fix(webauthn): validate rp.id as a registrable domain suffix (fix #187) (#190)

Closes #187. Stacked on #188.

## What

Replaces the strict-equality check between the JSON request's `rp.id`
and the origin's effective domain with the spec-correct "registrable
domain suffix of or equal to" relation from HTML §6.5 (referenced by
WebAuthn L3 §5.1.3 step 7 and §5.1.7 step 9).

Net effect: `rp.id = "example.org"` now works against an origin of
`https://login.example.org`, while `rp.id = "co.uk"` against
`https://example.co.uk` is still correctly rejected because `co.uk` is a
public suffix.

## PSL strategy

Per the design discussion in #173 (libwebauthn should not bundle and
manage its own PSL):

- Adds a `PublicSuffixList` trait with sync `registrable_domain` /
`public_suffix` methods.
- Provides a `DatFilePublicSuffixList` impl that reads a Public Suffix
List `.dat` file at construction time. `from_system_file()` reads the
standard `/usr/share/publicsuffix/public_suffix_list.dat`, kept current
by the system package manager.
- No PSL data is bundled in the libwebauthn crate.
- `publicsuffix = "1.5"`. Same crate as #173, just used offline.

## Plumbing into the parsing API

`WebAuthnIDL::from_json` and `FromIdlModel::from_idl_model` now take an
additional `psl: &dyn PublicSuffixList` parameter. This is the simplest
shape we discussed - explicit, no hidden state on `RequestOrigin`. Yes,
it's another breaking signature change on top of #188; the 0.4.0 release
is already breaking, so we eat the cost once.

Origin parsing (`Origin::from_str`, `RequestOrigin::try_from`) stays
purely syntactic. PSL is only consulted at validation time.

## Commits

1. Add `PublicSuffixList` trait and `DatFilePublicSuffixList` impl.
2. Use `PublicSuffixList` for the registrable-suffix check in
`from_idl_model`.

## Tests

- Unit tests on the suffix-check helper using a small
`MockPublicSuffixList` (recognises `com`, `co.uk`, `org`, `net`).
- Unit tests on the mock itself.
- 2 new positive integration tests on `from_json` for both
`MakeCredentialRequest` and `GetAssertionRequest`:
rp.id-as-parent-registrable-suffix accepted, rp.id-as-eTLD rejected.

## Test plan

- [x] `cargo build --workspace --all-targets --all-features`
- [x] `cargo fmt --all -- --check`
- [x] `cargo clippy --workspace --all-targets --all-features -- -D
warnings`
- [x] `cargo test --workspace` (151 tests)
- [x] `cargo publish --dry-run -p libwebauthn`

Author: AlfioEmanueleFresta

Cargo.lock

@@ -38,6 +38,10 @@ _Looking for the D-Bus API proposal?_ Check out [credentialsd][credentialsd].
   - 🟢 Hybrid transport (caBLE v2): QR-initiated transactions
   - 🟢 Hybrid transport (caBLE v2): State-assisted transactions (remember this phone)
 
+## Runtime requirements
+
+Validating the relying party ID against the calling origin requires the [Public Suffix List][psl]. The built-in loader reads it from the standard system path. The `publicsuffix` package on Debian/Ubuntu or `publicsuffix-list` on Fedora and Arch installs it there, but these are not always present on minimal installs. Install explicitly if needed. Callers wiring their own list don't need a system package.
+
 ## Transports
 
 |                              | FIDO U2F              | WebAuthn (FIDO2)      |
@@ -79,3 +83,4 @@ If you don't know where to start, check out the _Issues_ tab.
 [#17]: https://github.com/linux-credentials/libwebauthn/issues/17
 [#18]: https://github.com/linux-credentials/libwebauthn/issues/18
 [#31]: https://github.com/linux-credentials/libwebauthn/issues/31
+[psl]: https://publicsuffix.org/

README.md

@@ -32,6 +32,7 @@ base64-url = "3.0.0"
 dbus = "0.9.5"
 tracing = "0.1.29"
 idna = "1.0.3"
+publicsuffix = { version = "1.5", default-features = false }
 url = "2.5"
 maplit = "1.0.2"
 sha2 = "0.10.2"

libwebauthn/Cargo.toml

@@ -8,8 +8,8 @@ use tokio::sync::broadcast::Receiver;
 use tracing_subscriber::{self, EnvFilter};
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin, WebAuthnIDL as _,
-    WebAuthnIDLResponse as _,
+    DatFilePublicSuffixList, GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin,
+    WebAuthnIDL as _, WebAuthnIDLResponse as _,
 };
 use libwebauthn::pin::PinRequestReason;
 use libwebauthn::transport::hid::list_devices;
@@ -81,6 +81,9 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
 
         let request_origin: RequestOrigin =
             "https://example.org".try_into().expect("Invalid origin");
+        let psl = DatFilePublicSuffixList::from_system_file().expect(
+            "PSL not available; install the publicsuffix-list package or pass an explicit path",
+        );
         let request_json = r#"
                 {
                     "rp": {
@@ -106,7 +109,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                 }
                 "#;
         let make_credentials_request: MakeCredentialRequest =
-            MakeCredentialRequest::from_json(&request_origin, request_json)
+            MakeCredentialRequest::from_json(&request_origin, &psl, request_json)
                 .expect("Failed to parse request JSON");
         println!(
             "WebAuthn MakeCredential request: {:?}",
@@ -158,7 +161,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                 }
                 "#;
         let get_assertion: GetAssertionRequest =
-            GetAssertionRequest::from_json(&request_origin, request_json)
+            GetAssertionRequest::from_json(&request_origin, &psl, request_json)
                 .expect("Failed to parse request JSON");
         println!("WebAuthn GetAssertion request: {:?}", get_assertion);
 

libwebauthn/examples/webauthn_json_hid.rs

@@ -13,13 +13,15 @@ use crate::{
                 HmacGetSecretInputJson, LargeBlobInputJson, PrfInputJson,
                 PublicKeyCredentialRequestOptionsJSON,
             },
+            origin::is_registrable_domain_suffix_or_equal,
             response::{
                 AuthenticationExtensionsClientOutputsJSON, AuthenticationResponseJSON,
                 AuthenticatorAssertionResponseJSON, HMACGetSecretOutputJSON, LargeBlobOutputJSON,
                 PRFOutputJSON, PRFValuesJSON, ResponseSerializationError, WebAuthnIDLResponse,
             },
             Base64UrlString, FromIdlModel, JsonError,
         },
+        psl::PublicSuffixList,
         Operation, WebAuthnIDL,
     },
     pin::PinUvAuthProtocol,
@@ -115,21 +117,25 @@ impl FromIdlModel<PublicKeyCredentialRequestOptionsJSON, GetAssertionRequestPars
 {
     fn from_idl_model(
         request_origin: &RequestOrigin,
+        psl: &dyn PublicSuffixList,
         inner: PublicKeyCredentialRequestOptionsJSON,
     ) -> Result<Self, GetAssertionRequestParsingError> {
         let effective_rp_id = request_origin.origin.host.as_str();
-        if let Some(relying_party_id) = inner.relying_party_id.as_deref() {
+        let resolved_rp_id = if let Some(relying_party_id) = inner.relying_party_id.as_deref() {
             let parsed = RelyingPartyId::try_from(relying_party_id).map_err(|err| {
                 GetAssertionRequestParsingError::InvalidRelyingPartyId(err.to_string())
             })?;
-            // TODO(#160): Add support for related origin per WebAuthn Level 3.
-            if parsed.0 != effective_rp_id {
+            // TODO(#160): Add related-origins fallback per WebAuthn L3 §5.11.
+            if !is_registrable_domain_suffix_or_equal(&parsed.0, effective_rp_id, psl) {
                 return Err(GetAssertionRequestParsingError::MismatchingRelyingPartyId(
                     parsed.0,
                     effective_rp_id.to_string(),
                 ));
             }
-        }
+            parsed.0
+        } else {
+            effective_rp_id.to_string()
+        };
 
         let prf = match inner.extensions.as_ref() {
             Some(ext) => match &ext.prf {
@@ -158,7 +164,7 @@ impl FromIdlModel<PublicKeyCredentialRequestOptionsJSON, GetAssertionRequestPars
             .unwrap_or(DEFAULT_TIMEOUT);
 
         Ok(GetAssertionRequest {
-            relying_party_id: effective_rp_id.to_string(),
+            relying_party_id: resolved_rp_id,
             challenge: inner.challenge.to_vec(),
             origin: request_origin.origin.to_string(),
             top_origin: request_origin.top_origin.as_ref().map(|o| o.to_string()),
@@ -575,6 +581,7 @@ mod tests {
 
     use serde_bytes::ByteBuf;
 
+    use crate::ops::webauthn::psl::MockPublicSuffixList;
     use crate::ops::webauthn::{GetAssertionRequest, RequestOrigin};
     use crate::proto::ctap2::Ctap2PublicKeyCredentialType;
 
@@ -629,8 +636,12 @@ mod tests {
     #[test]
     fn test_request_from_json_base() {
         let request_origin: RequestOrigin = "https://example.org".parse().unwrap();
-        let req: GetAssertionRequest =
-            GetAssertionRequest::from_json(&request_origin, REQUEST_BASE_JSON).unwrap();
+        let req: GetAssertionRequest = GetAssertionRequest::from_json(
+            &request_origin,
+            &MockPublicSuffixList,
+            REQUEST_BASE_JSON,
+        )
+        .unwrap();
         assert_eq!(req, request_base());
     }
 
@@ -640,7 +651,8 @@ mod tests {
         let req_json = json_field_rm(REQUEST_BASE_JSON, "rpId");
 
         let req: GetAssertionRequest =
-            GetAssertionRequest::from_json(&request_origin, &req_json).unwrap();
+            GetAssertionRequest::from_json(&request_origin, &MockPublicSuffixList, &req_json)
+                .unwrap();
         assert_eq!(req, request_base());
     }
 
@@ -649,7 +661,8 @@ mod tests {
         let request_origin: RequestOrigin = "https://example.org".parse().unwrap();
         let req_json = json_field_add(REQUEST_BASE_JSON, "rpId", r#""example.org.""#);
 
-        let result = GetAssertionRequest::from_json(&request_origin, &req_json);
+        let result =
+            GetAssertionRequest::from_json(&request_origin, &MockPublicSuffixList, &req_json);
         assert!(matches!(
             result,
             Err(GetAssertionRequestParsingError::InvalidRelyingPartyId(_))
@@ -661,7 +674,37 @@ mod tests {
         let request_origin: RequestOrigin = "https://example.org".parse().unwrap();
         let req_json = json_field_add(REQUEST_BASE_JSON, "rpId", r#""other.example.org""#);
 
-        let result = GetAssertionRequest::from_json(&request_origin, &req_json);
+        let result =
+            GetAssertionRequest::from_json(&request_origin, &MockPublicSuffixList, &req_json);
+        assert!(matches!(
+            result,
+            Err(GetAssertionRequestParsingError::MismatchingRelyingPartyId(
+                _,
+                _
+            ))
+        ));
+    }
+
+    #[test]
+    fn test_request_from_json_rp_id_is_parent_registrable_suffix() {
+        // origin = login.example.org, rp.id = example.org -> accepted.
+        let request_origin: RequestOrigin = "https://login.example.org".parse().unwrap();
+        let req_json = json_field_add(REQUEST_BASE_JSON, "rpId", r#""example.org""#);
+
+        let req = GetAssertionRequest::from_json(&request_origin, &MockPublicSuffixList, &req_json)
+            .unwrap();
+        assert_eq!(req.relying_party_id, "example.org");
+        assert_eq!(req.origin, "https://login.example.org");
+    }
+
+    #[test]
+    fn test_request_from_json_rp_id_is_etld_rejected() {
+        // origin = example.co.uk, rp.id = co.uk (a public suffix) -> rejected.
+        let request_origin: RequestOrigin = "https://example.co.uk".parse().unwrap();
+        let req_json = json_field_add(REQUEST_BASE_JSON, "rpId", r#""co.uk""#);
+
+        let result =
+            GetAssertionRequest::from_json(&request_origin, &MockPublicSuffixList, &req_json);
         assert!(matches!(
             result,
             Err(GetAssertionRequestParsingError::MismatchingRelyingPartyId(
@@ -677,7 +720,8 @@ mod tests {
         let req_json = json_field_rm(REQUEST_BASE_JSON, "allowCredentials");
 
         let req: GetAssertionRequest =
-            GetAssertionRequest::from_json(&request_origin, &req_json).unwrap();
+            GetAssertionRequest::from_json(&request_origin, &MockPublicSuffixList, &req_json)
+                .unwrap();
         assert_eq!(
             req,
             GetAssertionRequest {
@@ -693,7 +737,8 @@ mod tests {
         let req_json = json_field_rm(REQUEST_BASE_JSON, "timeout");
 
         let req: GetAssertionRequest =
-            GetAssertionRequest::from_json(&request_origin, &req_json).unwrap();
+            GetAssertionRequest::from_json(&request_origin, &MockPublicSuffixList, &req_json)
+                .unwrap();
         assert_eq!(req.timeout, DEFAULT_TIMEOUT);
     }
 
@@ -706,7 +751,8 @@ mod tests {
         let req_json = json_field_add(REQUEST_BASE_JSON, "extensions", r#"{}"#);
 
         let req: GetAssertionRequest =
-            GetAssertionRequest::from_json(&request_origin, &req_json).unwrap();
+            GetAssertionRequest::from_json(&request_origin, &MockPublicSuffixList, &req_json)
+                .unwrap();
         assert_eq!(
             req.extensions,
             Some(GetAssertionRequestExtensions::default())
@@ -724,7 +770,8 @@ mod tests {
         );
 
         let req: GetAssertionRequest =
-            GetAssertionRequest::from_json(&request_origin, &req_json).unwrap();
+            GetAssertionRequest::from_json(&request_origin, &MockPublicSuffixList, &req_json)
+                .unwrap();
         if let Some(GetAssertionRequestExtensions {
             prf:
                 Some(PrfInput {

libwebauthn/src/ops/webauthn/get_assertion.rs

@@ -16,6 +16,8 @@ pub use response::{
 
 use origin::RequestOrigin;
 
+use super::psl::PublicSuffixList;
+
 use serde::de::DeserializeOwned;
 use serde_json;
 
@@ -33,9 +35,13 @@ where
     /// The JSON model that this IDL can deserialize from.
     type IdlModel: DeserializeOwned;
 
-    fn from_json(request_origin: &RequestOrigin, json: &str) -> Result<Self, Self::Error> {
+    fn from_json(
+        request_origin: &RequestOrigin,
+        psl: &dyn PublicSuffixList,
+        json: &str,
+    ) -> Result<Self, Self::Error> {
         let idl_model: Self::IdlModel = serde_json::from_str(json)?;
-        Self::from_idl_model(request_origin, idl_model).map_err(From::from)
+        Self::from_idl_model(request_origin, psl, idl_model).map_err(From::from)
     }
 }
 
@@ -44,5 +50,9 @@ where
     T: DeserializeOwned,
     E: std::error::Error,
 {
-    fn from_idl_model(request_origin: &RequestOrigin, model: T) -> Result<Self, E>;
+    fn from_idl_model(
+        request_origin: &RequestOrigin,
+        psl: &dyn PublicSuffixList,
+        model: T,
+    ) -> Result<Self, E>;
 }