[PM-4167] Add PRF attestation flow during passkey registration (#3339)

* [PM-4167] feat: add support for `SupportsPrf` * [PM-4167] feat: add `prfStatus` property * [PM-4167] feat: add support for storing PRF keys * [PM-4167] fix: allow credentials to be created without encryption support * [PM-4167] fix: broken test * [PM-4167] chore: remove whitespace * [PM-4167] fix: controller test * [PM-4167] chore: improve readability of `GetPrfStatus` * [PM-4167] fix: make prf optional * [PM-4167] fix: commit missing controller change * [PM-4167] fix: tests
2025-07-03 00:52:49 -05:00 · 2023-11-07 16:59:51 +01:00
parent 8256b58e00
commit e401fc0983
9 changed files with 58 additions and 10 deletions
--- a/src/Core/Auth/Entities/WebAuthnCredential.cs
+++ b/src/Core/Auth/Entities/WebAuthnCredential.cs
@ -1,4 +1,5 @@
 using System.ComponentModel.DataAnnotations;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Utilities;

@ -18,8 +19,11 @@ public class WebAuthnCredential : ITableObject<Guid>
    [MaxLength(20)]
    public string Type { get; set; }
    public Guid AaGuid { get; set; }
+    [MaxLength(2000)]
    public string EncryptedUserKey { get; set; }
+    [MaxLength(2000)]
    public string EncryptedPrivateKey { get; set; }
+    [MaxLength(2000)]
    public string EncryptedPublicKey { get; set; }
    public bool SupportsPrf { get; set; }
    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
@ -29,4 +33,19 @@ public class WebAuthnCredential : ITableObject<Guid>
    {
        Id = CoreHelpers.GenerateComb();
    }
+
+    public WebAuthnPrfStatus GetPrfStatus()
+    {
+        if (!SupportsPrf)
+        {
+            return WebAuthnPrfStatus.Unsupported;
+        }
+
+        if (EncryptedUserKey != null && EncryptedPrivateKey != null && EncryptedPublicKey != null)
+        {
+            return WebAuthnPrfStatus.Enabled;
+        }
+
+        return WebAuthnPrfStatus.Supported;
+    }
 }
--- a/src/Core/Auth/Enums/WebAuthnPrfStatus.cs
+++ b/src/Core/Auth/Enums/WebAuthnPrfStatus.cs
@ -0,0 +1,8 @@
+namespace Bit.Core.Auth.Enums;
+
+public enum WebAuthnPrfStatus
+{
+    Enabled = 0,
+    Supported = 1,
+    Unsupported = 2
+}
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@ -28,7 +28,7 @@ public interface IUserService
    Task<bool> DeleteWebAuthnKeyAsync(User user, int id);
    Task<bool> CompleteWebAuthRegistrationAsync(User user, int value, string name, AuthenticatorAttestationRawResponse attestationResponse);
    Task<CredentialCreateOptions> StartWebAuthnLoginRegistrationAsync(User user);
-    Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, CredentialCreateOptions options, AuthenticatorAttestationRawResponse attestationResponse);
+    Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, CredentialCreateOptions options, AuthenticatorAttestationRawResponse attestationResponse, bool supportsPrf, string encryptedUserKey = null, string encryptedPublicKey = null, string encryptedPrivateKey = null);
    Task<AssertionOptions> StartWebAuthnLoginAssertionAsync(User user);
    Task<string> CompleteWebAuthLoginAssertionAsync(AuthenticatorAssertionRawResponse assertionResponse, User user);
    Task SendEmailVerificationAsync(User user);
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -552,9 +552,9 @@ public class UserService : UserManager<User>, IUserService, IDisposable
        return options;
    }

-    public async Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name,
-        CredentialCreateOptions options,
-        AuthenticatorAttestationRawResponse attestationResponse)
+    public async Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, CredentialCreateOptions options,
+        AuthenticatorAttestationRawResponse attestationResponse, bool supportsPrf,
+        string encryptedUserKey = null, string encryptedPublicKey = null, string encryptedPrivateKey = null)
    {
        var existingCredentials = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id);
        if (existingCredentials.Count >= 5)
@ -575,7 +575,11 @@ public class UserService : UserManager<User>, IUserService, IDisposable
            Type = success.Result.CredType,
            AaGuid = success.Result.Aaguid,
            Counter = (int)success.Result.Counter,
-            UserId = user.Id
+            UserId = user.Id,
+            SupportsPrf = supportsPrf,
+            EncryptedUserKey = encryptedUserKey,
+            EncryptedPublicKey = encryptedPublicKey,
+            EncryptedPrivateKey = encryptedPrivateKey
        };

        await _webAuthnCredentialRepository.CreateAsync(credential);