Refactored away from bool to enum.

passwordless-lib · Oct 18, 2024 · dfa6f72 · dfa6f72
1 parent 5aa4881
commit dfa6f72
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 9 deletions.
diff --git a/Src/Fido2/AuthenticatorAttestationResponse.cs b/Src/Fido2/AuthenticatorAttestationResponse.cs
@@ -153,7 +153,7 @@ public async Task<RegisteredPublicKeyCredential> VerifyAsync(
         if (metadataService?.ConformanceTesting() is true && metadataEntry is null && attType != AttestationType.None && AttestationObject.Fmt is not "fido-u2f")
             throw new Fido2VerificationException(Fido2ErrorCode.AaGuidNotFound, "AAGUID not found in MDS test metadata");
 
-        TrustAnchor.Verify(metadataEntry, trustPath, metadataService?.ConformanceTesting() is true);
+        TrustAnchor.Verify(metadataEntry, trustPath, metadataService?.ConformanceTesting() is true ? FidoValidationMode.FidoConformance2024 : FidoValidationMode.Default);
 
         // 22. Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows:
         //     If self attestation was used, check if self attestation is acceptable under Relying Party policy.
@@ -257,7 +257,7 @@ private async Task<byte[]> DevicePublicKeyRegistrationAsync(
         if (metadataService?.ConformanceTesting() is true && metadataEntry is null && attType != AttestationType.None && devicePublicKeyAuthenticatorOutput.Fmt is not "fido-u2f")
             throw new Fido2VerificationException(Fido2ErrorCode.AaGuidNotFound, "AAGUID not found in MDS test metadata");
 
-        TrustAnchor.Verify(metadataEntry, trustPath, metadataService?.ConformanceTesting() is true);
+        TrustAnchor.Verify(metadataEntry, trustPath, metadataService?.ConformanceTesting() is true ? FidoValidationMode.FidoConformance2024 : FidoValidationMode.Default);
 
         // Check status reports for authenticator with undesirable status
         var latestStatusReport = metadataEntry?.GetLatestStatusReport();

diff --git a/Src/Fido2/Extensions/CryptoUtils.cs b/Src/Fido2/Extensions/CryptoUtils.cs
@@ -49,7 +49,7 @@ public static HashAlgorithmName HashAlgFromCOSEAlg(COSE.Algorithm alg)
         };
     }
 
-    public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certificate2[] attestationRootCertificates, bool conformance = false)
+    public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certificate2[] attestationRootCertificates, FidoValidationMode validationMode = FidoValidationMode.Default)
     {
         // https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-metadata-statement-v2.0-id-20180227.html#widl-MetadataStatement-attestationRootCertificates
 
@@ -102,10 +102,10 @@ public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certific
             chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
 
             // if the attestation cert has a CDP extension, go ahead and turn on online revocation checking
-            if (!string.IsNullOrEmpty(CDPFromCertificateExts(trustPath[0].Extensions)) && !conformance)
-                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
-
-            // don't allow unknown root now that we have a custom root
+            if (!string.IsNullOrEmpty(CDPFromCertificateExts(trustPath[0].Extensions)) && validationMode != FidoValidationMode.FidoConformance2024)
+                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
+
+            // don't allow unknown root now that we have a custom root
             chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
 
             // now, verify chain again with all checks turned on

diff --git a/Src/Fido2/FidoValidationMode.cs b/Src/Fido2/FidoValidationMode.cs
@@ -0,0 +1,6 @@
+public enum FidoValidationMode
+{
+    WebAuthNLevel3,
+    FidoConformance2024,
+    Default = WebAuthNLevel3
+}
diff --git a/Src/Fido2/TrustAnchor.cs b/Src/Fido2/TrustAnchor.cs
@@ -8,7 +8,7 @@ namespace Fido2NetLib;
 
 public static class TrustAnchor
 {
-    public static void Verify(MetadataBLOBPayloadEntry? metadataEntry, X509Certificate2[] trustPath, bool conformance)
+    public static void Verify(MetadataBLOBPayloadEntry? metadataEntry, X509Certificate2[] trustPath, FidoValidationMode validationMode = FidoValidationMode.Default)
     {
         if (trustPath != null && metadataEntry?.MetadataStatement?.AttestationTypes is not null)
         {
@@ -34,7 +34,7 @@ static bool ContainsAttestationType(MetadataBLOBPayloadEntry entry, MetadataAtte
                     throw new Fido2VerificationException(Fido2ErrorMessages.InvalidCertificateChain);
                 }
 
-                if (!CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates, conformance))
+                if (!CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates, validationMode))
                 {
                     throw new Fido2VerificationException(Fido2ErrorMessages.InvalidCertificateChain);
                 }