Update AuthenticatorAssertionResponse.cs

Gabor Mihaly · Gabor Mihaly · commit 84c99095a088 · 2023-12-05T15:54:15.000+01:00
AssertionResponse: UserPresent flag is must have unless we are in conformance testing
diff --git a/Src/Fido2/AuthenticatorAssertionResponse.cs b/Src/Fido2/AuthenticatorAssertionResponse.cs
@@ -122,20 +122,18 @@ public async Task<VerifyAssertionResult> VerifyAsync(
         var rpid = Raw.Extensions?.AppID ?? false ? options.Extensions?.GetAppID() : options.RpId;
         byte[] hashedRpId = CryptoUtils.HashData(HashAlgorithmName.SHA256, Encoding.UTF8.GetBytes(rpid ?? string.Empty));
         byte[] hash = CryptoUtils.HashData(HashAlgorithmName.SHA256, Raw.Response.ClientDataJson);
+        bool conformanceTesting = metadataService != null && metadataService.ConformanceTesting();
 
         if (!authData.RpIdHash.SequenceEqual(hashedRpId))
             throw new Fido2VerificationException(Fido2ErrorCode.InvalidRpidHash, Fido2ErrorMessages.InvalidRpidHash);
 
-        if (options.UserVerification is UserVerificationRequirement.Required)
-        {
-            // 14. Verify that the UP bit of the flags in authData is set.
-            if (!authData.UserPresent)
-                throw new Fido2VerificationException(Fido2ErrorCode.UserPresentFlagNotSet, Fido2ErrorMessages.UserPresentFlagNotSet);
+        // 14. Verify that the UP bit of the flags in authData is set.
+        if (!authData.UserPresent && (!conformanceTesting || options.UserVerification is UserVerificationRequirement.Required))
+            throw new Fido2VerificationException(Fido2ErrorCode.UserPresentFlagNotSet, Fido2ErrorMessages.UserPresentFlagNotSet);
 
-            // 15. If the Relying Party requires user verification for this assertion, verify that the UV bit of the flags in authData is set.
-            if (!authData.UserVerified)
-                throw new Fido2VerificationException(Fido2ErrorCode.UserVerificationRequirementNotMet, Fido2ErrorMessages.UserVerificationRequirementNotMet);
-        }
+        // 15. If the Relying Party requires user verification for this assertion, verify that the UV bit of the flags in authData is set.
+        if (options.UserVerification is UserVerificationRequirement.Required && !authData.UserVerified)
+            throw new Fido2VerificationException(Fido2ErrorCode.UserVerificationRequirementNotMet, Fido2ErrorMessages.UserVerificationRequirementNotMet);
 
         // 16. If the credential backup state is used as part of Relying Party business logic or policy, let currentBe and currentBs be the values of the BE and BS bits, respectively, of the flags in authData.
         // Compare currentBe and currentBs with credentialRecord.BE and credentialRecord.BS and apply Relying Party policy, if any.
