web-auth / webauthn-framework

FIDO-U2F / FIDO2 / Webauthn Framework

License: MIT License

PHP 91.14% Twig 7.49% Makefile 0.13% JavaScript 0.52% TypeScript 0.71%
fido-u2f fido2 fido webauthn symfony symfony-bundle u2f u2f-protocol webauthn-support safetynet

webauthn-framework's Introduction

Webauthn Framework


Webauthn defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.

This framework contains PHP libraries and a Symfony bundle that let developers integrate this authentication mechanism into their web applications.

Documentation

The documentation can be read on the following website: https://webauthn-doc.spomky-labs.com/

Partnership

This project is tested with BrowserStack (https://www.browserstack.com/) 🎉. BrowserStack is an amazing tool that helps in testing apps and browsers. It is especially useful here for debugging or validating features with multiple browsers and platform versions.

Support

I bring solutions to your problems and answer your questions.

If you really love this project and the work I have done, or if you want me to prioritize your issues, then you can help me out for a couple of 🍻 or more!

Become a sponsor

Or

Become a Patreon

Supported Versions

The list of the supported versions is available on this page.

Contributing

If you discover a security vulnerability within the project, please don't use the bug tracker and don't publish it publicly. Instead, all security issues must be sent via the GitHub Vulnerability Report system.

Licence

This project is released under the MIT licence.

webauthn-framework's People

Contributors

abcang, amenophis, asbiin, bnf, dependabot[bot], emmanuel-deloget, fnpen, gashmob, github-actions[bot], joostdebruijn, lukewarlow, marcriemer, mergify[bot], pupaxxo, spomky, stayallive, szepeviktor, timwolla, tvlooy, tweis, wouterj


webauthn-framework's Issues

Counter Remediation Strategies

Is your feature request related to a problem? Please describe.
At the moment, if the authenticator counter is equal or lower than the one stored in the DB, the assertion is rejected.
This is useful to prevent clones. But in some cases it will reject legit assertions.
Example:

  • The counter in the server DB is 100. The next counter of the authenticator will be 101
  • The authenticator is cloned.
  • The cloned authenticator allows a user to be authenticated. The counter is updated in the DB (now 101).
  • The original authenticator is used, but it is rejected because its counter is 101 and the server expects a counter higher than this value.

The cloned authenticator can be used for any subsequent authentications, while the original one is now useless.

Describe the solution you'd like
The library should provide a way to allow applications to be warned or to decide to disable the authenticator.

Describe alternatives you've considered
In certain circumstances, the application may decide to continue the authentication process.

Additional context
Lines to be updated: https://github.com/web-auth/webauthn-framework/blob/master/src/webauthn/src/AuthenticatorAssertionResponseValidator.php#L165-L172
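The scenario above, as an added example that is not part of webauthn-framework: a signature-counter check that reports the suspected-clone condition and applies an application-chosen remediation (reject, disable the credential, or warn and continue) instead of only rejecting. The class and function names (CounterPolicy, StoredCredential, evaluateCounter) are hypothetical, the credential values are constructed, and PHP 8 is assumed for constructor promotion.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical names, not webauthn-framework code).
final class CounterPolicy
{
    public const REJECT  = 'reject';   // refuse the assertion (the behaviour described in the issue)
    public const DISABLE = 'disable';  // refuse and mark the credential as compromised
    public const WARN    = 'warn';     // accept, but flag the credential for the application
}

final class StoredCredential
{
    public function __construct(
        public string $id,
        public int $counter,
        public bool $disabled = false,
        public bool $cloneWarning = false,
    ) {}
}

/**
 * Compare the counter from an assertion with the stored value.
 * WebAuthn §7.2: if either counter is non-zero and the received value is not
 * strictly greater than the stored one, the authenticator may have been cloned.
 * Returns ['accepted' => bool, 'reason' => string, 'credential' => StoredCredential].
 */
function evaluateCounter(StoredCredential $cred, int $received, string $policy): array
{
    if ($cred->disabled) {
        return ['accepted' => false, 'reason' => 'credential disabled', 'credential' => $cred];
    }
    // Authenticator without counter support: both values stay 0, nothing to compare.
    if ($received === 0 && $cred->counter === 0) {
        return ['accepted' => true, 'reason' => 'counter not supported', 'credential' => $cred];
    }
    if ($received > $cred->counter) {
        $cred->counter = $received;
        return ['accepted' => true, 'reason' => 'ok', 'credential' => $cred];
    }
    // Suspected clone: apply the application's policy.
    switch ($policy) {
        case CounterPolicy::WARN:
            $cred->cloneWarning = true;
            return ['accepted' => true, 'reason' => 'clone suspected, flagged', 'credential' => $cred];
        case CounterPolicy::DISABLE:
            $cred->disabled = true;
            return ['accepted' => false, 'reason' => 'clone suspected, credential disabled', 'credential' => $cred];
        default:
            return ['accepted' => false, 'reason' => 'clone suspected, rejected', 'credential' => $cred];
    }
}

// Constructed walk-through of the issue's scenario: stored counter 100, the clone
// signs with 101 and is accepted, then the original (also at 101) signs.
$cred = new StoredCredential('constructed-credential-id', 100);
$first  = evaluateCounter($cred, 101, CounterPolicy::DISABLE);
$second = evaluateCounter($first['credential'], 101, CounterPolicy::DISABLE);
printf("first: %s (%s)\n", var_export($first['accepted'], true), $first['reason']);
printf("second: %s (%s)\n", var_export($second['accepted'], true), $second['reason']);
```

With the DISABLE policy the second assertion is refused and the credential is marked disabled, so neither the clone nor the original can keep authenticating until the user re-registers; the WARN policy accepts it but leaves a flag the application can act on (notify the user, require a second factor). Which policy is right depends on the deployment, which is why the issue asks for the decision to be surfaced rather than fixed in the library.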

Documentation examples are lacking

Describe the bug
The documentation examples for web-auth/webauthn-lib miss a couple of things and are wrong in some areas.

In the process of implementing WebAuthn for EGroupware I created a self-contained example app:
https://github.com/ralfbecker/webauthn

I'm happy to contribute it to this project, to save everyone finding and fixing the problems themselves.

Here is a list of the problems I ran into:

  1. to transfer the $publicKeyCredentialCreationOptions from registration or $publicKeyCredentialCreationOptions from login to JavaScript/Browser you use json-encode, which serializes some attributes of the object as base64url and then use window.btoa to decode it again. base64url is not base64 and every couple of requests you get an error trying to decode it. I added a base64url2base64 method to your example code:
    https://github.com/ralfbecker/webauthn/blob/master/register.php#L84

  2. Storing the state ($publicKeyCredentialCreationOptions or $publicKeyCredentialCreationOptions objects) in the session is missing

  3. No Example for the PublicKeyCredentialsRepo, I added one: https://github.com/ralfbecker/webauthn/blob/master/src/PubkeyCredentialsRepo.php

  4. There were a couple more small things and typos I fixed to get a working example.

  5. According to https://www.w3.org/TR/webauthn/#conforming-authenticators-u2f, U2F tokens return no userHandle, but the $authenticatorAssertionResponseValidator->check() method requires it. I temporarily worked around it in the example code, as my Yubico Security Key (U2F and FIDO2) did not return the userHandle (neither with Chrome nor Firefox): https://github.com/ralfbecker/webauthn/blob/master/login_response.php#L98
    Maybe this needs an option to allow this in the check ...

Ralf
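Point 1 above concerns the base64url alphabet used for WebAuthn binary fields (challenge, user.id, credential id). As an added example, not code from webauthn-framework or from the example app linked above, here are server-side PHP helpers that encode and decode base64url correctly and convert it to standard base64 for a client that only has atob(). The sample bytes are constructed so that their base64 form contains both characters ('+' and '/') that differ between the two alphabets.

```php
<?php
declare(strict_types=1);

// Added example (not webauthn-framework code). PHP's base64_decode() in
// non-strict mode silently discards the '-' and '_' characters of base64url
// and yields corrupt bytes; in strict mode it returns false.

function base64url_encode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    $std = strtr($data, '-_', '+/');
    // Restore the padding the encoder stripped: length must be a multiple of 4.
    $std .= str_repeat('=', (4 - strlen($std) % 4) % 4);
    $decoded = base64_decode($std, true);
    if ($decoded === false) {
        throw new InvalidArgumentException('Invalid base64url input');
    }
    return $decoded;
}

/** Standard, padded base64 of a base64url value, for clients that only have atob(). */
function base64url_to_base64(string $data): string
{
    return base64_encode(base64url_decode($data));
}

// Constructed 32-byte value: the first three bytes encode to "+//+" in base64.
$raw = hex2bin('fbfffe00' . str_repeat('ab', 28));

$url = base64url_encode($raw);                       // starts with "-__-"
$roundTripOk = base64url_decode($url) === $raw;      // correct helper reproduces the bytes
$naiveOk = base64_decode($url) === $raw;             // non-strict decode drops '-' and '_', bytes differ
$strict = base64_decode($url, true);                 // strict decode refuses the base64url alphabet
$forAtob = base64url_to_base64($url);                // what a btoa/atob-only client can decode

var_dump($url, $roundTripOk, $naiveOk, $strict, $forAtob);
```

The important property is the strict flag: a decoder that accepts the wrong alphabet silently does not fail on every request, only on the values that happen to contain '-' or '_', which matches the "every couple of requests" symptom described in the report.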

rpId mismatch / DOMException

I have an issue concerning register challenge.

When I use this challenge, I have an error "rpId mismatch" (check registration)
{"rp":{"name":"xxxxx"},"pubKeyCredParams":[{"type":"public-key","alg":-7}],"challenge":"XXXXXXXXXXXXX","attestation":"direct","user":{"name":"name","id":"XXXXXXID=","displayName":"XXXX XXXX"},"authenticatorSelection":{"requireResidentKey":false,"userVerification":"preferred"},"extensions":{"loc":true},"timeout":20000}

When I use this challenge with rpId, I have a DOMException during navigator.credentials.create(publicKey).
{"rp":{"name":"xxxxx","id":"xxxxx.net"},"pubKeyCredParams":[{"type":"public-key","alg":-7}],"challenge":"XXXXXXXXXXXXX","attestation":"direct","user":{"name":"name","id":"XXXXXXID=","displayName":"XXXX XXXX"},"authenticatorSelection":{"requireResidentKey":false,"userVerification":"preferred"},"extensions":{"loc":true},"timeout":20000}

Do you have an idea?

Desktop/Smartphone (please complete the following information):

  • Device: Smartphone
  • OS: Android
  • Browser: Chrome
  • Version: 76

Easier PublicKeyCredentialSource creation

Is your feature request related to a problem? Please describe.
Currently there are many parameters for __construct() that could be obtained from PublicKeyCredential.

Describe the solution you'd like
Add a method to PublicKeyCredential for creation of PublicKeyCredentialSource

Describe alternatives you've considered
Have __construct ingest PublicKeyCredential for many of its parameters.

Additional context
Currently I'm doing something along the lines of:

$publicKeyCredential           = $publicKeyCredentialLoader->load(json_encode($data));
$publicKeyCredentialDescriptor = $publicKeyCredential->getPublicKeyCredentialDescriptor();
$response                      = $publicKeyCredential->getResponse();

$pkCredentialSource = new PublicKeyCredentialSource(
    $publicKeyCredentialDescriptor->getId(),
    $publicKeyCredentialDescriptor->getType(),
    $publicKeyCredentialDescriptor->getTransports(),
    $response->getAttestationObject()->getAttStmt()->getType(),
    $response->getAttestationObject()->getAttStmt()->getTrustPath(),
    $response->getAttestationObject()->getAuthData()->getAttestedCredentialData()->getAaguid(),
    $response->getAttestationObject()->getAuthData()->getAttestedCredentialData()->getCredentialPublicKey(),
    $this->getLoggedInUser($request)->_id->__toString(),
    0
);

As you can see, all but the last two parameters could be obtained internally by passing an attested PublicKeyCredential, user ID, and counter (that should be optional and default to 0)

TPM does not support ECC keys, only RSA

Describe the bug
The TPM Statement Support class cannot handle certificates/public keys if they are ECC, only RSA.
See https://github.com/web-auth/webauthn-framework/blob/v2.1/src/webauthn/src/AttestationStatement/TPMAttestationStatementSupport.php#L103

To Reproduce
Not easy to demonstrate…

Expected behavior
ECC keys should be supported

Screenshots
N/A

Desktop (please complete the following information):

  • OS: all
  • Browser: all
  • Version: all

Smartphone (please complete the following information):

  • Device: all
  • OS: all
  • Browser: all
  • Version all

Additional context
fido-alliance/conformance-test-tools-resources#407

[webauthn-lib] App broken after composer update

Our implementation of WebAuthn using webauthn-lib got broken after running composer update.
We pinpointed the issue to the update of https://github.com/web-auth/cose-lib from 2.0.3 to 2.1.

The problem occurs here https://github.com/web-auth/cose-lib; it seems that our key returns a signature of length 71, while 64 is expected. (Using a FIDO2 USB key.)

Since the signature handling is done completely by the library, we are not sure how to deal with this issue.
Temporarily we worked around the issue by manually requiring 2.0.3 in the main composer.json.

What are the recommendations for resolving this?

Thank you
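An added example, not cose-lib code, on the signature-length mismatch reported above. It assumes the 71-byte value is a DER-encoded ECDSA signature (SEQUENCE of two INTEGERs r and s), which is the encoding FIDO2/WebAuthn authenticators produce for ES256, and that the verifier expects the fixed-size raw form r || s (2 × 32 bytes on P-256). The converter below parses the DER structure strictly and the constructed signature has r with its high bit set, which is exactly what makes DER pad it to 33 bytes and the whole encoding 71 bytes. Function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical names, not cose-lib or webauthn-framework code).

/** DER ECDSA signature (SEQUENCE { INTEGER r, INTEGER s }) to raw r || s. */
function derEcdsaToRaw(string $der, int $coordinateSize = 32): string
{
    $len = strlen($der);
    if ($len < 8 || $der[0] !== "\x30") {
        throw new InvalidArgumentException('Not a DER SEQUENCE');
    }
    $seqLen = ord($der[1]);
    // Short-form length only: an ECDSA signature on P-256 never exceeds 127 bytes.
    if (($seqLen & 0x80) !== 0 || $seqLen !== $len - 2) {
        throw new InvalidArgumentException('Unsupported or inconsistent SEQUENCE length');
    }
    $pos = 2;
    $parts = [];
    for ($i = 0; $i < 2; $i++) {
        if ($pos + 2 > $len || $der[$pos] !== "\x02") {
            throw new InvalidArgumentException('Expected INTEGER');
        }
        $intLen = ord($der[$pos + 1]);
        $pos += 2;
        if ($intLen === 0 || $pos + $intLen > $len) {
            throw new InvalidArgumentException('Bad INTEGER length');
        }
        // Drop the 0x00 DER prepends when the high bit is set, then left-pad to the curve size.
        $int = ltrim(substr($der, $pos, $intLen), "\x00");
        $pos += $intLen;
        if (strlen($int) > $coordinateSize) {
            throw new InvalidArgumentException('INTEGER too large for the curve');
        }
        $parts[] = str_pad($int, $coordinateSize, "\x00", STR_PAD_LEFT);
    }
    if ($pos !== $len) {
        throw new InvalidArgumentException('Trailing data after signature');
    }
    return $parts[0] . $parts[1];
}

/** Inverse: raw r || s to DER, adding the leading 0x00 DER requires for high-bit values. */
function rawEcdsaToDer(string $raw): string
{
    $half = intdiv(strlen($raw), 2);
    $encodeInt = static function (string $int): string {
        $int = ltrim($int, "\x00");
        if ($int === '') {
            $int = "\x00";
        }
        if ((ord($int[0]) & 0x80) !== 0) {
            $int = "\x00" . $int;
        }
        return "\x02" . chr(strlen($int)) . $int;
    };
    $body = $encodeInt(substr($raw, 0, $half)) . $encodeInt(substr($raw, $half));
    return "\x30" . chr(strlen($body)) . $body;
}

// Constructed signature: r has its high bit set (DER pads it to 33 bytes), s does not.
$r = "\x80" . str_repeat("\x11", 31);
$s = "\x7f" . str_repeat("\x22", 31);
$der = rawEcdsaToDer($r . $s);

printf("DER length: %d, raw length: %d, round trip: %s\n",
    strlen($der),
    strlen(derEcdsaToRaw($der)),
    var_export(derEcdsaToRaw($der) === $r . $s, true)
);
```

A verifier that only accepts one of the two forms will reject valid signatures depending on whether r or s happen to have their high bit set, so the failure appears intermittent across keys and across attempts; the strict parser above also rejects non-minimal encodings and trailing bytes, which is the behaviour a signature verifier should have rather than best-effort acceptance.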

GMP & BCMath

Describe the bug
Because of the CBOR Decoder dependency, the framework requires the GMP and BCMath extensions.
These 2 extensions are not necessarily available on all platforms.

Expected behavior
It should be possible to install the framework on a platform without these extensions.

Allow Android Safety Net even if no http client is available

Is your feature request related to a problem? Please describe.
Android SafetyNet statement support requires an HTTP client to verify the response against Google's servers.
The library should be able to first check the signature of the response and, if a client is available, confirm the validity of the response through a dedicated request.

Describe the solution you'd like

Describe alternatives you've considered

Additional context

PublicKeyCredentialLoader->load() should support PHP array for data

Is your feature request related to a problem? Please describe.

PublicKeyCredentialLoader->load($data) accepts only a JSON-encoded string, which prevents me from using different serialization formats (e.g. XML) or from passing JSON that was already decoded earlier.

Describe the solution you'd like

PublicKeyCredentialLoader->load($data) should also accept an already decoded PHP array, so that it is independent of the serialization format.

Describe alternatives you've considered
The alternative is extending PublicKeyCredentialLoader and reimplementing it myself, which isn't nice.

ECDAA Attestation Type Support

Is your feature request related to a problem? Please describe.
At the moment, the library supports the following attestation types:

  • None,
  • Basic
  • Self
  • AttCA

The ECDAA type is not yet supported and the attestation statement formats Packed and TPM may be rejected even if valid.

Describe the solution you'd like
This issue is a reminder for the implementation of this attestation type and allow to close #5 and #4.

Describe alternatives you've considered

Additional context
This attestation type is subject to security considerations.
It should also be noted that, at the time of writing (17 January 2019), the status of the Webauthn specification is "Proposed Recommendation".

Auto set transport methods if Metadata Statement provides the information

Is your feature request related to a problem? Please describe.
At the moment, the list of suitable transport methods (usb, nfc...) is always an empty list.

Describe the solution you'd like
The Metadata Statement may contain the supported methods. This information should be used to populate the list.

.github in .gitattributes hasn't worked

Thanks for the updates to .gitattributes amongst your repositories (#71), much appreciated

It seems the addition of .github hasn't actually worked correctly, and we're still getting the .github folder in the different libraries

I'm guessing it's the lack of export-ignore after the github lines, and I guess the same for the docs and tests lines too

reedy@ubuntu64-web-esxi:~/composer-test$ composer require web-auth/cose-lib v2.1.5
./composer.json has been created
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 3 installs, 0 updates, 0 removals
  - Installing beberlei/assert (v3.2.3): Loading from cache
  - Installing fgrosse/phpasn1 (v2.1.1): Loading from cache
  - Installing web-auth/cose-lib (v2.1.5): Loading from cache
fgrosse/phpasn1 suggests installing php-curl (For loading OID information from the web if they have not bee defined statically)
Writing lock file
Generating autoload files 
reedy@ubuntu64-web-esxi:~/composer-test$ ls -al vendor/web-auth/cose-lib/
total 32
drwxrwxr-x 5 reedy reedy 4096 Sep  3 13:11 .
drwxrwxr-x 3 reedy reedy 4096 Sep  3 13:11 ..
-rw-rw-r-- 1 reedy reedy 1116 Sep  2 21:01 composer.json
drwxrwxr-x 2 reedy reedy 4096 Sep  2 21:01 .github
-rw-rw-r-- 1 reedy reedy 1068 Sep  2 21:01 LICENSE
-rw-rw-r-- 1 reedy reedy 1130 Sep  2 21:01 README.md
drwxrwxr-x 4 reedy reedy 4096 Sep  2 21:01 src
drwxrwxr-x 3 reedy reedy 4096 Sep  2 21:01 tests
reedy@ubuntu64-web-esxi:~/composer-test$ ls -al vendor/web-auth/cose-lib/.github/
total 20
drwxrwxr-x 2 reedy reedy 4096 Sep  2 21:01 .
drwxrwxr-x 5 reedy reedy 4096 Sep  3 13:11 ..
-rw-rw-r-- 1 reedy reedy  224 Sep  2 21:01 CONTRIBUTING.md
-rw-rw-r-- 1 reedy reedy   25 Sep  2 21:01 FUNDING.yml
-rw-rw-r-- 1 reedy reedy  160 Sep  2 21:01 PULL_REQUEST_TEMPLATE.md

Missing ramsey/uuid dependency

Describe the bug
web-auth/webauthn-lib requires ramsey/uuid, but it is not required in composer.json.

To Reproduce
Should be obvious.

Ralf

`allowCredentials` can be set to none

Is your feature request related to a problem? Please describe.
As per the specification section 5.5, the allowCredentials parameter can be set to none (default).

The user identification in the specification is different from what is done in the library:

  • The user was identified before the authentication ceremony. The userHandle may be set and then compared. Except the user handle verification, this is already done here
  • The user was not identified before the authentication ceremony. The user handle in the response shall be set and the credential is available.

Describe the solution you'd like

  1. This library should allow allowCredentials to be set to none.
  2. This user identification and the verification of the associated credential ID should be revised.

Describe alternatives you've considered
--none--

[Question] webauthn - Utility of asking for $request

Looking through your library and noticed that you require a specific implementation for $request - a Symfony\Component\HttpFoundation\Request object - when doing FIDO2 client credential checking. Yet that object is not actually utilized in anything using TokenBindingInterface. Is this for future development?

I have an application that already has a PSR-7 ServerRequestInterface object (I'm using Zend Expressive middleware) and was wondering why you are asking for a Symfony-specific request object and not a PSR-7 object - especially since it's not really used anyways.

Question: base64 encode/decode of $id in PublicKeyCredentialUserEntity

I noticed a curious quirk: PublicKeyCredentialUserEntity will base64 encode/decode $id on JSON serialization. Since the round trip works, nothing is broken per se, but I was curious as to the decision to do any encoding on that parameter.

User entities are most likely coming from a datastore of some sort, so having a non-JSON-safe $id would be rather rare, would it not?

Full Token Binding Support

Is your feature request related to a problem? Please describe.
See Token Binding feature:

The framework proposes several strategies:

  • Ignore: see Webauthn\TokenBinding\IgnoreTokenBindingHandler
  • Error: see Webauthn\TokenBinding\TokenBindingNotSupportedHandler
  • Sec-Token-Binding: see Webauthn\TokenBinding\SecTokenBindingHandler (not tested)

Describe the solution you'd like
The library should propose a class to fully support this feature

Describe alternatives you've considered
N/A

Additional context

Form or Twig Integration

Is your feature request related to a problem? Please describe.
If one wants to integrate the bundle in a Symfony project, the script and the data have to be integrated in the Twig template.

This step can be difficult and not really easy for newcomers.

Describe the solution you'd like
It would be simple to provide Twig helpers to ease the integration.
This could be achieved through a form widget with an associated script.
The form to display could be very simple.

Describe alternatives you've considered
If the form is not easy/simple, Twig helpers can be provided.

Additional context
-NONE-

Yubi Security Key Series - attestation statement is not valid

Getting "The certificate in the attestation statement is not valid."
when using a Yubico Security Key Series key (https://www.yubico.com/products/security-key/)
with PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT.

In the FidoU2FAttestationStatementSupport::checkCertificate function, openssl_pkey_get_details
returns

array(3) {
  ["bits"]=>
  int(256)
  ["key"]=>
  string(178) "-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElV3zrfckfTF17/2cxPMaToeOuuGB
CVZhUPs4iy5fZSe/V0CapYGlDQrFLxhEXAoTVIoTU8ik5ZpwTlI7wE3r7Q==
-----END PUBLIC KEY-----"
  ["type"]=>
  int(3)
}

The certificate itself

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1955003842 (0x7486fdc2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Yubico U2F Root CA Serial 457200631
        Validity
            Not Before: Aug  1 00:00:00 2014 GMT
            Not After : Sep  4 00:00:00 2050 GMT
        Subject: C = SE, O = Yubico AB, OU = Authenticator Attestation, CN = Yubico U2F EE Serial 1955003842
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:95:5d:f3:ad:f7:24:7d:31:75:ef:fd:9c:c4:f3:
                    1a:4e:87:8e:ba:e1:81:09:56:61:50:fb:38:8b:2e:
                    5f:65:27:bf:57:40:9a:a5:81:a5:0d:0a:c5:2f:18:
                    44:5c:0a:13:54:8a:13:53:c8:a4:e5:9a:70:4e:52:
                    3b:c0:4d:eb:ed
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            1.3.6.1.4.1.41482.2: 
                1.3.6.1.4.1.41482.1.1
            1.3.6.1.4.1.45724.2.1.1: 
                ... 
            1.3.6.1.4.1.45724.1.1.4: 
                .......
M........}
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         31:5c:48:80:e6:9a:52:7e:38:66:89:bd:69:fd:0a:a8:6f:49:
         eb:9e:4e:85:45:41:55:6f:aa:d0:0b:3a:00:8a:1d:dc:01:f9:
         6c:76:f6:68:36:1a:91:e2:32:c8:10:a7:9c:63:07:4c:9b:6e:
         7a:46:eb:1d:b5:d8:5c:44:48:9f:86:8a:76:43:d2:2a:5c:86:
         2e:c0:3f:03:e5:84:8b:e3:80:7d:7a:cd:55:f8:e1:ae:1e:e2:
         13:ac:73:ab:4b:20:e3:fb:d5:26:8c:b0:7b:87:80:27:1d:1f:
         4b:e0:e5:dd:ac:73:4d:3a:58:97:bd:4d:73:ba:7f:35:7e:a2:
         08:c9:9d:8a:4d:29:02:e6:09:7a:00:5c:4d:c9:04:dc:0a:18:
         12:0e:0a:f7:d0:0c:fc:96:9a:28:86:e5:b1:b1:61:f3:ed:cb:
         c6:77:a6:78:d7:fb:53:03:9c:cd:a1:86:be:34:ba:53:31:95:
         23:43:9d:7f:d9:4a:70:f2:30:62:1b:93:c4:ce:42:68:d3:17:
         4d:94:3b:c6:ae:3f:c9:37:c2:de:43:d6:b4:4e:21:15:3d:f8:
         50:92:5f:95:90:62:2e:bc:46:e0:eb:18:c6:41:f0:fe:7e:6f:
         2a:09:a9:b2:90:77:19:f6:2e:61:35:a1:90:32:a2:13:c0:98:
         b7:28:3c:ee

I'm thinking maybe it's because of the old OpenSSL version for PHP I'm using 🤔
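The openssl_pkey_get_details() output quoted above (type 3, i.e. OPENSSL_KEYTYPE_EC, 256 bits, curve prime256v1 in the certificate dump) is what a FIDO U2F attestation certificate is required to carry: the U2F spec mandates an EC public key on P-256. As an added example, not code from webauthn-framework, here is that key-type check written against the OpenSSL extension, exercised on two self-signed certificates generated on the fly (one P-256, one RSA) because the certificate from the report cannot be embedded. The function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical names, not webauthn-framework code). Requires ext-openssl.

/** True only if the certificate's public key is an EC key on P-256 (prime256v1). */
function attestationKeyIsP256(string $certPem): bool
{
    $pub = openssl_pkey_get_public($certPem);
    if ($pub === false) {
        return false; // not parseable as a certificate / public key
    }
    $details = openssl_pkey_get_details($pub);
    return $details !== false
        && $details['type'] === OPENSSL_KEYTYPE_EC
        && $details['bits'] === 256
        && ($details['ec']['curve_name'] ?? null) === 'prime256v1';
}

/** Constructed test data: a self-signed certificate for a freshly generated key. */
function selfSignedCert(array $keyConfig): string
{
    $key = openssl_pkey_new($keyConfig);
    if ($key === false) {
        throw new RuntimeException('Key generation failed: ' . openssl_error_string());
    }
    $csr = openssl_csr_new(['commonName' => 'constructed test EE'], $key, ['digest_alg' => 'sha256']);
    $cert = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
    openssl_x509_export($cert, $pem);
    return $pem;
}

$ecCert  = selfSignedCert(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$rsaCert = selfSignedCert(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);

// The P-256 certificate passes the U2F key requirement; the RSA one must not.
var_dump(attestationKeyIsP256($ecCert));
var_dump(attestationKeyIsP256($rsaCert));
```

Running this on the platform that produces the error is a quick way to separate the two possible causes in the report: if the P-256 certificate fails the check, the OpenSSL build in use does not report EC details the way the library expects, whereas if it passes, the rejection comes from another part of the attestation validation (for instance the chain check) rather than the key type.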

Incorrect serialization of PublicKeyCredentialSource

Hi,

PublicKeyCredentialSource does not "fully" serialize correctly; this has already been mentioned briefly here: #57 (comment)

Here's an example to show the problem:

$json0 ='{"publicKeyCredentialId":"5ZYF8upZZUFfw3ot0gkKOqcdIcSlem2P_oOcVrk_fVAhr6SqYFdG5TprFl336gjG-i5fefSsP8S5YFKI9Jee8A","type":"public-key","transports":[],"attestationType":"none","trustPath":{"type":"empty"},"aaguid":"AAAAAAAAAAAAAAAAAAAAAA","credentialPublicKey":"pQECAyYgASFYIHt5_B-asO10TT0pl5RDfljYMoEU_hSXAjxrnup_eX-uIlgg3AuFH37_CH6ntpD61_D8LqUBJ5bVY4vNPml0ZbtTeg4","userHandle":"YW5vdGhlci11bmlxdWUtaWQ","counter":0}';

// ok
$source1 = PublicKeyCredentialSource::createFromArray(json_decode($json0, true));

// workaround:
$source2 = PublicKeyCredentialSource::createFromArray(json_decode(json_encode($source1), true));

// that's how it supposedly should work, but doesn't
$source3 = PublicKeyCredentialSource::createFromArray($source1->jsonSerialize());

It seems like this can easily be fixed by pulling JsonSerializable from AbstractTrustPath to TrustPath, and fixing

'trustPath' => $this->trustPath,

to be:
'trustPath' => $this->trustPath->jsonSerialize(),

... but I'm not sure if this would be the preferred solution.

Provide Doctrine Model/Repository

Is your feature request related to a problem? Please describe.
The documentation says a Credential class and associated repository have to be created.

Describe the solution you'd like
The bundle should provide an abstract class for both components and the doctrine mapping.

Describe alternatives you've considered

Additional context
The use in application will become very easy: the repository could be used as default one and the Credential class will only need to implement the getId() method.

[Symfony] Allow "allowedCredentials" to be empty

Is your feature request related to a problem? Please describe.
When residentKey=true and userVerification="required" are set, the authenticators should be able to authenticate the users even if the allowedCredentials list is empty.

Describe the solution you'd like
An option should be added to allow this use case.
When set, the username should not be asked to the user.

Describe alternatives you've considered

Additional context

Invalid certificate or certificate chain. unable to get local issuer certificate

Describe the bug
When I add SimpleMetadataStatementRepository to the server and the browser requests the security key data, it fails with

Invalid certificate or certificate chain. Error is: C = SE, O = Yubico AB, OU = Authenticator Attestation, CN = Yubico U2F EE Serial 61730834 error 20 at 0 depth lookup: unable to get local issuer certificate

If I do not provide a MDS Repository, the key registers correctly.

$metadataRepo = new SimpleMetadataStatementRepository(new FilesystemAdapter('__test__'));

return new Server($rpEntity, $repo, $metadataRepo);

Manually executing the validation via openssl verify also does not work:

openssl verify -verbose /tmp/webauthn-leaf-1sYuxD
error /tmp/webauthn-leaf-1sYuxD: verification failed
C = SE, O = Yubico AB, OU = Authenticator Attestation, CN = Yubico U2F EE Serial 61730834
error 20 at 0 depth lookup: unable to get local issuer certificate

EDIT: I should point out that openssl verify -verbose /tmp/webauthn-leaf-1sYuxD is literally the full extent of the command that is being passed to Symfony's Process class. There is no webauthn-untrusted- or webauthn-ca- file.

cat'ing the file shows

-----BEGIN CERTIFICATE-----
<the key>
-----END CERTIFICATE-----

Expected behavior
I expect to not receive that error.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: macOS
  • Browser: Chrome
  • Version: 76

Additional context
I'm running the web server in a Docker container using FROM php:7.3.9-apache-stretch. I have checked /etc/ssl/certs and it contains a bunch of certificates. I have also tried to manually download the curl.haxx.se PEM file and set that as -CAfile when testing the openssl verify command but that also does not work.

.gitattributes into sub repos

Hello!

I notice there is a .gitattributes file in this repo, which is great, but it doesn't seem to get included into sub repos such as webauthn-lib and cose-lib.

This means when they're installed via composer, the various root and dot files still exist in those repos, losing the benefits of the .gitattributes file

I don't know how your build processes work, as such, how code ends up in those "readonly" repos... But if you could include .gitattributes in the files that are copied/pushed across, that'd be really helpful

Thanks!

└── web-auth
    ├── cose-lib
    │   ├── composer.json
    │   ├── LICENSE
    │   ├── phpunit.xml.dist
    │   ├── README.md
    │   ├── src
    │   │   ├── Algorithm
    │   │   │   ├── Algorithm.php
    │   │   │   ├── Mac
    │   │   │   │   ├── Hmac.php
    │   │   │   │   ├── HS256.php
    │   │   │   │   ├── HS256Truncated64.php
    │   │   │   │   ├── HS384.php
    │   │   │   │   ├── HS512.php
    │   │   │   │   └── Mac.php
    │   │   │   ├── Manager.php
    │   │   │   └── Signature
    │   │   │       ├── ECDSA
    │   │   │       │   ├── ECDSA.php
    │   │   │       │   ├── ES256.php
    │   │   │       │   ├── ES384.php
    │   │   │       │   └── ES512.php
    │   │   │       ├── EdDSA
    │   │   │       │   └── EdDSA.php
    │   │   │       ├── RSA
    │   │   │       │   ├── PS256.php
    │   │   │       │   ├── PS384.php
    │   │   │       │   ├── PS512.php
    │   │   │       │   ├── PSSRSA.php
    │   │   │       │   ├── RS1.php
    │   │   │       │   ├── RS256.php
    │   │   │       │   ├── RS384.php
    │   │   │       │   ├── RS512.php
    │   │   │       │   └── RSA.php
    │   │   │       └── Signature.php
    │   │   ├── Algorithms.php
    │   │   ├── Key
    │   │   │   ├── Ec2Key.php
    │   │   │   ├── Key.php
    │   │   │   ├── OkpKey.php
    │   │   │   ├── RsaKey.php
    │   │   │   └── SymmetricKey.php
    │   │   └── Verifier.php
    │   └── tests
    │       └── unit
    │           └── Signature
    │               ├── RSA15SignatureTest.php
    │               └── RSAPSSSignatureTest.php
    └── webauthn-lib
        ├── composer.json
        ├── LICENSE
        ├── phpunit.xml.dist
        ├── README.md
        ├── src
        │   ├── AttestationStatement
        │   │   ├── AndroidKeyAttestationStatementSupport.php
        │   │   ├── AndroidSafetyNetAttestationStatementSupport.php
        │   │   ├── AttestationObjectLoader.php
        │   │   ├── AttestationObject.php
        │   │   ├── AttestationStatement.php
        │   │   ├── AttestationStatementSupportManager.php
        │   │   ├── AttestationStatementSupport.php
        │   │   ├── FidoU2FAttestationStatementSupport.php
        │   │   ├── NoneAttestationStatementSupport.php
        │   │   ├── PackedAttestationStatementSupport.php
        │   │   └── TPMAttestationStatementSupport.php
        │   ├── AttestedCredentialData.php
        │   ├── AuthenticationExtensions
        │   │   ├── AuthenticationExtension.php
        │   │   ├── AuthenticationExtensionsClientInputs.php
        │   │   ├── AuthenticationExtensionsClientOutputsLoader.php
        │   │   ├── AuthenticationExtensionsClientOutputs.php
        │   │   ├── ExtensionOutputCheckerHandler.php
        │   │   ├── ExtensionOutputChecker.php
        │   │   └── ExtensionOutputError.php
        │   ├── AuthenticatorAssertionResponse.php
        │   ├── AuthenticatorAssertionResponseValidator.php
        │   ├── AuthenticatorAttestationResponse.php
        │   ├── AuthenticatorAttestationResponseValidator.php
        │   ├── AuthenticatorData.php
        │   ├── AuthenticatorResponse.php
        │   ├── AuthenticatorSelectionCriteria.php
        │   ├── CertificateToolbox.php
        │   ├── CollectedClientData.php
        │   ├── Credential.php
        │   ├── PublicKeyCredentialCreationOptions.php
        │   ├── PublicKeyCredentialDescriptorCollection.php
        │   ├── PublicKeyCredentialDescriptor.php
        │   ├── PublicKeyCredentialEntity.php
        │   ├── PublicKeyCredentialLoader.php
        │   ├── PublicKeyCredentialParameters.php
        │   ├── PublicKeyCredential.php
        │   ├── PublicKeyCredentialRequestOptions.php
        │   ├── PublicKeyCredentialRpEntity.php
        │   ├── PublicKeyCredentialSource.php
        │   ├── PublicKeyCredentialSourceRepository.php
        │   ├── PublicKeyCredentialUserEntity.php
        │   ├── TokenBinding
        │   │   ├── IgnoreTokenBindingHandler.php
        │   │   ├── TokenBindingHandler.php
        │   │   ├── TokenBindingNotSupportedHandler.php
        │   │   └── TokenBinding.php
        │   └── TrustPath
        │       ├── CertificateTrustPath.php
        │       ├── EcdaaKeyIdTrustPath.php
        │       ├── EmptyTrustPath.php
        │       ├── TrustPathLoader.php
        │       └── TrustPath.php
        └── tests
            ├── certificates
            │   ├── chain
            │   │   ├── 1.crt
            │   │   ├── 1.der
            │   │   ├── 2.crt
            │   │   ├── 2.der
            │   │   ├── 3.crt
            │   │   ├── 3.der
            │   │   ├── 4.crt
            │   │   └── 4.der
            │   ├── frank4dd-cacert.crt
            │   └── yubico.crt
            ├── functional
            │   ├── AbstractTestCase.php
            │   ├── AndroidKeyAttestationStatementTest.php
            │   ├── AndroidSafetyNetAttestationStatementTest.php
            │   ├── AssertionTest.php
            │   ├── AttestationStatementWithTokenBindingTest.php
            │   ├── Fido2AttestationStatementTest.php
            │   ├── NoneAttestationStatementTest.php
            │   ├── PackedAttestationStatementTest.php
            │   ├── SubDomainRelyingPartyTest.php
            │   ├── TPMAttestationStatementTest.php
            │   └── W10Test.php
            └── unit
                ├── AttestationStatement
                │   ├── AndroidKeyAttestationStatementSupportTest.php
                │   ├── AttestationObjectTest.php
                │   ├── AttestationStatementSupportManagerTest.php
                │   ├── AttestationStatementTest.php
                │   ├── FidoU2FAttestationStatementSupportTest.php
                │   └── NoneAttestationStatementSupportTest.php
                ├── AttestedCredentialDataTest.php
                ├── AuthenticationExtensions
                │   ├── AuthenticationExtensionsClientOutputsLoaderTest.php
                │   └── AuthenticationExtensionsClientTest.php
                ├── AuthenticatorAssertionResponseTest.php
                ├── AuthenticatorAttestationResponseTest.php
                ├── AuthenticatorDataTest.php
                ├── AuthenticatorSelectionCriteriaTest.php
                ├── CertificateChainCheckerTest.php
                ├── CollectedClientDataTest.php
                ├── EntityTest.php
                ├── PublicKeyCredentialCreationOptionsTest.php
                ├── PublicKeyCredentialDescriptorTest.php
                ├── PublicKeyCredentialParametersTest.php
                ├── PublicKeyCredentialRequestOptionsTest.php
                ├── TokenBindingTest.php
                └── TrustPath
                    β”œβ”€β”€ FooTrustPath.php
                    β”œβ”€β”€ NotAValidTrustPath.php
                    └── TrustPathTest.php

CDDL Validator

Is your feature request related to a problem? Please describe.
RFC 8610 describes a schema format for acceptable CBOR data.

Describe the solution you'd like
A validator could be added to the CBOR library. This validator will be used to check if the parsed data is compliant with a given data structure.

E-mail addresses as usernames

Is your feature request related to a problem? Please describe.
As explained in the specification, the e-mail addresses should not be used as usernames.

Describe the solution you'd like
A section in the doc about all security means that can be implemented.
Should be linked to #37

Symfony Firewall not JSON friendly

Is your feature request related to a problem? Please describe.
It is not possible to login on a Symfony app with the provided firewall when the frontend is a SPA.

Describe the solution you'd like
The firewall should not only rely on forms.

Refactor not to require PHP session

Thanks for the great library. It is very useful for classic websites. However, for SPAs with a REST API, this library is not ideal. It requires a PHP session for storing the assertion during login. See the check in Security/Firewall/WebauthnListener.

Ideally this should be abstracted into some kind of common storage system that developers can customize and configure.

The Metadata Statement should be available after attestation ceremony

Is your feature request related to a problem? Please describe.
It could be interesting to associate the Attestation Metadata to the attestation object returned after the attestation ceremony (registration of the authenticator).

Describe the solution you'd like
The Attestation Metadata is already retrieved by the attestation statement supports (except none). It should be easy to move all of the logic to the attestation loader and check it in the attestation response validator.
This will deprecate the use of the attestation metadata repository in the attestation statement supports.

Describe alternatives you've considered
-NONE-

Additional context
Closes #77 as more or less similar

Windows 10 authentication fails because of stored public keys

Describe the bug
It is not possible to use Windows 10 as an authenticator. When the CBOR public key is loaded, an exception is thrown:

InvalidArgumentException : Out of range. Expected: 598, read: 261.

To Reproduce
Steps to reproduce the behavior:

  1. Register a new key with W10 and the built-in authenticator on Edge, using the demo at https://webauthn.spomky-labs.com/
  2. Try to authenticate

Desktop/Smartphone (please complete the following information):

  • Device: does not matter
  • OS: Windows 10
  • Browser: Edge

Additional context

Example of public key (base64 encoded): pAEDAzkBACBZAla/lVRaOlEYG+nbNrCJfYkoL1ZIO9XGUt+o2pTURix03qI2DXoUUX/QQeS3u0nP3CTALcLHm9gXJuVTDtQXmbypLnv05wZGO9voweP4xAW44oKijAExj9WO4X5NPXh14oy5a1KFPYwJpvWC1+eS4YCURy7YIBK8DC1sQ8pnYmRqi5ZZoneEM5hNdZiAKC0zkOqqc30lRmNeuCYB9ALzZJiHpkBX4xDazhEbaM/928S3bfmgVIiSvckSqFK1C8n4IWaNWTrugW2h9whJrHjgLKcJ3Yuvz2KdZTUHQnBIHWjK4s+rkcJC5KYV53+mIaNV8WAJs3S0JcmQAa5+QNcTcnjFIUMBAAE=

Result during decoding:

Map(4)
  Unsigned Integer(1) //Key type
    Unsigned Integer(3) // RSA
  Unsigned Integer(3) // Alg
    Signed Integer(-257) // RS256
  Signed Integer(-1) // RSA modulus n
    Byte string(598)
    //Fails here when trying to read the 598 bytes

The decoding fails using other tools (e.g. http://cbor.me/) with the same error (Out of bytes to decode (need at least 337 bytes more)). It looks like the error comes from the encoding of the byte string length and not from spomky-labs/cbor-php.

The length is 0x256 i.e. 598. When replaced with 0x100 (256), the decoding works fine.
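
The following is an added example (not code from webauthn-framework or spomky-labs/cbor-php) that reproduces the diagnosis in the issue in Python: a minimal CBOR reader that only knows the types a COSE_Key map uses and checks every declared length against the bytes actually left, so a bad length prefix is reported as "Expected: N, read: M" instead of being read past the end of the buffer. It decodes the base64 key quoted above, shows the 598-vs-261 mismatch, and then confirms the issue's observation that rewriting the modulus length prefix to 256 yields a complete, well-formed RSA COSE key. The name `with_modulus_length` and the byte offsets it uses are specific to this key's layout.

```python
"""Bounds-checked CBOR decoding of a COSE public key (added example)."""
import base64

# Base64 public key quoted in the issue above (Windows 10 built-in authenticator).
WINDOWS_KEY_B64 = (
    "pAEDAzkBACBZAla/lVRaOlEYG+nbNrCJfYkoL1ZIO9XGUt+o2pTURix03qI2"
    "DXoUUX/QQeS3u0nP3CTALcLHm9gXJuVTDtQXmbypLnv05wZGO9voweP4xAW4"
    "4oKijAExj9WO4X5NPXh14oy5a1KFPYwJpvWC1+eS4YCURy7YIBK8DC1sQ8pn"
    "YmRqi5ZZoneEM5hNdZiAKC0zkOqqc30lRmNeuCYB9ALzZJiHpkBX4xDazhEb"
    "aM/928S3bfmgVIiSvckSqFK1C8n4IWaNWTrugW2h9whJrHjgLKcJ3Yuvz2Kd"
    "ZTUHQnBIHWjK4s+rkcJC5KYV53+mIaNV8WAJs3S0JcmQAa5+QNcTcnjFIUMBAAE="
)
WINDOWS_KEY_RAW = base64.b64decode(WINDOWS_KEY_B64)  # 272 bytes


class CborLengthError(ValueError):
    """A declared length runs past the end of the input."""

    def __init__(self, expected: int, available: int):
        super().__init__(f"Out of range. Expected: {expected}, read: {available}")
        self.expected = expected
        self.available = available


class CborReader:
    """Decodes unsigned/negative integers, byte strings, text strings, arrays and maps."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def _take(self, n: int) -> bytes:
        # Every read goes through here: refuse before touching bytes that do not exist.
        available = len(self.data) - self.pos
        if n > available:
            raise CborLengthError(n, available)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _head(self):
        # Initial byte: 3-bit major type, 5-bit additional info (argument or its size).
        initial = self._take(1)[0]
        major, info = initial >> 5, initial & 0x1F
        if info < 24:
            return major, info
        if info <= 27:
            return major, int.from_bytes(self._take(1 << (info - 24)), "big")
        raise ValueError(f"unsupported additional info {info}")

    def decode(self):
        major, arg = self._head()
        if major == 0:
            return arg
        if major == 1:
            return -1 - arg
        if major == 2:
            return self._take(arg)
        if major == 3:
            return self._take(arg).decode("utf-8")
        if major == 4:
            return [self.decode() for _ in range(arg)]
        if major == 5:
            result = {}
            for _ in range(arg):
                key = self.decode()  # key first, then value
                result[key] = self.decode()
            return result
        raise ValueError(f"unsupported major type {major}")


def decode_cose_key(raw: bytes) -> dict:
    """Decode one CBOR map and require that nothing is left over."""
    reader = CborReader(raw)
    key = reader.decode()
    if reader.pos != len(reader.data):
        raise ValueError(f"{len(reader.data) - reader.pos} trailing bytes after the COSE_Key map")
    return key


def length_mismatch(raw: bytes):
    """Return (declared, available) when a length prefix overruns the input, else None."""
    try:
        decode_cose_key(raw)
    except CborLengthError as err:
        return err.expected, err.available
    return None


def with_modulus_length(raw: bytes, length: int) -> bytes:
    """Rewrite the 2-byte length prefix of the modulus byte string (bytes 9-10 of this key).

    Diagnostic only: it confirms that the data behind the wrong prefix is a plain
    2048-bit key. A relying party should reject such a key, not patch it.
    """
    if raw[8] != 0x59:  # byte string with a 2-byte length argument
        raise ValueError("unexpected key layout")
    return raw[:9] + length.to_bytes(2, "big") + raw[11:]


if __name__ == "__main__":
    print(length_mismatch(WINDOWS_KEY_RAW))  # (598, 261)
    fixed = decode_cose_key(with_modulus_length(WINDOWS_KEY_RAW, 256))
    print({k: (len(v) if isinstance(v, bytes) else v) for k, v in fixed.items()})
```

With the prefix rewritten to 256 the map decodes to keys 1 (kty 3, RSA), 3 (alg -257), -1 (a 256-byte modulus) and -2 (the exponent bytes 01 00 01), consuming exactly the 272 bytes of input, which is what the issue reports.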

Add support for Metadata Service

Is your feature request related to a problem? Please describe.
See https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-metadata-service-v2.0-rd-20180702.html

This feature should implement a command or service that will perform HTTP calls to the metadata service, then retrieve and store the latest dataset for all registered authenticators.
As the data from the MDS should not evolve often, the data should stay in a cache or persistent storage to avoid unnecessary calls.

Native Cache Support For Metadata Statement Repository

Is your feature request related to a problem? Please describe.
The MDS repository does not have any cache support and only relies on a hypothetical cache mechanism on the HTTP client side.

Describe the solution you'd like
Add an optional PSR cache parameter to the repository.

Describe alternatives you've considered

Additional context

Private construct method generating errors

Describe the bug

Call to private Jose\Component\Core\AlgorithmManager::__construct() from context 'Webauthn\AttestationStatement\AndroidSafetyNetAttestationStatementSupport'

To Reproduce
Steps to reproduce the behavior:
Just look in AndroidSafetyNetAttestationStatementSupport in any decent IDE:

(screenshot)

CredentialRepository enhancement

Is your feature request related to a problem? Please describe.
The CredentialRepository has several methods that could be simplified:

  • public function has(string $credentialId): bool;
  • public function get(string $credentialId): AttestedCredentialData;
  • public function getUserHandleFor(string $credentialId): string;
  • public function getCounterFor(string $credentialId): int;
  • public function updateCounterFor(string $credentialId, int $newCounter): void;

The Webauthn specification has a Public Key Credential Source where the information is stored.
It could be useful to have something similar on application side.

Describe the solution you'd like
A Credential object could be added with the following method:

  • id
  • type
  • attested credential data
  • userHandle
  • counter
  • attestation statement (including trust path)

The CredentialRepository would return only Credential objects and be simplified: getUserHandleFor, getCounterFor and updateCounterFor could be removed in favor of public function save(Credential $credential): void;.

The nice side effect is that you will query the repository only once instead of three times with the current configuration. This will limit the DB overhead.

AbstractTrustPath::createFromJson() should accept string

Is your feature request related to a problem? Please describe.
The method createFromJson() by its name would seem to indicate that you pass JSON to it, but in actuality you need to pass an array.

Describe the solution you'd like
Either allow the method to consume either an array or a JSON string, or only a string.

Add helpers

Is your feature request related to a problem? Please describe.
This framework contains a lot of classes and it may be hard for newcomers to clearly understand what to do.
The documentation is quite complicated.

Describe the solution you'd like
This framework should provide helper classes to ease the integration for basic features.
The default configuration should only ask for the minimal mandatory information.

Describe alternatives you've considered

Additional context
Add any other context or screenshots about the feature request here.

Remove Firewall bundles and provide only one Symfony bundle

Is your feature request related to a problem? Please describe.
At the moment there are 3 bundles. 2 of them are firewalls.
The symfony-security-bundle is now useless as the responses from symfony-json-security-bundle can be altered.
Additionally, symfony-json-security-bundle could be merged with the main bundle for a better consistency and DX/UX.

Describe the solution you'd like

  1. Mark symfony-security-bundle as deprecated in v1.x
  2. Mark symfony-json-security-bundle as deprecated in v1.x
  3. Merge symfony-json-security-bundle into the main bundle in v2.0

Getting UUID v4 format for AAGUID

Is your feature request related to a problem? Please describe.
I would like to be able to view and verify the AAGUID (when applicable) of an authenticator. The AAGUID is created by the authenticator manufacturer in UUIDv4 format:

^[0-9A-F]{8}-[0-9A-F]{4}-4[0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i

It's stored in the certificate in CBOR (Major Type 3) format. I've tried to use your decoder, but I can't seem to get the right info out.

$aaguidStream = new StringStream($response->getAttestationObject()->getAuthData()->getAttestedCredentialData()->getAaguid());
$aaguidDecoded = $decoder->decode($aaguidStream);
$aaguid = bin2hex($aaguidDecoded->getNormalizedData());

This obviously doesn't insert the hyphens, but it also doesn't create a hex string long enough to be valid even with hyphens.
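
An added example (not code from webauthn-framework) showing where the AAGUID sits and how to turn it into the hyphenated form: in authenticator data the 16 AAGUID bytes follow the 32-byte rpIdHash, the flags byte and the 4-byte signature counter, and precede the credential id length; the helper slices them out, formats them with the standard library's uuid module and checks the result against the pattern quoted in the issue. The authenticator data, AAGUID and credential id below are constructed for the example, and the COSE public key at the end is a placeholder prefix that is returned unparsed; the all-zero AAGUID is included because that is the value an authenticator reports when no attestation is provided, and it does not match the UUIDv4 pattern.

```python
"""Extracting the AAGUID from WebAuthn authenticator data (added example)."""
import hashlib
import re
import uuid

UUID_V4_RE = re.compile(
    r"^[0-9A-F]{8}-[0-9A-F]{4}-4[0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$", re.IGNORECASE
)
FLAG_AT = 0x40  # "attested credential data included"

# Constructed sample values (not a real authenticator's AAGUID or credential).
SAMPLE_AAGUID_UUID = "12345678-1234-4abc-9def-123456789abc"
SAMPLE_AAGUID = uuid.UUID(SAMPLE_AAGUID_UUID).bytes
ZERO_AAGUID = bytes(16)  # reported when no attestation is provided


def parse_attested_credential_data(auth_data: bytes) -> dict:
    """Split authenticator data into its fixed fields and the attested credential."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than rpIdHash + flags + signCount")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("AT flag not set: no attested credential data present")
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated before credentialIdLength")
    cred_id_len = int.from_bytes(auth_data[53:55], "big")
    cred_id = auth_data[55:55 + cred_id_len]
    if len(cred_id) != cred_id_len:
        raise ValueError("credentialId shorter than its declared length")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": int.from_bytes(auth_data[33:37], "big"),
        "aaguid": auth_data[37:53],
        "credential_id": cred_id,
        "credential_public_key": auth_data[55 + cred_id_len:],  # CBOR COSE_Key, left as raw bytes
    }


def aaguid_to_uuid(aaguid: bytes) -> str:
    """Format the 16 raw bytes as the hyphenated UUID string manufacturers publish."""
    if len(aaguid) != 16:
        raise ValueError(f"AAGUID must be 16 bytes, got {len(aaguid)}")
    return str(uuid.UUID(bytes=aaguid))


def matches_uuid_v4(value: str) -> bool:
    return UUID_V4_RE.match(value) is not None


def describe_aaguid(auth_data: bytes) -> dict:
    """AAGUID as a string, plus whether it is the zero value or looks like a UUIDv4."""
    aaguid = parse_attested_credential_data(auth_data)["aaguid"]
    text = aaguid_to_uuid(aaguid)
    return {"aaguid": text, "is_zero": aaguid == ZERO_AAGUID, "is_uuid_v4": matches_uuid_v4(text)}


def build_sample_auth_data(aaguid: bytes, sign_count: int = 7) -> bytes:
    """Constructed authenticator data for a registration on rp id 'example.com'."""
    rp_id_hash = hashlib.sha256(b"example.com").digest()
    flags = bytes([0x01 | FLAG_AT])  # UP + AT
    credential_id = bytes(range(20))  # constructed credential id
    cose_key_placeholder = b"\xa5\x01\x02\x03\x26"  # constructed prefix standing in for a COSE_Key
    return (
        rp_id_hash
        + flags
        + sign_count.to_bytes(4, "big")
        + aaguid
        + len(credential_id).to_bytes(2, "big")
        + credential_id
        + cose_key_placeholder
    )


if __name__ == "__main__":
    print(describe_aaguid(build_sample_auth_data(SAMPLE_AAGUID)))
    print(describe_aaguid(build_sample_auth_data(ZERO_AAGUID)))
```

The 16 bytes are not CBOR, so no decoder is involved: bin2hex of the raw bytes already gives the 32 hex digits, and inserting hyphens after 8, 12, 16 and 20 of them gives the published form.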

Usernames Enumeration

Is your feature request related to a problem? Please describe.
At the moment, the firewall triggers an error when a username does not exist. This could be used by an attacker to find usernames and associated key descriptors.

Describe the solution you'd like
No error should be triggered if the username does not exist.
A list of fake key descriptors should be generated. This list should always be the same for a given username.
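
An added example (not code from webauthn-framework) of the mitigation the issue describes: when the username is unknown, answer with decoy credential descriptors derived from an HMAC over the username with a server-side secret, so the same unknown name always gets the same list and the response has the same shape as one for an existing user. The user store, the secret and the credential id length are constructed for the example; the function and variable names are this example's own.

```python
"""Deterministic decoy credential descriptors for unknown usernames (added example)."""
import hashlib
import hmac

# Constructed values; in production the secret comes from configuration/KMS and the
# credential ids come from the PublicKeyCredentialSource repository.
SERVER_SECRET = b"example-only-secret-replace-me"
USERS = {
    "alice": [bytes([0x11]) * 64, bytes([0x22]) * 64],
}
FAKE_ID_LENGTH = 64  # match the length your registered credential ids typically have


def decoy_descriptors(username: str, secret: bytes = SERVER_SECRET) -> list:
    """Stable, per-username fake allowCredentials entries (1 or 2, chosen by the HMAC)."""
    seed = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).digest()
    count = 1 + seed[0] % 2  # vary the count so "always exactly one" is not itself a tell
    descriptors = []
    for index in range(count):
        digest = b""
        while len(digest) < FAKE_ID_LENGTH:  # expand with a counter until long enough
            digest += hmac.new(secret, seed + bytes([index, len(digest)]), hashlib.sha256).digest()
        descriptors.append({"type": "public-key", "id": digest[:FAKE_ID_LENGTH]})
    return descriptors


def allowed_credentials(username: str) -> list:
    """allowCredentials for a login request: real descriptors, or decoys for unknown users."""
    normalized = username.strip().lower()  # normalize the same way the login path does
    real_ids = USERS.get(normalized)
    if real_ids is not None:
        return [{"type": "public-key", "id": cid} for cid in real_ids]
    return decoy_descriptors(normalized)


if __name__ == "__main__":
    for name in ("alice", "mallory", "mallory"):
        print(name, [d["id"].hex()[:16] for d in allowed_credentials(name)])
```

Two things the shape of the response alone does not cover: the assertion sent back for a decoy id must fail with the same error and status as any other invalid assertion, and the two branches should cost roughly the same time, since a repository round trip versus a local HMAC can otherwise be told apart by timing.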

Support for other algorithms

The library only supports EC signatures and may support RSA ones.
The algorithms supported by this library should be extensible and new algorithms should be easily added if needed.

Better public key credential support

At the moment, the public key credential is just a binary string.
It could be easier for implementers to get a dedicated object that represents that key.

This object could be of type RsaKey/EcKey implementing an interface (e.g. PublicKeyCredential).

'Invalid signature' as result of authentication

I've tried to implement the solution written in the examples, in two steps.
Actually, everything works great except the one step, the last and main :)

To Reproduce
I create my own CredentialRepository class with the following method:

public function findOneByCredentialId(string $publicKeyCredentialId): ?PublicKeyCredentialSource
{
    // Default: no credential source found for this id
    $res = null;

    $user = MongoUser::getByFieldValue(
        'webauthn_pkc_source.publicKeyCredentialId',
        Base64Url::encode($publicKeyCredentialId)
    );

    if ($user !== null) {
        $credentials = $user->webauthn_pkc_source;
        $res = PublicKeyCredentialSource::createFromArray($credentials);
    }

    return $res;
}

So, my created Public Key Credential Source object is written to the user's account in MongoDB and fetched from the DB in this method; if found, it is returned as a PublicKeyCredentialSource object.

In the credentials validation procedure I run the check() method:

// Check the response against the attestation request
$authenticatorAssertionResponseValidator->check(
    $publicKeyCredential->getRawId(),
    $publicKeyCredential->getResponse(),
    $publicKeyCredentialRequestOptions,
    $psr7Request,
    null // User handle
);

and it returns an error at step 7.2.16 of the checks: $this->algorithmManager is null

Expected behavior
Of course, I've expected that check() returns true and authentication completes.

Desktop/Smartphone (please complete the following information):

  • OS: Mac OS Mojave 10.14.4
  • Browser Chrome
  • Version 74.0.3729.169

Additional context
I suppose that, maybe, I send the wrong saved object to the check procedure. I save this object with the credential info on the second step of making credentials, actually:

        // You can get the Public Key Credential Source. This object should be persisted using the Public Key Credential Source repository
        $publicKeyCredentialSource = \Webauthn\PublicKeyCredentialSource::createFromPublicKeyCredential(
            $publicKeyCredential,
            $publicKeyCredentialCreationOptions->getUser()->getId()
        );

        MongoUser::update(
            (int)$publicKeyCredentialCreationOptions->getUser()->getId(),
            array_merge(
                ['webauthn_pkc_source' => json_decode(json_encode($publicKeyCredentialSource), true)]
            )
        );

[DOC] Relying, not Relaying

Just a small typo in your docs. The specification talks about a Relying Party, but you have Relaying Party. It makes a difference in understanding the workflow. Google Translate seems to have an issue with these words. It is the difference between "la partie se fiant" (relying party) and "la partie relais" (relaying party).

And yes, I seem to be using quite a few of your projects!
