mirror of
https://github.com/onsonr/sonr.git
synced 2025-03-10 21:09:11 +00:00
Prad Nukala
96e6486c43
* feat: add new supported attestation formats to genesis * feat: refactor keyType to keytype enum * refactor: remove unused imports and code * refactor: update main.go to use src package * refactor: move web-related structs from to * refactor: move client middleware package to root * refactor: remove unused IndexedDB dependency * feat: update worker implementation to use * feat: add Caddyfile and Caddy configuration for vault service * refactor(config): move keyshare and address to Motr config * fix: validate service origin in AllocateVault * chore: remove IndexedDB configuration * feat: add support for IPNS-based vault access
335 lines
13 KiB
Go
335 lines
13 KiB
Go
package orm
|
||
|
||
import (
|
||
"github.com/onsonr/sonr/x/did/types"
|
||
)
|
||
|
||
type (
|
||
AuthenticatorAttachment string
|
||
AuthenticatorTransport string
|
||
)
|
||
|
||
const (
|
||
// Platform represents a platform authenticator is attached using a client device-specific transport, called
|
||
// platform attachment, and is usually not removable from the client device. A public key credential bound to a
|
||
// platform authenticator is called a platform credential.
|
||
Platform AuthenticatorAttachment = "platform"
|
||
|
||
// CrossPlatform represents a roaming authenticator is attached using cross-platform transports, called
|
||
// cross-platform attachment. Authenticators of this class are removable from, and can "roam" among, client devices.
|
||
// A public key credential bound to a roaming authenticator is called a roaming credential.
|
||
CrossPlatform AuthenticatorAttachment = "cross-platform"
|
||
)
|
||
|
||
func ParseAuthenticatorAttachment(s string) AuthenticatorAttachment {
|
||
switch s {
|
||
case "platform":
|
||
return Platform
|
||
default:
|
||
return CrossPlatform
|
||
}
|
||
}
|
||
|
||
const (
|
||
// USB indicates the respective authenticator can be contacted over removable USB.
|
||
USB AuthenticatorTransport = "usb"
|
||
|
||
// NFC indicates the respective authenticator can be contacted over Near Field Communication (NFC).
|
||
NFC AuthenticatorTransport = "nfc"
|
||
|
||
// BLE indicates the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).
|
||
BLE AuthenticatorTransport = "ble"
|
||
|
||
// SmartCard indicates the respective authenticator can be contacted over ISO/IEC 7816 smart card with contacts.
|
||
//
|
||
// WebAuthn Level 3.
|
||
SmartCard AuthenticatorTransport = "smart-card"
|
||
|
||
// Hybrid indicates the respective authenticator can be contacted using a combination of (often separate)
|
||
// data-transport and proximity mechanisms. This supports, for example, authentication on a desktop computer using
|
||
// a smartphone.
|
||
//
|
||
// WebAuthn Level 3.
|
||
Hybrid AuthenticatorTransport = "hybrid"
|
||
|
||
// Internal indicates the respective authenticator is contacted using a client device-specific transport, i.e., it
|
||
// is a platform authenticator. These authenticators are not removable from the client device.
|
||
Internal AuthenticatorTransport = "internal"
|
||
)
|
||
|
||
func ParseAuthenticatorTransport(s string) AuthenticatorTransport {
|
||
switch s {
|
||
case "usb":
|
||
return USB
|
||
case "nfc":
|
||
return NFC
|
||
case "ble":
|
||
return BLE
|
||
case "smart-card":
|
||
return SmartCard
|
||
case "hybrid":
|
||
return Hybrid
|
||
default:
|
||
return Internal
|
||
}
|
||
}
|
||
|
||
type AuthenticatorFlags byte
|
||
|
||
const (
|
||
// FlagUserPresent Bit 00000001 in the byte sequence. Tells us if user is present. Also referred to as the UP flag.
|
||
FlagUserPresent AuthenticatorFlags = 1 << iota // Referred to as UP
|
||
|
||
// FlagRFU1 is a reserved for future use flag.
|
||
FlagRFU1
|
||
|
||
// FlagUserVerified Bit 00000100 in the byte sequence. Tells us if user is verified
|
||
// by the authenticator using a biometric or PIN. Also referred to as the UV flag.
|
||
FlagUserVerified
|
||
|
||
// FlagBackupEligible Bit 00001000 in the byte sequence. Tells us if a backup is eligible for device. Also referred
|
||
// to as the BE flag.
|
||
FlagBackupEligible // Referred to as BE
|
||
|
||
// FlagBackupState Bit 00010000 in the byte sequence. Tells us if a backup state for device. Also referred to as the
|
||
// BS flag.
|
||
FlagBackupState
|
||
|
||
// FlagRFU2 is a reserved for future use flag.
|
||
FlagRFU2
|
||
|
||
// FlagAttestedCredentialData Bit 01000000 in the byte sequence. Indicates whether
|
||
// the authenticator added attested credential data. Also referred to as the AT flag.
|
||
FlagAttestedCredentialData
|
||
|
||
// FlagHasExtensions Bit 10000000 in the byte sequence. Indicates if the authenticator data has extensions. Also
|
||
// referred to as the ED flag.
|
||
FlagHasExtensions
|
||
)
|
||
|
||
type AttestationFormat string
|
||
|
||
const (
|
||
// AttestationFormatPacked is the "packed" attestation statement format is a WebAuthn-optimized format for
|
||
// attestation. It uses a very compact but still extensible encoding method. This format is implementable by
|
||
// authenticators with limited resources (e.g., secure elements).
|
||
AttestationFormatPacked AttestationFormat = "packed"
|
||
|
||
// AttestationFormatTPM is the TPM attestation statement format returns an attestation statement in the same format
|
||
// as the packed attestation statement format, although the rawData and signature fields are computed differently.
|
||
AttestationFormatTPM AttestationFormat = "tpm"
|
||
|
||
// AttestationFormatAndroidKey is the attestation statement format for platform authenticators on versions "N", and
|
||
// later, which may provide this proprietary "hardware attestation" statement.
|
||
AttestationFormatAndroidKey AttestationFormat = "android-key"
|
||
|
||
// AttestationFormatAndroidSafetyNet is the attestation statement format that Android-based platform authenticators
|
||
// MAY produce an attestation statement based on the Android SafetyNet API.
|
||
AttestationFormatAndroidSafetyNet AttestationFormat = "android-safetynet"
|
||
|
||
// AttestationFormatFIDOUniversalSecondFactor is the attestation statement format that is used with FIDO U2F
|
||
// authenticators.
|
||
AttestationFormatFIDOUniversalSecondFactor AttestationFormat = "fido-u2f"
|
||
|
||
// AttestationFormatApple is the attestation statement format that is used with Apple devices' platform
|
||
// authenticators.
|
||
AttestationFormatApple AttestationFormat = "apple"
|
||
|
||
// AttestationFormatNone is the attestation statement format that is used to replace any authenticator-provided
|
||
// attestation statement when a WebAuthn Relying Party indicates it does not wish to receive attestation information.
|
||
AttestationFormatNone AttestationFormat = "none"
|
||
)
|
||
|
||
func ExtractAttestationFormats(p *types.Params) []AttestationFormat {
|
||
var formats []AttestationFormat
|
||
for _, v := range p.AttestationFormats {
|
||
formats = append(formats, parseAttestationFormat(v))
|
||
}
|
||
return formats
|
||
}
|
||
|
||
func parseAttestationFormat(s string) AttestationFormat {
|
||
switch s {
|
||
case "packed":
|
||
return AttestationFormatPacked
|
||
case "tpm":
|
||
return AttestationFormatTPM
|
||
case "android-key":
|
||
return AttestationFormatAndroidKey
|
||
case "android-safetynet":
|
||
return AttestationFormatAndroidSafetyNet
|
||
case "fido-u2f":
|
||
return AttestationFormatFIDOUniversalSecondFactor
|
||
case "apple":
|
||
return AttestationFormatApple
|
||
case "none":
|
||
return AttestationFormatNone
|
||
default:
|
||
return AttestationFormatPacked
|
||
}
|
||
}
|
||
|
||
type CredentialType string
|
||
|
||
const (
|
||
CredentialTypePublicKeyCredential CredentialType = "public-key"
|
||
)
|
||
|
||
type ConveyancePreference string
|
||
|
||
const (
|
||
// PreferNoAttestation is a ConveyancePreference value.
|
||
//
|
||
// This value indicates that the Relying Party is not interested in authenticator attestation. For example, in order
|
||
// to potentially avoid having to obtain user consent to relay identifying information to the Relying Party, or to
|
||
// save a round trip to an Attestation CA or Anonymization CA.
|
||
//
|
||
// This is the default value.
|
||
//
|
||
// Specification: §5.4.7. Attestation Conveyance Preference Enumeration (https://www.w3.org/TR/webauthn/#dom-attestationconveyancepreference-none)
|
||
PreferNoAttestation ConveyancePreference = "none"
|
||
|
||
// PreferIndirectAttestation is a ConveyancePreference value.
|
||
//
|
||
// This value indicates that the Relying Party prefers an attestation conveyance yielding verifiable attestation
|
||
// statements, but allows the client to decide how to obtain such attestation statements. The client MAY replace the
|
||
// authenticator-generated attestation statements with attestation statements generated by an Anonymization CA, in
|
||
// order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a
|
||
// heterogeneous ecosystem.
|
||
//
|
||
// Note: There is no guarantee that the Relying Party will obtain a verifiable attestation statement in this case.
|
||
// For example, in the case that the authenticator employs self attestation.
|
||
//
|
||
// Specification: §5.4.7. Attestation Conveyance Preference Enumeration (https://www.w3.org/TR/webauthn/#dom-attestationconveyancepreference-indirect)
|
||
PreferIndirectAttestation ConveyancePreference = "indirect"
|
||
|
||
// PreferDirectAttestation is a ConveyancePreference value.
|
||
//
|
||
// This value indicates that the Relying Party wants to receive the attestation statement as generated by the
|
||
// authenticator.
|
||
//
|
||
// Specification: §5.4.7. Attestation Conveyance Preference Enumeration (https://www.w3.org/TR/webauthn/#dom-attestationconveyancepreference-direct)
|
||
PreferDirectAttestation ConveyancePreference = "direct"
|
||
|
||
// PreferEnterpriseAttestation is a ConveyancePreference value.
|
||
//
|
||
// This value indicates that the Relying Party wants to receive an attestation statement that may include uniquely
|
||
// identifying information. This is intended for controlled deployments within an enterprise where the organization
|
||
// wishes to tie registrations to specific authenticators. User agents MUST NOT provide such an attestation unless
|
||
// the user agent or authenticator configuration permits it for the requested RP ID.
|
||
//
|
||
// If permitted, the user agent SHOULD signal to the authenticator (at invocation time) that enterprise
|
||
// attestation is requested, and convey the resulting AAGUID and attestation statement, unaltered, to the Relying
|
||
// Party.
|
||
//
|
||
// Specification: §5.4.7. Attestation Conveyance Preference Enumeration (https://www.w3.org/TR/webauthn/#dom-attestationconveyancepreference-enterprise)
|
||
PreferEnterpriseAttestation ConveyancePreference = "enterprise"
|
||
)
|
||
|
||
func ExtractConveyancePreference(p *types.Params) ConveyancePreference {
|
||
switch p.ConveyancePreference {
|
||
case "none":
|
||
return PreferNoAttestation
|
||
case "indirect":
|
||
return PreferIndirectAttestation
|
||
case "direct":
|
||
return PreferDirectAttestation
|
||
case "enterprise":
|
||
return PreferEnterpriseAttestation
|
||
default:
|
||
return PreferNoAttestation
|
||
}
|
||
}
|
||
|
||
type PublicKeyCredentialHints string
|
||
|
||
const (
|
||
// PublicKeyCredentialHintSecurityKey is a PublicKeyCredentialHint that indicates that the Relying Party believes
|
||
// that users will satisfy this request with a physical security key. For example, an enterprise Relying Party may
|
||
// set this hint if they have issued security keys to their employees and will only accept those authenticators for
|
||
// registration and authentication.
|
||
//
|
||
// For compatibility with older user agents, when this hint is used in PublicKeyCredentialCreationOptions, the
|
||
// authenticatorAttachment SHOULD be set to cross-platform.
|
||
PublicKeyCredentialHintSecurityKey PublicKeyCredentialHints = "security-key"
|
||
|
||
// PublicKeyCredentialHintClientDevice is a PublicKeyCredentialHint that indicates that the Relying Party believes
|
||
// that users will satisfy this request with a platform authenticator attached to the client device.
|
||
//
|
||
// For compatibility with older user agents, when this hint is used in PublicKeyCredentialCreationOptions, the
|
||
// authenticatorAttachment SHOULD be set to platform.
|
||
PublicKeyCredentialHintClientDevice PublicKeyCredentialHints = "client-device"
|
||
|
||
// PublicKeyCredentialHintHybrid is a PublicKeyCredentialHint that indicates that the Relying Party believes that
|
||
// users will satisfy this request with general-purpose authenticators such as smartphones. For example, a consumer
|
||
// Relying Party may believe that only a small fraction of their customers possesses dedicated security keys. This
|
||
// option also implies that the local platform authenticator should not be promoted in the UI.
|
||
//
|
||
// For compatibility with older user agents, when this hint is used in PublicKeyCredentialCreationOptions, the
|
||
// authenticatorAttachment SHOULD be set to cross-platform.
|
||
PublicKeyCredentialHintHybrid PublicKeyCredentialHints = "hybrid"
|
||
)
|
||
|
||
func ParsePublicKeyCredentialHints(s string) PublicKeyCredentialHints {
|
||
switch s {
|
||
case "security-key":
|
||
return PublicKeyCredentialHintSecurityKey
|
||
case "client-device":
|
||
return PublicKeyCredentialHintClientDevice
|
||
case "hybrid":
|
||
return PublicKeyCredentialHintHybrid
|
||
default:
|
||
return ""
|
||
}
|
||
}
|
||
|
||
type AttestedCredentialData struct {
|
||
AAGUID []byte `json:"aaguid"`
|
||
CredentialID []byte `json:"credential_id"`
|
||
|
||
// The raw credential public key bytes received from the attestation data.
|
||
CredentialPublicKey []byte `json:"public_key"`
|
||
}
|
||
|
||
type ResidentKeyRequirement string
|
||
|
||
const (
|
||
// ResidentKeyRequirementDiscouraged indicates the Relying Party prefers creating a server-side credential, but will
|
||
// accept a client-side discoverable credential. This is the default.
|
||
ResidentKeyRequirementDiscouraged ResidentKeyRequirement = "discouraged"
|
||
|
||
// ResidentKeyRequirementPreferred indicates to the client we would prefer a discoverable credential.
|
||
ResidentKeyRequirementPreferred ResidentKeyRequirement = "preferred"
|
||
|
||
// ResidentKeyRequirementRequired indicates the Relying Party requires a client-side discoverable credential, and is
|
||
// prepared to receive an error if a client-side discoverable credential cannot be created.
|
||
ResidentKeyRequirementRequired ResidentKeyRequirement = "required"
|
||
)
|
||
|
||
func ParseResidentKeyRequirement(s string) ResidentKeyRequirement {
|
||
switch s {
|
||
case "discouraged":
|
||
return ResidentKeyRequirementDiscouraged
|
||
case "preferred":
|
||
return ResidentKeyRequirementPreferred
|
||
default:
|
||
return ResidentKeyRequirementRequired
|
||
}
|
||
}
|
||
|
||
type (
|
||
AuthenticationExtensions map[string]any
|
||
UserVerificationRequirement string
|
||
)
|
||
|
||
const (
|
||
// VerificationRequired User verification is required to create/release a credential
|
||
VerificationRequired UserVerificationRequirement = "required"
|
||
|
||
// VerificationPreferred User verification is preferred to create/release a credential
|
||
VerificationPreferred UserVerificationRequirement = "preferred" // This is the default
|
||
|
||
// VerificationDiscouraged The authenticator should not verify the user for the credential
|
||
VerificationDiscouraged UserVerificationRequirement = "discouraged"
|
||
)
|