Drop support for device public key (dpk) (#567)

* Removed DevicePubKey p1 * Removed DevicePubkey p2 * Clean up crumbs * format * Add the comment back in * format
passwordless-lib · Oct 30, 2024 · ea6cd8f · ea6cd8f
1 parent 0d38438
commit ea6cd8f
Show file tree

Hide file tree

Showing 20 changed files with 30 additions and 515 deletions.
diff --git a/BlazorWasmDemo/Server/Controllers/UserController.cs b/BlazorWasmDemo/Server/Controllers/UserController.cs
@@ -112,11 +112,7 @@ public CredentialCreateOptions GetCredentialOptions(
                 {
                     Extensions = true,
                     UserVerificationMethod = true,
-                    CredProps = true,
-                    DevicePubKey = new AuthenticationExtensionsDevicePublicKeyInputs
-                    {
-                        Attestation = attestationType?.ToString() ?? AttestationConveyancePreference.None.ToString()
-                    },
+                    CredProps = true
                 }
             );
 
@@ -168,7 +164,6 @@ public async Task<string> CreateCredentialAsync([FromRoute] string username, [Fr
                 SignCount = credential.SignCount,
                 RegDate = DateTimeOffset.UtcNow,
                 AaGuid = credential.AaGuid,
-                DevicePublicKeys = [credential.DevicePublicKey],
                 Transports = credential.Transports,
                 IsBackupEligible = credential.IsBackupEligible,
                 IsBackedUp = credential.IsBackedUp,
@@ -213,8 +208,7 @@ public AssertionOptions MakeAssertionOptions([FromRoute] string? username, [From
             var exts = new AuthenticationExtensionsClientInputs
             {
                 UserVerificationMethod = true,
-                Extensions = true,
-                DevicePubKey = new AuthenticationExtensionsDevicePublicKeyInputs()
+                Extensions = true
             };
 
             // 2. Create options (usernameless users will be prompted by their device to select a credential from their own list)
@@ -277,16 +271,11 @@ public async Task<string> MakeAssertionAsync([FromBody] AuthenticatorAssertionRa
                 OriginalOptions = options,
                 StoredPublicKey = creds.PublicKey,
                 StoredSignatureCounter = creds.SignCount,
-                IsUserHandleOwnerOfCredentialIdCallback = UserHandleOwnerOfCredentialIdAsync,
-                StoredDevicePublicKeys = creds.DevicePublicKeys
+                IsUserHandleOwnerOfCredentialIdCallback = UserHandleOwnerOfCredentialIdAsync
             }, cancellationToken: cancellationToken);
 
             // 4. Store the updated counter
             _demoStorage.UpdateCounter(res.CredentialId, res.SignCount);
-            if (res.DevicePublicKey is not null)
-            {
-                creds.DevicePublicKeys.Add(res.DevicePublicKey);
-            }
 
 
             // 5. return result to client

diff --git a/Demo/Controller.cs b/Demo/Controller.cs
@@ -67,7 +67,6 @@ public JsonResult MakeCredentialOptions([FromForm] string username,
             {
                 Extensions = true,
                 UserVerificationMethod = true,
-                DevicePubKey = new AuthenticationExtensionsDevicePublicKeyInputs() { Attestation = attType },
                 CredProps = true
             };
 
@@ -127,8 +126,7 @@ public async Task<JsonResult> MakeCredential([FromBody] AuthenticatorAttestation
                 IsBackupEligible = credential.IsBackupEligible,
                 IsBackedUp = credential.IsBackedUp,
                 AttestationObject = credential.AttestationObject,
-                AttestationClientDataJson = credential.AttestationClientDataJson,
-                DevicePublicKeys = [credential.DevicePublicKey]
+                AttestationClientDataJson = credential.AttestationClientDataJson
             });
 
             // 4. return "ok" to the client
@@ -160,8 +158,7 @@ public ActionResult AssertionOptionsPost([FromForm] string username, [FromForm]
             var exts = new AuthenticationExtensionsClientInputs()
             {
                 Extensions = true,
-                UserVerificationMethod = true,
-                DevicePubKey = new AuthenticationExtensionsDevicePublicKeyInputs()
+                UserVerificationMethod = true
             };
 
             // 3. Create options
@@ -215,16 +212,12 @@ public async Task<JsonResult> MakeAssertion([FromBody] AuthenticatorAssertionRaw
                 OriginalOptions = options,
                 StoredPublicKey = creds.PublicKey,
                 StoredSignatureCounter = storedCounter,
-                IsUserHandleOwnerOfCredentialIdCallback = callback,
-                StoredDevicePublicKeys = creds.DevicePublicKeys
+                IsUserHandleOwnerOfCredentialIdCallback = callback
             }, cancellationToken: cancellationToken);
 
             // 6. Store the updated counter
             DemoStorage.UpdateCounter(res.CredentialId, res.SignCount);
 
-            if (res.DevicePublicKey is not null)
-                creds.DevicePublicKeys.Add(res.DevicePublicKey);
-
             // 7. return OK to client
             return Json(res);
         }

diff --git a/Demo/TestController.cs b/Demo/TestController.cs
@@ -188,16 +188,12 @@ public async Task<JsonResult> MakeAssertionTestAsync([FromBody] AuthenticatorAss
             OriginalOptions = options,
             StoredPublicKey = creds.PublicKey,
             StoredSignatureCounter = storedCounter,
-            IsUserHandleOwnerOfCredentialIdCallback = callback,
-            StoredDevicePublicKeys = creds.DevicePublicKeys
+            IsUserHandleOwnerOfCredentialIdCallback = callback
         }, cancellationToken: cancellationToken);
 
         // 6. Store the updated counter
         _demoStorage.UpdateCounter(res.CredentialId, res.SignCount);
 
-        if (res.DevicePublicKey is not null)
-            creds.DevicePublicKeys.Add(res.DevicePublicKey);
-
         // 7. return OK to client
         return Json(new
         {

diff --git a/Src/Fido2.Development/StoredCredential.cs b/Src/Fido2.Development/StoredCredential.cs
@@ -48,8 +48,6 @@ public class StoredCredential
     /// </summary>
     public byte[] AttestationClientDataJson { get; set; }
 
-    public List<byte[]> DevicePublicKeys { get; set; }
-
     public byte[] UserId { get; set; }
 
     /// <summary>

diff --git a/Src/Fido2.Models/Exceptions/Fido2ErrorCode.cs b/Src/Fido2.Models/Exceptions/Fido2ErrorCode.cs
@@ -33,6 +33,5 @@ public enum Fido2ErrorCode
     UnimplementedAlgorithm,
     BackupEligibilityRequirementNotMet,
     BackupStateRequirementNotMet,
-    CredentialAlgorithmRequirementNotMet,
-    DevicePublicKeyAuthentication
+    CredentialAlgorithmRequirementNotMet
 }
diff --git a/Src/Fido2.Models/Objects/AuthenticationExtensionsClientInputs.cs b/Src/Fido2.Models/Objects/AuthenticationExtensionsClientInputs.cs
@@ -40,14 +40,6 @@ public sealed class AuthenticationExtensionsClientInputs
     public bool? UserVerificationMethod { private get; set; }
 
 #nullable enable
-    /// <summary>
-    /// This extension enables use of a user verification method.
-    /// https://www.w3.org/TR/webauthn/#sctn-uvm-extension
-    /// </summary>
-    [JsonPropertyName("devicePubKey")]
-    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
-    public AuthenticationExtensionsDevicePublicKeyInputs? DevicePubKey { get; set; }
-
     /// <summary>
     /// This client registration extension facilitates reporting certain credential properties known by the client to the requesting WebAuthn Relying Party upon creation of a public key credential source as a result of a registration ceremony.
     /// </summary>

diff --git a/Src/Fido2.Models/Objects/AuthenticationExtensionsClientOutputs.cs b/Src/Fido2.Models/Objects/AuthenticationExtensionsClientOutputs.cs
@@ -36,14 +36,6 @@ public class AuthenticationExtensionsClientOutputs
     [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
     public ulong[][]? UserVerificationMethod { get; set; }
 
-    /// <summary>
-    /// This authenticator registration extension and authentication extension provides a Relying Party with a "device continuity" signal for backup eligible credentials.
-    /// https://w3c.github.io/webauthn/#sctn-device-publickey-extension
-    /// </summary>
-    [JsonPropertyName("devicePubKey")]
-    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
-    public AuthenticationExtensionsDevicePublicKeyOutputs? DevicePubKey { get; set; }
-
     /// <summary>
     /// This client registration extension facilitates reporting certain credential properties known by the client to the requesting WebAuthn Relying Party upon creation of a public key credential source as a result of a registration ceremony.
     /// </summary>

diff --git a/Src/Fido2.Models/Objects/AuthenticationExtensionsDevicePublicKeyInputs.cs b/Src/Fido2.Models/Objects/AuthenticationExtensionsDevicePublicKeyInputs.cs
diff --git a/Src/Fido2.Models/Objects/AuthenticationExtensionsDevicePublicKeyOutputs.cs b/Src/Fido2.Models/Objects/AuthenticationExtensionsDevicePublicKeyOutputs.cs
diff --git a/Src/Fido2.Models/Objects/RegisteredPublicKeyCredential.cs b/Src/Fido2.Models/Objects/RegisteredPublicKeyCredential.cs
@@ -43,11 +43,6 @@ public class RegisteredPublicKeyCredential
     /// </summary>
     public bool IsBackedUp { get; init; }
 
-    /// <summary>
-    /// The public key portion of a hardware-bound device key pair
-    /// </summary>
-    public byte[] DevicePublicKey { get; init; }
-
     public Guid AaGuid { get; init; }
 
     public Fido2User User { get; init; }

diff --git a/Src/Fido2.Models/Objects/VerifyAssertionResult.cs b/Src/Fido2.Models/Objects/VerifyAssertionResult.cs
@@ -16,9 +16,4 @@ public class VerifyAssertionResult
     /// The latest value of the BS flag in the authenticator data from any ceremony using the public key credential source.
     /// </summary>
     public bool IsBackedUp { get; init; }
-
-    /// <summary>
-    /// The public key portion of a hardware-bound device key pair
-    /// </summary>
-    public byte[] DevicePublicKey { get; init; }
 }