flags: 0,
   });
 
-  expect(() => {
+  await expect(
     verifyAuthenticationResponse({
       credential: assertionResponse,
       expectedChallenge: assertionChallenge,
       expectedOrigin: assertionOrigin,
       expectedRPID: 'dev.dontneeda.pw',
       authenticator: authenticator,
-    });
-  }).toThrow(/not present/i);
+    }),
+  ).rejects.toThrow(/not present/i);
 });
 
-test('should throw error if previous counter value is not less than in response', () => {
+test('should throw error if previous counter value is not less than in response', async () => {
   // This'll match the `counter` value in `assertionResponse`, simulating a potential replay attack
   const badCounter = 144;
   const badDevice = {
@@ -115,36 +115,36 @@ test('should throw error if previous counter value is not less than in response'
     counter: badCounter,
   };
 
-  expect(() => {
+  await expect(
     verifyAuthenticationResponse({
       credential: assertionResponse,
       expectedChallenge: assertionChallenge,
       expectedOrigin: assertionOrigin,
       expectedRPID: 'dev.dontneeda.pw',
       authenticator: badDevice,
-    });
-  }).toThrow(/counter value/i);
+    }),
+  ).rejects.toThrow(/counter value/i);
 });
 
-test('should throw error if assertion RP ID is unexpected value', () => {
+test('should throw error if assertion RP ID is unexpected value', async () => {
   mockParseAuthData.mockReturnValue({
     rpIdHash: toHash(Buffer.from('bad.url', 'ascii')),
     flags: 0,
   });
 
-  expect(() => {
+  await expect(
     verifyAuthenticationResponse({
       credential: assertionResponse,
       expectedChallenge: assertionChallenge,
       expectedOrigin: assertionOrigin,
       expectedRPID: 'dev.dontneeda.pw',
       authenticator: authenticator,
-    });
-  }).toThrow(/rp id/i);
+    })
+  ).rejects.toThrow(/rp id/i);
 });
 
-test('should not compare counters if both are 0', () => {
-  const verification = verifyAuthenticationResponse({
+test('should not compare counters if both are 0', async () => {
+  const verification = await verifyAuthenticationResponse({
     credential: assertionFirstTimeUsedResponse,
     expectedChallenge: assertionFirstTimeUsedChallenge,
     expectedOrigin: assertionFirstTimeUsedOrigin,
@@ -155,7 +155,7 @@ test('should not compare counters if both are 0', () => {
   expect(verification.verified).toEqual(true);
 });
 
-test('should throw an error if user verification is required but user was not verified', () => {
+test('should throw an error if user verification is required but user was not verified', async () => {
   const actualData = esmParseAuthenticatorData.parseAuthenticatorData(
     base64url.toBuffer(assertionResponse.response.authenticatorData),
   );
@@ -168,7 +168,7 @@ test('should throw an error if user verification is required but user was not ve
     },
   });
 
-  expect(() => {
+  await expect(
     verifyAuthenticationResponse({
       credential: assertionResponse,
       expectedChallenge: assertionChallenge,
@@ -176,15 +176,15 @@ test('should throw an error if user verification is required but user was not ve
       expectedRPID: 'dev.dontneeda.pw',
       authenticator: authenticator,
       requireUserVerification: true,
-    });
-  }).toThrow(/user could not be verified/i);
+    }),
+  ).rejects.toThrow(/user could not be verified/i);
 });
 
 // TODO: Get a real TPM authentication response in here
-test.skip('should verify TPM assertion', () => {
+test.skip('should verify TPM assertion', async () => {
   const expectedChallenge = 'dG90YWxseVVuaXF1ZVZhbHVlRXZlcnlBc3NlcnRpb24';
   jest.spyOn(base64url, 'encode').mockReturnValueOnce(expectedChallenge);
-  const verification = verifyAuthenticationResponse({
+  const verification = await verifyAuthenticationResponse({
     credential: {
       id: 'YJ8FMM-AmcUt73XPX341WXWd7ypBMylGjjhu0g3VzME',
       rawId: 'YJ8FMM-AmcUt73XPX341WXWd7ypBMylGjjhu0g3VzME',
@@ -212,8 +212,8 @@ test.skip('should verify TPM assertion', () => {
   expect(verification.verified).toEqual(true);
 });
 
-test('should support multiple possible origins', () => {
-  const verification = verifyAuthenticationResponse({
+test('should support multiple possible origins', async () => {
+  const verification = await verifyAuthenticationResponse({
     credential: assertionResponse,
     expectedChallenge: assertionChallenge,
     expectedOrigin: ['https://simplewebauthn.dev', assertionOrigin],
@@ -225,19 +225,19 @@ test('should support multiple possible origins', () => {
 });
 
 test('should throw an error if origin not in list of expected origins', async () => {
-  expect(() => {
+  await expect(
     verifyAuthenticationResponse({
       credential: assertionResponse,
       expectedChallenge: assertionChallenge,
       expectedOrigin: ['https://simplewebauthn.dev', 'https://fizz.buzz'],
       expectedRPID: 'dev.dontneeda.pw',
       authenticator: authenticator,
-    });
-  }).toThrow(/unexpected authentication response origin/i);
+    }),
+  ).rejects.toThrow(/unexpected authentication response origin/i);
 });
 
 test('should support multiple possible RP IDs', async () => {
-  const verification = verifyAuthenticationResponse({
+  const verification = await verifyAuthenticationResponse({
     credential: assertionResponse,
     expectedChallenge: assertionChallenge,
     expectedOrigin: assertionOrigin,
@@ -249,19 +249,19 @@ test('should support multiple possible RP IDs', async () => {
 });
 
 test('should throw an error if RP ID not in list of possible RP IDs', async () => {
-  expect(() => {
+  await expect(
     verifyAuthenticationResponse({
       credential: assertionResponse,
       expectedChallenge: assertionChallenge,
       expectedOrigin: assertionOrigin,
       expectedRPID: ['simplewebauthn.dev'],
       authenticator: authenticator,
-    });
-  }).toThrow(/unexpected rp id/i);
+    }),
+  ).rejects.toThrow(/unexpected rp id/i);
 });
 
-test('should pass verification if custom challenge verifier returns true', () => {
-  const verification = verifyAuthenticationResponse({
+test('should pass verification if custom challenge verifier returns true', async () => {
+  const verification = await verifyAuthenticationResponse({
     credential: {
       id: 'AaIBxnYfL2pDWJmIii6CYgHBruhVvFGHheWamphVioG_TnEXxKA9MW4FWnJh21zsbmRpRJso9i2JmAtWOtXfVd4oXTgYVusXwhWWsA',
       rawId:
@@ -299,26 +299,26 @@ test('should pass verification if custom challenge verifier returns true', () =>
   expect(verification.verified).toEqual(true);
 });
 
-test('should fail verification if custom challenge verifier returns false', () => {
-  expect(() => {
+test('should fail verification if custom challenge verifier returns false', async () => {
+  await expect(
     verifyAuthenticationResponse({
       credential: assertionResponse,
       expectedChallenge: challenge => challenge === 'willNeverMatch',
       expectedOrigin: assertionOrigin,
       expectedRPID: 'dev.dontneeda.pw',
       authenticator: authenticator,
-    });
-  }).toThrow(/custom challenge verifier returned false/i);
+    }),
+  ).rejects.toThrow(/custom challenge verifier returned false/i);
 });
 
 test('should return authenticator extension output', async () => {
-  const verification = verifyAuthenticationResponse({
+  const verification = await verifyAuthenticationResponse({
     credential: {
       response: {
         clientDataJSON:
           'eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiaVpzVkN6dHJEVzdEMlVfR0hDSWxZS0x3VjJiQ3NCVFJxVlFVbkpYbjlUayIsIm9yaWdpbiI6ImFuZHJvaWQ6YXBrLWtleS1oYXNoOmd4N3NxX3B4aHhocklRZEx5ZkcwcHhLd2lKN2hPazJESlE0eHZLZDQzOFEiLCJhbmRyb2lkUGFja2FnZU5hbWUiOiJjb20uZmlkby5leGFtcGxlLmZpZG8yYXBpZXhhbXBsZSJ9',
         authenticatorData:
-          'DXX8xWP9p3nbLjQ-6kiYiHWLeFSdSTpP2-oc2WqjHMSFAAAAAKFsZGV2aWNlUHViS2V5pWNkcGtYTaUBAgMmIAEhWCCZGqvtneQnGp7erYgG-dyW1tzNDEdiU6VRBInsg3m-WyJYIKCXPP3tu3nif-9O50gWc_szElBN3KVDTP0jQx1q0p7aY3NpZ1hHMEUCIElSbNKK72tOYhp9WTbStQSVL8CuIxOk8DV6r_-uqWR0AiEAnVE6yu-wsyx2Wq5v66jClGhe_2P_HL8R7PIQevT-uPhlbm9uY2VAZXNjb3BlQQBmYWFndWlkULk_2WHy5kYvsSKCACJH3ng',
+          'DXX8xWP9p3nbLjQ-6kiYiHWLeFSdSTpP2-oc2WqjHMSFAAAAAKFvZGV2aWNlUHVibGljS2V5pWNkcGtYTaUBAgMmIAEhWCCZGqvtneQnGp7erYgG-dyW1tzNDEdiU6VRBInsg3m-WyJYIKCXPP3tu3nif-9O50gWc_szElBN3KVDTP0jQx1q0p7aY3NpZ1hHMEUCIElSbNKK72tOYhp9WTbStQSVL8CuIxOk8DV6r_-uqWR0AiEAnVE6yu-wsyx2Wq5v66jClGhe_2P_HL8R7PIQevT-uPhlbm9uY2VAZXNjb3BlQQBmYWFndWlkULk_2WHy5kYvsSKCACJH3ng=',
         signature:
           'MEYCIQDlRuxY7cYre0sb3T6TovQdfYIUb72cRZYOQv_zS9wN_wIhAOvN-fwjtyIhWRceqJV4SX74-z6oALERbC7ohk8EdVPO',
         userHandle: 'b2FPajFxcmM4MWo3QkFFel9RN2lEakh5RVNlU2RLNDF0Sl92eHpQYWV5UQ==',
@@ -343,7 +343,7 @@ test('should return authenticator extension output', async () => {
   });
 
   expect(verification.authenticationInfo?.authenticatorExtensionResults).toMatchObject({
-    devicePubKey: {
+    devicePublicKey: {
       dpk: Buffer.from(
         'A5010203262001215820991AABED9DE4271A9EDEAD8806F9DC96D6DCCD0C476253A5510489EC8379BE5B225820A0973CFDEDBB79E27FEF4EE7481673FB3312504DDCA5434CFD23431D6AD29EDA',
         'hex',
@@ -360,7 +360,7 @@ test('should return authenticator extension output', async () => {
 });
 
 test('should return credential backup info', async () => {
-  const verification = verifyAuthenticationResponse({
+  const verification = await verifyAuthenticationResponse({
     credential: assertionResponse,
     expectedChallenge: assertionChallenge,
     expectedOrigin: assertionOrigin,
@@ -372,115 +372,6 @@ test('should return credential backup info', async () => {
   expect(verification.authenticationInfo?.credentialBackedUp).toEqual(false);
 });
 
-test('[FIDO Conformance] should verify if user verification is required and user was verified but not present', () => {
-  const actualData = esmParseAuthenticatorData.parseAuthenticatorData(
-    base64url.toBuffer(assertionResponse.response.authenticatorData),
-  );
-
-  mockParseAuthData.mockReturnValue({
-    ...actualData,
-    flags: {
-      up: false,
-      uv: true,
-    },
-  });
-
-  const verification = verifyAuthenticationResponse({
-    credential: assertionResponse,
-    expectedChallenge: assertionChallenge,
-    expectedOrigin: assertionOrigin,
-    expectedRPID: 'dev.dontneeda.pw',
-    authenticator: authenticator,
-    advancedFIDOConfig: {
-      userVerification: 'required',
-    }
-  });
-
-  expect(verification.verified).toEqual(true);
-});
-
-test('[FIDO Conformance] should verify if user verification is preferred and user was not verified or present', () => {
-  const actualData = esmParseAuthenticatorData.parseAuthenticatorData(
-    base64url.toBuffer(assertionResponse.response.authenticatorData),
-  );
-
-  mockParseAuthData.mockReturnValue({
-    ...actualData,
-    flags: {
-      up: false,
-      uv: false,
-    },
-  });
-
-  const verification = verifyAuthenticationResponse({
-    credential: assertionResponse,
-    expectedChallenge: assertionChallenge,
-    expectedOrigin: assertionOrigin,
-    expectedRPID: 'dev.dontneeda.pw',
-    authenticator: authenticator,
-    requireUserVerification: false,
-    advancedFIDOConfig: {
-      userVerification: 'preferred',
-    },
-  });
-
-  expect(verification.verified).toEqual(true);
-});
-
-test('[FIDO Conformance] should verify if user verification is discouraged and user was verified but not present', () => {
-  const actualData = esmParseAuthenticatorData.parseAuthenticatorData(
-    base64url.toBuffer(assertionResponse.response.authenticatorData),
-  );
-
-  mockParseAuthData.mockReturnValue({
-    ...actualData,
-    flags: {
-      up: false,
-      uv: true,
-    },
-  });
-
-  const verification = verifyAuthenticationResponse({
-    credential: assertionResponse,
-    expectedChallenge: assertionChallenge,
-    expectedOrigin: assertionOrigin,
-    expectedRPID: 'dev.dontneeda.pw',
-    authenticator: authenticator,
-    advancedFIDOConfig: {
-      userVerification: 'discouraged',
-    },
-  });
-
-  expect(verification.verified).toEqual(true);
-});
-
-test('[FIDO Conformance] should verify if user verification is discouraged and user was not verified or present', () => {
-  const actualData = esmParseAuthenticatorData.parseAuthenticatorData(
-    base64url.toBuffer(assertionResponse.response.authenticatorData),
-  );
-
-  mockParseAuthData.mockReturnValue({
-    ...actualData,
-    flags: {
-      up: false,
-      uv: false,
-    },
-  });
-
-  const verification = verifyAuthenticationResponse({
-    credential: assertionResponse,
-    expectedChallenge: assertionChallenge,
-    expectedOrigin: assertionOrigin,
-    expectedRPID: 'dev.dontneeda.pw',
-    authenticator: authenticator,
-    advancedFIDOConfig: {
-      userVerification: 'discouraged',
-    },
-  });
-
-  expect(verification.verified).toEqual(true);
-});
-
 /**
  * Assertion examples below
  */
diff --git a/packages/server/src/authentication/verifyAuthenticationResponse.ts b/packages/server/src/authentication/verifyAuthenticationResponse.ts
index f6a437e..adf15e3 100644
--- a/packages/server/src/authentication/verifyAuthenticationResponse.ts
+++ b/packages/server/src/authentication/verifyAuthenticationResponse.ts
@@ -8,7 +8,6 @@ import {
 
 import { decodeClientDataJSON } from '../helpers/decodeClientDataJSON';
 import { toHash } from '../helpers/toHash';
-import { convertPublicKeyToPEM } from '../helpers/convertPublicKeyToPEM';
 import { verifySignature } from '../helpers/verifySignature';
 import { parseAuthenticatorData } from '../helpers/parseAuthenticatorData';
 import { isBase64URLString } from '../helpers/isBase64URLString';
@@ -46,9 +45,9 @@ export type VerifyAuthenticationResponseOpts = {
  * User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional
  * unless this value is `"required"`
  */
-export function verifyAuthenticationResponse(
+export async function verifyAuthenticationResponse(
   options: VerifyAuthenticationResponseOpts,
-): VerifiedAuthenticationResponse {
+): Promise<VerifiedAuthenticationResponse> {
   const {
     credential,
     expectedChallenge,
@@ -199,7 +198,6 @@ export function verifyAuthenticationResponse(
   const clientDataHash = toHash(base64url.toBuffer(response.clientDataJSON));
   const signatureBase = Buffer.concat([authDataBuffer, clientDataHash]);
 
-  const publicKey = convertPublicKeyToPEM(authenticator.credentialPublicKey);
   const signature = base64url.toBuffer(response.signature);
 
   if ((counter > 0 || authenticator.counter > 0) && counter <= authenticator.counter) {
@@ -215,7 +213,11 @@ export function verifyAuthenticationResponse(
   const { credentialDeviceType, credentialBackedUp } = parseBackupFlags(flags);
 
   const toReturn = {
-    verified: verifySignature(signature, signatureBase, publicKey),
+    verified: await verifySignature({
+      signature,
+      signatureBase,
+      credentialPublicKey: authenticator.credentialPublicKey,
+    }),
     authenticationInfo: {
       newCounter: counter,
       credentialID: authenticator.credentialID,
author	Matthew Miller <matthew@millerti.me>	2022-08-16 00:01:37 -0700
committer	Matthew Miller <matthew@millerti.me>	2022-08-16 00:01:37 -0700
commit	efc69d854b169095c31ec44d2c20dbc7ad2e0250 (patch)
tree	2d8c1a71e7adace667dd05a8070489bcef1c5f8b /packages/server/src
parent	8c076f275940519d7fb6d7b0273f48a4a81ee058 (diff)