fix: encode hashes as hex (#6)

This encodes the RP hashes as hexidecimal and properly handles a few other errors/checks.
go-webauthn · Mar 1, 2022 · 4697513 · 4697513
1 parent 497fae3
commit 4697513
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/protocol/assertion.go b/protocol/assertion.go
@@ -124,7 +124,7 @@ func (p *ParsedCredentialAssertionData) Verify(storedChallenge string, relyingPa
  // Handle steps 11 through 14, verifying the authenticator data.
  validError = p.Response.AuthenticatorData.Verify(rpIDHash[:], appIDHash[:], verifyUser)
  if validError != nil {
- return ErrAuthData.WithInfo(validError.Error())
+ return validError
  }
 
  // allowedUserCredentialIDs := session.AllowedCredentialIDs
@@ -150,9 +150,14 @@ func (p *ParsedCredentialAssertionData) Verify(storedChallenge string, relyingPa
  key, err = webauthncose.ParseFIDOPublicKey(credentialBytes)
  }
 
+ if err != nil {
+ return ErrAssertionSignature.WithDetails(fmt.Sprintf("Error parsing the assertion public key: %+v", err))
+ }
+
  valid, err := webauthncose.VerifySignature(key, sigData, p.Response.Signature)
- if !valid {
+ if !valid || err != nil {
  return ErrAssertionSignature.WithDetails(fmt.Sprintf("Error validating the assertion signature: %+v\n", err))
  }
+
  return nil
 }
diff --git a/protocol/authenticator.go b/protocol/authenticator.go
@@ -224,7 +224,7 @@ func (a *AuthenticatorData) Verify(rpIdHash []byte, appIDHash []byte, userVerifi
  // Verify that the RP ID hash in authData is indeed the SHA-256
  // hash of the RP ID expected by the RP.
  if !bytes.Equal(a.RPIDHash[:], rpIdHash) && !bytes.Equal(a.RPIDHash[:], appIDHash) {
- return ErrVerification.WithInfo(fmt.Sprintf("RP Hash mismatch. Expected %s and Received %s\n", a.RPIDHash, rpIdHash))
+ return ErrVerification.WithInfo(fmt.Sprintf("RP Hash mismatch. Expected %x and Received %x\n", a.RPIDHash, rpIdHash))
  }
 
  // Registration Step 10 & Assertion Step 12

diff --git a/protocol/client.go b/protocol/client.go
@@ -1,6 +1,7 @@
 package protocol
 
 import (
+ "crypto/subtle"
  "fmt"
  "net/url"
  "strings"
@@ -77,7 +78,7 @@ func (c *CollectedClientData) Verify(storedChallenge string, ceremony CeremonyTy
  // passed to the get() call.
 
  challenge := c.Challenge
- if 0 != strings.Compare(storedChallenge, challenge) {
+ if subtle.ConstantTimeCompare([]byte(storedChallenge), []byte(challenge)) == 1 {
  err := ErrVerification.WithDetails("Error validating challenge")
  return err.WithInfo(fmt.Sprintf("Expected b Value: %#v\nReceived b: %#v\n", storedChallenge, challenge))
  }