Allow customised pubKeyCredParams (#579)

* Allow customised pubKeyCredParams

* format

Author: abergs

Demo/TestController.cs

@@ -74,10 +74,12 @@ public OkObjectResult MakeCredentialOptionsTest([FromBody] TEST_MakeCredentialPa
             ExcludeCredentials = existingKeys,
             AuthenticatorSelection = opts.AuthenticatorSelection,
             AttestationPreference = opts.Attestation,
-            Extensions = exts
-        });
-
-        // 4. Temporarily store options, session/in-memory cache/redis/db
+            Extensions = exts,
+            // Conformance tools requires RS1, but it's deprecated
+            PubKeyCredParams = [.. PubKeyCredParam.Defaults, PubKeyCredParam.RS1]
+        });
+
+        // 4. Temporarily store options, session/in-memory cache/redis/db
         HttpContext.Session.SetString("fido2.attestationOptions", options.ToJson());
 
         // 5. return options to client

Src/Fido2.Models/CredentialCreateOptions.cs

@@ -35,7 +35,7 @@ public sealed class CredentialCreateOptions
     /// This member contains information about the desired properties of the credential to be created. The sequence is ordered from most preferred to least preferred. The platform makes a best-effort to create the most preferred credential that it can.
     /// </summary>
     [JsonPropertyName("pubKeyCredParams")]
-    public List<PubKeyCredParam> PubKeyCredParams { get; set; }
+    public IReadOnlyList<PubKeyCredParam> PubKeyCredParams { get; set; }
 
     /// <summary>
     /// This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is treated as a hint, and MAY be overridden by the platform.
@@ -122,29 +122,17 @@ public static CredentialCreateOptions Create(
         AuthenticatorSelection authenticatorSelection,
         AttestationConveyancePreference attestationConveyancePreference,
         IReadOnlyList<PublicKeyCredentialDescriptor> excludeCredentials,
-        AuthenticationExtensionsClientInputs extensions)
+        AuthenticationExtensionsClientInputs extensions,
+        IReadOnlyList<PubKeyCredParam> pubKeyCredParams)
+
     {
         return new CredentialCreateOptions
         {
             Challenge = challenge,
             Rp = new PublicKeyCredentialRpEntity(config.ServerDomain, config.ServerName, config.ServerIcon),
             Timeout = config.Timeout,
             User = user,
-            PubKeyCredParams =
-            [
-                // Add additional as appropriate
-                PubKeyCredParam.Ed25519,
-                PubKeyCredParam.ES256,
-                PubKeyCredParam.RS256,
-                PubKeyCredParam.PS256,
-                PubKeyCredParam.ES384,
-                PubKeyCredParam.RS384,
-                PubKeyCredParam.PS384,
-                PubKeyCredParam.ES512,
-                PubKeyCredParam.RS512,
-                PubKeyCredParam.PS512,
-                PubKeyCredParam.RS1
-            ],
+            PubKeyCredParams = pubKeyCredParams,
             AuthenticatorSelection = authenticatorSelection,
             Attestation = attestationConveyancePreference,
             ExcludeCredentials = excludeCredentials,
@@ -195,7 +183,25 @@ public sealed class PubKeyCredParam(
     public static readonly PubKeyCredParam PS384 = new(COSE.Algorithm.PS384);
     public static readonly PubKeyCredParam PS512 = new(COSE.Algorithm.PS512);
     public static readonly PubKeyCredParam Ed25519 = new(COSE.Algorithm.EdDSA);
-    public static readonly PubKeyCredParam RS1 = new(COSE.Algorithm.RS1);
+    public static readonly PubKeyCredParam RS1 = new(COSE.Algorithm.RS1);
+
+    /// <summary>
+    /// The default algorithms supported by the library
+    /// </summary>
+    public static IReadOnlyList<PubKeyCredParam> Defaults =>
+    [
+        // Add additional as appropriate
+        Ed25519,
+        ES256,
+        RS256,
+        PS256,
+        ES384,
+        RS384,
+        PS384,
+        ES512,
+        RS512,
+        PS512
+    ];
 }
 
 /// <summary>

Src/Fido2/Fido2.cs

@@ -31,7 +31,7 @@ public Fido2(
     public CredentialCreateOptions RequestNewCredential(RequestNewCredentialParams requestNewCredentialParams)
     {
         var challenge = RandomNumberGenerator.GetBytes(_config.ChallengeSize);
-        return CredentialCreateOptions.Create(_config, challenge, requestNewCredentialParams.User, requestNewCredentialParams.AuthenticatorSelection, requestNewCredentialParams.AttestationPreference, requestNewCredentialParams.ExcludeCredentials, requestNewCredentialParams.Extensions);
+        return CredentialCreateOptions.Create(_config, challenge, requestNewCredentialParams.User, requestNewCredentialParams.AuthenticatorSelection, requestNewCredentialParams.AttestationPreference, requestNewCredentialParams.ExcludeCredentials, requestNewCredentialParams.Extensions, requestNewCredentialParams.PubKeyCredParams);
 
     }
 

Src/Fido2/RequestNewCredentialParams.cs

@@ -34,4 +34,9 @@ public sealed class RequestNewCredentialParams
     /// The Relying Party MAY use this OPTIONAL member to provide client extension inputs requesting additional processing by the client and authenticator. For example, the Relying Party may request that the client returns additional information about the credential that was created.
     /// </summary>
     public AuthenticationExtensionsClientInputs? Extensions { get; init; }
+
+    /// <summary>
+    /// For advanced use cases. This member lists the key types and signature algorithms the Relying Party supports, ordered from most preferred to least preferred. The client and authenticator make a best-effort to create a credential of the most preferred type possible. If none of the listed types can be created, the create() operation fails.
+    /// </summary>
+    public IReadOnlyList<PubKeyCredParam> PubKeyCredParams { get; init; } = PubKeyCredParam.Defaults;
 }

Tests/Fido2.Tests/Fido2Tests.cs

@@ -611,7 +611,6 @@ public async Task TestPackedAttestationAsync()
         var jsonPost = JsonSerializer.Deserialize<AuthenticatorAttestationRawResponse>(await File.ReadAllTextAsync("./attestationResultsPacked.json"));
         var options = JsonSerializer.Deserialize<CredentialCreateOptions>(await File.ReadAllTextAsync("./attestationOptionsPacked.json"));
         var o = AuthenticatorAttestationResponse.Parse(jsonPost);
-        options.PubKeyCredParams.Add(new PubKeyCredParam(COSE.Algorithm.RS1, PublicKeyCredentialType.PublicKey));
         await o.VerifyAsync(options, _config, (x, cancellationToken) => Task.FromResult(true), _metadataService, null, CancellationToken.None);
         var authData = o.AttestationObject.AuthData;
         var acdBytes = authData.AttestedCredentialData.ToByteArray();
@@ -644,7 +643,6 @@ public async Task TestTPMSHA1AttestationAsync()
         var jsonPost = JsonSerializer.Deserialize<AuthenticatorAttestationRawResponse>(await File.ReadAllTextAsync("./attestationTPMSHA1Response.json"));
         var options = JsonSerializer.Deserialize<CredentialCreateOptions>(await File.ReadAllTextAsync("./attestationTPMSHA1Options.json"));
         var o = AuthenticatorAttestationResponse.Parse(jsonPost);
-        options.PubKeyCredParams.Add(new PubKeyCredParam(COSE.Algorithm.RS1, PublicKeyCredentialType.PublicKey));
         await o.VerifyAsync(options, _config, (x, cancellationToken) => Task.FromResult(true), _metadataService, null, CancellationToken.None);
     }
 

Tests/Fido2.Tests/TestFiles/attestationOptionsPacked.json

@@ -15,6 +15,10 @@
     {
       "type": "public-key",
       "alg": -7
+    },
+    {
+      "type": "public-key",
+      "alg": -65535
     }
   ],
   "timeout": 0

Tests/Fido2.Tests/TestFiles/attestationTPMSHA1Options.json

@@ -19,7 +19,11 @@
     {
       "type": "public-key",
       "alg": -257
-    }
+    },
+    {
+      "type": "public-key",
+      "alg": -65535
+    }    
   ],
   "timeout": 60000,
   "attestation": "direct",