feat(BRIDGE-424): FIDO2 GUI support.

internal/fido/utils.go

@@ -0,0 +1,111 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
+
+package fido
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+
+	"github.com/ProtonMail/go-proton-api"
+)
+
+type authData struct {
+	AllowCredentials    []interface{}
+	ClientDataJSONBytes []byte
+	RpID                string
+}
+
+func extractFidoAuthData(auth proton.Auth) (authData, error) {
+	authOptions, ok := auth.TwoFA.FIDO2.AuthenticationOptions.(map[string]interface{})
+	if !ok {
+		return authData{}, fmt.Errorf("invalid authentication options format")
+	}
+
+	publicKey, ok := authOptions["publicKey"].(map[string]interface{})
+	if !ok {
+		return authData{}, fmt.Errorf("no publicKey found in authentication options")
+	}
+
+	rpID, ok := publicKey["rpId"].(string)
+	if !ok {
+		return authData{}, fmt.Errorf("could not find rpId in authentication options")
+	}
+
+	challengeArray, ok := publicKey["challenge"].([]interface{})
+	if !ok {
+		return authData{}, fmt.Errorf("no challenge found in authentication options")
+	}
+	challenge := sliceAnyToByteArray(challengeArray)
+
+	allowCredentials, ok := publicKey["allowCredentials"].([]interface{})
+	if !ok || len(allowCredentials) == 0 {
+		return authData{}, fmt.Errorf("no allowed credentials found in authentication options")
+	}
+
+	clientDataJSON := map[string]interface{}{
+		"type":      "webauthn.get",
+		"challenge": base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(challenge),
+		"origin":    "https://" + rpID,
+	}
+
+	clientDataJSONBytes, err := json.Marshal(clientDataJSON)
+	if err != nil {
+		return authData{}, fmt.Errorf("failed to marshal client data JSON: %w", err)
+	}
+
+	return authData{
+		AllowCredentials:    allowCredentials,
+		ClientDataJSONBytes: clientDataJSONBytes,
+		RpID:                rpID,
+	}, nil
+}
+
+func sliceAnyToByteArray(s []any) []byte {
+	result := make([]byte, len(s))
+	for i, val := range s {
+		if intVal, ok := val.(float64); ok {
+			result[i] = byte(intVal)
+		} else {
+			panic("boom")
+		}
+	}
+	return result
+}
+
+func authWithFido(client *proton.Client, auth proton.Auth, credentialIDs []byte, clientDataJSON []byte, authDataRaw []byte, signature []byte) error {
+	credentialIDInts := make([]int, len(credentialIDs))
+	for i, b := range credentialIDs {
+		credentialIDInts[i] = int(b)
+	}
+
+	fido2Req := proton.FIDO2Req{
+		AuthenticationOptions: auth.TwoFA.FIDO2.AuthenticationOptions,
+		ClientData:            base64.StdEncoding.EncodeToString(clientDataJSON),
+		AuthenticatorData:     base64.StdEncoding.EncodeToString(authDataRaw),
+		Signature:             base64.StdEncoding.EncodeToString(signature),
+		CredentialID:          credentialIDInts,
+	}
+
+	if err := client.Auth2FA(context.Background(), proton.Auth2FAReq{FIDO2: fido2Req}); err != nil {
+		return fmt.Errorf("FIDO2 authentication failed: %w", err)
+	}
+
+	return nil
+}