fix(webauthn): Extra checks for algorithm, and public key parts

Author: satoshiotomakan

src/Cbor.cpp

@@ -246,6 +246,11 @@ uint32_t Decode::getTotalLen() const {
     }
 }
 
+Decode::MajorType Decode::getMajorType() const {
+    TypeDesc typeDesc = getTypeDesc();
+    return typeDesc.majorType;
+}
+
 uint64_t Decode::getValue() const {
     TypeDesc typeDesc = getTypeDesc();
     if (typeDesc.majorType != MT_uint && typeDesc.majorType != MT_negint) {

src/Cbor.h

@@ -85,9 +85,22 @@ class Decode {
     /// Constructor, create from CBOR byte stream
     Decode(const Data& input);
 
-public: // decoding
+public:
+    enum MajorType {
+        MT_uint = 0,
+        MT_negint = 1,
+        MT_bytes = 2,
+        MT_string = 3,
+        MT_array = 4,
+        MT_map = 5,
+        MT_tag = 6,
+        MT_special = 7,
+    };
+
     /// Check if contains a valid CBOR byte stream.
     bool isValid() const;
+    // Get the major type
+    MajorType getMajorType() const;
     /// Get the value of a simple type
     uint64_t getValue() const;
     /// Get the value of a string/bytes as string
@@ -107,17 +120,6 @@ class Decode {
     uint32_t length() const { return subLen; }
     /// Return encoded form (useful e.g for parsed out sub-parts)
     Data encoded() const;
-
-    enum MajorType {
-        MT_uint = 0,
-        MT_negint = 1,
-        MT_bytes = 2,
-        MT_string = 3,
-        MT_array = 4,
-        MT_map = 5,
-        MT_tag = 6,
-        MT_special = 7,
-    };
 
 private:
     /// Struct used to keep reference to original data

src/WebAuthn.cpp

@@ -16,6 +16,8 @@ namespace TW::WebAuthn {
 static const std::size_t gAuthDataMinSize = 37;
 // 16 aaguid + 2 credIDLen
 static const std::size_t gAuthCredentialDataMinSize = 18;
+// 6 = -gAlgES256 - 1, where gAlgES256 = -7, ES256 = ECDSA w/ SHA-256 on P-256 curve
+static const uint64_t gAlgES256Encoded = 6;
 
 // https://www.w3.org/TR/webauthn-2/#authenticator-data
 struct AuthData {
@@ -125,17 +127,32 @@ std::optional<PublicKey> getPublicKey(const Data& attestationObject) {
         // https://www.w3.org/TR/webauthn-2/#sctn-encoded-credPubKey-examples
         const std::string xKey = "-2";
         const std::string yKey = "-3";
+        const std::string algKey = "3";
 
         const auto x = findIntKey(COSEPublicKey, xKey);
         const auto y = findIntKey(COSEPublicKey, yKey);
-        if (x == COSEPublicKey.end() || y == COSEPublicKey.end()) {
+        const auto alg = findIntKey(COSEPublicKey, algKey);
+        if (x == COSEPublicKey.end() || y == COSEPublicKey.end() || alg == COSEPublicKey.end()) {
             return std::nullopt;
         }
 
+        if (alg->second.getMajorType() != Cbor::Decode::MajorType::MT_negint) {
+            return std::nullopt;
+        }
+        // Currently, we only support P256 public keys.
+        if (alg->second.getValue() != gAlgES256Encoded) {
+            return std::nullopt;
+        }
+
+        const auto xBytes = x->second.getBytes();
+        const auto yBytes = y->second.getBytes();
+        if (xBytes.size() != 32 || yBytes.size() != 32) {
+            return std::nullopt;
+        }
         Data publicKey;
         append(publicKey, 0x04);
-        append(publicKey, x->second.getBytes());
-        append(publicKey, y->second.getBytes());
+        append(publicKey, xBytes);
+        append(publicKey, yBytes);
 
         return PublicKey(publicKey, TWPublicKeyTypeNIST256p1Extended);
     } catch (...) {