feat(metadata)!: rework as a provider (#239)

This is a massive rework to how metadata is handled. This allows for very powerful interactions with the metadata including trust anchor validation, status report validation customization, control over if attestation types are validated against the metadata, exclusion of zero AAGUID's, ensuring a metadata entry for the authentication exists, etc.  In addition it allows the implementer to more easily control caching logic and implement locking and live refreshes of the metadata where necessary. It should reasonably be expected that anyone currently using the metadata package will have quite a bit of work to do. In the release we'll aim to include migration instructions but there is unfortunately it will require some additional work. 

Closes #77, Closes #154

BREAKING CHANGE: This change will require manual intervention from the implementer. Information is likely to be provided at a later date helping with the migrations required.

README.md

@@ -290,10 +290,56 @@ func main() {
 }
 ```
 
+## Credential Record
+
+The WebAuthn Level 3 specification describes the Credential Record which includes several required and optional elements
+that you should store for. See [§ 4 Terminology](https://www.w3.org/TR/webauthn-3/#credential-record) for details.
+
+This section describes this element. 
+
+The fields listed in the specification have corresponding fields in the [webauthn.Credential] struct. See the below
+table for more information. We also include JSON mappings for those that wish to just store these values as JSON.
+
+|    Specification Field    |       Library Field        |         JSON Field         |                                           Notes                                           |
+|:-------------------------:|:--------------------------:|:--------------------------:|:-----------------------------------------------------------------------------------------:|
+|           type            |            N/A             |            N/A             |                       This field is always `publicKey` for WebAuthn                       |
+|            id             |             ID             |             id             |                                                                                           |
+|         publicKey         |         PublicKey          |         publicKey          |                                                                                           |
+|         signCount         |  Authenticator.SignCount   |  authenticator.signCount   |                                                                                           |
+|        transports         |         Transport          |         transport          |                                                                                           |
+|       uvInitialized       |     Flags.UserVerified     |     flags.userVerified     |                                                                                           |
+|      backupEligible       |    Flags.BackupEligible    |    flags.backupEligible    |                                                                                           |
+|        backupState        |     Flags.BackupState      |     flags.backupState      |                                                                                           |
+|     attestationObject     |     Attestation.Object     |     attestation.object     | This field is a composite of the attestationObject and the relevant values to validate it |
+| attestationClientDataJSON | Attestation.ClientDataJSON | attestation.clientDataJSON |                                                                                           |
+
+### Storage
+
+It is also important to note that restoring the [webauthn.Credential] with the correct values will likely affect the
+validity of the [webauthn.Credential], i.e. if some values are not restored the [webauthn.Credential] may fail
+validation in this scenario.
+
+### Verification
+
+As long as the [webauthn.Credential] struct has exactly the same values when restored the [Credential Verify] function 
+can be leveraged to verify the credential against the [metadata.Provider]. This can be either done during registration,
+on every login, or with a audit schedule.
+
+In addition to using the [Credential Verify] function the 
+[webauthn.Config](https://pkg.go.dev/github.com/go-webauthn/webauthn/webauthn#Config) can contain a provider which will
+process all registrations automatically.
+
+At this time no tooling exists to verify the credential automatically outside the registration flow. Implementation of
+this is considered domain logic and beyond the scope of what we provide documentation for; we just provide the necessary
+tooling to implement this yourself.
+
 ## Acknowledgements
 
 We graciously acknowledge the original authors of this library [github.com/duo-labs/webauthn] for their amazing
 implementation. Without their amazing work this library could not exist.
 
 
 [github.com/duo-labs/webauthn]: https://github.com/duo-labs/webauthn
+[webauthn.Credential]: https://pkg.go.dev/github.com/go-webauthn/webauthn/webauthn#Credential
+[metadata.Provider]: https://pkg.go.dev/github.com/go-webauthn/webauthn/metadata#Provider
+[Credential Verify]: https://pkg.go.dev/github.com/go-webauthn/webauthn/webauthn#Credential.Verify

metadata/const.go

@@ -0,0 +1,35 @@
+package metadata
+
+const (
+	// https://secure.globalsign.com/cacert/root-r3.crt
+	ProductionMDSRoot = "MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsTgHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmmKPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zdQQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZXriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+oLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZURUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMpjjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQXmcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecsMx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpHWD9f"
+
+	// Production MDS URL
+	ProductionMDSURL = "https://mds.fidoalliance.org"
+
+	// https://mds3.fido.tools/pki/MDS3ROOT.crt
+	ConformanceMDSRoot = "MIICaDCCAe6gAwIBAgIPBCqih0DiJLW7+UHXx/o1MAoGCCqGSM49BAMDMGcxCzAJBgNVBAYTAlVTMRYwFAYDVQQKDA1GSURPIEFsbGlhbmNlMScwJQYDVQQLDB5GQUtFIE1ldGFkYXRhIDMgQkxPQiBST09UIEZBS0UxFzAVBgNVBAMMDkZBS0UgUm9vdCBGQUtFMB4XDTE3MDIwMTAwMDAwMFoXDTQ1MDEzMTIzNTk1OVowZzELMAkGA1UEBhMCVVMxFjAUBgNVBAoMDUZJRE8gQWxsaWFuY2UxJzAlBgNVBAsMHkZBS0UgTWV0YWRhdGEgMyBCTE9CIFJPT1QgRkFLRTEXMBUGA1UEAwwORkFLRSBSb290IEZBS0UwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASKYiz3YltC6+lmxhPKwA1WFZlIqnX8yL5RybSLTKFAPEQeTD9O6mOz+tg8wcSdnVxHzwnXiQKJwhrav70rKc2ierQi/4QUrdsPes8TEirZOkCVJurpDFbXZOgs++pa4XmjYDBeMAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQGcfeCs0Y8D+lh6U5B2xSrR74eHTAfBgNVHSMEGDAWgBQGcfeCs0Y8D+lh6U5B2xSrR74eHTAKBggqhkjOPQQDAwNoADBlAjEA/xFsgri0xubSa3y3v5ormpPqCwfqn9s0MLBAtzCIgxQ/zkzPKctkiwoPtDzI51KnAjAmeMygX2S5Ht8+e+EQnezLJBJXtnkRWY+Zt491wgt/AwSs5PHHMv5QgjELOuMxQBc="
+
+	// Example from https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html
+	ExampleMDSRoot = "MIIGGTCCBAGgAwIBAgIUdT9qLX0sVMRe8l0sLmHd3mZovQ0wDQYJKoZIhvcNAQELBQAwgZsxHzAdBgNVBAMMFkVYQU1QTEUgTURTMyBURVNUIFJPT1QxIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVAZXhhbXBsZS5jb20xFDASBgNVBAoMC0V4YW1wbGUgT1JHMRAwDgYDVQQLDAdFeGFtcGxlMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTVkxEjAQBgNVBAcMCVdha2VmaWVsZDAeFw0yMTA0MTkxMTM1MDdaFw00ODA5MDQxMTM1MDdaMIGbMR8wHQYDVQQDDBZFWEFNUExFIE1EUzMgVEVTVCBST09UMSIwIAYJKoZIhvcNAQkBFhNleGFtcGxlQGV4YW1wbGUuY29tMRQwEgYDVQQKDAtFeGFtcGxlIE9SRzEQMA4GA1UECwwHRXhhbXBsZTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1ZMRIwEAYDVQQHDAlXYWtlZmllbGQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDDjF5wyEWuhwDHsZosGdGFTCcI677rW881vV+UfW38J+K2ioFFNeGVsxbcebK6AVOiCDPFj0974IpeD9SFOhwAHoDu/LCfXdQWp8ZgQ91ULYWoW8o7NNSp01nbN9zmaO6/xKNCa0bzjmXoGqglqnP1AtRcWYvXOSKZy1rcPeDv4Dhcpdp6W72fBw0eWIqOhsrItuY2/N8ItBPiG03EX72nACq4nZJ/nAIcUbER8STSFPPzvE97TvShsi1FD8aO6l1WkR/QkreAGjMI++GbB2Qc1nN9Y/VEDbMDhQtxXQRdpFwubTjejkN9hKOtF3B71YrwIrng3V9RoPMFdapWMzSlI+WWHog0oTj1PqwJDDg7+z1I6vSDeVWAMKr9mq1w1OGNzgBopIjd9lRWkRtt2kQSPX9XxqS4E1gDDr8MKbpM3JuubQtNCg9D7Ljvbz6vwvUrbPHH+oREvucsp0PZ5PpizloepGIcLFxDQqCulGY2n7Ahl0JOFXJqOFCaK3TWHwBvZsaY5DgBuUvdUrwtgZNg2eg2omWXEepiVFQn3Fvj43Wh2npPMgIe5P0rwncXvROxaczd4rtajKS1ucoB9b9iKqM2+M1y/FDIgVf1fWEHwK7YdzxMlgOeLdeV/kqRU5PEUlLU9a2EwdOErrPbPKZmIfbs/L4B3k4zejMDH3Y+ZwIDAQABo1MwUTAdBgNVHQ4EFgQU8sWwq1TrurK7xMTwO1dKfeJBbCMwHwYDVR0jBBgwFoAU8sWwq1TrurK7xMTwO1dKfeJBbCMwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAFw6M1PiIfCPIBQ5EBUPNmRvRFuDpolOmDofnf/+mv63LqwQZAdo/W8tzZ9kOFhq24SiLw0H7fsdG/jeREXiIZMNoW/rA6Uac8sU+FYF7Q+qp6CQLlSQbDcpVMifTQjcBk2xh+aLK9SrrXBqnTAhwS+offGtAW8DpoLuH4tAcQmIjlgMlN65jnELCuqNR/wpA+zch8LZW8saQ2cwRCwdr8mAzZoLbsDSVCHxQF3/kQjPT7Nao1q2iWcY3OYcRmKrieHDP67yeLUbVmetfZis2d6ZlkqHLB4ZW1xX4otsEFkuTJA3HWDRsNyhTwx1YoCLsYut5Zp0myqPNBq28w6qGMyyoJN0Z4RzMEO3R6i/MQNfhK55/8O2HciM6xb5t/aBSuHPKlBDrFWhpRnKYkaNtlUo35qV5IbKGKau3SdZdSRciaXUd/p81YmoF01UlhhMz/Rqr1k2gyA0a9tF8+awCeanYt5izl8YO0FlrOU1SQ5UQw4szqqZqbrf4e8fRuU2TXNx4zk+ImE7WRB44f6mSD746ZCBRogZ/SA5jUBu+OPe4/sEtERWRcQD+fXgce9ZEN0+peyJIKAsl5Rm2Bmgyg5IoyWwSG5W+WekGyEokpslou2Yc6EjUj5ndZWz5EiHAiQ74hNfDoCZIxVVLU3Qbp8a0S1bmsoT2JOsspIbtZUg="
+)
+
+const (
+	HeaderX509URI         = "x5u"
+	HeaderX509Certificate = "x5c"
+)
+
+var (
+	errIntermediateCertRevoked = &MetadataError{
+		Type:    "intermediate_revoked",
+		Details: "Intermediate certificate is on issuers revocation list",
+	}
+	errLeafCertRevoked = &MetadataError{
+		Type:    "leaf_revoked",
+		Details: "Leaf certificate is on issuers revocation list",
+	}
+	errCRLUnavailable = &MetadataError{
+		Type:    "crl_unavailable",
+		Details: "Certificate revocation list is unavailable",
+	}
+)

metadata/decode.go

@@ -0,0 +1,276 @@
+package metadata
+
+import (
+	"crypto/x509"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/go-webauthn/x/revoke"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/mitchellh/mapstructure"
+)
+
+// NewDecoder returns a new metadata decoder.
+func NewDecoder(opts ...DecoderOption) (decoder *Decoder, err error) {
+	decoder = &Decoder{
+		client: &http.Client{},
+		parser: jwt.NewParser(),
+		hook:   mapstructure.ComposeDecodeHookFunc(),
+	}
+
+	for _, opt := range opts {
+		if err = opt(decoder); err != nil {
+			return nil, fmt.Errorf("failed to apply decoder option: %w", err)
+		}
+	}
+
+	if decoder.root == "" {
+		decoder.root = ProductionMDSRoot
+	}
+
+	return decoder, nil
+}
+
+// Decoder handles decoding and specialized parsing of the metadata blob.
+type Decoder struct {
+	client                   *http.Client
+	parser                   *jwt.Parser
+	hook                     mapstructure.DecodeHookFunc
+	root                     string
+	ignoreEntryParsingErrors bool
+}
+
+// Parse handles parsing of the raw JSON values of the metadata blob. Should be used after using Decode or DecodeBytes.
+func (d *Decoder) Parse(payload *PayloadJSON) (metadata *Metadata, err error) {
+	metadata = &Metadata{
+		Parsed: Parsed{
+			LegalHeader: payload.LegalHeader,
+			Number:      payload.Number,
+		},
+	}
+
+	if metadata.Parsed.NextUpdate, err = time.Parse(time.DateOnly, payload.NextUpdate); err != nil {
+		return nil, fmt.Errorf("error occurred parsing next update value '%s': %w", payload.NextUpdate, err)
+	}
+
+	var parsed Entry
+
+	for _, entry := range payload.Entries {
+		if parsed, err = entry.Parse(); err != nil {
+			metadata.Unparsed = append(metadata.Unparsed, EntryError{
+				Error:     err,
+				EntryJSON: entry,
+			})
+
+			continue
+		}
+
+		metadata.Parsed.Entries = append(metadata.Parsed.Entries, parsed)
+	}
+
+	if n := len(metadata.Unparsed); n != 0 && !d.ignoreEntryParsingErrors {
+		return metadata, fmt.Errorf("error occurred parsing metadata: %d entries had errors during parsing", n)
+	}
+
+	return metadata, nil
+}
+
+// Decode the blob from an io.ReadCloser. This function will close the io.ReadCloser after completing.
+func (d *Decoder) Decode(r io.ReadCloser) (payload *PayloadJSON, err error) {
+	defer r.Close()
+
+	bytes, err := io.ReadAll(r)
+	if err != nil {
+		return nil, err
+	}
+
+	return d.DecodeBytes(bytes)
+}
+
+// DecodeBytes handles decoding raw bytes. If you have a read closer it's suggested to use Decode.
+func (d *Decoder) DecodeBytes(bytes []byte) (payload *PayloadJSON, err error) {
+	var token *jwt.Token
+
+	if token, err = d.parser.Parse(string(bytes), func(token *jwt.Token) (any, error) {
+		// 2. If the x5u attribute is present in the JWT Header, then
+		if _, ok := token.Header[HeaderX509URI].([]any); ok {
+			// never seen an x5u here, although it is in the spec
+			return nil, errors.New("x5u encountered in header of metadata TOC payload")
+		}
+
+		// 3. If the x5u attribute is missing, the chain should be retrieved from the x5c attribute.
+		var (
+			x5c, chain []any
+			ok, valid  bool
+		)
+
+		if x5c, ok = token.Header[HeaderX509Certificate].([]any); !ok {
+			// If that attribute is missing as well, Metadata TOC signing trust anchor is considered the TOC signing certificate chain.
+			chain[0] = d.root
+		} else {
+			chain = x5c
+		}
+
+		// The certificate chain MUST be verified to properly chain to the metadata TOC signing trust anchor.
+		if valid, err = validateChain(d.root, chain); !valid || err != nil {
+			return nil, err
+		}
+
+		// Chain validated, extract the TOC signing certificate from the chain. Create a buffer large enough to hold the
+		// certificate bytes.
+		o := make([]byte, base64.StdEncoding.DecodedLen(len(chain[0].(string))))
+
+		var (
+			n    int
+			cert *x509.Certificate
+		)
+
+		// Decode the base64 certificate into the buffer.
+		if n, err = base64.StdEncoding.Decode(o, []byte(chain[0].(string))); err != nil {
+			return nil, err
+		}
+
+		// Parse the certificate from the buffer.
+		if cert, err = x509.ParseCertificate(o[:n]); err != nil {
+			return nil, err
+		}
+
+		// 4. Verify the signature of the Metadata TOC object using the TOC signing certificate chain
+		// jwt.Parse() uses the TOC signing certificate public key internally to verify the signature.
+		return cert.PublicKey, err
+	}); err != nil {
+		return nil, err
+	}
+
+	var decoder *mapstructure.Decoder
+
+	payload = &PayloadJSON{}
+
+	if decoder, err = mapstructure.NewDecoder(&mapstructure.DecoderConfig{
+		Metadata:   nil,
+		Result:     payload,
+		DecodeHook: d.hook,
+		TagName:    "json",
+	}); err != nil {
+		return nil, err
+	}
+
+	if err = decoder.Decode(token.Claims); err != nil {
+		return payload, err
+	}
+
+	return payload, nil
+}
+
+// DecoderOption is a representation of a function that can set options within a decoder.
+type DecoderOption func(decoder *Decoder) (err error)
+
+// WithIgnoreEntryParsingErrors is a DecoderOption which ignores errors when parsing individual entries. The values for
+// these entries will exist as an unparsed entry.
+func WithIgnoreEntryParsingErrors() DecoderOption {
+	return func(decoder *Decoder) (err error) {
+		decoder.ignoreEntryParsingErrors = true
+
+		return nil
+	}
+}
+
+// WithRootCertificate overrides the root certificate used to validate the authenticity of the metadata payload.
+func WithRootCertificate(value string) DecoderOption {
+	return func(decoder *Decoder) (err error) {
+		decoder.root = value
+
+		return nil
+	}
+}
+
+func validateChain(root string, chain []any) (bool, error) {
+	oRoot := make([]byte, base64.StdEncoding.DecodedLen(len(root)))
+
+	nRoot, err := base64.StdEncoding.Decode(oRoot, []byte(root))
+	if err != nil {
+		return false, err
+	}
+
+	rootcert, err := x509.ParseCertificate(oRoot[:nRoot])
+	if err != nil {
+		return false, err
+	}
+
+	roots := x509.NewCertPool()
+
+	roots.AddCert(rootcert)
+
+	o := make([]byte, base64.StdEncoding.DecodedLen(len(chain[1].(string))))
+
+	n, err := base64.StdEncoding.Decode(o, []byte(chain[1].(string)))
+	if err != nil {
+		return false, err
+	}
+
+	intcert, err := x509.ParseCertificate(o[:n])
+	if err != nil {
+		return false, err
+	}
+
+	if revoked, ok := revoke.VerifyCertificate(intcert); !ok {
+		issuer := intcert.IssuingCertificateURL
+
+		if issuer != nil {
+			return false, errCRLUnavailable
+		}
+	} else if revoked {
+		return false, errIntermediateCertRevoked
+	}
+
+	ints := x509.NewCertPool()
+	ints.AddCert(intcert)
+
+	l := make([]byte, base64.StdEncoding.DecodedLen(len(chain[0].(string))))
+
+	n, err = base64.StdEncoding.Decode(l, []byte(chain[0].(string)))
+	if err != nil {
+		return false, err
+	}
+
+	leafcert, err := x509.ParseCertificate(l[:n])
+	if err != nil {
+		return false, err
+	}
+
+	if revoked, ok := revoke.VerifyCertificate(leafcert); !ok {
+		return false, errCRLUnavailable
+	} else if revoked {
+		return false, errLeafCertRevoked
+	}
+
+	opts := x509.VerifyOptions{
+		Roots:         roots,
+		Intermediates: ints,
+	}
+
+	_, err = leafcert.Verify(opts)
+
+	return err == nil, err
+}
+
+func mdsParseX509Certificate(value string) (certificate *x509.Certificate, err error) {
+	var n int
+
+	raw := make([]byte, base64.StdEncoding.DecodedLen(len(value)))
+
+	if n, err = base64.StdEncoding.Decode(raw, []byte(strings.TrimSpace(value))); err != nil {
+		return nil, fmt.Errorf("error occurred parsing *x509.certificate: error occurred decoding base64 data: %w", err)
+	}
+
+	if certificate, err = x509.ParseCertificate(raw[:n]); err != nil {
+		return nil, err
+	}
+
+	return certificate, nil
+}

metadata/doc.go

@@ -0,0 +1,2 @@
+// Package metadata handles metadata validation instrumentation.
+package metadata