1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
package webauthn
import (
"github.com/go-webauthn/webauthn/protocol"
)
type Authenticator struct {
// The AAGUID of the authenticator. An AAGUID is defined as an array containing the globally unique
// identifier of the authenticator model being sought.
AAGUID []byte `json:"AAGUID"`
// SignCount -Upon a new login operation, the Relying Party compares the stored signature counter value
// with the new signCount value returned in the assertion’s authenticator data. If this new
// signCount value is less than or equal to the stored value, a cloned authenticator may
// exist, or the authenticator may be malfunctioning.
SignCount uint32 `json:"signCount"`
// CloneWarning - This is a signal that the authenticator may be cloned, i.e. at least two copies of the
// credential private key may exist and are being used in parallel. Relying Parties should incorporate
// this information into their risk scoring. Whether the Relying Party updates the stored signature
// counter value in this case, or not, or fails the authentication ceremony or not, is Relying Party-specific.
CloneWarning bool `json:"cloneWarning"`
// Attachment is the authenticatorAttachment value returned by the request.
Attachment protocol.AuthenticatorAttachment `json:"attachment"`
}
// SelectAuthenticator allow for easy marshaling of authenticator options that are provided to the user.
func SelectAuthenticator(att string, rrk *bool, uv string) protocol.AuthenticatorSelection {
return protocol.AuthenticatorSelection{
AuthenticatorAttachment: protocol.AuthenticatorAttachment(att),
RequireResidentKey: rrk,
UserVerification: protocol.UserVerificationRequirement(uv),
}
}
// UpdateCounter updates the authenticator and either sets the clone warning value or the sign count.
//
// Step 17 of §7.2. about verifying attestation. If the signature counter value authData.signCount
// is nonzero or the value stored in conjunction with credential’s id attribute is nonzero, then
// run the following sub-step:
//
// If the signature counter value authData.signCount is
//
// → Greater than the signature counter value stored in conjunction with credential’s id attribute.
// Update the stored signature counter value, associated with credential’s id attribute, to be the value of
// authData.signCount.
//
// → Less than or equal to the signature counter value stored in conjunction with credential’s id attribute.
// This is a signal that the authenticator may be cloned, see CloneWarning above for more information.
func (a *Authenticator) UpdateCounter(authDataCount uint32) {
if authDataCount <= a.SignCount && (authDataCount != 0 || a.SignCount != 0) {
a.CloneWarning = true
return
}
a.SignCount = authDataCount
}
|
