add test for user handle secret rotation

Author: benbjurstrom

tests/Feature/Actions/VerifyPasskeyTest.php

@@ -31,12 +31,10 @@
         'credential' => json_decode(WebAuthn::toJson($source), true),
     ]);
 
-    $assertionResponse = Mockery::mock(AuthenticatorAssertionResponse::class);
-
-    $credential = PublicKeyCredential::create(
+    $assertion = PublicKeyCredential::create(
         type: 'public-key',
         rawId: $credentialId,
-        response: $assertionResponse
+        response: Mockery::mock(AuthenticatorAssertionResponse::class),
     );
 
     $options = createRequestOptions();
@@ -51,7 +49,7 @@
         ->andReturn($updatedSource)
         ->getMock();
 
-    $result = $action($credential, $options);
+    $result = $action($assertion, $options);
 
     expect($result)->toBeInstanceOf(Passkey::class);
     expect($result->id)->toBe($passkey->id);
@@ -64,31 +62,23 @@
 });
 
 it('throws exception when response is not an assertion response', function (): void {
-    $attestationResponse = Mockery::mock(AuthenticatorAttestationResponse::class);
-
-    $credential = PublicKeyCredential::create(
+    $assertion = PublicKeyCredential::create(
         type: 'public-key',
         rawId: 'test-raw-id',
-        response: $attestationResponse
+        response: Mockery::mock(AuthenticatorAttestationResponse::class),
     );
 
-    $options = createRequestOptions();
-
-    app(VerifyPasskey::class)($credential, $options);
+    app(VerifyPasskey::class)($assertion, createRequestOptions());
 })->throws(InvalidPasskeyException::class, 'Unable to verify passkey');
 
 it('throws exception when passkey is not found', function (): void {
-    $assertionResponse = Mockery::mock(AuthenticatorAssertionResponse::class);
-
-    $credential = PublicKeyCredential::create(
+    $assertion = PublicKeyCredential::create(
         type: 'public-key',
         rawId: random_bytes(16),
-        response: $assertionResponse
+        response: Mockery::mock(AuthenticatorAssertionResponse::class),
     );
 
-    $options = createRequestOptions();
-
-    app(VerifyPasskey::class)($credential, $options);
+    app(VerifyPasskey::class)($assertion, createRequestOptions());
 })->throws(InvalidPasskeyException::class, 'Passkey not recognized');
 
 it('throws exception when passkey does not belong to expected user', function (): void {
@@ -112,22 +102,48 @@
         'credential' => json_decode(WebAuthn::toJson($source), true),
     ]);
 
-    $assertionResponse = Mockery::mock(AuthenticatorAssertionResponse::class);
-
-    $credential = PublicKeyCredential::create(
+    $assertion = PublicKeyCredential::create(
         type: 'public-key',
         rawId: $credentialId,
-        response: $assertionResponse
+        response: Mockery::mock(AuthenticatorAssertionResponse::class),
     );
 
-    $options = createRequestOptions();
-
     $action = Mockery::mock(VerifyPasskey::class)
         ->makePartial()
         ->shouldAllowMockingProtectedMethods()
         ->shouldReceive('validate')
         ->never()
         ->getMock();
 
-    $action($credential, $options, $otherUser);
+    $action($assertion, createRequestOptions(), $otherUser);
 })->throws(InvalidPasskeyException::class, 'Passkey not recognized');
+
+it('verifies an existing passkey after user handle secret rotation', function (): void {
+    config()->set('passkeys.allowed_origins', ['https://localhost']);
+    config()->set('passkeys.relying_party_id', 'localhost');
+    config()->set('passkeys.user_handle_secret', 'initial-user-handle-secret');
+
+    $user = User::create(['name' => 'John Doe', 'email' => 'john@example.com']);
+    $credentialId = random_bytes(16);
+    $initialUserHandle = $user->getPasskeyUserHandle();
+
+    $passkey = $user->passkeys()->create([
+        'name' => 'My MacBook',
+        'credential_id' => Base64UrlSafe::encodeUnpadded($credentialId),
+        'credential' => json_decode(WebAuthn::toJson(createCredentialSource($initialUserHandle, $credentialId)), true),
+    ]);
+
+    config()->set('passkeys.user_handle_secret', 'rotated-user-handle-secret');
+
+    $options = createRequestOptions();
+    $assertion = PublicKeyCredential::create(
+        type: 'public-key',
+        rawId: $credentialId,
+        response: createSignedAssertionResponse($options->challenge, 'https://localhost', signCount: 6, rpId: 'localhost'),
+    );
+
+    $result = app(VerifyPasskey::class)($assertion, $options, $user);
+
+    expect($result->id)->toBe($passkey->id);
+    expect(Base64UrlSafe::decodeNoPadding($result->refresh()->credential['userHandle']))->toBe($initialUserHandle);
+});

tests/Pest.php

@@ -4,16 +4,50 @@
 use Laravel\Passkeys\Tests\User;
 use ParagonIE\ConstantTime\Base64UrlSafe;
 use Symfony\Component\Uid\Uuid;
+use Webauthn\AuthenticatorAssertionResponse;
 use Webauthn\AuthenticatorData;
+use Webauthn\CollectedClientData;
 use Webauthn\PublicKeyCredentialCreationOptions;
 use Webauthn\PublicKeyCredentialRequestOptions;
 use Webauthn\PublicKeyCredentialRpEntity;
 use Webauthn\PublicKeyCredentialSource;
 use Webauthn\PublicKeyCredentialUserEntity;
 use Webauthn\TrustPath\EmptyTrustPath;
+use Webauthn\U2FPublicKey;
 
 pest()->extend(TestCase::class)->in('Feature');
 
+/**
+ * @return array{private_key_pem: string, cose_public_key: string}
+ */
+function fixtureEcKeypair(): array
+{
+    static $keypair = null;
+
+    if (is_array($keypair)) {
+        return $keypair;
+    }
+
+    $privateKeyPem = <<<'PEM'
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIExwigMuj7pGzk+XVIKVp72gYQc6AU//5HlUHb3X5HGRoAoGCCqGSM49
+AwEHoUQDQgAE53mVK/HTD1mPae7VZ8uzETJC7ZLmAyWKa75YyZ9lNbHFl8oSKWJe
+RYf/wGQSBmBTBSaU+rRuRbuVAx2zexNCzQ==
+-----END EC PRIVATE KEY-----
+PEM;
+
+    $ec = openssl_pkey_get_details(openssl_pkey_get_private($privateKeyPem))['ec'];
+
+    $u2fPublicKey = "\x04".str_pad($ec['x'], 32, "\0", STR_PAD_LEFT).str_pad($ec['y'], 32, "\0", STR_PAD_LEFT);
+
+    $keypair = [
+        'private_key_pem' => $privateKeyPem,
+        'cose_public_key' => U2FPublicKey::convertToCoseKey($u2fPublicKey),
+    ];
+
+    return $keypair;
+}
+
 function createCredentialSource(string $userHandle, ?string $credentialId = null, int $counter = 0): PublicKeyCredentialSource
 {
     return PublicKeyCredentialSource::create(
@@ -23,12 +57,57 @@ function createCredentialSource(string $userHandle, ?string $credentialId = null
         attestationType: 'none',
         trustPath: EmptyTrustPath::create(),
         aaguid: Uuid::v4(),
-        credentialPublicKey: random_bytes(77),
+        credentialPublicKey: fixtureEcKeypair()['cose_public_key'],
         userHandle: $userHandle,
         counter: $counter,
     );
 }
 
+function createSignedAssertionResponse(
+    string $challenge,
+    string $origin,
+    int $signCount,
+    ?string $rpId = null,
+): AuthenticatorAssertionResponse {
+    $clientDataPayload = [
+        'type' => 'webauthn.get',
+        'challenge' => Base64UrlSafe::encodeUnpadded($challenge),
+        'origin' => $origin,
+    ];
+
+    $clientDataRaw = json_encode($clientDataPayload);
+    $clientData = CollectedClientData::create($clientDataRaw, $clientDataPayload);
+
+    $rpId ??= parse_url($origin, PHP_URL_HOST);
+
+    if (! is_string($rpId) || $rpId === '') {
+        throw new InvalidArgumentException('Unable to determine RP ID for assertion response fixture.');
+    }
+
+    $rpIdHash = hash('sha256', $rpId, binary: true);
+    $flags = chr(AuthenticatorData::FLAG_UP);
+    $authDataRaw = $rpIdHash.$flags.pack('N', $signCount);
+
+    $authenticatorData = AuthenticatorData::create(
+        authData: $authDataRaw,
+        rpIdHash: $rpIdHash,
+        flags: $flags,
+        signCount: $signCount,
+    );
+
+    $payload = $authDataRaw.hash('sha256', $clientDataRaw, binary: true);
+    $signature = '';
+    $keypair = fixtureEcKeypair();
+    openssl_sign($payload, $signature, $keypair['private_key_pem'], OPENSSL_ALGO_SHA256);
+
+    return AuthenticatorAssertionResponse::create(
+        clientDataJSON: $clientData,
+        authenticatorData: $authenticatorData,
+        signature: $signature,
+        userHandle: null,
+    );
+}
+
 function createRegistrationOptions(User $user): PublicKeyCredentialCreationOptions
 {
     return PublicKeyCredentialCreationOptions::create(