"[[Microsoft-related Technical Information Wiki>http://techinfoofmicrosofttech.osscons.jp/]]" is operated by "[[Open棟梁Project>https://github.com/OpenTouryoProject/]]" and "[[OSS Consortium .NET Development Infrastructure Subcommittee>https://www.osscons.jp/dotNetDevelopmentInfrastructure/]]".

-[[Back>Web Authentication API]]

* Table of contents [#e714d9cd]
#contents

*Overview [#ve68877a]
-Notes to deepen understanding before implementing WebAuthn.
-For the specification level, refer to the parent page.

*Details [#h2a3b42d]
The findings of the various investigations are summarised below.

**Registration flow [#xedb9d2b]

***(1) Receiving the challenge [#l5e6e253]
-fido2-net-lib
--request
--[[response>https://gist.github.com/daisukenishino2/d50bfcfa415902abfdee0e27ed48a715#file-1-response-from-makecredentialoptions-webapi-json]]
-[[techblogyahoo>https://www.slideshare.net/techblogyahoo/fido-124019677/33]]
--[[request>https://www.slideshare.net/techblogyahoo/fido-124019677/35]]
--[[response>https://www.slideshare.net/techblogyahoo/fido-124019677/36]]

***(2) Parameters of navigator.credentials.create() [#u04b283d]
-[[spec>Web Authentication API#k26de1bf]]
-[[fido2-net-lib>https://gist.github.com/daisukenishino2/d50bfcfa415902abfdee0e27ed48a715#file-2-parameter-of-navigator-credentials-create]]
-[[techblogyahoo>https://www.slideshare.net/techblogyahoo/fido-124019677/38]]

|#|>|Parameter|Required / Optional|Description|Format|h
|1|>|rp|Required|Information about the Relying Party|JSON Object (with the members below)|
|1-1|・|id|~|FQDN|String|
|1-2|・|name|~|Any name for the RP site|String|
|2|>|user|Required|Information about the user the credential is bound to|JSON Object (with the members below)|
|2-1|・|id|~|User ID on the RP|ArrayBuffer|
|2-2|・|name|~|User ID on the RP|String|
|2-3|・|displayName|~|User display name on the RP|String|
|3|>|challenge|Required|Random number generated by the server|ArrayBuffer|
|4|>|pubKeyCredParams|Required|Credential information|Array of JSON Objects|
|4-1|・|type|~|Type (fixed to public-key)|String|
|4-2|・|alg|~|Number identifying the algorithm|Int|
|5|>|timeout|Optional|Time to wait for user input|Int|
|6|>|attestation|Optional|Whether to verify the provenance of the authenticator|JSON Object (AttestationConveyancePreference)|
|7|>|authenticatorSelection|Optional|Requirements for the authenticator|JSON Object (AuthenticatorSelectionCriteria)|
|8|>|excludeCredentials|Optional||JSON Object (PublicKeyCredentialDescriptor)|

***(3) Return value of navigator.credentials.create() [#head8b53]
-[[spec>Web Authentication API#z3e54d7d]]
-[[fido2-net-lib>https://gist.github.com/daisukenishino2/d50bfcfa415902abfdee0e27ed48a715#file-3-return-of-navigator-credentials-create]]
-[[techblogyahoo>https://www.slideshare.net/techblogyahoo/fido-124019677/42]]

|# |>|>|>|>|Parameter|Description|Format|h
|1 |>|>|>|>|id|Assigned id|String representation of rawId|
|2 |>|>|>|>|rawId|ArrayBuffer version of id|ArrayBuffer|
|3 |・|>|>|>|response|AuthenticatorAttestationResponse|JSON Object (AuthenticatorAttestationResponse)|
|3-1 ||・|>|>|attestationObject|Contains the public key, among other things|[[CBOR]] format|
|3-1-1 |||・|>|fmt|Attestation format|"fmt": "packed"|
|3-1-2 |||・|>|authData|Raw buffer struct containing user info|"authData": "..."|
|3-1-3 |||・|>|attStmt|Attestation statement data|"attStmt": {|
|3-1-3-1||||・|sig|Signature|"sig": "..."|
|3-1-3-2||||・|x5c|X.509 Certificate Chain|"x5c": ["..."]|
|3-2 ||・|>|>|clientDataJSON|Client data|[[CBOR]] format|
|3-2-1 |||・|>|challenge|Random number|"challenge": "..."|
|3-2-2 |||・|>|origin|Origin of the website|"origin": "http(s)://..."|
|3-2-3 |||・|>|type|Type of the call|"type": "webauthn.create"|
|4 |>|>|>|>|type|Same as pubKeyCredParams - type|"type": "public-key"|

***(4) Verifying challenge, origin and type [#vb30e592]
-[[fido2-net-lib>https://gist.github.com/daisukenishino2/d50bfcfa415902abfdee0e27ed48a715#file-4-request-to-makecredential-webapi-json]]
-[[techblogyahoo>https://www.slideshare.net/techblogyahoo/fido-124019677/49]]
--[[challenge>https://www.slideshare.net/techblogyahoo/fido-124019677/51]]~
Roughly: param.challenge = return.clientDataJSON.challenge.
--[[origin>https://www.slideshare.net/techblogyahoo/fido-124019677/52]]~
Roughly: xxxx = return.clientDataJSON.origin.
--[[type>https://www.slideshare.net/techblogyahoo/fido-124019677/53]]~
Roughly: "webauthn.create" = return.clientDataJSON.type.

***(5) Verifying flags [#pe1d0784]
-[[fido2-net-lib>https://gist.github.com/daisukenishino2/d50bfcfa415902abfdee0e27ed48a715#file-4-request-to-makecredential-webapi-json]]
-[[techblogyahoo>https://www.slideshare.net/techblogyahoo/fido-124019677/54]]
--UP : User Presence~
Confirmation that the user is present (required)
--UV : User Verification~
Authentication of the user (optional)

***(6) Verifying the signature [#j1fd7b8b]
-[[fido2-net-lib>https://gist.github.com/daisukenishino2/d50bfcfa415902abfdee0e27ed48a715#file-4-request-to-makecredential-webapi-json]]
-[[techblogyahoo>https://www.slideshare.net/techblogyahoo/fido-124019677/57]]
>[[Roughly: the value of authData signed with attStmt.x5c = attStmt.sig.>https://www.slideshare.net/techblogyahoo/fido-124019677/58]]

***(7) Storing the public key [#t769d565]
-[[fido2-net-lib>https://gist.github.com/daisukenishino2/d50bfcfa415902abfdee0e27ed48a715#file-4-request-to-makecredential-webapi-json]]
-[[techblogyahoo>https://www.slideshare.net/techblogyahoo/fido-124019677/63]]
>From the [[COSE]] key, [[extract the public key>CWT#edb8c145]] and store it.

**Authentication flow [#lc23111a]

***(1) Receiving the challenge [#vbc77f66]
-fido2-net-lib
--[[request>https://gist.github.com/daisukenishino2/d50bfcfa415902abfdee0e27ed48a715#file-6-request-to-assertionoptions-webapi-json]]
--[[response>https://gist.github.com/daisukenishino2/d50bfcfa415902abfdee0e27ed48a715#file-7-response-from-assertionoptions-webapi-json]]
-[[techblogyahoo>https://www.slideshare.net/techblogyahoo/fido-124019677/70]]
--[[request>https://www.slideshare.net/techblogyahoo/fido-124019677/72]]
--[[response>https://www.slideshare.net/techblogyahoo/fido-124019677/73]]

***(2) Parameters of navigator.credentials.get() [#ja036073]
-[[fido2-net-lib>https://gist.github.com/daisukenishino2/d50bfcfa415902abfdee0e27ed48a715#file-8-parameter-of-navigator-credentials-get]]
-[[techblogyahoo>https://www.slideshare.net/techblogyahoo/fido-124019677/75]]

|#|Parameter|Required / Optional|Description|Format|h
|1|challenge|Required|Random number generated by the server|ArrayBuffer|
|2|timeout|Optional|Time to wait for user input|Int|
|3|rpId|Optional|Specifies the rpId (same value as at registration)|String|
|4|allowCredentials|Optional|List of credentials bound to the user|Array (PublicKeyCredentialDescriptor)|
|5|userVerification|Optional|Describes the Relying Party's requirements for user verification|String (enum UserVerificationRequirement)|

***(3) Return value of navigator.credentials.get() [#v312bbc2]
-[[fido2-net-lib>https://gist.github.com/daisukenishino2/d50bfcfa415902abfdee0e27ed48a715#file-9-return-of-navigator-credentials-get]]
-[[techblogyahoo>https://www.slideshare.net/techblogyahoo/fido-124019677/79]]

|#|>|Parameter|Description|Format|h
|1|>|id|Assigned id|String representation of rawId|
|2|>|rawId|ArrayBuffer version of id|ArrayBuffer|
|3|>|response|assertion data|JSON Object (AuthenticatorAssertionResponse)|
|3-1|・|authenticatorData||ArrayBuffer|
|3-2|・|clientDataJSON||ArrayBuffer|
|3-3|・|signature||ArrayBuffer|
|3-4|・|userHandle||ArrayBuffer|
|4|>|type|Type (fixed to public-key)|String|
|5|>|getClientExtensionResults|extensions results struct||

***(4) Verifying challenge, origin and type [#c7de901d]
***(5) Verifying flags [#pc3d8dee]
***(6) Verifying the signature [#z00f8626]

*References [#m98eeaca]

**[[fido2-net-lib]] [#k952458b]

**techblogyahoo [#ge4fa39c]
-Introduction to implementing passwordless login with FIDO authentication > Demo~
https://www.slideshare.net/techblogyahoo/fido-124019677/29

***[[Registration flow>https://www.slideshare.net/techblogyahoo/fido-124019677/30]] [#c3d1bc55]
-[[Scope of implementation>https://www.slideshare.net/techblogyahoo/fido-124019677/32]]
-Preparation
--[[Entering the user name>https://www.slideshare.net/techblogyahoo/fido-124019677/34]]
--[[Sending the user name>https://www.slideshare.net/techblogyahoo/fido-124019677/35]]
--[[Receiving the challenge>https://www.slideshare.net/techblogyahoo/fido-124019677/36]]
-[[navigator.credentials.create()>https://www.slideshare.net/techblogyahoo/fido-124019677/37]]
--[[param>https://www.slideshare.net/techblogyahoo/fido-124019677/38]]
--[[return>https://www.slideshare.net/techblogyahoo/fido-124019677/42]]
-[[Verification>https://www.slideshare.net/techblogyahoo/fido-124019677/49]]
--[[Verifying challenge, origin and type>https://www.slideshare.net/techblogyahoo/fido-124019677/50]]
---[[Verifying the challenge>https://www.slideshare.net/techblogyahoo/fido-124019677/51]]
---[[Verifying the origin>https://www.slideshare.net/techblogyahoo/fido-124019677/52]]
---[[Verifying the type>https://www.slideshare.net/techblogyahoo/fido-124019677/53]]
--[[Verifying flags>https://www.slideshare.net/techblogyahoo/fido-124019677/54]]
--[[Verifying the signature>https://www.slideshare.net/techblogyahoo/fido-124019677/57]]
---[[Obtaining the Attestation Certificate>https://www.slideshare.net/techblogyahoo/fido-124019677/59]]
---[[Verifying the signature>https://www.slideshare.net/techblogyahoo/fido-124019677/60]]
-[[Storage>https://www.slideshare.net/techblogyahoo/fido-124019677/63]]
--[[Storing the public key (1)>https://www.slideshare.net/techblogyahoo/fido-124019677/64]]
--[[Storing the public key (2)>https://www.slideshare.net/techblogyahoo/fido-124019677/65]]
--[[Storing the public key (3)>https://www.slideshare.net/techblogyahoo/fido-124019677/66]]

***[[Authentication flow>https://www.slideshare.net/techblogyahoo/fido-124019677/67]] [#a9244aab]
-[[Scope of implementation>https://www.slideshare.net/techblogyahoo/fido-124019677/69]]
-[[Preparation>https://www.slideshare.net/techblogyahoo/fido-124019677/70]]
--[[Entering the user name>https://www.slideshare.net/techblogyahoo/fido-124019677/71]]
--[[Sending the user name>https://www.slideshare.net/techblogyahoo/fido-124019677/72]]
--[[Receiving the challenge>https://www.slideshare.net/techblogyahoo/fido-124019677/73]]
-[[navigator.credentials.get()>https://www.slideshare.net/techblogyahoo/fido-124019677/74]]
--[[param>https://www.slideshare.net/techblogyahoo/fido-124019677/75]]
--[[return>https://www.slideshare.net/techblogyahoo/fido-124019677/79]]
-[[Verification>https://www.slideshare.net/techblogyahoo/fido-124019677/83]]
--[[Verifying challenge, origin and type>https://www.slideshare.net/techblogyahoo/fido-124019677/84]]
---[[Verifying the challenge>https://www.slideshare.net/techblogyahoo/fido-124019677/85]]
---[[Verifying the origin>https://www.slideshare.net/techblogyahoo/fido-124019677/86]]
---[[Verifying the type>https://www.slideshare.net/techblogyahoo/fido-124019677/87]]
--[[Verifying flags>https://www.slideshare.net/techblogyahoo/fido-124019677/88]]
--[[Verifying the signature>https://www.slideshare.net/techblogyahoo/fido-124019677/90]]
---[[Looking up the authenticator>https://www.slideshare.net/techblogyahoo/fido-124019677/92]]
---[[Obtaining the PublicKey>https://www.slideshare.net/techblogyahoo/fido-124019677/93]]
---[[Verifying the signature>https://www.slideshare.net/techblogyahoo/fido-124019677/95]]
---[[Verifying and updating the counter>https://www.slideshare.net/techblogyahoo/fido-124019677/96]]

----
Tags: [[:IT国際標準]], [[:認証基盤]]