Updated throws to specify types when possible

Author: dimitribouniol

Sources/WebAuthn/Ceremonies/Shared/AuthenticatorData.swift

@@ -27,11 +27,10 @@ struct AuthenticatorData: Equatable, Sendable {
 }
 
 extension AuthenticatorData {
-    init(bytes: [UInt8]) throws {
+    init(bytes: [UInt8]) throws(WebAuthnError) {
         let minAuthDataLength = 37
-        guard bytes.count >= minAuthDataLength else {
-            throw WebAuthnError.authDataTooShort
-        }
+        guard bytes.count >= minAuthDataLength
+        else { throw .authDataTooShort }
 
         let relyingPartyIDHash = Array(bytes[..<32])
         let flags = AuthenticatorFlags(bytes[32])
@@ -43,69 +42,69 @@ extension AuthenticatorData {
         // For attestation signatures, the authenticator MUST set the AT flag and include the attestedCredentialData.
         if flags.attestedCredentialData {
             let minAttestedAuthLength = 37 + AAGUID.size + 2
-            guard bytes.count > minAttestedAuthLength else {
-                throw WebAuthnError.attestedCredentialDataMissing
-            }
+            guard bytes.count > minAttestedAuthLength
+            else { throw .attestedCredentialDataMissing }
+
             let (data, length) = try Self.parseAttestedData(bytes)
             attestedCredentialData = data
             remainingCount -= length
         // For assertion signatures, the AT flag MUST NOT be set and the attestedCredentialData MUST NOT be included.
         } else {
             if !flags.extensionDataIncluded && bytes.count != minAuthDataLength {
-                throw WebAuthnError.attestedCredentialFlagNotSet
+                throw .attestedCredentialFlagNotSet
             }
         }
 
         var extensionData: [UInt8]?
         if flags.extensionDataIncluded {
-            guard remainingCount != 0 else {
-                throw WebAuthnError.extensionDataMissing
-            }
+            guard remainingCount != 0
+            else { throw .extensionDataMissing }
+
             extensionData = Array(bytes[(bytes.count - remainingCount)...])
             remainingCount -= extensionData!.count
         }
 
-        guard remainingCount == 0 else {
-            throw WebAuthnError.leftOverBytesInAuthenticatorData
-        }
+        guard remainingCount == 0
+        else { throw .leftOverBytesInAuthenticatorData }
 
         self.relyingPartyIDHash = relyingPartyIDHash
         self.flags = flags
         self.counter = counter
         self.attestedData = attestedCredentialData
         self.extData = extensionData
-
     }
 
     /// Parse and return the attested credential data and its length.
     ///
     /// This is assumed to take place after the first 37 bytes of `data`, which is always of fixed size.
     /// - SeeAlso: [WebAuthn Level 3 Editor's Draft §6.5.1. Attested Credential Data]( https://w3c.github.io/webauthn/#sctn-attested-credential-data)
-    private static func parseAttestedData(_ data: [UInt8]) throws -> (AttestedCredentialData, Int) {
+    private static func parseAttestedData(_ data: [UInt8]) throws(WebAuthnError) -> (AttestedCredentialData, Int) {
         /// **aaguid** (16): The AAGUID of the authenticator.
         guard let aaguid = AAGUID(bytes: data[37..<(37 + AAGUID.size)])  // Bytes [37-52]
-        else { throw WebAuthnError.attestedCredentialDataMissing }
+        else { throw .attestedCredentialDataMissing }
 
         /// **credentialIdLength** (2): Byte length L of credentialId, 16-bit unsigned big-endian integer. Value MUST be ≤ 1023.
         let idLengthBytes = data[53..<55]  // Length is 2 bytes
         let idLengthData = Data(idLengthBytes)
         let idLength = UInt16(bigEndianBytes: idLengthData)
 
         guard idLength <= 1023
-        else { throw WebAuthnError.credentialIDTooLong }
+        else { throw .credentialIDTooLong }
 
         let credentialIDEndIndex = Int(idLength) + 55
         guard data.count >= credentialIDEndIndex 
-        else { throw WebAuthnError.credentialIDTooShort }
+        else { throw .credentialIDTooShort }
 
         /// **credentialId** (L): Credential ID
         let credentialID = data[55..<credentialIDEndIndex]
 
         /// **credentialPublicKey** (variable): The credential public key encoded in `COSE_Key` format, as defined in [Section 7](https://tools.ietf.org/html/rfc9052#section-7) of [RFC9052], using the CTAP2 canonical CBOR encoding form.
-        /// Assuming valid CBOR, verify the public key's length by decoding the next CBOR item.
+        /// Assuming valid CBOR, verify the public key's length by decoding the next CBOR item, and checking how much data is left on the stream.
         let inputStream = ByteInputStream(data[credentialIDEndIndex...])
-        let decoder = CBORDecoder(stream: inputStream, options: CBOROptions(maximumDepth: 16))
-        _ = try decoder.decodeItem()
+        do {
+            let decoder = CBORDecoder(stream: inputStream, options: CBOROptions(maximumDepth: 16))
+            _ = try decoder.decodeItem()
+        } catch { throw .invalidPublicKeyLength }
         let publicKeyBytes = data[credentialIDEndIndex..<(data.count - inputStream.remainingBytes)]
 
         let data = AttestedCredentialData(
@@ -132,13 +131,13 @@ class ByteInputStream: CBORInputStream {
     /// The remaining bytes in the original data buffer.
     var remainingBytes: Int { slice.count }
 
-    func popByte() throws -> UInt8 {
-        if slice.count < 1 { throw CBORError.unfinishedSequence }
+    func popByte() throws(CBORError) -> UInt8 {
+        if slice.count < 1 { throw .unfinishedSequence }
         return slice.removeFirst()
     }
 
-    func popBytes(_ n: Int) throws -> ArraySlice<UInt8> {
-        if slice.count < n { throw CBORError.unfinishedSequence }
+    func popBytes(_ n: Int) throws(CBORError) -> ArraySlice<UInt8> {
+        if slice.count < n { throw .unfinishedSequence }
         let result = slice.prefix(n)
         slice = slice.dropFirst(n)
         return result

Sources/WebAuthn/Ceremonies/Shared/CollectedClientData.swift

@@ -34,11 +34,14 @@ public struct CollectedClientData: Codable, Hashable, Sendable {
     public let challenge: URLEncodedBase64
     public let origin: String
 
-    func verify(storedChallenge: [UInt8], ceremonyType: CeremonyType, relyingPartyOrigin: String) throws {
-        guard type == ceremonyType else { throw CollectedClientDataVerifyError.ceremonyTypeDoesNotMatch }
-        guard challenge == storedChallenge.base64URLEncodedString() else {
-            throw CollectedClientDataVerifyError.challengeDoesNotMatch
-        }
-        guard origin == relyingPartyOrigin else { throw CollectedClientDataVerifyError.originDoesNotMatch }
+    func verify(storedChallenge: [UInt8], ceremonyType: CeremonyType, relyingPartyOrigin: String) throws(CollectedClientDataVerifyError) {
+        guard type == ceremonyType
+        else { throw .ceremonyTypeDoesNotMatch }
+        
+        guard challenge == storedChallenge.base64URLEncodedString()
+        else { throw .challengeDoesNotMatch }
+        
+        guard origin == relyingPartyOrigin
+        else { throw .originDoesNotMatch }
     }
 }

Sources/WebAuthn/Ceremonies/Shared/CredentialPublicKey.swift

@@ -105,28 +105,28 @@ struct EC2PublicKey: PublicKey, Sendable {
         self.yCoordinate = yCoordinate
     }
 
-    init(publicKeyObject: CBOR, algorithm: COSEAlgorithmIdentifier) throws {
+    init(publicKeyObject: CBOR, algorithm: COSEAlgorithmIdentifier) throws(WebAuthnError) {
         self.algorithm = algorithm
 
-        // Curve is key -1 - or -0 for SwiftCBOR
-        // X Coordinate is key -2, or NegativeInt 1 for SwiftCBOR
-        // Y Coordinate is key -3, or NegativeInt 2 for SwiftCBOR
-        guard let curveRaw = publicKeyObject[COSEKey.crv.cbor],
+        /// Curve is key -1 - or -0 for SwiftCBOR
+        /// X Coordinate is key -2, or NegativeInt 1 for SwiftCBOR
+        /// Y Coordinate is key -3, or NegativeInt 2 for SwiftCBOR
+        guard
+            let curveRaw = publicKeyObject[COSEKey.crv.cbor],
             case let .unsignedInt(curve) = curveRaw,
-            let coseCurve = COSECurve(rawValue: curve) else {
-            throw WebAuthnError.invalidCurve
-        }
+            let coseCurve = COSECurve(rawValue: curve)
+        else { throw .invalidCurve }
         self.curve = coseCurve
 
-        guard let xCoordRaw = publicKeyObject[COSEKey.x.cbor],
-              case let .byteString(xCoordinateBytes) = xCoordRaw else {
-            throw WebAuthnError.invalidXCoordinate
-        }
+        guard
+            let xCoordRaw = publicKeyObject[COSEKey.x.cbor],
+            case let .byteString(xCoordinateBytes) = xCoordRaw
+        else { throw .invalidXCoordinate }
         xCoordinate = xCoordinateBytes
-        guard let yCoordRaw = publicKeyObject[COSEKey.y.cbor],
-              case let .byteString(yCoordinateBytes) = yCoordRaw else {
-            throw WebAuthnError.invalidYCoordinate
-        }
+        guard
+            let yCoordRaw = publicKeyObject[COSEKey.y.cbor],
+            case let .byteString(yCoordinateBytes) = yCoordRaw
+        else { throw .invalidYCoordinate }
         yCoordinate = yCoordinateBytes
     }
 
@@ -164,23 +164,23 @@ struct RSAPublicKeyData: PublicKey, Sendable {
 
     var rawRepresentation: [UInt8] { n + e }
 
-    init(publicKeyObject: CBOR, algorithm: COSEAlgorithmIdentifier) throws {
+    init(publicKeyObject: CBOR, algorithm: COSEAlgorithmIdentifier) throws(WebAuthnError) {
         self.algorithm = algorithm
 
-        guard let nRaw = publicKeyObject[COSEKey.n.cbor],
-              case let .byteString(nBytes) = nRaw else {
-            throw WebAuthnError.invalidModulus
-        }
+        guard
+            let nRaw = publicKeyObject[COSEKey.n.cbor],
+            case let .byteString(nBytes) = nRaw
+        else { throw .invalidModulus }
         n = nBytes
 
-        guard let eRaw = publicKeyObject[COSEKey.e.cbor],
-              case let .byteString(eBytes) = eRaw else {
-            throw WebAuthnError.invalidExponent
-        }
+        guard
+            let eRaw = publicKeyObject[COSEKey.e.cbor],
+            case let .byteString(eBytes) = eRaw
+        else { throw .invalidExponent }
         e = eBytes
     }
 
-    func verify(signature: some DataProtocol, data: some DataProtocol) throws {
+    func verify(signature: some DataProtocol, data: some DataProtocol) throws(WebAuthnError) {
         throw WebAuthnError.unsupported
         // let rsaSignature = _RSA.Signing.RSASignature(derRepresentation: signature)
 
@@ -210,22 +210,24 @@ struct OKPPublicKey: PublicKey, Sendable {
     let curve: UInt64
     let xCoordinate: [UInt8]
 
-    init(publicKeyObject: CBOR, algorithm: COSEAlgorithmIdentifier) throws {
+    init(publicKeyObject: CBOR, algorithm: COSEAlgorithmIdentifier) throws(WebAuthnError) {
         self.algorithm = algorithm
-        // Curve is key -1, or NegativeInt 0 for SwiftCBOR
-        guard let curveRaw = publicKeyObject[.negativeInt(0)], case let .unsignedInt(curve) = curveRaw else {
-            throw WebAuthnError.invalidCurve
-        }
+        /// Curve is key -1, or NegativeInt 0 for SwiftCBOR
+        guard
+            let curveRaw = publicKeyObject[.negativeInt(0)],
+            case let .unsignedInt(curve) = curveRaw
+        else { throw .invalidCurve }
         self.curve = curve
-        // X Coordinate is key -2, or NegativeInt 1 for SwiftCBOR
-        guard let xCoordRaw = publicKeyObject[.negativeInt(1)],
-            case let .byteString(xCoordinateBytes) = xCoordRaw else {
-            throw WebAuthnError.invalidXCoordinate
-        }
+        
+        /// X Coordinate is key -2, or NegativeInt 1 for SwiftCBOR
+        guard
+            let xCoordRaw = publicKeyObject[.negativeInt(1)],
+            case let .byteString(xCoordinateBytes) = xCoordRaw
+        else { throw .invalidXCoordinate }
         xCoordinate = xCoordinateBytes
     }
 
-    func verify(signature: some DataProtocol, data: some DataProtocol) throws {
+    func verify(signature: some DataProtocol, data: some DataProtocol) throws(WebAuthnError) {
         throw WebAuthnError.unsupported
     }
 }

Sources/WebAuthn/WebAuthnError.swift

@@ -51,6 +51,7 @@ public struct WebAuthnError: Error, Hashable, Sendable {
         case leftOverBytesInAuthenticatorData
         case credentialIDTooLong
         case credentialIDTooShort
+        case invalidPublicKeyLength
 
         // MARK: CredentialPublicKey
         case badPublicKeyBytes
@@ -110,6 +111,7 @@ public struct WebAuthnError: Error, Hashable, Sendable {
     public static let leftOverBytesInAuthenticatorData = Self(reason: .leftOverBytesInAuthenticatorData)
     public static let credentialIDTooLong = Self(reason: .credentialIDTooLong)
     public static let credentialIDTooShort = Self(reason: .credentialIDTooShort)
+    public static let invalidPublicKeyLength = Self(reason: .invalidPublicKeyLength)
 
     // MARK: CredentialPublicKey
     public static let badPublicKeyBytes = Self(reason: .badPublicKeyBytes)

Sources/WebAuthn/WebAuthnManager.swift

@@ -112,9 +112,8 @@ public struct WebAuthnManager: Sendable {
         // TODO: Step 18. -> Verify client extensions
 
         // Step 24.
-        guard try await confirmCredentialIDNotRegisteredYet(parsedData.id.asString()) else {
-            throw WebAuthnError.credentialIDAlreadyExists
-        }
+        guard try await confirmCredentialIDNotRegisteredYet(parsedData.id.asString())
+        else { throw WebAuthnError.credentialIDAlreadyExists }
 
         // Step 25.
         return Credential(
@@ -142,7 +141,7 @@ public struct WebAuthnManager: Sendable {
         timeout: Duration? = .seconds(60),
         allowCredentials: [PublicKeyCredentialDescriptor]? = nil,
         userVerification: UserVerificationRequirement = .preferred
-    ) throws -> PublicKeyCredentialRequestOptions {
+    ) -> PublicKeyCredentialRequestOptions {
         let challenge = challengeGenerator.generate()
 
         return PublicKeyCredentialRequestOptions(

Tests/WebAuthnTests/WebAuthnManagerAuthenticationTests.swift

@@ -35,7 +35,7 @@ final class WebAuthnManagerAuthenticationTests: XCTestCase {
 
     func testBeginAuthentication() async throws {
         let allowCredentials = [PublicKeyCredentialDescriptor(type: .publicKey, id: [1, 0, 2, 30])]
-        let options = try webAuthnManager.beginAuthentication(
+        let options = webAuthnManager.beginAuthentication(
             timeout: .seconds(1234),
             allowCredentials: allowCredentials,
             userVerification: .preferred

Tests/WebAuthnTests/WebAuthnManagerIntegrationTests.swift

@@ -99,7 +99,7 @@ final class WebAuthnManagerIntegrationTests: XCTestCase {
             id: [UInt8](URLEncodedBase64(credential.id).urlDecoded.decoded!)
         )]
 
-        let authenticationOptions = try webAuthnManager.beginAuthentication(
+        let authenticationOptions = webAuthnManager.beginAuthentication(
             timeout: authenticationTimeout,
             allowCredentials: rememberedCredentials,
             userVerification: userVerification