Release version 2.0.0

[abergs]

This PR bumps the version to 2.0.0.

The reason for the major version is because the large number of changes, some that in theory could be breaking.

Preview releases are up on NuGet: https://www.nuget.org/packages/Fido2/2.0.0-preview2

Release notes:

Changes

💥 Breaking change

• Improved API consistency for response parsing @Cooke (Improved API consistency for response parsing #150)
• Core 3.0 Support @abergs (Core 3.0 Support #145)
• MDS refactoring @mackie1001 (MDS refactoring #125)
• Moved Models and Public classes to Fido2NetLib.Models project @abergs (Moved Models and Public classes to Fido2NetLib.Models project #103)

🚀 Features and enhancements

• Make TPM attestation format verifier work more like packed with regard to X5C @aseigler (Make TPM attestation format verifier work more like packed with regard to X5C #180)
• Switch remaining manual ASN.1 decoding to using the AsnElt library @aseigler (Switch remaining manual ASN.1 decoding to using the AsnElt library #176)
• Switch to using NSec.Cryptography v20.2.0 for Ed25519 @aseigler (Switch to using NSec.Cryptography v20.2.0 for Ed25519 #169)
• Upgrade PeterO.Cbor package to v4.1.2 @aseigler (Upgrade PeterO.Cbor package to v4.1.2 #168)
• Add code coverage and codecov reporting @abergs (Add code coverage and codecov reporting #170)
• Fix SafetyNet attestation verification, add unit tests @aseigler (Fix SafetyNet attestation verification, add unit tests #165)
• Add optional validation of attestation root certs @AdamUCF (Add optional validation of attestation root certs #164)
• Add many unit tests for nearly all attestation types @aseigler (Add many unit tests for nearly all attestation types #162)
• adding solo tap and somu metadata to static metadata repository @AdamUCF (adding solo tap and somu metadata to static metadata repository #157)
• Fix for issue Upgrade to System.IdentityModel.Tokens.Jwt 6.5.0 has broken the Fido2MetadataServiceRepository #153 - System.IdentityModel.Tokens.Jwt version upgrade an associated fixes @mackie1001 (Fix for issue #153 - System.IdentityModel.Tokens.Jwt version upgrade an associated fixes #156)
• Fixed challenge replay attack issue in examples @Cooke (Fixed challenge replay attack issue in examples #151)
• Improved API consistency for response parsing @Cooke (Improved API consistency for response parsing #150)
• Core 3.0 Support @abergs (Core 3.0 Support #145)
• Add MDS configuration to Fido2Configuration @damienbod (Add MDS configuration to Fido2Configuration #134)
• Remove CNG dependencies to allow cross platform scenarios @aseigler (Remove CNG dependencies to allow cross platform scenarios #132)
• Code cleanup @Shtong (Code cleanup #127)
• MDS refactoring @mackie1001 (MDS refactoring #125)
• Moved Models and Public classes to Fido2NetLib.Models project @abergs (Moved Models and Public classes to Fido2NetLib.Models project #103)
• Refactor AuthenticatorData, and subcomponents @aseigler (Refactor AuthenticatorData, and subcomponents #104)
• Redesign @abergs (Redesign #102)
• Continue redesign of AuthenticatorData, AttestedCredentialData, and CredentialPublicKey @aseigler (Continue redesign of AuthenticatorData, AttestedCredentialData, and CredentialPublicKey #100)
• Begin redesign of AuthenticatorData, AttestedCredentialData, and Cred… @aseigler (Begin redesign of AuthenticatorData, AttestedCredentialData, and Cred… #97)
• Restructure repository per proposal in [Proposal] Restructuring repository #79 @aseigler (Restructure repository per proposal in #79 #95)
• Convert metadata to async @aseigler (Convert metadata to async #83)
• Refactor and improve ToEnum extension method @CodeTherapist (Refactor and improve ToEnum extension method #85)
• Add minimal tests for Base64Url class @CodeTherapist (Add minimal tests for Base64Url class #84)
• Parsing EnumMember values to Enum @daviddesmet (Parsing EnumMember values to Enum #75)
• Support Target Frameworks by OS @daviddesmet (Support Target Frameworks by OS #74)
• Properties of PublicKeyCredentialType enum are nullable @daviddesmet (Properties of PublicKeyCredentialType enum are nullable #73)
• Prefer enumeration @daviddesmet (Prefer enumeration #69)
• Removed net462 from test project @abergs (Removed net462 from test project #65)
• Added a guarding mechanism to prevent usage in .NET46X @MeikTranel (Added a guarding mechanism to prevent usage in .NET46X #66)
• TPM chain validation, move MDS to packed attestation specific area @aseigler (TPM chain validation, move MDS to packed attestation specific area #63)
• Please review @aseigler (Please review #59)

🐛 Bug Fixes

• Fix SafetyNet attestation verification, add unit tests @aseigler (Fix SafetyNet attestation verification, add unit tests #165)
• Fix for issue Upgrade to System.IdentityModel.Tokens.Jwt 6.5.0 has broken the Fido2MetadataServiceRepository #153 - System.IdentityModel.Tokens.Jwt version upgrade an associated fixes @mackie1001 (Fix for issue #153 - System.IdentityModel.Tokens.Jwt version upgrade an associated fixes #156)
• Bug fix: require_resident_key @Shane32 (Bug fix: require_resident_key #152)
• EdDSA test, sign the actual data, not a hash of the data @aseigler (EdDSA test, sign the actual data, not a hash of the data #128)
• Problem with non English OS @fa18swiss (Problem with non English OS #119)
• corrected error variable @Celdus (corrected error variable #118)
• Wrong naming of attestationObject and clientDataJSON in usernameless.… @Wesseldr (Wrong naming of attestationObject and clientDataJSON in usernameless.… #105)
• Add field userHandle in verifyAssertionWithServer @Wesseldr (Add field userHandle in verifyAssertionWithServer #108)
• use AppId instead of RpId to hash when AppId-Extensions-Flag is set @dgorbach (use AppId instead of RpId to hash when AppId-Extensions-Flag is set #99)
• Fixes enum parsing with dashed values @daviddesmet (Fixes enum parsing with dashed values #90)

🧰 Maintenance & documentation

• Solve CI/CD Missing packages error @abergs (Solve CI/CD Missing packages error #182)
• Improved release note template @abergs (Improved release note template #174)
• Require labels on PR for better release notes @abergs (Require labels on PR for better release notes #173)
• Added better badges @abergs (Added better badges #172)
• Added support for release-drafter as GH action @abergs (Added support for release-drafter as GH action #171)
• fix 404 CHANGELOG link @damienbod (fix 404 CHANGELOG link  #163)
• Adding a changelog, and 2 links to the readme @damienbod (Adding a changelog, and 2 links to the readme #160)
• Created CONTRIBUTING.md @Shtong (Created CONTRIBUTING.md #129)
• Cleaned dead code @Shtong (Cleaned dead code #131)
• Adds xml comment documentation @CodeTherapist (Adds xml comment documentation #122)
• Code cleanup @Shtong (Code cleanup #127)
• Activating Open Collective @monkeywithacupcake (Activating Open Collective #123)
• Fix minor typos in demo javascript @Tornhoof (Fix minor typos in demo javascript #115)
• fix links in readme to demo controllers @damienbod (fix links in readme to demo controllers #114)
• Redesign @abergs (Redesign #102)
• Add webauthn.io site to Read More @nicksteele (Add webauthn.io site to Read More #81)
• Update README.md @aseigler (Update README.md #77)
• Added syntax highlight to the code samples @herrjemand (Added syntax highlight to the code samples #67)
• General project structure overhaul @MeikTranel (General project structure overhaul #61)

[github-actions]

This pull request contains a valid label.

[github-actions]

This pull request contains a valid label.

[codecov]

Codecov Report

Merging #175 (3e4ded5) into master (acda23d) will increase coverage by 0.43%.
The diff coverage is n/a.

❗ Current head 3e4ded5 differs from pull request most recent head 9e1530a. Consider uploading reports for the commit 9e1530a to get more accurate results

@@            Coverage Diff             @@
##           master     #175      +/-   ##
==========================================
+ Coverage   71.30%   71.73%   +0.43%     
==========================================
  Files          67       68       +1     
  Lines        3042     3361     +319     
==========================================
+ Hits         2169     2411     +242     
- Misses        873      950      +77     

Impacted Files	Coverage Δ
...s/Objects/AuthenticationExtensionsClientOutputs.cs	10.00% <0.00%> (-90.00%)	⬇️
Src/Fido2.Models/Objects/GeoCoordinate.cs	0.00% <0.00%> (-40.57%)	⬇️
Src/Fido2/AuthenticatorAttestationResponse.cs	82.02% <0.00%> (-17.98%)	⬇️
...ido2.Models/AuthenticatorAttestationRawResponse.cs	85.71% <0.00%> (-14.29%)	⬇️
Src/Fido2/AttestationFormat/Packed.cs	66.66% <0.00%> (-9.74%)	⬇️
Src/Fido2/AuthenticatorAssertionResponse.cs	94.73% <0.00%> (-5.27%)	⬇️
Src/Fido2/AttestationFormat/FidoU2f.cs	86.41% <0.00%> (-4.63%)	⬇️
Src/Fido2.Models/Fido2Configuration.cs	38.46% <0.00%> (-3.21%)	⬇️
Src/Fido2/Objects/CredentialPublicKey.cs	83.89% <0.00%> (-0.68%)	⬇️
Src/Fido2/Fido2NetLib.cs	79.54% <0.00%> (ø)
... and 8 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3d823eb...9e1530a. Read the comment docs.

[abergs]

@aseigler We are waiting for #166, right?

[aseigler]

@aseigler We are waiting for #166, right?

Yes please, hoping to have it resolved in the next couple of days.

[abergs]

@aseigler No stress, preview package is out for consumers who need it.

[mackie1001]

Thanks guys :)

[aseigler]

[github-actions]

This pull request contains a valid label.

[abergs]

Published preview2 package: https://www.nuget.org/packages/Fido2/2.0.0-preview2

@mackie1001 Could you try and verify that preview works for you?

[aseigler]

Published preview2 package: https://www.nuget.org/packages/Fido2/2.0.0-preview2

@mackie1001 Could you try and verify that preview works for you?

Bump.

[abergs]

@mackie1001 How has your experience been with the 2.0 preview?

[mackie1001]

@abergs Apologies for the lack of response. I've not had the chance to pick it up as I've been focusing on another project at work. I will try and give it a go over the weekend.

[mackie1001]

@abergs Overall it seems fine, however I have encountered an issue when trying to register my Windows Hello enabled laptop.

The exception when calling MakeNewCredentialAsync() is:

Asn1.AsnException: wrong number of sub-elements: 3 (expected: 1)
   at Asn1.AsnElt.CheckNumSub(Int32 n)
   at Fido2NetLib.AttestationFormat.Tpm.SANFromAttnCertExts(X509ExtensionCollection exts)
   at Fido2NetLib.AttestationFormat.Tpm.Verify()
   at Fido2NetLib.AuthenticatorAttestationResponse.<VerifyAsync>d__10.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Fido2NetLib.Fido2.<MakeNewCredentialAsync>d__6.MoveNext()

It looks like the TPM logic has been beefed up considerably since 1.1.

The error occurs on line 279 of Tpm.cs:

exp.CheckNumSub(1);

I've reproduced it with the following settings in the custom registration in the demo app:

Attestation type: Direct
Autheticator: Platform (TPM)
User verification: discouraged

The authenticator is "Windows Hello Hardware Authenticator", AAGUID: 08987058-cadc-4b81-b6e1-30de50dcbe96

Playing around a bit I managed to tweak the code in line with the sample on page 35 of this doc: https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf

// SEQUENCE
30 49
    // SET
    31 16
        // SEQUENCE
        30 14
            // OBJECT IDENTIFER tcg-at-tpmManufacturer (2.23.133.2.1)
            06 05 67 81 05 02 01
            // UTF8 STRING id:54434700 (TCG)
            0C 0B 69 64 3A 35 34 34 33 34 37 30 30
    // SET
    31 17
        // SEQUENCE
        30 15
            // OBJECT IDENTIFER tcg-at-tpmModel (2.23.133.2.2)
            06 05 67 81 05 02 02
            // UTF8 STRING ABCDEF123456
            0C 0C 41 42 43 44 45 46 31 32 33 34 35 36
    // SET
    31 16
        // SEQUENCE
        30 14
            // OBJECT IDENTIFER tcg-at-tpmVersion (2.23.133.2.3)
            06 05 67 81 05 02 03
            // UTF8 STRING id:00010023
            0C 0B 69 64 3A 30 30 30 31 30 30 32 33 

var exp = generalName.GetSub(0); actually ends up being the top level // SEQUENCE from that sample and not the level above like the current code assumes.

I think the mistake was thinking the GeneralName to directoryName relationship was "has a" rather than "is a".

I'll raise a PR ASAP but I'd appreciate some help verifying the fix using another real world TPM implenentation - e.g. OSX maybe?

[aseigler]

Switching the ASN.1 decoder/encoder was definitely a big piece of this update. Definitely will try to reproduce the scenario you hit as well.

There is no other real world TPM implementation right now, only Windows 10. Apple doesn't TPM, the only real hope for TPM would be Linux someday if someone wants it bad enough.

[mackie1001]

@aseigler I assumed all TPM-based implementations used tpm but it looks like I was wrong. Windows Hello Software Authenticator uses packed too.

[aseigler]

@aseigler I assumed all TPM-based implementations used tpm but it looks like I was wrong. Windows Hello Software Authenticator uses packed too.

Yes, a platform authenticator attestation request on Windows 10 can result in packed or TPM depending on several factors.

[mackie1001]

FYI I've now tested this on Windows 10 1909 and 2004 and get the same result.

[github-actions]

This pull request contains a valid label.

[github-actions]

This pull request contains a valid label.

[github-actions]

This pull request contains a valid label.

[yackermann]

Congrats guys!