fido2-net-lib https://github.com/abergs/fido2-net-lib を分析している (2018/08/29) 。

1. Response from makeCredentialOptions WebAPI.json

{
	"status": "ok",
	"errorMessage": "",
	"rp": {
		"id": "localhost",
		"name": "Fido2 test"
	},
	"user": {
		"name": "aaa@example.com",
		"id": "YWFhQGV4YW1wbGUuY29t",
		"displayName": "Display aaa@example.com"
	},
	"challenge": "8P0YAYk-sxYVM0Xmt7Irow",
	"pubKeyCredParams": [
		{
			"type": "public-key",
			"alg": -7
		},
		{
			"type": "public-key",
			"alg": -257
		}
	],
	"timeout": 60000,
	"attestation": "none",
	"authenticatorSelection": null,
	"excludeCredentials": []
}

2. Parameter of navigator.credentials.create()

{
	"status": "ok",
	"errorMessage": "",
	"rp": {
		"id": "localhost",
		"name": "Fido2 test"
	},
	"user": {
		"name": "aaa@example.com",
		"id": "ArrayBuffer(15)",
		"displayName": "Display aaa@example.com"
	},
	"challenge": "ArrayBuffer(16)",
	"pubKeyCredParams(Array(2))": {
		"0": {
			"type": "public-key",
			"alg": "-7"
		},
		"1": {
			"type": "public-key",
			"alg": "-257"
		}
	},
	"timeout": "60000",
	"attestation": "none",
	"authenticatorSelection": "null",
	"excludeCredentials": "[]",
	"__proto__": "Object"
}

3. Return of navigator.credentials.create()

{
	"id": "4F-FJ5PWB2MsnBYC9qBOo9DjSIyHPGeoyNJlR1Cc3LOyOygSu0HGKdvB5ln-7hIP8Cyo6s5krsKkiDxNaRu3BA",
	"rawId": "ArrayBuffer(64)",
	"response(AuthenticatorAttestationResponse)": {
		"attestationObject": "ArrayBuffer(226)",
		"clientDataJSON": "ArrayBuffer(98)"
	},
	"type": "public-key",
	"__proto__": "PublicKeyCredential"
}

4. Request to makeCredential WebAPI.json

{
	"id": "4F-FJ5PWB2MsnBYC9qBOo9DjSIyHPGeoyNJlR1Cc3LOyOygSu0HGKdvB5ln-7hIP8Cyo6s5krsKkiDxNaRu3BA",
	"rawId": "4F-FJ5PWB2MsnBYC9qBOo9DjSIyHPGeoyNJlR1Cc3LOyOygSu0HGKdvB5ln-7hIP8Cyo6s5krsKkiDxNaRu3BA",
	"type": "public-key",
	"response": {
		"AttestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjESZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NBAAAAAAAAAAAAAAAAAAAAAAAAAAAAQOBfhSeT1gdjLJwWAvagTqPQ40iMhzxnqMjSZUdQnNyzsjsoErtBxinbweZZ_u4SD_AsqOrOZK7CpIg8TWkbtwSlAQIDJiABIVggjXJiXxbIKez0-7iKeN9BLn9WSRUjGuBZT2KAzxuzvdYiWCAgv0KMHPO69DiXQntyKfueL2Fb9DpaEQrene0hZoaTsQ",
		"clientDataJson": "eyJjaGFsbGVuZ2UiOiI4UDBZQVlrLXN4WVZNMFhtdDdJcm93Iiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMjkiLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0"
	}
}

5. Response from makeCredential WebAPI.json

{
	"status": "ok",
	"errorMessage": "",
	"result": {
		"publicKey": "pQECAyYgASFYII1yYl8WyCns9Pu4injfQS5_VkkVIxrgWU9igM8bs73WIlggIL9CjBzzuvQ4l0J7cin7ni9hW_Q6WhEK3p3tIWaGk7E",
		"credentialId": "4F-FJ5PWB2MsnBYC9qBOo9DjSIyHPGeoyNJlR1Cc3LOyOygSu0HGKdvB5ln-7hIP8Cyo6s5krsKkiDxNaRu3BA",
		"user": {
			"name": "aaa@example.com",
			"id": "YWFhQGV4YW1wbGUuY29t",
			"displayName": "Display aaa@example.com"
		}
	}
}

6. Request to assertionOptions WebAPI.json

aaa@example.com

7. Response from assertionOptions WebAPI.json

{
	"status": "ok",
	"errorMessage": "",
	"challenge": "TDmWbzrQ9gIHkbs6dw78mA",
	"timeout": 60000,
	"rpId": "localhost",
	"allowCredentials": [
		{
			"type": "public-key",
			"id": "4F-FJ5PWB2MsnBYC9qBOo9DjSIyHPGeoyNJlR1Cc3LOyOygSu0HGKdvB5ln-7hIP8Cyo6s5krsKkiDxNaRu3BA",
			"transports": []
		}
	],
	"userVerification": "discouraged"
}

8. Parameter of navigator.credentials.get()

{
	"status": "ok",
	"errorMessage": "",
	"challenge": {
		"0": 76,
		"1": 57,
		"2": 150,
		"3": 111,
		"4": 58,
		"5": 208,
		"6": 246,
		"7": 2,
		"8": 7,
		"9": 145,
		"10": 187,
		"11": 58,
		"12": 119,
		"13": 14,
		"14": 252,
		"15": 152
	},
	"timeout": 60000,
	"rpId": "localhost",
	"allowCredentials": [
		{
			"type": "public-key",
			"id": {
				"0": 224,
				"1": 95,
				"2": 133,
				"3": 39,
				"4": 147,
				"5": 214,
				"6": 7,
				"7": 99,
				"8": 44,
				"9": 156,
				"10": 22,
				"11": 2,
				"12": 246,
				"13": 160,
				"14": 78,
				"15": 163,
				"16": 208,
				"17": 227,
				"18": 72,
				"19": 140,
				"20": 135,
				"21": 60,
				"22": 103,
				"23": 168,
				"24": 200,
				"25": 210,
				"26": 101,
				"27": 71,
				"28": 80,
				"29": 156,
				"30": 220,
				"31": 179,
				"32": 178,
				"33": 59,
				"34": 40,
				"35": 18,
				"36": 187,
				"37": 65,
				"38": 198,
				"39": 41,
				"40": 219,
				"41": 193,
				"42": 230,
				"43": 89,
				"44": 254,
				"45": 238,
				"46": 18,
				"47": 15,
				"48": 240,
				"49": 44,
				"50": 168,
				"51": 234,
				"52": 206,
				"53": 100,
				"54": 174,
				"55": 194,
				"56": 164,
				"57": 136,
				"58": 60,
				"59": 77,
				"60": 105,
				"61": 27,
				"62": 183,
				"63": 4
			},
			"transports": []
		}
	],
	"userVerification": "discouraged"
}

9. Return of navigator.credentials.get()

{
	"id": "4F-FJ5PWB2MsnBYC9qBOo9DjSIyHPGeoyNJlR1Cc3LOyOygSu0HGKdvB5ln-7hIP8Cyo6s5krsKkiDxNaRu3BA",
	"rawId": "ArrayBuffer(64) {}",
	"response(AuthenticatorAssertionResponse)": {
		"authenticatorData": "ArrayBuffer(37) {}",
		"clientDataJSON": "ArrayBuffer(95) {}",
		"signature": "ArrayBuffer(71) {}",
		"userHandle": "ArrayBuffer(0) {}",
		"__proto__": "AuthenticatorAssertionResponse"
	},
	"type": "public-key",
	"__proto__": "PublicKeyCredential"
}

A. Request to makeAssertion WebAPI.json

{
	"id": "4F-FJ5PWB2MsnBYC9qBOo9DjSIyHPGeoyNJlR1Cc3LOyOygSu0HGKdvB5ln-7hIP8Cyo6s5krsKkiDxNaRu3BA",
	"rawId": "4F-FJ5PWB2MsnBYC9qBOo9DjSIyHPGeoyNJlR1Cc3LOyOygSu0HGKdvB5ln-7hIP8Cyo6s5krsKkiDxNaRu3BA",
	"type": "public-key",
	"response": {
		"authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MBAAAAEw",
		"clientDataJson": "eyJjaGFsbGVuZ2UiOiJURG1XYnpyUTlnSUhrYnM2ZHc3OG1BIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMjkiLCJ0eXBlIjoid2ViYXV0aG4uZ2V0In0",
		"signature": "MEUCIQDHjPF36rA_5LIXfUs8ZBI-HbQ68YRWa2z3tNVAWWqOPwIgMr_aeefHsqJJrCWkZwYO1h5ciU83dKGlQW8qOcbsJcU"
	}
}

B. Response to makeAssertion WebAPI.json

{
	"CredentialId": "qD7spwzSO7q1W3F7r84aUud9yHq37aufS72jHaeckZfIbHHl9LNNzZwRohJjs9v7MjaiW/FiI/IImg1kZ9lGIQ==",
	"Counter": 21
}

登録（Attestation）

makeCredentialOptions WebAPI

• 引数：POST（username, attType）
• 戻り値：navigator.credentials.create()メソッドへの引数を生成して返す。
• JavaScript
  • 戻り値の一部のメンバがJavaScriptで、base64urlからArrayBufferに変換される（base64url -> base64 -> Uint8Array）。
    • challenge
    • user.id
    • excludeCredentials ??
  • navigator.credentials.create()メソッドの引数に渡されて戻り値を受け取る。
  • 戻り値の一部のメンバは、ArrayBufferからbase64urlに変換される（Uint8Array -> base64 -> base64url）。
    • id: 変換無し
    • rawId: base64enc (よくよく見ると、id = rawId)
    • type: 変換無し
    • response
      • attestationObject: base64enc
      • clientDataJSON: base64enc

makeCredential WebAPI

• 引数：POST（JSON）
• 処理内容：navigator.credentials.create()メソッドの戻り値を加工して以下のプロパティを生成・登録する。
  • UserId
  • CredentialId
  • PublicKey
• 戻り値：JSONを生成してはいるが、
• JavaScript
  戻り値は、そのまま捨てられている。

認証（Assertion）

assertionOptions WebAPI

• 引数：POST（username）
• 戻り値：navigator.credentials.get()メソッドへの引数を生成して返す。
• JavaScript
  • 戻り値の一部のメンバがJavaScriptで以下のように変換される。
    Uint8Array.from(atob(string.replace(/-/g, "+").replace(/_/g, "/")), c => c.charCodeAt(0))
    • challenge
    • allowCredentials.id
  • navigator.credentials.get()メソッドの引数に渡されて戻り値を受け取る。
  • 戻り値の一部のメンバは、JavaScriptで変換される。
    • id: 変換無し
    • rawId: base64enc
    • type: 変換無し
    • response
      • authenticatorData: base64enc
      • clientDataJson: base64enc
      • signature: base64enc

makeAssertion WebAPI

• 引数：POST（JSON）
• 処理内容：navigator.credentials.get()メソッドの戻り値の署名を公開鍵で検証して認証する。
• 戻り値：JSONを生成してはいるが、
• JavaScript
  戻り値は、そのまま捨てられている。

参考

コミュニティとのやり取り

abergs/fido2-net-lib#26

W3Cの仕様の分析

• マイクロソフト系技術情報 Wiki
  https://techinfoofmicrosofttech.osscons.jp/
  • FIDO2
    https://techinfoofmicrosofttech.osscons.jp/index.php?FIDO2
  • Web Authentication API
    https://techinfoofmicrosofttech.osscons.jp/index.php?Web%20Authentication%20API

2019/03/03

Preview版の再分析
https://gist.github.com/daisukenishino2/f09fb400fa2186aead4b6f8cad59ab38