w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

Consider using CDDL (CBOR data definition language) to define CBOR-encoded data structures #318

Closed equalsJeffH closed 7 years ago

equalsJeffH commented 7 years ago

See: https://tools.ietf.org/html/draft-greevenbosch-appsawg-cbor-cddl

Presently we are defining CBOR data structs in the fashion used in the CBOR spec itself [RFC7049], though this is essentially ad-hoc. The above Internet-Draft (I-D) defines a formal means for defining CBOR-encoded data structs. There is already some early tooling: https://tools.ietf.org/html/draft-greevenbosch-appsawg-cbor-cddl-09#appendix-F

A "CBOR Maintenance & Extensions" WG is in-formation and the above I-D is a work item in the draft charter: https://datatracker.ietf.org/doc/charter-ietf-cbor/

equalsJeffH commented 7 years ago

For example, here are some examples of data structures from the spec expressed in CDDL:

; attestationObject expressed in CDDL:

attestationObject = {
  "fmt":    tstr,
  "authnDat":   bytes,
  "attStmt":    bytes
}

; all attestation stmts expressed in CDDL:

PackedAttestationStatement = {
  "alg":    tstr,
  "sig":    bytes,
  "x5c":    [ attstnCert: bytes,  * bytes ],
  "daaKey": bytes,
}

TpmAttestationStatement = {
  "ver":    tstr,
  "x5c":    [ attstnCert: bytes,  * bytes ],
  "alg":    tstr,
  "sig":    bytes,
  "certInfo":   bytes,
  "pubArea":    bytes,
}

AndroidKeyAttestationStatement = {
  bytes
}

AndroidSafetyNetAttestationStatement = {
  "ver":    tstr,
  "response":   bytes,
}

FidoU2fAttestationStatement = {
  "x5c":    bytes,
  "sig":    bytes,
}

vijaybh commented 7 years ago

I like it. This would make the doc easier to skim for an implementer or developer. It would also allow us to simplify some of the processing rules by representing them in syntax - for example instead of saying that the RP should reject an attestation when it has both x5c and daaKey, we could just put it down as a choice in CDDL.

I'll take a stab at this in the next couple of days if nobody has an objection.
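
Added example, not part of the original thread or the WebAuthn spec: a Python sketch of what a validator enforces once the "x5c or daaKey, never both" rule is written as a choice between two map shapes. The key names come from the CDDL sketch earlier in the thread; the helper names, the sample values, and the modelling of each alternative as a closed map (so a statement with neither key is also rejected) are assumptions.

```python
# Added illustration: the "x5c or daaKey, never both" rule as a choice between
# two closed map shapes, checked on an already-decoded attStmt (a Python dict).
# Key names follow the CDDL sketch in the thread; helper names are hypothetical.

def is_bytes(value):
    return isinstance(value, (bytes, bytearray))

def is_cert_chain(value):
    # [ attstnCert: bytes, * bytes ] -> non-empty array of byte strings
    return isinstance(value, list) and len(value) >= 1 and all(is_bytes(c) for c in value)

COMMON = {"alg": lambda value: isinstance(value, str), "sig": is_bytes}

# Each alternative lists every key it allows, so an unexpected key is a mismatch.
ALTERNATIVES = {
    "x5c": {**COMMON, "x5c": is_cert_chain},
    "daaKey": {**COMMON, "daaKey": is_bytes},
}

def match_packed_att_stmt(stmt):
    """Return the name of the single alternative that stmt matches, else None."""
    if not isinstance(stmt, dict):
        return None
    matches = [
        name for name, shape in ALTERNATIVES.items()
        if stmt.keys() == shape.keys()
        and all(check(stmt[key]) for key, check in shape.items())
    ]
    return matches[0] if len(matches) == 1 else None

# Constructed sample values, not real attestation data.
WITH_CERT = {"alg": "ES256", "sig": b"\x01\x02", "x5c": [b"leaf-cert", b"ca-cert"]}
WITH_DAA = {"alg": "ES256", "sig": b"\x01\x02", "daaKey": b"daa-key"}
WITH_BOTH = {**WITH_CERT, "daaKey": b"daa-key"}
WITH_NEITHER = {"alg": "ES256", "sig": b"\x01\x02"}

if __name__ == "__main__":
    samples = [("cert", WITH_CERT), ("daa", WITH_DAA),
               ("both", WITH_BOTH), ("neither", WITH_NEITHER)]
    for label, stmt in samples:
        print(label, "->", match_packed_att_stmt(stmt))
```

With the rule carried by the schema, the relying party's check reduces to "the statement matches exactly one alternative", and the separate prose rule about rejecting both keys is no longer needed.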

equalsJeffH commented 7 years ago

@vijaybh wrote wrt using CDDL..

I like it. This would make the doc easier to skim for an implementer or developer. ...

fyi: IETF CBOR Maintenance and Extensions WG has formally formed.. https://lists.w3.org/Archives/Public/public-webauthn/2017Jan/0040.html

..which strongly implies CDDL will progress to RFC

see also https://github.com/w3c/webauthn/pull/321#discussion_r96979991 which argues for using ABNF to describe our known-type, known-length binary objects and CDDL for the CBOR portions.