public async Task <AttestationVerificationSuccess> VerifyAsync(CredentialCreateOptions originalOptions, Fido2Configuration config, IsCredentialIdUniqueToUserAsyncDelegate isCredentialIdUniqueToUser, IMetadataService metadataService, byte[] requestTokenBindingId)
{
// https://www.w3.org/TR/webauthn/#registering-a-new-credential
// 1. Let JSONtext be the result of running UTF-8 decode on the value of response.clientDataJSON.
// 2. Let C, the client data claimed as collected during the credential creation, be the result of running an implementation-specific JSON parser on JSONtext.
// Note: C may be any implementation-specific data structure representation, as long as C’s components are referenceable, as required by this algorithm.
// Above handled in base class constructor
// 3. Verify that the value of C.type is webauthn.create
if (Type != "webauthn.create")
{
throw new VerificationException("AttestationResponse is not type webauthn.create");
}
// 4. Verify that the value of C.challenge matches the challenge that was sent to the authenticator in the create() call.
// 5. Verify that the value of C.origin matches the Relying Party's origin.
// 6. Verify that the value of C.tokenBinding.status matches the state of Token Binding for the TLS connection over which the assertion was obtained.
// If Token Binding was used on that TLS connection, also verify that C.tokenBinding.id matches the base64url encoding of the Token Binding ID for the connection.
BaseVerify(config.Origin, originalOptions.Challenge, requestTokenBindingId);
if (Raw.Id == null || Raw.Id.Length == 0)
{
throw new VerificationException("AttestationResponse is missing Id");
}
if (Raw.Type != PublicKeyCredentialType.PublicKey)
{
throw new VerificationException("AttestationResponse is missing type with value 'public-key'");
}
var authData = new AuthenticatorData(AttestationObject.AuthData);
// 7. Compute the hash of response.clientDataJSON using SHA-256.
byte[] clientDataHash, rpIdHash;
using (var sha = CryptoUtils.GetHasher(HashAlgorithmName.SHA256))
{
clientDataHash = sha.ComputeHash(Raw.Response.ClientDataJson);
rpIdHash = sha.ComputeHash(Encoding.UTF8.GetBytes(originalOptions.Rp.Id));
}
// 8. Perform CBOR decoding on the attestationObject field of the AuthenticatorAttestationResponse structure to obtain the attestation statement format fmt, the authenticator data authData, and the attestation statement attStmt.
// Handled in AuthenticatorAttestationResponse::Parse()
// 9. Verify that the rpIdHash in authData is the SHA-256 hash of the RP ID expected by the Relying Party
if (false == authData.RpIdHash.SequenceEqual(rpIdHash))
{
throw new VerificationException("Hash mismatch RPID");
}
// 10. Verify that the User Present bit of the flags in authData is set.
if (false == authData.UserPresent)
{
throw new VerificationException("User Present flag not set in authenticator data");
}
// 11. If user verification is required for this registration, verify that the User Verified bit of the flags in authData is set.
// see authData.UserVerified
// TODO: Make this a configurable option and add check to require
// 12. Verify that the values of the client extension outputs in clientExtensionResults and the authenticator extension outputs in the extensions in authData are as expected,
// considering the client extension input values that were given as the extensions option in the create() call. In particular, any extension identifier values
// in the clientExtensionResults and the extensions in authData MUST be also be present as extension identifier values in the extensions member of options, i.e.,
// no extensions are present that were not requested. In the general case, the meaning of "are as expected" is specific to the Relying Party and which extensions are in use.
// TODO?: Implement sort of like this: ClientExtensions.Keys.Any(x => options.extensions.contains(x);
if (false == authData.HasAttestedCredentialData)
{
throw new VerificationException("Attestation flag not set on attestation data");
}
// 13. Determine the attestation statement format by performing a USASCII case-sensitive match on fmt against the set of supported WebAuthn Attestation Statement Format Identifier values.
// An up-to-date list of registered WebAuthn Attestation Statement Format Identifier values is maintained in the IANA registry of the same name
// https://www.w3.org/TR/webauthn/#defined-attestation-formats
AttestationVerifier verifier = default;
switch (AttestationObject.Fmt)
{
case "none":
verifier = new None(); // https://www.w3.org/TR/webauthn/#none-attestation
break;
case "tpm":
verifier = new Tpm(); // https://www.w3.org/TR/webauthn/#tpm-attestation
break;
case "android-key":
verifier = new AndroidKey(); // https://www.w3.org/TR/webauthn/#android-key-attestation
break;
case "android-safetynet":
verifier = new AndroidSafetyNet(metadataService.TimestampDriftTolerance); // https://www.w3.org/TR/webauthn/#android-safetynet-attestation
break;
case "fido-u2f":
verifier = new FidoU2f(); // https://www.w3.org/TR/webauthn/#fido-u2f-attestation
break;
case "packed":
verifier = new Packed(); // https://www.w3.org/TR/webauthn/#packed-attestation
break;
case "apple":
verifier = new Apple(); // https://www.w3.org/TR/webauthn/#apple-anonymous-attestation
break;
default:
throw new VerificationException("Missing or unknown attestation type");
}
;
// 14. Verify that attStmt is a correct attestation statement, conveying a valid attestation signature,
// by using the attestation statement format fmt’s verification procedure given attStmt, authData and the hash of the serialized client data computed in step 7
(var attType, var trustPath) = verifier.Verify(AttestationObject.AttStmt, AttestationObject.AuthData, clientDataHash);
// 15. If validation is successful, obtain a list of acceptable trust anchors (attestation root certificates or ECDAA-Issuer public keys) for that attestation type and attestation statement format fmt, from a trusted source or from policy.
// For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information, using the aaguid in the attestedCredentialData in authData.
var entry = metadataService?.GetEntry(authData.AttestedCredentialData.AaGuid);
// while conformance testing, we must reject any authenticator that we cannot get metadata for
if (metadataService?.ConformanceTesting() == true && null == entry && AttestationType.None != attType && "fido-u2f" != AttestationObject.Fmt)
{
throw new VerificationException("AAGUID not found in MDS test metadata");
}
if (null != trustPath)
{
// If the authenticator is listed as in the metadata as one that should produce a basic full attestation, build and verify the chain
if ((entry?.MetadataStatement?.AttestationTypes.Contains(MetadataAttestationType.ATTESTATION_BASIC_FULL.ToEnumMemberValue()) ?? false) ||
(entry?.MetadataStatement?.AttestationTypes.Contains(MetadataAttestationType.ATTESTATION_PRIVACY_CA.ToEnumMemberValue()) ?? false))
{
var attestationRootCertificates = entry.MetadataStatement.AttestationRootCertificates
.Select(x => new X509Certificate2(Convert.FromBase64String(x)))
.ToArray();
if (false == CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates))
{
throw new VerificationException("Invalid certificate chain");
}
}
// If the authenticator is not listed as one that should produce a basic full attestation, the certificate should be self signed
if ((!entry?.MetadataStatement?.AttestationTypes.Contains(MetadataAttestationType.ATTESTATION_BASIC_FULL.ToEnumMemberValue()) ?? false) &&
(!entry?.MetadataStatement?.AttestationTypes.Contains(MetadataAttestationType.ATTESTATION_PRIVACY_CA.ToEnumMemberValue()) ?? false) &&
(!entry?.MetadataStatement?.AttestationTypes.Contains(MetadataAttestationType.ATTESTATION_ANONCA.ToEnumMemberValue()) ?? false))
{
if (trustPath.FirstOrDefault().Subject != trustPath.FirstOrDefault().Issuer)
{
throw new VerificationException("Attestation with full attestation from authenticator that does not support full attestation");
}
}
}
// Check status resports for authenticator with undesirable status
foreach (var report in entry?.StatusReports ?? Enumerable.Empty <StatusReport>())
{
if (true == Enum.IsDefined(typeof(UndesiredAuthenticatorStatus), (UndesiredAuthenticatorStatus)report.Status))
{
throw new VerificationException("Authenticator found with undesirable status");
}
}
// 16. Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows:
// If self attestation was used, check if self attestation is acceptable under Relying Party policy.
// If ECDAA was used, verify that the identifier of the ECDAA-Issuer public key used is included in the set of acceptable trust anchors obtained in step 15.
// Otherwise, use the X.509 certificates returned by the verification procedure to verify that the attestation public key correctly chains up to an acceptable root certificate.
// 17. Check that the credentialId is not yet registered to any other user.
// If registration is requested for a credential that is already registered to a different user, the Relying Party SHOULD fail this registration ceremony, or it MAY decide to accept the registration, e.g. while deleting the older registration
if (false == await isCredentialIdUniqueToUser(new IsCredentialIdUniqueToUserParams(authData.AttestedCredentialData.CredentialID, originalOptions.User)))
{
throw new VerificationException("CredentialId is not unique to this user");
}
// 18. If the attestation statement attStmt verified successfully and is found to be trustworthy, then register the new credential with the account that was denoted in the options.user passed to create(),
// by associating it with the credentialId and credentialPublicKey in the attestedCredentialData in authData, as appropriate for the Relying Party's system.
var result = new AttestationVerificationSuccess()
{
CredentialId = authData.AttestedCredentialData.CredentialID,
PublicKey = authData.AttestedCredentialData.CredentialPublicKey.GetBytes(),
User = originalOptions.User,
Counter = authData.SignCount,
CredType = AttestationObject.Fmt,
Aaguid = authData.AttestedCredentialData.AaGuid,
};
return(result);
// 19. If the attestation statement attStmt successfully verified but is not trustworthy per step 16 above, the Relying Party SHOULD fail the registration ceremony.
// This implementation throws if the outputs are not trustworthy for a particular attestation type.
}
public override void Verify()
{
// Verify that attStmt is valid CBOR conforming to the syntax defined above and
// perform CBOR decoding on it to extract the contained fields.
if (0 == attStmt.Keys.Count || 0 == attStmt.Values.Count)
{
throw new Fido2VerificationException("Attestation format packed must have attestation statement");
}
if (null == Sig || CBORType.ByteString != Sig.Type || 0 == Sig.GetByteString().Length)
{
throw new Fido2VerificationException("Invalid packed attestation signature");
}
if (null == Alg || true != Alg.IsNumber)
{
throw new Fido2VerificationException("Invalid packed attestation algorithm");
}
// If x5c is present, this indicates that the attestation type is not ECDAA
if (null != X5c)
{
if (CBORType.Array != X5c.Type || 0 == X5c.Count || null != EcdaaKeyId)
{
throw new Fido2VerificationException("Malformed x5c array in packed attestation statement");
}
var enumerator = X5c.Values.GetEnumerator();
while (enumerator.MoveNext())
{
if (null == enumerator || null == enumerator.Current ||
CBORType.ByteString != enumerator.Current.Type ||
0 == enumerator.Current.GetByteString().Length)
{
throw new Fido2VerificationException("Malformed x5c cert found in packed attestation statement");
}
var x5ccert = new X509Certificate2(enumerator.Current.GetByteString());
if (DateTime.UtcNow < x5ccert.NotBefore || DateTime.UtcNow > x5ccert.NotAfter)
{
throw new Fido2VerificationException("Packed signing certificate expired or not yet valid");
}
}
// The attestation certificate attestnCert MUST be the first element in the array.
var attestnCert = new X509Certificate2(X5c.Values.First().GetByteString());
// 2a. Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash
// using the attestation public key in attestnCert with the algorithm specified in alg
var packedPubKey = attestnCert.GetECDsaPublicKey(); // attestation public key
if (false == CryptoUtils.algMap.ContainsKey(Alg.AsInt32()))
{
throw new Fido2VerificationException("Invalid attestation algorithm");
}
var cpk = new CredentialPublicKey(attestnCert, Alg.AsInt32());
if (true != cpk.Verify(Data, Sig.GetByteString()))
{
throw new Fido2VerificationException("Invalid full packed signature");
}
// Verify that attestnCert meets the requirements in https://www.w3.org/TR/webauthn/#packed-attestation-cert-requirements
// 2b. Version MUST be set to 3
if (3 != attestnCert.Version)
{
throw new Fido2VerificationException("Packed x5c attestation certificate not V3");
}
// Subject field MUST contain C, O, OU, CN
// OU must match "Authenticator Attestation"
if (true != IsValidPackedAttnCertSubject(attestnCert.Subject))
{
throw new Fido2VerificationException("Invalid attestation cert subject");
}
// 2c. If the related attestation root certificate is used for multiple authenticator models,
// the Extension OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid) MUST be present, containing the AAGUID as a 16-byte OCTET STRING
// verify that the value of this extension matches the aaguid in authenticatorData
var aaguid = AaguidFromAttnCertExts(attestnCert.Extensions);
if (aaguid != null)
{
if (0 != AttestedCredentialData.FromBigEndian(aaguid).CompareTo(AuthData.AttestedCredentialData.AaGuid))
{
throw new Fido2VerificationException("aaguid present in packed attestation cert exts but does not match aaguid from authData");
}
}
// 2d. The Basic Constraints extension MUST have the CA component set to false
if (IsAttnCertCACert(attestnCert.Extensions))
{
throw new Fido2VerificationException("Attestion certificate has CA cert flag present");
}
// id-fido-u2f-ce-transports
var u2ftransports = U2FTransportsFromAttnCert(attestnCert.Extensions);
var trustPath = X5c.Values
.Select(x => new X509Certificate2(x.GetByteString()))
.ToArray();
var entry = _metadataService?.GetEntry(AuthData.AttestedCredentialData.AaGuid);
// while conformance testing, we must reject any authenticator that we cannot get metadata for
if (_metadataService?.ConformanceTesting() == true && null == entry)
{
throw new Fido2VerificationException("AAGUID not found in MDS test metadata");
}
// If the authenticator is listed as in the metadata as one that should produce a basic full attestation, build and verify the chain
if (entry?.MetadataStatement?.AttestationTypes.Contains((ushort)MetadataAttestationType.ATTESTATION_BASIC_FULL) ?? false)
{
var root = new X509Certificate2(Convert.FromBase64String(entry.MetadataStatement.AttestationRootCertificates.FirstOrDefault()));
var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.Add(root);
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
if (trustPath.Length > 1)
{
foreach (var cert in trustPath.Skip(1).Reverse())
{
chain.ChainPolicy.ExtraStore.Add(cert);
}
}
var valid = chain.Build(trustPath[0]);
if (_requireValidAttestationRoot)
{
// because we are using AllowUnknownCertificateAuthority we have to verify that the root matches ourselves
var chainRoot = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
valid = valid && chainRoot.RawData.SequenceEqual(root.RawData);
}
if (false == valid)
{
throw new Fido2VerificationException("Invalid certificate chain in packed attestation");
}
}
// If the authenticator is not listed as one that should produce a basic full attestation, the certificate should be self signed
if (!entry?.MetadataStatement?.AttestationTypes.Contains((ushort)MetadataAttestationType.ATTESTATION_BASIC_FULL) ?? false)
{
if (trustPath.FirstOrDefault().Subject != trustPath.FirstOrDefault().Issuer)
{
throw new Fido2VerificationException("Attestation with full attestation from authenticator that does not support full attestation");
}
}
// Check status resports for authenticator with undesirable status
foreach (var report in entry?.StatusReports ?? Enumerable.Empty <StatusReport>())
{
if (true == Enum.IsDefined(typeof(UndesiredAuthenticatorStatus), (UndesiredAuthenticatorStatus)report.Status))
{
throw new Fido2VerificationException("Authenticator found with undesirable status");
}
}
}
// If ecdaaKeyId is present, then the attestation type is ECDAA
else if (null != EcdaaKeyId)
{
// Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash
// using ECDAA-Verify with ECDAA-Issuer public key identified by ecdaaKeyId
// https://www.w3.org/TR/webauthn/#biblio-fidoecdaaalgorithm
throw new Fido2VerificationException("ECDAA is not yet implemented");
// If successful, return attestation type ECDAA and attestation trust path ecdaaKeyId.
//attnType = AttestationType.ECDAA;
//trustPath = ecdaaKeyId;
}
// If neither x5c nor ecdaaKeyId is present, self attestation is in use
else
{
// Validate that alg matches the algorithm of the credentialPublicKey in authenticatorData
if (false == AuthData.AttestedCredentialData.CredentialPublicKey.IsSameAlg((COSE.Algorithm)Alg.AsInt32()))
{
throw new Fido2VerificationException("Algorithm mismatch between credential public key and authenticator data in self attestation statement");
}
// Verify that sig is a valid signature over the concatenation of authenticatorData and
// clientDataHash using the credential public key with alg
if (true != AuthData.AttestedCredentialData.CredentialPublicKey.Verify(Data, Sig.GetByteString()))
{
throw new Fido2VerificationException("Failed to validate signature");
}
}
}
public override void Verify()
{
// 1. Verify that attStmt is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the contained fields.
// (handled in base class)
if (null == Sig || CBORType.ByteString != Sig.Type || 0 == Sig.GetByteString().Length)
{
throw new VerificationException("Invalid TPM attestation signature");
}
if ("2.0" != attStmt["ver"].AsString())
{
throw new VerificationException("FIDO2 only supports TPM 2.0");
}
// Verify that the public key specified by the parameters and unique fields of pubArea
// is identical to the credentialPublicKey in the attestedCredentialData in authenticatorData
PubArea pubArea = null;
if (null != attStmt["pubArea"] &&
CBORType.ByteString == attStmt["pubArea"].Type &&
0 != attStmt["pubArea"].GetByteString().Length)
{
pubArea = new PubArea(attStmt["pubArea"].GetByteString());
}
if (null == pubArea || null == pubArea.Unique || 0 == pubArea.Unique.Length)
{
throw new VerificationException("Missing or malformed pubArea");
}
var coseKty = CredentialPublicKey[CBORObject.FromObject(COSE.KeyCommonParameter.KeyType)].AsInt32();
if (3 == coseKty) // RSA
{
var coseMod = CredentialPublicKey[CBORObject.FromObject(COSE.KeyTypeParameter.N)].GetByteString(); // modulus
var coseExp = CredentialPublicKey[CBORObject.FromObject(COSE.KeyTypeParameter.E)].GetByteString(); // exponent
if (!coseMod.ToArray().SequenceEqual(pubArea.Unique.ToArray()))
{
throw new VerificationException("Public key mismatch between pubArea and credentialPublicKey");
}
if ((coseExp[0] + (coseExp[1] << 8) + (coseExp[2] << 16)) != pubArea.Exponent)
{
throw new VerificationException("Public key exponent mismatch between pubArea and credentialPublicKey");
}
}
else if (2 == coseKty) // ECC
{
var curve = CredentialPublicKey[CBORObject.FromObject(COSE.KeyTypeParameter.Crv)].AsInt32();
var X = CredentialPublicKey[CBORObject.FromObject(COSE.KeyTypeParameter.X)].GetByteString();
var Y = CredentialPublicKey[CBORObject.FromObject(COSE.KeyTypeParameter.Y)].GetByteString();
if (pubArea.EccCurve != CoseCurveToTpm[curve])
{
throw new VerificationException("Curve mismatch between pubArea and credentialPublicKey");
}
if (!pubArea.ECPoint.X.SequenceEqual(X))
{
throw new VerificationException("X-coordinate mismatch between pubArea and credentialPublicKey");
}
if (!pubArea.ECPoint.Y.SequenceEqual(Y))
{
throw new VerificationException("Y-coordinate mismatch between pubArea and credentialPublicKey");
}
}
// Concatenate authenticatorData and clientDataHash to form attToBeSigned.
// see data variable
// Validate that certInfo is valid
CertInfo certInfo = null;
if (null != attStmt["certInfo"] &&
CBORType.ByteString == attStmt["certInfo"].Type &&
0 != attStmt["certInfo"].GetByteString().Length)
{
certInfo = new CertInfo(attStmt["certInfo"].GetByteString());
}
if (null == certInfo)
{
throw new VerificationException("CertInfo invalid parsing TPM format attStmt");
}
// 4a. Verify that magic is set to TPM_GENERATED_VALUE
// Handled in CertInfo constructor, see CertInfo.Magic
// 4b. Verify that type is set to TPM_ST_ATTEST_CERTIFY
// Handled in CertInfo constructor, see CertInfo.Type
// 4c. Verify that extraData is set to the hash of attToBeSigned using the hash algorithm employed in "alg"
if (null == Alg || true != Alg.IsNumber)
{
throw new VerificationException("Invalid TPM attestation algorithm");
}
using (var hasher = CryptoUtils.GetHasher(CryptoUtils.HashAlgFromCOSEAlg(Alg.AsInt32())))
{
if (!hasher.ComputeHash(Data).SequenceEqual(certInfo.ExtraData))
{
throw new VerificationException("Hash value mismatch extraData and attToBeSigned");
}
}
// 4d. Verify that attested contains a TPMS_CERTIFY_INFO structure, whose name field contains a valid Name for pubArea, as computed using the algorithm in the nameAlg field of pubArea
using (var hasher = CryptoUtils.GetHasher(CryptoUtils.HashAlgFromCOSEAlg(certInfo.Alg)))
{
if (false == hasher.ComputeHash(pubArea.Raw).SequenceEqual(certInfo.AttestedName))
{
throw new VerificationException("Hash value mismatch attested and pubArea");
}
}
// 4e. Note that the remaining fields in the "Standard Attestation Structure" [TPMv2-Part1] section 31.2, i.e., qualifiedSigner, clockInfo and firmwareVersion are ignored. These fields MAY be used as an input to risk engines.
// 5. If x5c is present, this indicates that the attestation type is not ECDAA
if (null != X5c && CBORType.Array == X5c.Type && 0 != X5c.Count)
{
if (null == X5c.Values || 0 == X5c.Values.Count ||
CBORType.ByteString != X5c.Values.First().Type ||
0 == X5c.Values.First().GetByteString().Length)
{
throw new VerificationException("Malformed x5c in TPM attestation");
}
// 5a. Verify the sig is a valid signature over certInfo using the attestation public key in aikCert with the algorithm specified in alg.
var aikCert = new X509Certificate2(X5c.Values.First().GetByteString());
var cpk = new CredentialPublicKey(aikCert, Alg.AsInt32());
if (true != cpk.Verify(certInfo.Raw, Sig.GetByteString()))
{
throw new VerificationException("Bad signature in TPM with aikCert");
}
// 5b. Verify that aikCert meets the TPM attestation statement certificate requirements
// https://www.w3.org/TR/webauthn/#tpm-cert-requirements
// 5bi. Version MUST be set to 3
if (3 != aikCert.Version)
{
throw new VerificationException("aikCert must be V3");
}
// 5bii. Subject field MUST be set to empty - they actually mean subject name
if (0 != aikCert.SubjectName.Name.Length)
{
throw new VerificationException("aikCert subject must be empty");
}
// 5biii. The Subject Alternative Name extension MUST be set as defined in [TPMv2-EK-Profile] section 3.2.9.
// https://www.w3.org/TR/webauthn/#tpm-cert-requirements
(string tpmManufacturer, string tpmModel, string tpmVersion) = SANFromAttnCertExts(aikCert.Extensions);
// From https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
// "The issuer MUST include TPM manufacturer, TPM part number and TPM firmware version, using the directoryName
// form within the GeneralName structure. The ASN.1 encoding is specified in section 3.1.2 TPM Device
// Attributes. In accordance with RFC 5280[11], this extension MUST be critical if subject is empty
// and SHOULD be non-critical if subject is non-empty"
// Best I can figure to do for now ? // id:49465800 'IFX' Infinion Model and Version are empty
if (string.Empty == tpmManufacturer || string.Empty == tpmModel || string.Empty == tpmVersion)
{
throw new VerificationException("SAN missing TPMManufacturer, TPMModel, or TPMVersion from TPM attestation certificate");
}
if (false == TPMManufacturers.Contains(tpmManufacturer))
{
throw new VerificationException("Invalid TPM manufacturer found parsing TPM attestation");
}
// 5biiii. The Extended Key Usage extension MUST contain the "joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)" OID.
// OID is 2.23.133.8.3
var EKU = EKUFromAttnCertExts(aikCert.Extensions, "2.23.133.8.3");
if (!EKU)
{
throw new VerificationException("aikCert EKU missing tcg-kp-AIKCertificate OID");
}
// 5biiiii. The Basic Constraints extension MUST have the CA component set to false.
if (IsAttnCertCACert(aikCert.Extensions))
{
throw new VerificationException("aikCert Basic Constraints extension CA component must be false");
}
// 5biiiiii. An Authority Information Access (AIA) extension with entry id-ad-ocsp and a CRL Distribution Point extension [RFC5280]
// are both OPTIONAL as the status of many attestation certificates is available through metadata services. See, for example, the FIDO Metadata Service [FIDOMetadataService].
var trustPath = X5c.Values
.Select(x => new X509Certificate2(x.GetByteString()))
.ToArray();
var entry = _metadataService?.GetEntry(AuthData.AttestedCredentialData.AaGuid);
// while conformance testing, we must reject any authenticator that we cannot get metadata for
if (_metadataService?.ConformanceTesting() == true && null == entry)
{
throw new VerificationException("AAGUID not found in MDS test metadata");
}
if (_requireValidAttestationRoot)
{
// If the authenticator is listed as in the metadata as one that should produce a basic full attestation, build and verify the chain
if ((entry?.MetadataStatement?.AttestationTypes.Contains((ushort)MetadataAttestationType.ATTESTATION_BASIC_FULL) ?? false) ||
(entry?.MetadataStatement?.AttestationTypes.Contains((ushort)MetadataAttestationType.ATTESTATION_ATTCA) ?? false) ||
(entry?.MetadataStatement?.AttestationTypes.Contains((ushort)MetadataAttestationType.ATTESTATION_HELLO) ?? false))
{
var attestationRootCertificates = entry.MetadataStatement.AttestationRootCertificates
.Select(x => new X509Certificate2(Convert.FromBase64String(x)))
.ToArray();
if (false == ValidateTrustChain(trustPath, attestationRootCertificates))
{
throw new VerificationException("TPM attestation failed chain validation");
}
}
}
// 5c. If aikCert contains an extension with OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid) verify that the value of this extension matches the aaguid in authenticatorData
var aaguid = AaguidFromAttnCertExts(aikCert.Extensions);
if ((null != aaguid) &&
(!aaguid.SequenceEqual(Guid.Empty.ToByteArray())) &&
(0 != AttestedCredentialData.FromBigEndian(aaguid).CompareTo(AuthData.AttestedCredentialData.AaGuid)))
{
throw new VerificationException(string.Format("aaguid malformed, expected {0}, got {1}", AuthData.AttestedCredentialData.AaGuid, new Guid(aaguid)));
}
}
// If ecdaaKeyId is present, then the attestation type is ECDAA
else if (null != EcdaaKeyId)
{
// Perform ECDAA-Verify on sig to verify that it is a valid signature over certInfo
// https://www.w3.org/TR/webauthn/#biblio-fidoecdaaalgorithm
throw new VerificationException("ECDAA support for TPM attestation is not yet implemented");
// If successful, return attestation type ECDAA and the identifier of the ECDAA-Issuer public key ecdaaKeyId.
//attnType = AttestationType.ECDAA;
//trustPath = ecdaaKeyId;
}
else
{
throw new VerificationException("Neither x5c nor ECDAA were found in the TPM attestation statement");
}
}