feature: Add clientExtensionResults to attestation and assertion and transports to attestation responses for WebAuthn Level 3 compatibility (#80)

Author: ninjapanzer

README.md

@@ -12,6 +12,7 @@ Check the [test](test/webauthn_test.go) for a working example on how to use this
 - Generate [attestation](https://www.w3.org/TR/webauthn-2/#authenticatorattestationresponse) and [assertion](https://www.w3.org/TR/webauthn-2/#authenticatorassertionresponse) responses
 - Supports `EC2` and `RSA` keys with `SHA256`
 - Supports `packed` attestation format
+- Supports WebAuthn Level 3 compatible responses with `clientExtensionResults`
 
 ## Usage
 

assertion.go

@@ -51,7 +51,13 @@ func ParseAssertionOptions(str string) (assertionOptions *AssertionOptions, err
 
 /// Response
 
+// CreateAssertionResponse creates an assertion response with default empty clientExtensionResults
 func CreateAssertionResponse(rp RelyingParty, auth Authenticator, cred Credential, options AssertionOptions) string {
+	return CreateAssertionResponseWithExtensions(rp, auth, cred, options, map[string]interface{}{})
+}
+
+// CreateAssertionResponseWithExtensions creates an assertion response with custom clientExtensionResults
+func CreateAssertionResponseWithExtensions(rp RelyingParty, auth Authenticator, cred Credential, options AssertionOptions, clientExtensionResults map[string]interface{}) string {
 	clientData := clientData{
 		Type:      "webauthn.get",
 		Challenge: base64.RawURLEncoding.EncodeToString(options.Challenge),
@@ -101,10 +107,11 @@ func CreateAssertionResponse(rp RelyingParty, auth Authenticator, cred Credentia
 	}
 
 	assertionResult := assertionResult{
-		Type:     "public-key",
-		ID:       credIDEncoded,
-		RawID:    credIDEncoded,
-		Response: assertionResponse,
+		Type:                   "public-key",
+		ID:                     credIDEncoded,
+		RawID:                  credIDEncoded,
+		Response:               assertionResponse,
+		ClientExtensionResults: clientExtensionResults,
 	}
 
 	assertionResultBytes, err := json.Marshal(assertionResult)
@@ -137,8 +144,9 @@ type assertionResponse struct {
 }
 
 type assertionResult struct {
-	Type     string            `json:"type"`
-	ID       string            `json:"id"`
-	RawID    string            `json:"rawId"`
-	Response assertionResponse `json:"response"`
+	Type                   string                 `json:"type"`
+	ID                     string                 `json:"id"`
+	RawID                  string                 `json:"rawId"`
+	Response               assertionResponse      `json:"response"`
+	ClientExtensionResults map[string]interface{} `json:"clientExtensionResults"`
 }

attestation.go

@@ -65,7 +65,13 @@ func ParseAttestationOptions(str string) (attestationOptions *AttestationOptions
 
 /// Response
 
+// CreateAttestationResponse creates an attestation response with default empty clientExtensionResults and Default Transports (Hybrid and Internal)
 func CreateAttestationResponse(rp RelyingParty, auth Authenticator, cred Credential, options AttestationOptions) string {
+	return CreateAttestationResponseWithExtensions(rp, auth, cred, options, map[string]interface{}{}, []Transport{TransportHybrid, TransportInternal})
+}
+
+// CreateAttestationResponseWithExtensions creates an attestation response with custom clientExtensionResults and transports
+func CreateAttestationResponseWithExtensions(rp RelyingParty, auth Authenticator, cred Credential, options AttestationOptions, clientExtensionResults map[string]interface{}, transports []Transport) string {
 	clientData := clientData{
 		Type:      "webauthn.create",
 		Challenge: base64.RawURLEncoding.EncodeToString(options.Challenge),
@@ -133,16 +139,20 @@ func CreateAttestationResponse(rp RelyingParty, auth Authenticator, cred Credent
 
 	credIDEncoded := base64.RawURLEncoding.EncodeToString(cred.ID)
 
+	translatedTransports := translateTransports(transports)
+
 	attestationResponse := attestationResponse{
 		AttestationObject: attestationObjectEncoded,
 		ClientDataJSON:    clientDataJSONEncoded,
+		Transports:        translatedTransports,
 	}
 
 	attestationResult := attestationResult{
-		Type:     "public-key",
-		ID:       credIDEncoded,
-		RawID:    credIDEncoded,
-		Response: attestationResponse,
+		Type:                   "public-key",
+		ID:                     credIDEncoded,
+		RawID:                  credIDEncoded,
+		Response:               attestationResponse,
+		ClientExtensionResults: clientExtensionResults,
 	}
 
 	attestationResultBytes, err := json.Marshal(attestationResult)
@@ -191,13 +201,15 @@ type attestationObject struct {
 }
 
 type attestationResponse struct {
-	AttestationObject string `json:"attestationObject"`
-	ClientDataJSON    string `json:"clientDataJSON"`
+	AttestationObject string   `json:"attestationObject"`
+	ClientDataJSON    string   `json:"clientDataJSON"`
+	Transports        []string `json:"transports"`
 }
 
 type attestationResult struct {
-	Type     string              `json:"type"`
-	ID       string              `json:"id"`
-	RawID    string              `json:"rawId"`
-	Response attestationResponse `json:"response"`
+	Type                   string                 `json:"type"`
+	ID                     string                 `json:"id"`
+	RawID                  string                 `json:"rawId"`
+	Response               attestationResponse    `json:"response"`
+	ClientExtensionResults map[string]interface{} `json:"clientExtensionResults"`
 }

constants.go

@@ -0,0 +1,21 @@
+package virtualwebauthn
+
+type Transport int
+
+const (
+	TransportUSB Transport = iota
+	TransportNFC
+	TransportBLE
+	TransportSmartCard
+	TransportHybrid
+	TransportInternal
+)
+
+var Transports = map[Transport]string{
+	TransportUSB:       "usb",
+	TransportNFC:       "nfc",
+	TransportBLE:       "ble",
+	TransportSmartCard: "smart-card",
+	TransportHybrid:    "hybrid",
+	TransportInternal:  "internal",
+}

test/client_extension_results_test.go

@@ -0,0 +1,144 @@
+package test
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/descope/virtualwebauthn"
+	"github.com/stretchr/testify/require"
+)
+
+// TestAttestationClientExtensionResults verifies that attestation responses include
+// an empty clientExtensionResults map
+func TestAttestationClientExtensionResults(t *testing.T) {
+	// Create a mock relying party, mock authenticator and a mock credential
+	rp := virtualwebauthn.RelyingParty{Name: WebauthnDisplayName, ID: WebauthnDomain, Origin: WebauthnOrigin}
+	authenticator := virtualwebauthn.NewAuthenticator()
+	cred := virtualwebauthn.NewCredential(virtualwebauthn.KeyTypeEC2)
+
+	// Start an attestation request
+	attestation := startWebauthnRegister(t)
+
+	// Parse the attestation options
+	attestationOptions, err := virtualwebauthn.ParseAttestationOptions(attestation.Options)
+	require.NoError(t, err)
+	require.NotNil(t, attestationOptions)
+
+	// Create an attestation response
+	attestationResponse := virtualwebauthn.CreateAttestationResponse(rp, authenticator, cred, *attestationOptions)
+	require.NotEmpty(t, attestationResponse)
+
+	// Parse the response to verify clientExtensionResults
+	var response map[string]interface{}
+	err = json.Unmarshal([]byte(attestationResponse), &response)
+	require.NoError(t, err)
+
+	// Verify clientExtensionResults exists
+	clientExtensionResults, exists := response["clientExtensionResults"]
+	require.True(t, exists, "clientExtensionResults should exist in attestation response")
+	require.NotNil(t, clientExtensionResults, "clientExtensionResults should not be nil")
+
+	// Verify clientExtensionResults is an empty map
+	clientExtensionResultsMap, ok := clientExtensionResults.(map[string]interface{})
+	require.True(t, ok, "clientExtensionResults should be a map")
+	require.Empty(t, clientExtensionResultsMap, "clientExtensionResults should be an empty map")
+}
+
+// TestAssertionClientExtensionResults verifies that assertion responses include
+// the empty clientExtensionResults map
+func TestAssertionClientExtensionResults(t *testing.T) {
+	// Create a mock relying party, mock authenticator and a mock credential
+	rp := virtualwebauthn.RelyingParty{Name: WebauthnDisplayName, ID: WebauthnDomain, Origin: WebauthnOrigin}
+	authenticator := virtualwebauthn.NewAuthenticator()
+	cred := virtualwebauthn.NewCredential(virtualwebauthn.KeyTypeEC2)
+
+	// Register the credential first
+	attestation := startWebauthnRegister(t)
+	attestationOptions, err := virtualwebauthn.ParseAttestationOptions(attestation.Options)
+	require.NoError(t, err)
+
+	attestationResponse := virtualwebauthn.CreateAttestationResponse(rp, authenticator, cred, *attestationOptions)
+	webauthnCredential := finishWebauthnRegister(t, attestation, attestationResponse)
+
+	authenticator.Options.UserHandle = []byte(UserID)
+	authenticator.AddCredential(cred)
+
+	// Start an assertion request
+	assertion := startWebauthnLogin(t, webauthnCredential, cred.ID)
+
+	// Parse the assertion options
+	assertionOptions, err := virtualwebauthn.ParseAssertionOptions(assertion.Options)
+	require.NoError(t, err)
+	require.NotNil(t, assertionOptions)
+
+	// Create an assertion response
+	assertionResponse := virtualwebauthn.CreateAssertionResponse(rp, authenticator, cred, *assertionOptions)
+	require.NotEmpty(t, assertionResponse)
+
+	// Parse the response to verify clientExtensionResults
+	var response map[string]interface{}
+	err = json.Unmarshal([]byte(assertionResponse), &response)
+	require.NoError(t, err)
+
+	// Verify clientExtensionResults exists
+	clientExtensionResults, exists := response["clientExtensionResults"]
+	require.True(t, exists, "clientExtensionResults should exist in assertion response")
+	require.NotNil(t, clientExtensionResults, "clientExtensionResults should not be nil")
+
+	// Verify clientExtensionResults is an empty map
+	clientExtensionResultsMap, ok := clientExtensionResults.(map[string]interface{})
+	require.True(t, ok, "clientExtensionResults should be a map")
+	require.Empty(t, clientExtensionResultsMap, "clientExtensionResults should be an empty map")
+}
+
+// TestBothKeyTypesWithClientExtensionResults verifies that both EC2 and RSA key types
+// work correctly with clientExtensionResults
+func TestBothKeyTypesWithClientExtensionResults(t *testing.T) {
+	// Test EC2 key
+	t.Run("EC2 Key", func(t *testing.T) {
+		testKeyTypeWithClientExtensionResults(t, virtualwebauthn.KeyTypeEC2)
+	})
+
+	// Test RSA key
+	t.Run("RSA Key", func(t *testing.T) {
+		testKeyTypeWithClientExtensionResults(t, virtualwebauthn.KeyTypeRSA)
+	})
+}
+
+func testKeyTypeWithClientExtensionResults(t *testing.T, keyType virtualwebauthn.KeyType) {
+	// Create a mock relying party, mock authenticator and a mock credential
+	rp := virtualwebauthn.RelyingParty{Name: WebauthnDisplayName, ID: WebauthnDomain, Origin: WebauthnOrigin}
+	authenticator := virtualwebauthn.NewAuthenticator()
+	cred := virtualwebauthn.NewCredential(keyType)
+
+	// Test attestation
+	attestation := startWebauthnRegister(t)
+	attestationOptions, err := virtualwebauthn.ParseAttestationOptions(attestation.Options)
+	require.NoError(t, err)
+
+	attestationResponse := virtualwebauthn.CreateAttestationResponse(rp, authenticator, cred, *attestationOptions)
+	webauthnCredential := finishWebauthnRegister(t, attestation, attestationResponse)
+
+	// Verify attestation response has clientExtensionResults
+	var attestationResponseMap map[string]interface{}
+	err = json.Unmarshal([]byte(attestationResponse), &attestationResponseMap)
+	require.NoError(t, err)
+	require.Contains(t, attestationResponseMap, "clientExtensionResults")
+
+	// Test assertion
+	authenticator.Options.UserHandle = []byte(UserID)
+	authenticator.AddCredential(cred)
+
+	assertion := startWebauthnLogin(t, webauthnCredential, cred.ID)
+	assertionOptions, err := virtualwebauthn.ParseAssertionOptions(assertion.Options)
+	require.NoError(t, err)
+
+	assertionResponse := virtualwebauthn.CreateAssertionResponse(rp, authenticator, cred, *assertionOptions)
+	finishWebauthnLogin(t, assertion, assertionResponse)
+
+	// Verify assertion response has clientExtensionResults
+	var assertionResponseMap map[string]interface{}
+	err = json.Unmarshal([]byte(assertionResponse), &assertionResponseMap)
+	require.NoError(t, err)
+	require.Contains(t, assertionResponseMap, "clientExtensionResults")
+}

utils.go

@@ -65,3 +65,11 @@ func authenticatorDataFlags(userPresent, userVerified, backupEligible, backupSta
 	}
 	return flags
 }
+
+func translateTransports(transports []Transport) []string {
+	encodedTransports := make([]string, 0, len(transports))
+	for _, t := range transports {
+		encodedTransports = append(encodedTransports, Transports[t])
+	}
+	return encodedTransports
+}