Update AuthenticatorAssertionResponse.cs

AssertionResponse: UserPresent flag is must have unless we are in conformance testing
googyi · Dec 5, 2023 · 84c9909 · 84c9909
1 parent 9775832
commit 84c9909
Showing 1 changed file with 7 additions and 9 deletions.
diff --git a/Src/Fido2/AuthenticatorAssertionResponse.cs b/Src/Fido2/AuthenticatorAssertionResponse.cs
@@ -122,20 +122,18 @@ public async Task<VerifyAssertionResult> VerifyAsync(
         var rpid = Raw.Extensions?.AppID ?? false ? options.Extensions?.GetAppID() : options.RpId;
         byte[] hashedRpId = CryptoUtils.HashData(HashAlgorithmName.SHA256, Encoding.UTF8.GetBytes(rpid ?? string.Empty));
         byte[] hash = CryptoUtils.HashData(HashAlgorithmName.SHA256, Raw.Response.ClientDataJson);
+        bool conformanceTesting = metadataService != null && metadataService.ConformanceTesting();
 
         if (!authData.RpIdHash.SequenceEqual(hashedRpId))
             throw new Fido2VerificationException(Fido2ErrorCode.InvalidRpidHash, Fido2ErrorMessages.InvalidRpidHash);
 
-        if (options.UserVerification is UserVerificationRequirement.Required)
-        {
-            // 14. Verify that the UP bit of the flags in authData is set.
-            if (!authData.UserPresent)
-                throw new Fido2VerificationException(Fido2ErrorCode.UserPresentFlagNotSet, Fido2ErrorMessages.UserPresentFlagNotSet);
+        // 14. Verify that the UP bit of the flags in authData is set.
+        if (!authData.UserPresent && (!conformanceTesting || options.UserVerification is UserVerificationRequirement.Required))
+            throw new Fido2VerificationException(Fido2ErrorCode.UserPresentFlagNotSet, Fido2ErrorMessages.UserPresentFlagNotSet);
 
-            // 15. If the Relying Party requires user verification for this assertion, verify that the UV bit of the flags in authData is set.
-            if (!authData.UserVerified)
-                throw new Fido2VerificationException(Fido2ErrorCode.UserVerificationRequirementNotMet, Fido2ErrorMessages.UserVerificationRequirementNotMet);
-        }
+        // 15. If the Relying Party requires user verification for this assertion, verify that the UV bit of the flags in authData is set.
+        if (options.UserVerification is UserVerificationRequirement.Required && !authData.UserVerified)
+            throw new Fido2VerificationException(Fido2ErrorCode.UserVerificationRequirementNotMet, Fido2ErrorMessages.UserVerificationRequirementNotMet);
 
         // 16. If the credential backup state is used as part of Relying Party business logic or policy, let currentBe and currentBs be the values of the BE and BS bits, respectively, of the flags in authData.
         // Compare currentBe and currentBs with credentialRecord.BE and credentialRecord.BS and apply Relying Party policy, if any.