From 5ef9b21c8e9f8a817e524ac93290d08a9f065b33 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Semmler?= <13363655+jirkasemmler@users.noreply.github.com>
Date: Fri, 18 Feb 2022 08:13:44 +0100
Subject: [PATCH] U2F support (#208)

* Create COSE from u2f public key
* add u2f key class
* rpId hash assert
---
 ...uthenticatorAssertionResponseValidator.php | 10 +++-
 src/U2FPublicKey.php | 46 +++++++++++++++++++
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 src/U2FPublicKey.php

diff --git a/src/AuthenticatorAssertionResponseValidator.php b/src/AuthenticatorAssertionResponseValidator.php
index 6b0f0f9..7550243 100644
--- a/src/AuthenticatorAssertionResponseValidator.php
+++ b/src/AuthenticatorAssertionResponseValidator.php
@@ -62,10 +62,12 @@ class AuthenticatorAssertionResponseValidator
  * @var Manager|null
  */
  private $algorithmManager;
+
  /**
  * @var CounterChecker
  */
  private $counterChecker;
+
  /**
  * @var LoggerInterface|null
  */
@@ -127,6 +129,10 @@ public function check(string $credentialId, AuthenticatorAssertionResponse $auth
  }
 
  $credentialPublicKey = $attestedCredentialData->getCredentialPublicKey();
+ $isU2F = U2FPublicKey::isU2FKey($credentialPublicKey);
+ if ($isU2F) {
+ $credentialPublicKey = U2FPublicKey::createCOSEKey($credentialPublicKey);
+ }
  Assertion::notNull($credentialPublicKey, 'No public key available.');
  $stream = new StringStream($credentialPublicKey);
  $credentialPublicKeyStream = $this->decoder->decode($stream);
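Review bot: `U2FPublicKey::isU2FKey($credentialPublicKey)` now runs before `Assertion::notNull($credentialPublicKey, 'No public key available.')`, so a stored credential with no public key reaches isU2FKey with null instead of failing with the intended assertion message; depending on isU2FKey's parameter type (not visible in this extract) that becomes a TypeError or a silent false followed by the same null reaching createCOSEKey's substr calls. Move the assertion up so it directly follows the `getCredentialPublicKey()` call and only then run the U2F branch. A why-comment on the branch would also help a reader who does not know the legacy format: `// Legacy U2F registrations store the raw uncompressed EC point rather than a COSE key; wrap it so the CBOR decoder below accepts it`. check() starts and ends outside this hunk.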
@@ -165,8 +171,10 @@ public function check(string $credentialId, AuthenticatorAssertionResponse $auth
  $this->tokenBindingHandler->check($C->getTokenBinding(), $request);
  }
 
+ $expectedRpIdHash = $isU2F ? $C->getOrigin() : $facetId;
+ // u2f response has full origin in rpIdHash
  /** @see 7.2.11 */
- $rpIdHash = hash('sha256', $facetId, true);
+ $rpIdHash = hash('sha256', $expectedRpIdHash, true);
  Assertion::true(hash_equals($rpIdHash, $authenticatorAssertionResponse->getAuthenticatorData()->getRpIdHash()), 'rpId hash mismatch.');
 
  /** @see 7.2.12 */
diff --git a/src/U2FPublicKey.php b/src/U2FPublicKey.php
new file mode 100644
index 0000000..2bba514
--- /dev/null
+++ b/src/U2FPublicKey.php
@@ -0,0 +1,46 @@
+ MapItem::create(
+ new UnsignedIntegerObject(1, null),
+ new UnsignedIntegerObject(2, null)
+ ),
+ 3 => MapItem::create(
+ new UnsignedIntegerObject(3, null),
+ new NegativeIntegerObject(6, null)
+ ),
+ -1 => MapItem::create(
+ new NegativeIntegerObject(0, null),
+ new UnsignedIntegerObject(1, null)
+ ),
+ -2 => MapItem::create(
+ new NegativeIntegerObject(1, null),
+ new ByteStringObject(substr($publicKey, 1, 32))
+ ),
+ -3 => MapItem::create(
+ new NegativeIntegerObject(2, null),
+ new ByteStringObject(substr($publicKey, 33))
+ ),
+ ]);
+
+ return $mapObject->__toString();
+ }
+}
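Review bot: For U2F credentials the expected rpIdHash is now derived from `$C->getOrigin()`, a value the client supplies in clientDataJSON, so the assertion on the next lines only confirms that two client-supplied fields agree rather than binding the authenticator data to a server-side expectation as it does for `$facetId`. That is acceptable only if the origin has already been compared against the server's configured origin earlier in check() (the step 7.2.9 origin check is not in this hunk, so I cannot confirm it here); otherwise prefer to compute the expected AppID from server-side configuration (the configured origin, or the request's appid extension) and pass that into the hash instead of the response's origin. At minimum replace the bare comment with one stating the dependency: `// Legacy U2F keys sign SHA-256(AppID), which is the full origin rather than the RP ID; using the response origin is safe only because it is validated against the allowed origins above`. Note also that this assumes the legacy registration used the bare origin as its AppID; credentials registered with an explicit AppID facet will fail this check. check() starts and ends outside the hunk.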
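Review bot: createCOSEKey slices the coordinates with `substr($publicKey, 1, 32)` and `substr($publicKey, 33)` without checking that the input is the 65-byte uncompressed point (0x04 || X || Y) those offsets assume; isU2FKey is not visible in this extract, so if it only inspects the leading byte, a short or over-long stored key yields truncated or oversized coordinates and an opaque failure later in signature verification rather than a clear error. Add a length check at the top of createCOSEKey, e.g. `Assertion::length($publicKey, 65, 'Invalid U2F public key length.');` or the equivalent guard if Assertion is not imported there, and bound the y slice with `substr($publicKey, 33, 32)` so trailing bytes cannot end up in the coordinate. A method docblock stating the contract would help too: `Converts a raw U2F public key (0x04 || X(32) || Y(32) on P-256) into a CBOR-encoded COSE EC2 key (kty=2, alg=ES256, crv=P-256).` The class header, isU2FKey and the start of createCOSEKey are not in this extract.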