/// <summary>
/// Initialize method implementation
/// </summary>
public override void Initialize(BaseProviderParams externalsystem)
{
try
{
if (!_isinitialized)
{
Trace.WriteLine("WebAuthNProvider Initialize");
if (externalsystem is WebAuthNProviderParams)
{
WebAuthNProviderParams param = externalsystem as WebAuthNProviderParams;
Config = param.Config;
Enabled = param.Enabled;
IsRequired = param.IsRequired;
WizardEnabled = param.EnrollWizard;
ForceEnrollment = param.ForceWizard;
PinRequired = param.PinRequired;
PinRequirements = param.PinRequirements;
DirectLogin = param.DirectLogin;
ConveyancePreference = param.Options.AttestationConveyancePreference;
Attachement = param.Options.AuthenticatorAttachment;
Extentions = param.Options.Extensions;
Location = param.Options.Location;
UserVerificationIndex = param.Options.UserVerificationIndex;
UserVerificationMethod = param.Options.UserVerificationMethod;
UserVerificationRequirement = param.Options.UserVerificationRequirement;
RequireResidentKey = param.Options.RequireResidentKey;
ChallengeSize = param.Configuration.ChallengeSize;
HmacSecret = param.Options.HmacSecret;
CredProtect = (UserVerification?)param.Options.CredProtect;
EnforceCredProtect = param.Options.EnforceCredProtect;
IdentityModelEventSource.ShowPII = param.Configuration.ShowPII;
Fido2Configuration fido = new Fido2Configuration()
{
ServerDomain = param.Configuration.ServerDomain,
ServerName = param.Configuration.ServerName,
Origin = param.Configuration.Origin,
Timeout = param.Configuration.Timeout,
TimestampDriftTolerance = param.Configuration.TimestampDriftTolerance,
ChallengeSize = param.Configuration.ChallengeSize,
RequireValidAttestationRoot = param.Configuration.RequireValidAttestationRoot
};
Trace.WriteLine("WebAuthNAdapter Create");
_webathn = new WebAuthNAdapter(fido, _simplemetadataservice);
_isinitialized = true;
Trace.WriteLine("WebAuthNAdapter Created");
Trace.WriteLine("WebAuthNProvider Initialized");
return;
}
else
{
throw new InvalidCastException("Invalid WebAuthN Provider !");
}
}
}
catch (Exception ex)
{
this.Enabled = false;
throw ex;
}
}
/// <summary>
/// Create static method implementation
/// </summary>
public static RegisterCredentialOptions Create(Fido2Configuration config, byte[] challenge, Fido2User user, AuthenticatorSelection authenticatorSelection, AttestationConveyancePreference attestationConveyancePreference, List <PublicKeyCredentialDescriptor> excludeCredentials, AuthenticationExtensionsClientInputs extensions)
{
return(new RegisterCredentialOptions
{
Status = "ok",
ErrorMessage = string.Empty,
Challenge = challenge,
Rp = new PublicKeyCredentialRpEntity(config.ServerDomain, config.ServerName, config.ServerIcon),
Timeout = config.Timeout,
User = user,
PubKeyCredParams = new List <PubKeyCredParam>()
{
// Add additional as appropriate
ES256,
RS256,
PS256,
ES384,
RS384,
PS384,
ES512,
RS512,
PS512,
},
AuthenticatorSelection = authenticatorSelection,
Attestation = attestationConveyancePreference,
ExcludeCredentials = excludeCredentials ?? new List <PublicKeyCredentialDescriptor>(),
Extensions = extensions
});
}
/// <summary>
/// WebAuthNAdapter constructor
/// </summary>
public WebAuthNAdapter(Fido2Configuration config, IMetadataService metadataService = null)
{
_config = config;
_crypto = RandomNumberGenerator.Create();
_metadataService = metadataService;
_metadataService.Timeout = config.Timeout;
_metadataService.TimestampDriftTolerance = config.TimestampDriftTolerance;
}
/// <summary>
/// Initialize method implementation
/// </summary>
public override void Initialize(BaseProviderParams externalsystem)
{
try
{
if (!_isinitialized)
{
Trace.WriteLine("WebAuthNProvider Initialize");
if (externalsystem is WebAuthNProviderParams)
{
WebAuthNProviderParams param = externalsystem as WebAuthNProviderParams;
Config = param.Config;
Enabled = param.Enabled;
IsRequired = param.IsRequired;
WizardEnabled = param.EnrollWizard;
WizardDisabled = param.EnrollWizardDisabled;
ForceEnrollment = param.ForceWizard;
PinRequired = param.PinRequired;
PinRequirements = param.PinRequirements;
DirectLogin = param.DirectLogin;
ConveyancePreference = param.Options.AttestationConveyancePreference;
Attachement = param.Options.AuthenticatorAttachment;
Extentions = param.Options.Extensions;
UserVerificationMethod = param.Options.UserVerificationMethod;
UserVerificationRequirement = param.Options.UserVerificationRequirement.ToEnum <UserVerificationRequirement>();
RequireResidentKey = param.Options.RequireResidentKey;
ChallengeSize = param.Configuration.ChallengeSize;
ForbiddenBrowsers = param.Configuration.ForbiddenBrowsers;
InitiatedBrowsers = param.Configuration.InitiatedBrowsers;
NoCounterBrowsers = param.Configuration.NoCounterBrowsers;
Fido2Configuration fido = new Fido2Configuration()
{
ServerDomain = param.Configuration.ServerDomain,
ServerName = param.Configuration.ServerName,
Origin = param.Configuration.Origin,
Timeout = param.Configuration.Timeout,
TimestampDriftTolerance = param.Configuration.TimestampDriftTolerance,
ChallengeSize = param.Configuration.ChallengeSize
};
Trace.WriteLine("WebAuthNAdapter Create");
_webathn = new WebAuthNAdapter(fido, _metadataservice);
Trace.WriteLine("WebAuthNAdapter Created");
_isinitialized = true;
Trace.WriteLine("WebAuthNProvider Initialized");
return;
}
else
{
throw new InvalidCastException("Invalid WebAuthN Provider !");
}
}
}
catch (Exception ex)
{
this.Enabled = false;
throw ex;
}
}
/// <summary>
/// Initialize method implementation
/// </summary>
public override void Initialize(BaseProviderParams externalsystem)
{
try
{
if (!_isinitialized)
{
if (externalsystem is WebAuthNProviderParams)
{
WebAuthNProviderParams param = externalsystem as WebAuthNProviderParams;
Config = param.Config;
Enabled = param.Enabled;
IsRequired = param.IsRequired;
WizardEnabled = param.EnrollWizard;
ForceEnrollment = param.ForceWizard;
PinRequired = param.PinRequired;
DirectLogin = param.DirectLogin;
ConveyancePreference = param.Options.AttestationConveyancePreference;
Attachement = param.Options.AuthenticatorAttachment;
Extentions = param.Options.Extensions;
Location = param.Options.Location;
UserVerificationIndex = param.Options.UserVerificationIndex;
UserVerificationMethod = param.Options.UserVerificationMethod;
UserVerificationRequirement = param.Options.UserVerificationRequirement;
RequireResidentKey = param.Options.RequireResidentKey;
ChallengeSize = param.Configuration.ChallengeSize;
IdentityModelEventSource.ShowPII = param.Configuration.ShowPII;
Fido2Configuration fido = new Fido2Configuration()
{
ServerDomain = param.Configuration.ServerDomain,
ServerName = param.Configuration.ServerName,
Origin = param.Configuration.Origin,
Timeout = param.Configuration.Timeout,
TimestampDriftTolerance = param.Configuration.TimestampDriftTolerance,
ChallengeSize = param.Configuration.ChallengeSize,
RequireValidAttestationRoot = param.Configuration.RequireValidAttestationRoot
};
_webathn = new WebAuthNAdapter(fido, new SimpleMetadataService(new List <IMetadataRepository> {
new StaticMetadataRepository(DateTime.Now.AddMinutes(1).ToUniversalTime())
}));
_isinitialized = true;
return;
}
else
{
throw new InvalidCastException("Invalid WebAuthN Provider !");
}
}
}
catch (Exception ex)
{
this.Enabled = false;
throw ex;
}
}
public static AssertionOptions Create(Fido2Configuration config, byte[] challenge, IEnumerable<PublicKeyCredentialDescriptor> allowedCredentials, UserVerificationRequirement? userVerification, AuthenticationExtensionsClientInputs extensions)
{
return new AssertionOptions()
{
Status = "ok",
ErrorMessage = string.Empty,
Challenge = challenge,
Timeout = config.Timeout,
RpId = config.ServerDomain,
AllowCredentials = allowedCredentials ?? new List<PublicKeyCredentialDescriptor>(),
UserVerification = userVerification,
Extensions = extensions
};
}
public AttestationVerificationSuccess VerifyCredentialCreateOptions(RegisterCredentialOptions originalOptions, Fido2Configuration config, IsCredentialIdUniqueToUserDelegate isCredentialIdUniqueToUser, IMetadataService metadataService, byte[] requestTokenBindingId)
{
BaseVerify(config.Origin, originalOptions.Challenge, requestTokenBindingId);
// verify challenge is same as we expected
// verify origin
// done in baseclass
if (Type != "webauthn.create")
{
throw new VerificationException("AttestationResponse is not type webauthn.create");
}
if (Raw.Id == null || Raw.Id.Length == 0)
{
throw new VerificationException("AttestationResponse is missing Id");
}
if (Raw.Type != PublicKeyCredentialType.PublicKey)
{
throw new VerificationException("AttestationResponse is missing type with value 'public-key'");
}
if (null == AttestationObject.AuthData || 0 == AttestationObject.AuthData.Length)
{
throw new VerificationException("Missing or malformed authData");
}
var authData = new AuthenticatorData(AttestationObject.AuthData);
// 6
//todo: Verify that the value of C.tokenBinding.status matches the state of Token Binding for the TLS connection
// over which the assertion was obtained.If Token Binding was used on that TLS connection,
// also verify that C.tokenBinding.id matches the base64url encoding of the Token Binding ID for the connection.
// This is done in BaseVerify.
// TODO: test that implmentation
// 7
// Compute the hash of response.clientDataJSON using SHA - 256.
byte[] clientDataHash, rpIdHash;
using (var sha = CryptoUtils.GetHasher(HashAlgorithmName.SHA256))
{
clientDataHash = sha.ComputeHash(Raw.Response.ClientDataJson);
rpIdHash = sha.ComputeHash(Encoding.UTF8.GetBytes(originalOptions.Rp.Id));
}
// 9
// Verify that the RP ID hash in authData is indeed the SHA - 256 hash of the RP ID expected by the RP.
if (false == authData.RpIdHash.SequenceEqual(rpIdHash))
{
throw new VerificationException("Hash mismatch RPID");
}
// 10
// Verify that the User Present bit of the flags in authData is set.
if (false == authData.UserPresent)
{
throw new VerificationException("User Present flag not set in authenticator data");
}
// 11
// If user verification is required for this registration, verify that the User Verified bit of the flags in authData is set.
// see authData.UserVerified
// 12
// Verify that the values of the client extension outputs in clientExtensionResults and the authenticator extension outputs in the extensions in authData are as expected
// todo: Implement sort of like this: ClientExtensions.Keys.Any(x => options.extensions.contains(x);
if (false == authData.HasAttestedCredentialData)
{
throw new VerificationException("Attestation flag not set on attestation data");
}
// 13
// Determine the attestation statement format by performing a US ASCII case-sensitive match on fmt against the set of supported WebAuthn Attestation Statement Format Identifier values. The up-to-date list of registered WebAuthn Attestation Statement Format Identifier values is maintained in the in the IANA registry of the same name [WebAuthn-Registries].
// https://www.w3.org/TR/webauthn/#defined-attestation-formats
AttestationFormat.AttestationFormat verifier;
switch (AttestationObject.Fmt)
{
// 14
// validate the attStmt
case "none":
// https://www.w3.org/TR/webauthn/#none-attestation
verifier = new None(AttestationObject.AttStmt, AttestationObject.AuthData, clientDataHash);
break;
case "tpm":
// https://www.w3.org/TR/webauthn/#tpm-attestation
verifier = new Tpm(AttestationObject.AttStmt, AttestationObject.AuthData, clientDataHash, config.RequireValidAttestationRoot);
break;
case "android-key":
// https://www.w3.org/TR/webauthn/#android-key-attestation
verifier = new AndroidKey(AttestationObject.AttStmt, AttestationObject.AuthData, clientDataHash);
break;
case "android-safetynet":
// https://www.w3.org/TR/webauthn/#android-safetynet-attestation
verifier = new AndroidSafetyNet(AttestationObject.AttStmt, AttestationObject.AuthData, clientDataHash, config.TimestampDriftTolerance);
break;
case "fido-u2f":
// https://www.w3.org/TR/webauthn/#fido-u2f-attestation
verifier = new FidoU2f(AttestationObject.AttStmt, AttestationObject.AuthData, clientDataHash, metadataService, config.RequireValidAttestationRoot);
break;
case "packed":
// https://www.w3.org/TR/webauthn/#packed-attestation
verifier = new Packed(AttestationObject.AttStmt, AttestationObject.AuthData, clientDataHash, metadataService, config.RequireValidAttestationRoot);
break;
default: throw new VerificationException("Missing or unknown attestation type");
}
verifier.Verify();
/*
* 15
* If validation is successful, obtain a list of acceptable trust anchors (attestation root certificates or ECDAA-Issuer public keys)
* for that attestation type and attestation statement format fmt, from a trusted source or from policy.
* For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information,
* using the aaguid in the attestedCredentialData in authData.
* */
/*
* 16
* Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows: https://www.w3.org/TR/webauthn/#registering-a-new-credential
* */
// use aaguid (authData.AttData.Aaguid) to find root certs in metadata
// use root plus trustPath to build trust chain
// implemented for AttestationObject.Fmt == "packed" in packed specific verifier
/*
* 17
* Check that the credentialId is not yet registered to any other user.
* If registration is requested for a credential that is already registered to a different user, the Relying Party SHOULD fail this registration ceremony, or it MAY decide to accept the registration, e.g. while deleting the older registration.
* */
if (false == isCredentialIdUniqueToUser(new IsCredentialIdUniqueToUserParams(authData.AttestedCredentialData.CredentialID, originalOptions.User)))
{
throw new VerificationException("CredentialId is not unique to this user");
}
/*
* 18
* If the attestation statement attStmt verified successfully and is found to be trustworthy, then register the new credential with the account that was denoted in the options.user passed to create(), by associating it with the credentialId and credentialPublicKey in the attestedCredentialData in authData, as appropriate for the Relying Party's system.
* */
// This is handled by code att call site and result object.
/*
* 19
* If the attestation statement attStmt successfully verified but is not trustworthy per step 16 above, the Relying Party SHOULD fail the registration ceremony.
* NOTE: However, if permitted by policy, the Relying Party MAY register the credential ID and credential public key but treat the credential as one with self attestation (see §6.3.3 Attestation Types). If doing so, the Relying Party is asserting there is no cryptographic proof that the public key credential has been generated by a particular authenticator model. See [FIDOSecRef] and [UAFProtocol] for a more detailed discussion.
* */
var result = new AttestationVerificationSuccess()
{
CredentialId = authData.AttestedCredentialData.CredentialID,
PublicKey = authData.AttestedCredentialData.CredentialPublicKey.GetBytes(),
User = originalOptions.User,
Counter = authData.SignCount,
CredType = AttestationObject.Fmt,
Aaguid = authData.AttestedCredentialData.AaGuid,
};
return(result);
}
public async Task <AttestationVerificationSuccess> VerifyAsync(CredentialCreateOptions originalOptions, Fido2Configuration config, IsCredentialIdUniqueToUserAsyncDelegate isCredentialIdUniqueToUser, IMetadataService metadataService, byte[] requestTokenBindingId)
{
// https://www.w3.org/TR/webauthn/#registering-a-new-credential
// 1. Let JSONtext be the result of running UTF-8 decode on the value of response.clientDataJSON.
// 2. Let C, the client data claimed as collected during the credential creation, be the result of running an implementation-specific JSON parser on JSONtext.
// Note: C may be any implementation-specific data structure representation, as long as C’s components are referenceable, as required by this algorithm.
// Above handled in base class constructor
// 3. Verify that the value of C.type is webauthn.create
if (Type != "webauthn.create")
{
throw new VerificationException("AttestationResponse is not type webauthn.create");
}
// 4. Verify that the value of C.challenge matches the challenge that was sent to the authenticator in the create() call.
// 5. Verify that the value of C.origin matches the Relying Party's origin.
// 6. Verify that the value of C.tokenBinding.status matches the state of Token Binding for the TLS connection over which the assertion was obtained.
// If Token Binding was used on that TLS connection, also verify that C.tokenBinding.id matches the base64url encoding of the Token Binding ID for the connection.
BaseVerify(config.Origin, originalOptions.Challenge, requestTokenBindingId);
if (Raw.Id == null || Raw.Id.Length == 0)
{
throw new VerificationException("AttestationResponse is missing Id");
}
if (Raw.Type != PublicKeyCredentialType.PublicKey)
{
throw new VerificationException("AttestationResponse is missing type with value 'public-key'");
}
var authData = new AuthenticatorData(AttestationObject.AuthData);
// 7. Compute the hash of response.clientDataJSON using SHA-256.
byte[] clientDataHash, rpIdHash;
using (var sha = CryptoUtils.GetHasher(HashAlgorithmName.SHA256))
{
clientDataHash = sha.ComputeHash(Raw.Response.ClientDataJson);
rpIdHash = sha.ComputeHash(Encoding.UTF8.GetBytes(originalOptions.Rp.Id));
}
// 8. Perform CBOR decoding on the attestationObject field of the AuthenticatorAttestationResponse structure to obtain the attestation statement format fmt, the authenticator data authData, and the attestation statement attStmt.
// Handled in AuthenticatorAttestationResponse::Parse()
// 9. Verify that the rpIdHash in authData is the SHA-256 hash of the RP ID expected by the Relying Party
if (false == authData.RpIdHash.SequenceEqual(rpIdHash))
{
throw new VerificationException("Hash mismatch RPID");
}
// 10. Verify that the User Present bit of the flags in authData is set.
if (false == authData.UserPresent)
{
throw new VerificationException("User Present flag not set in authenticator data");
}
// 11. If user verification is required for this registration, verify that the User Verified bit of the flags in authData is set.
// see authData.UserVerified
// TODO: Make this a configurable option and add check to require
// 12. Verify that the values of the client extension outputs in clientExtensionResults and the authenticator extension outputs in the extensions in authData are as expected,
// considering the client extension input values that were given as the extensions option in the create() call. In particular, any extension identifier values
// in the clientExtensionResults and the extensions in authData MUST be also be present as extension identifier values in the extensions member of options, i.e.,
// no extensions are present that were not requested. In the general case, the meaning of "are as expected" is specific to the Relying Party and which extensions are in use.
// TODO?: Implement sort of like this: ClientExtensions.Keys.Any(x => options.extensions.contains(x);
if (false == authData.HasAttestedCredentialData)
{
throw new VerificationException("Attestation flag not set on attestation data");
}
// 13. Determine the attestation statement format by performing a USASCII case-sensitive match on fmt against the set of supported WebAuthn Attestation Statement Format Identifier values.
// An up-to-date list of registered WebAuthn Attestation Statement Format Identifier values is maintained in the IANA registry of the same name
// https://www.w3.org/TR/webauthn/#defined-attestation-formats
AttestationVerifier verifier = default;
switch (AttestationObject.Fmt)
{
case "none":
verifier = new None(); // https://www.w3.org/TR/webauthn/#none-attestation
break;
case "tpm":
verifier = new Tpm(); // https://www.w3.org/TR/webauthn/#tpm-attestation
break;
case "android-key":
verifier = new AndroidKey(); // https://www.w3.org/TR/webauthn/#android-key-attestation
break;
case "android-safetynet":
verifier = new AndroidSafetyNet(metadataService.TimestampDriftTolerance); // https://www.w3.org/TR/webauthn/#android-safetynet-attestation
break;
case "fido-u2f":
verifier = new FidoU2f(); // https://www.w3.org/TR/webauthn/#fido-u2f-attestation
break;
case "packed":
verifier = new Packed(); // https://www.w3.org/TR/webauthn/#packed-attestation
break;
case "apple":
verifier = new Apple(); // https://www.w3.org/TR/webauthn/#apple-anonymous-attestation
break;
default:
throw new VerificationException("Missing or unknown attestation type");
}
;
// 14. Verify that attStmt is a correct attestation statement, conveying a valid attestation signature,
// by using the attestation statement format fmt’s verification procedure given attStmt, authData and the hash of the serialized client data computed in step 7
(var attType, var trustPath) = verifier.Verify(AttestationObject.AttStmt, AttestationObject.AuthData, clientDataHash);
// 15. If validation is successful, obtain a list of acceptable trust anchors (attestation root certificates or ECDAA-Issuer public keys) for that attestation type and attestation statement format fmt, from a trusted source or from policy.
// For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information, using the aaguid in the attestedCredentialData in authData.
var entry = metadataService?.GetEntry(authData.AttestedCredentialData.AaGuid);
// while conformance testing, we must reject any authenticator that we cannot get metadata for
if (metadataService?.ConformanceTesting() == true && null == entry && AttestationType.None != attType && "fido-u2f" != AttestationObject.Fmt)
{
throw new VerificationException("AAGUID not found in MDS test metadata");
}
if (null != trustPath)
{
// If the authenticator is listed as in the metadata as one that should produce a basic full attestation, build and verify the chain
if ((entry?.MetadataStatement?.AttestationTypes.Contains(MetadataAttestationType.ATTESTATION_BASIC_FULL.ToEnumMemberValue()) ?? false) ||
(entry?.MetadataStatement?.AttestationTypes.Contains(MetadataAttestationType.ATTESTATION_PRIVACY_CA.ToEnumMemberValue()) ?? false))
{
var attestationRootCertificates = entry.MetadataStatement.AttestationRootCertificates
.Select(x => new X509Certificate2(Convert.FromBase64String(x)))
.ToArray();
if (false == CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates))
{
throw new VerificationException("Invalid certificate chain");
}
}
// If the authenticator is not listed as one that should produce a basic full attestation, the certificate should be self signed
if ((!entry?.MetadataStatement?.AttestationTypes.Contains(MetadataAttestationType.ATTESTATION_BASIC_FULL.ToEnumMemberValue()) ?? false) &&
(!entry?.MetadataStatement?.AttestationTypes.Contains(MetadataAttestationType.ATTESTATION_PRIVACY_CA.ToEnumMemberValue()) ?? false) &&
(!entry?.MetadataStatement?.AttestationTypes.Contains(MetadataAttestationType.ATTESTATION_ANONCA.ToEnumMemberValue()) ?? false))
{
if (trustPath.FirstOrDefault().Subject != trustPath.FirstOrDefault().Issuer)
{
throw new VerificationException("Attestation with full attestation from authenticator that does not support full attestation");
}
}
}
// Check status resports for authenticator with undesirable status
foreach (var report in entry?.StatusReports ?? Enumerable.Empty <StatusReport>())
{
if (true == Enum.IsDefined(typeof(UndesiredAuthenticatorStatus), (UndesiredAuthenticatorStatus)report.Status))
{
throw new VerificationException("Authenticator found with undesirable status");
}
}
// 16. Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows:
// If self attestation was used, check if self attestation is acceptable under Relying Party policy.
// If ECDAA was used, verify that the identifier of the ECDAA-Issuer public key used is included in the set of acceptable trust anchors obtained in step 15.
// Otherwise, use the X.509 certificates returned by the verification procedure to verify that the attestation public key correctly chains up to an acceptable root certificate.
// 17. Check that the credentialId is not yet registered to any other user.
// If registration is requested for a credential that is already registered to a different user, the Relying Party SHOULD fail this registration ceremony, or it MAY decide to accept the registration, e.g. while deleting the older registration
if (false == await isCredentialIdUniqueToUser(new IsCredentialIdUniqueToUserParams(authData.AttestedCredentialData.CredentialID, originalOptions.User)))
{
throw new VerificationException("CredentialId is not unique to this user");
}
// 18. If the attestation statement attStmt verified successfully and is found to be trustworthy, then register the new credential with the account that was denoted in the options.user passed to create(),
// by associating it with the credentialId and credentialPublicKey in the attestedCredentialData in authData, as appropriate for the Relying Party's system.
var result = new AttestationVerificationSuccess()
{
CredentialId = authData.AttestedCredentialData.CredentialID,
PublicKey = authData.AttestedCredentialData.CredentialPublicKey.GetBytes(),
User = originalOptions.User,
Counter = authData.SignCount,
CredType = AttestationObject.Fmt,
Aaguid = authData.AttestedCredentialData.AaGuid,
};
return(result);
// 19. If the attestation statement attStmt successfully verified but is not trustworthy per step 16 above, the Relying Party SHOULD fail the registration ceremony.
// This implementation throws if the outputs are not trustworthy for a particular attestation type.
}
/// <summary>
/// WebAuthNAdapter constructor
/// </summary>
public WebAuthNAdapter(Fido2Configuration config, IMetadataService metadataService = null)
{
_config = config;
_crypto = RandomNumberGenerator.Create();
_metadataService = metadataService;
}
