Use BCL Base64Url implementation (#575)

* Use BCL Base64Url implementation

* [Testing] React to Base64Url changes (encoder is now strict, and no longer supports Base64)

* Apply formatting

* Update deps

* Eliminate allocation in Base64UrlConverter and improve error message when encountering invalid data

* Add Base64UrlConverter.EnableRelaxedDecoding feature

* Format Base64UrlConverter

* Fix EnableRelaxedDecoding implementation and add test coverage

Author: iamcarbon

Demo/TestController.cs

@@ -1,5 +1,7 @@
-using System.Text;
+using System.Buffers.Text;
+using System.Text;
 using System.Text.Json;
+
 using Fido2NetLib;
 using Fido2NetLib.Development;
 using Fido2NetLib.Objects;
@@ -42,7 +44,7 @@ public OkObjectResult MakeCredentialOptionsTest([FromBody] TEST_MakeCredentialPa
 
         try
         {
-            username = Base64Url.Decode(opts.Username);
+            username = Base64Url.DecodeFromChars(opts.Username);
         }
         catch (FormatException)
         {

Src/Fido2.Models/Base64Url.cs

@@ -1,4 +1,8 @@
-using System.Text.Json;
+#nullable enable
+
+using System.Buffers;
+using System.Buffers.Text;
+using System.Text.Json;
 using System.Text.Json.Serialization;
 
 namespace Fido2NetLib;
@@ -8,20 +12,87 @@ namespace Fido2NetLib;
 /// </summary>
 public sealed class Base64UrlConverter : JsonConverter<byte[]>
 {
+    public static bool EnableRelaxedDecoding { get; set; }
+
     public override byte[] Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
     {
-        if (!reader.HasValueSequence)
+        byte[]? rentedBuffer = null;
+
+        scoped ReadOnlySpan<byte> source;
+
+        if (!reader.HasValueSequence && !reader.ValueIsEscaped)
         {
-            return Base64Url.DecodeUtf8(reader.ValueSpan);
+            source = reader.ValueSpan;
         }
         else
         {
-            return Base64Url.Decode(reader.GetString());
+            int valueLength = reader.HasValueSequence ? checked((int)reader.ValueSequence.Length) : reader.ValueSpan.Length;
+
+            Span<byte> buffer = valueLength <= 32 ? stackalloc byte[32] : (rentedBuffer = ArrayPool<byte>.Shared.Rent(valueLength));
+            int bytesRead = reader.CopyString(buffer);
+            source = buffer[..bytesRead];
+        }
+
+        try
+        {
+            return Base64Url.DecodeFromUtf8(source);
+        }
+        catch (Exception ex)
+        {
+            if (Base64.IsValid(source))
+            {
+                static byte[] DecodeBase64FromUtf8(scoped ReadOnlySpan<byte> source)
+                {
+                    var rentedBuffer = ArrayPool<byte>.Shared.Rent(Base64.GetMaxDecodedFromUtf8Length(source.Length));
+
+                    try
+                    {
+                        _ = Base64.DecodeFromUtf8(source, rentedBuffer, out _, out int written);
+
+                        return rentedBuffer[0..written];
+                    }
+                    finally
+                    {
+                        ArrayPool<byte>.Shared.Return(rentedBuffer);
+                    }
+                }
+
+                if (EnableRelaxedDecoding)
+                {
+                    return DecodeBase64FromUtf8(source);
+                }
+                else
+                {
+                    throw new JsonException("Expected data to be in Base64Url format, but received Base64 encoding instead.");
+                }
+            }
+            else
+            {
+                throw new JsonException(ex.Message, ex);
+            }
+        }
+        finally
+        {
+            if (rentedBuffer != null)
+            {
+                ArrayPool<byte>.Shared.Return(rentedBuffer);
+            }
         }
     }
 
     public override void Write(Utf8JsonWriter writer, byte[] value, JsonSerializerOptions options)
     {
-        writer.WriteStringValue(Base64Url.Encode(value));
+        var rentedBuffer = ArrayPool<byte>.Shared.Rent(Base64Url.GetEncodedLength(value.Length));
+
+        try
+        {
+            Base64Url.EncodeToUtf8(value, rentedBuffer, out _, out int written);
+
+            writer.WriteStringValue(rentedBuffer.AsSpan(0..written));
+        }
+        finally
+        {
+            ArrayPool<byte>.Shared.Return(rentedBuffer);
+        }
     }
 }

Src/Fido2.Models/Converters/Base64UrlConverter.cs

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <TargetFrameworks>$(SupportedTargetFrameworks)</TargetFrameworks>
@@ -9,4 +9,8 @@
     <IsPackable>true</IsPackable>
   </PropertyGroup>
 
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Bcl.Memory" Version="9.0.0" />
+  </ItemGroup>
+
 </Project>

Src/Fido2.Models/Fido2.Models.csproj

@@ -1,5 +1,4 @@
-using System.ComponentModel.DataAnnotations;
-using System.Text.Json.Serialization;
+using System.Text.Json.Serialization;
 
 namespace Fido2NetLib;
 

Src/Fido2.Models/Metadata/BiometricStatusReport.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Buffers.Text;
 using System.Collections.Generic;
 using System.Linq;
 using System.Security.Cryptography;
@@ -46,7 +47,7 @@ public override async ValueTask<VerifyAttestationResult> VerifyAsync(VerifyAttes
 
         try
         {
-            jwtHeaderBytes = Base64Url.Decode(jwtComponents[0]);
+            jwtHeaderBytes = Base64Url.DecodeFromChars(jwtComponents[0]);
         }
         catch (FormatException)
         {

Src/Fido2/AttestationFormat/AndroidSafetyNet.cs

@@ -1,5 +1,4 @@
 using System;
-using System.Collections.Generic;
 using System.Linq;
 using System.Security.Cryptography;
 using System.Text;

Src/Fido2/AuthenticatorAssertionResponse.cs

@@ -12,9 +12,9 @@
 
   <ItemGroup>
     <ProjectReference Include="..\Fido2.Models\Fido2.Models.csproj" />
-    <PackageReference Include="Microsoft.Extensions.Http" Version="8.0.1" />
+    <PackageReference Include="Microsoft.Extensions.Http" Version="9.0.0" />
     <PackageReference Include="NSec.Cryptography" Version="22.4.0" />
-    <PackageReference Include="System.Formats.Cbor" Version="8.0.0" />
+    <PackageReference Include="System.Formats.Cbor" Version="9.0.0" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.2.0" />
   </ItemGroup>
 

Src/Fido2/Fido2.csproj

@@ -1,6 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.ComponentModel;
+using System.ComponentModel;
 
 namespace Fido2NetLib;
 

Src/Fido2/MakeAssertionParams.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Buffers.Text;
 using System.Collections.Generic;
 using System.Linq;
 using System.Net.Http;
@@ -132,7 +133,7 @@ public async Task<MetadataBLOBPayload> DeserializeAndValidateBlobAsync(string ra
             throw new Fido2MetadataException("The JWT does not have the 3 expected components");
 
         var blobHeader = jwtParts[0];
-        using var jsonDoc = JsonDocument.Parse(Base64Url.Decode(blobHeader));
+        using var jsonDoc = JsonDocument.Parse(Base64Url.DecodeFromChars(blobHeader));
         var tokenHeader = jsonDoc.RootElement;
 
         var blobAlg = tokenHeader.TryGetProperty("alg", out var algEl)
@@ -235,7 +236,7 @@ public async Task<MetadataBLOBPayload> DeserializeAndValidateBlobAsync(string ra
 
         var blobPayload = ((JsonWebToken)validateTokenResult.SecurityToken).EncodedPayload;
 
-        MetadataBLOBPayload blob = JsonSerializer.Deserialize(Base64Url.Decode(blobPayload), FidoModelSerializerContext.Default.MetadataBLOBPayload)!;
+        MetadataBLOBPayload blob = JsonSerializer.Deserialize(Base64Url.DecodeFromChars(blobPayload), FidoModelSerializerContext.Default.MetadataBLOBPayload)!;
         blob.JwtAlg = blobAlg;
         return blob;
     }