[PM-4167] feat: add support for storing PRF keys

bitwarden · Oct 6, 2023 · 4b9b047 · 4b9b047
1 parent e6f5534
commit 4b9b047
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 3 deletions.
diff --git a/src/Api/Auth/Controllers/WebAuthnController.cs b/src/Api/Auth/Controllers/WebAuthnController.cs
@@ -68,7 +68,7 @@ public async Task Post([FromBody] WebAuthnCredentialRequestModel model)
             throw new BadRequestException("The token associated with your request is expired. A valid token is required to continue.");
         }
 
-        var success = await _userService.CompleteWebAuthLoginRegistrationAsync(user, model.Name, model.SupportsPrf, tokenable.Options, model.DeviceResponse);
+        var success = await _userService.CompleteWebAuthLoginRegistrationAsync(user, model.Name, model.SupportsPrf, model.EncryptedUserKey, model.EncryptedPublicKey, model.EncryptedPrivateKey, tokenable.Options, model.DeviceResponse);
         if (!success)
         {
             throw new BadRequestException("Unable to complete WebAuthn registration.");

diff --git a/src/Api/Auth/Models/Request/WebAuthn/WebAuthnCredentialRequestModel.cs b/src/Api/Auth/Models/Request/WebAuthn/WebAuthnCredentialRequestModel.cs
@@ -1,4 +1,5 @@
 using System.ComponentModel.DataAnnotations;
+using Bit.Core.Utilities;
 using Fido2NetLib;
 
 namespace Bit.Api.Auth.Models.Request.Webauthn;
@@ -16,5 +17,20 @@ public class WebAuthnCredentialRequestModel
 
     [Required]
     public bool SupportsPrf { get; set; }
+
+    [Required]
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedUserKey { get; set; }
+
+    [Required]
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedPublicKey { get; set; }
+
+    [Required]
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedPrivateKey { get; set; }
 }
 
diff --git a/src/Core/Auth/Entities/WebAuthnCredential.cs b/src/Core/Auth/Entities/WebAuthnCredential.cs
@@ -19,8 +19,11 @@ public class WebAuthnCredential : ITableObject<Guid>
     [MaxLength(20)]
     public string Type { get; set; }
     public Guid AaGuid { get; set; }
+    [MaxLength(2000)]
     public string EncryptedUserKey { get; set; }
+    [MaxLength(2000)]
     public string EncryptedPrivateKey { get; set; }
+    [MaxLength(2000)]
     public string EncryptedPublicKey { get; set; }
     public bool SupportsPrf { get; set; }
     public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;

diff --git a/src/Core/Services/IUserService.cs b/src/Core/Services/IUserService.cs
@@ -28,7 +28,7 @@ public interface IUserService
     Task<bool> DeleteWebAuthnKeyAsync(User user, int id);
     Task<bool> CompleteWebAuthRegistrationAsync(User user, int value, string name, AuthenticatorAttestationRawResponse attestationResponse);
     Task<CredentialCreateOptions> StartWebAuthnLoginRegistrationAsync(User user);
-    Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, bool supportsPrf, CredentialCreateOptions options, AuthenticatorAttestationRawResponse attestationResponse);
+    Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, bool supportsPrf, string encryptedUserKey, string encryptedPublicKey, string encryptedPrivateKey, CredentialCreateOptions options, AuthenticatorAttestationRawResponse attestationResponse);
     Task<AssertionOptions> StartWebAuthnLoginAssertionAsync(User user);
     Task<string> CompleteWebAuthLoginAssertionAsync(AuthenticatorAssertionRawResponse assertionResponse, User user);
     Task SendEmailVerificationAsync(User user);

diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
@@ -543,6 +543,7 @@ public async Task<CredentialCreateOptions> StartWebAuthnLoginRegistrationAsync(U
     }
 
     public async Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, bool supportsPrf,
+        string encryptedUserKey, string encryptedPublicKey, string encryptedPrivateKey,
         CredentialCreateOptions options,
         AuthenticatorAttestationRawResponse attestationResponse)
     {
@@ -566,7 +567,10 @@ public async Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string
             AaGuid = success.Result.Aaguid,
             Counter = (int)success.Result.Counter,
             UserId = user.Id,
-            SupportsPrf = supportsPrf
+            SupportsPrf = supportsPrf,
+            EncryptedUserKey = encryptedUserKey,
+            EncryptedPublicKey = encryptedPublicKey,
+            EncryptedPrivateKey = encryptedPrivateKey
         };
 
         await _webAuthnCredentialRepository.CreateAsync(credential);