Refactored away from bool to enum.

abergs · abergs · commit dfa6f72b20d9 · 2024-10-18T13:25:52.000+02:00
diff --git a/Src/Fido2/AuthenticatorAttestationResponse.cs b/Src/Fido2/AuthenticatorAttestationResponse.cs
@@ -153,7 +153,7 @@ public async Task<RegisteredPublicKeyCredential> VerifyAsync(
         if (metadataService?.ConformanceTesting() is true && metadataEntry is null && attType != AttestationType.None && AttestationObject.Fmt is not "fido-u2f")
             throw new Fido2VerificationException(Fido2ErrorCode.AaGuidNotFound, "AAGUID not found in MDS test metadata");
 
-        TrustAnchor.Verify(metadataEntry, trustPath, metadataService?.ConformanceTesting() is true);
+        TrustAnchor.Verify(metadataEntry, trustPath, metadataService?.ConformanceTesting() is true ? FidoValidationMode.FidoConformance2024 : FidoValidationMode.Default);
 
         // 22. Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows:
         //     If self attestation was used, check if self attestation is acceptable under Relying Party policy.
@@ -257,7 +257,7 @@ private async Task<byte[]> DevicePublicKeyRegistrationAsync(
         if (metadataService?.ConformanceTesting() is true && metadataEntry is null && attType != AttestationType.None && devicePublicKeyAuthenticatorOutput.Fmt is not "fido-u2f")
             throw new Fido2VerificationException(Fido2ErrorCode.AaGuidNotFound, "AAGUID not found in MDS test metadata");
 
-        TrustAnchor.Verify(metadataEntry, trustPath, metadataService?.ConformanceTesting() is true);
+        TrustAnchor.Verify(metadataEntry, trustPath, metadataService?.ConformanceTesting() is true ? FidoValidationMode.FidoConformance2024 : FidoValidationMode.Default);
 
         // Check status reports for authenticator with undesirable status
         var latestStatusReport = metadataEntry?.GetLatestStatusReport();
diff --git a/Src/Fido2/Extensions/CryptoUtils.cs b/Src/Fido2/Extensions/CryptoUtils.cs
@@ -49,7 +49,7 @@ public static HashAlgorithmName HashAlgFromCOSEAlg(COSE.Algorithm alg)
         };
     }
 
-    public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certificate2[] attestationRootCertificates, bool conformance = false)
+    public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certificate2[] attestationRootCertificates, FidoValidationMode validationMode = FidoValidationMode.Default)
     {
         // https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-metadata-statement-v2.0-id-20180227.html#widl-MetadataStatement-attestationRootCertificates
 
@@ -102,10 +102,10 @@ public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certific
             chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
 
             // if the attestation cert has a CDP extension, go ahead and turn on online revocation checking
-            if (!string.IsNullOrEmpty(CDPFromCertificateExts(trustPath[0].Extensions)) && !conformance)
-                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
-
-            // don't allow unknown root now that we have a custom root
+            if (!string.IsNullOrEmpty(CDPFromCertificateExts(trustPath[0].Extensions)) && validationMode != FidoValidationMode.FidoConformance2024)
+                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
+
+            // don't allow unknown root now that we have a custom root
             chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
 
             // now, verify chain again with all checks turned on
diff --git a/Src/Fido2/FidoValidationMode.cs b/Src/Fido2/FidoValidationMode.cs
@@ -0,0 +1,6 @@
+public enum FidoValidationMode
+{
+    WebAuthNLevel3,
+    FidoConformance2024,
+    Default = WebAuthNLevel3
+}
diff --git a/Src/Fido2/TrustAnchor.cs b/Src/Fido2/TrustAnchor.cs
@@ -8,7 +8,7 @@ namespace Fido2NetLib;
 
 public static class TrustAnchor
 {
-    public static void Verify(MetadataBLOBPayloadEntry? metadataEntry, X509Certificate2[] trustPath, bool conformance)
+    public static void Verify(MetadataBLOBPayloadEntry? metadataEntry, X509Certificate2[] trustPath, FidoValidationMode validationMode = FidoValidationMode.Default)
     {
         if (trustPath != null && metadataEntry?.MetadataStatement?.AttestationTypes is not null)
         {
@@ -34,7 +34,7 @@ static bool ContainsAttestationType(MetadataBLOBPayloadEntry entry, MetadataAtte
                     throw new Fido2VerificationException(Fido2ErrorMessages.InvalidCertificateChain);
                 }
 
-                if (!CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates, conformance))
+                if (!CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates, validationMode))
                 {
                     throw new Fido2VerificationException(Fido2ErrorMessages.InvalidCertificateChain);
                 }

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ namespace Fido2NetLib;`
`8`	`8`
`9`	`9`	`public static class TrustAnchor`
`10`	`10`	`{`
`11`		`- public static void Verify(MetadataBLOBPayloadEntry? metadataEntry, X509Certificate2[] trustPath, bool conformance)`
	`11`	`+ public static void Verify(MetadataBLOBPayloadEntry? metadataEntry, X509Certificate2[] trustPath, FidoValidationMode validationMode = FidoValidationMode.Default)`
`12`	`12`	`{`
`13`	`13`	`if (trustPath != null && metadataEntry?.MetadataStatement?.AttestationTypes is not null)`
`14`	`14`	`{`
`@@ -34,7 +34,7 @@ static bool ContainsAttestationType(MetadataBLOBPayloadEntry entry, MetadataAtte`
`34`	`34`	`throw new Fido2VerificationException(Fido2ErrorMessages.InvalidCertificateChain);`
`35`	`35`	`}`
`36`	`36`
`37`		`- if (!CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates, conformance))`
	`37`	`+ if (!CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates, validationMode))`
`38`	`38`	`{`
`39`	`39`	`throw new Fido2VerificationException(Fido2ErrorMessages.InvalidCertificateChain);`
`40`	`40`	`}`