Fix #1458: FIDO2: Concat operation data to credentialId (#1460)

wultra · Apr 15, 2024 · 7cfbae3 · 7cfbae3
1 parent 0cd73fd
commit 7cfbae3
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 25 deletions.
diff --git a/...ain/java/com/wultra/powerauth/fido2/rest/model/converter/AssertionChallengeConverter.java b/...ain/java/com/wultra/powerauth/fido2/rest/model/converter/AssertionChallengeConverter.java
@@ -26,6 +26,7 @@
 import com.wultra.security.powerauth.fido2.model.entity.AuthenticatorDetail;
 import com.wultra.security.powerauth.fido2.model.request.AssertionChallengeRequest;
 import com.wultra.security.powerauth.fido2.model.response.AssertionChallengeResponse;
+import io.getlime.security.powerauth.crypto.lib.util.ByteUtils;
 import lombok.extern.slf4j.Slf4j;
 
 import java.nio.charset.StandardCharsets;
@@ -108,16 +109,16 @@ public static AssertionChallenge convertAssertionChallengeFromOperationDetail(Op
 
         if (authenticatorDetails != null && !authenticatorDetails.isEmpty()) {
             final List<AllowCredentials> allowCredentials = new ArrayList<>();
-            boolean hasWultraModel = false;
             for (AuthenticatorDetail ad: authenticatorDetails) {
 
                 @SuppressWarnings("unchecked")
                 final List<String> transports = (List<String>) ad.getExtras().get("transports");
                 final String aaguid = (String) ad.getExtras().get("aaguid");
 
-                final byte[] credentialId = Base64.getDecoder().decode(ad.getCredentialId());
+                byte[] credentialId = Base64.getDecoder().decode(ad.getCredentialId());
                 if (aaguid != null && Fido2DefaultAuthenticators.isWultraModel(aaguid)) {
-                    hasWultraModel = true;
+                    final byte[] operationDataBytes = source.getData().getBytes(StandardCharsets.UTF_8);
+                    credentialId = ByteUtils.concat(credentialId, operationDataBytes);
                 }
 
                 final AllowCredentials ac = AllowCredentials.builder()
@@ -126,13 +127,6 @@ public static AssertionChallenge convertAssertionChallengeFromOperationDetail(Op
                         .build();
                 allowCredentials.add(ac);
             }
-            if (hasWultraModel) {
-                final byte[] credentialId = source.getData().getBytes(StandardCharsets.UTF_8);
-                final AllowCredentials ac = AllowCredentials.builder()
-                        .credentialId(credentialId)
-                        .build();
-                allowCredentials.add(ac);
-            }
             destination.setAllowCredentials(allowCredentials);
         }
         return destination;

diff --git a/...java/com/wultra/powerauth/fido2/rest/model/converter/AssertionChallengeConverterTest.java b/...java/com/wultra/powerauth/fido2/rest/model/converter/AssertionChallengeConverterTest.java
@@ -153,16 +153,11 @@ void testConvertAssertionChallengeFromOperationDetail_withWultraAuthenticatorDet
         assertEquals(5L, assertionChallenge.getMaxFailedAttempts());
 
         assertNotNull(assertionChallenge.getAllowCredentials());
-        assertEquals(2, assertionChallenge.getAllowCredentials().size());
+        assertEquals(1, assertionChallenge.getAllowCredentials().size());
         final AllowCredentials allowCredential = assertionChallenge.getAllowCredentials().get(0);
-        assertArrayEquals("credential-1".getBytes(), allowCredential.getCredentialId());
+        assertArrayEquals("credential-1A1*A100CZK".getBytes(), allowCredential.getCredentialId());
         assertEquals("usb", allowCredential.getTransports().get(0));
         assertEquals("public-key", allowCredential.getType());
-
-        final AllowCredentials operationDataCredential = assertionChallenge.getAllowCredentials().get(1);
-        assertArrayEquals("A1*A100CZK".getBytes(), operationDataCredential.getCredentialId());
-        assertTrue(operationDataCredential.getTransports().isEmpty());
-        assertEquals("public-key", operationDataCredential.getType());
     }
 
     @Test
@@ -198,21 +193,16 @@ void testConvertAssertionChallengeFromOperationDetail_multipleWultraAuthenticato
         assertEquals(5L, assertionChallenge.getMaxFailedAttempts());
 
         assertNotNull(assertionChallenge.getAllowCredentials());
-        assertEquals(3, assertionChallenge.getAllowCredentials().size());
+        assertEquals(2, assertionChallenge.getAllowCredentials().size());
         final AllowCredentials allowCredential1 = assertionChallenge.getAllowCredentials().get(0);
-        assertArrayEquals("credential-1".getBytes(), allowCredential1.getCredentialId());
+        assertArrayEquals("credential-1A1*A100CZK".getBytes(), allowCredential1.getCredentialId());
         assertEquals("usb", allowCredential1.getTransports().get(0));
         assertEquals("public-key", allowCredential1.getType());
 
         final AllowCredentials allowCredential2 = assertionChallenge.getAllowCredentials().get(1);
-        assertArrayEquals("credential-2".getBytes(), allowCredential2.getCredentialId());
+        assertArrayEquals("credential-2A1*A100CZK".getBytes(), allowCredential2.getCredentialId());
         assertEquals("usb", allowCredential2.getTransports().get(0));
         assertEquals("public-key", allowCredential2.getType());
-
-        final AllowCredentials operationDataCredential = assertionChallenge.getAllowCredentials().get(2);
-        assertArrayEquals("A1*A100CZK".getBytes(), operationDataCredential.getCredentialId());
-        assertTrue(operationDataCredential.getTransports().isEmpty());
-        assertEquals("public-key", operationDataCredential.getType());
     }
 
 }