Search in sources :

Example 1 with SignSessionData

use of com.google.u2f.server.data.SignSessionData in project OpenUnison by TremoloSecurity.

the class U2FServerUnison method getSignRequest.

@Override
public U2fSignRequest getSignRequest(String accountName, String appId) throws U2FException {
    if (log.isDebugEnabled()) {
        log.debug(">> getSignRequest " + accountName);
    }
    List<SecurityKeyData> securityKeyDataList = dataStore.getSecurityKeyData(accountName);
    byte[] challenge = challengeGenerator.generateChallenge(accountName);
    String challengeBase64 = Base64.encodeBase64URLSafeString(challenge);
    ImmutableList.Builder<RegisteredKey> registeredKeys = ImmutableList.builder();
    if (log.isDebugEnabled()) {
        log.debug("  challenge: " + Hex.encodeHexString(challenge));
    }
    for (SecurityKeyData securityKeyData : securityKeyDataList) {
        SignSessionData sessionData = new SignSessionData(accountName, appId, challenge, securityKeyData.getPublicKey());
        String sessionId = dataStore.storeSessionData(sessionData);
        byte[] keyHandle = securityKeyData.getKeyHandle();
        List<Transports> transports = securityKeyData.getTransports();
        if (log.isDebugEnabled()) {
            log.debug("-- Output --");
            log.debug("  sessionId: " + sessionId);
            log.debug("  keyHandle: " + Hex.encodeHexString(keyHandle));
        }
        String keyHandleBase64 = Base64.encodeBase64URLSafeString(keyHandle);
        if (log.isDebugEnabled()) {
            log.debug("<< getRegisteredKey " + accountName);
        }
        registeredKeys.add(new RegisteredKey(U2FConsts.U2F_V2, keyHandleBase64, transports, appId, sessionId));
    }
    return new U2fSignRequest(challengeBase64, registeredKeys.build());
}
Also used : SignSessionData(com.google.u2f.server.data.SignSessionData) U2fSignRequest(com.google.u2f.server.messages.U2fSignRequest) SecurityKeyData(com.google.u2f.server.data.SecurityKeyData) ImmutableList(com.google.common.collect.ImmutableList) Transports(com.google.u2f.server.data.SecurityKeyData.Transports) RegisteredKey(com.google.u2f.server.messages.RegisteredKey)

Example 2 with SignSessionData

use of com.google.u2f.server.data.SignSessionData in project OpenUnison by TremoloSecurity.

the class U2FServerReferenceImpl method processSignResponse.

@Override
public SecurityKeyData processSignResponse(SignResponse signResponse) throws U2FException {
    Log.info(">> processSignResponse");
    String sessionId = signResponse.getSessionId();
    String browserDataBase64 = signResponse.getClientData();
    String rawSignDataBase64 = signResponse.getSignatureData();
    SignSessionData sessionData = dataStore.getSignSessionData(sessionId);
    if (sessionData == null) {
        throw new U2FException("Unknown session_id");
    }
    String appId = sessionData.getAppId();
    SecurityKeyData securityKeyData = null;
    for (SecurityKeyData temp : dataStore.getSecurityKeyData(sessionData.getAccountName())) {
        if (Arrays.equals(sessionData.getPublicKey(), temp.getPublicKey())) {
            securityKeyData = temp;
            break;
        }
    }
    if (securityKeyData == null) {
        throw new U2FException("No security keys registered for this user");
    }
    String browserData = new String(Base64.decodeBase64(browserDataBase64));
    byte[] rawSignData = Base64.decodeBase64(rawSignDataBase64);
    Log.info("-- Input --");
    Log.info("  sessionId: " + sessionId);
    Log.info("  publicKey: " + Hex.encodeHexString(securityKeyData.getPublicKey()));
    Log.info("  challenge: " + Hex.encodeHexString(sessionData.getChallenge()));
    Log.info("  accountName: " + sessionData.getAccountName());
    Log.info("  browserData: " + browserData);
    Log.info("  rawSignData: " + Hex.encodeHexString(rawSignData));
    verifyBrowserData(new JsonParser().parse(browserData), "navigator.id.getAssertion", sessionData);
    AuthenticateResponse authenticateResponse = RawMessageCodec.decodeAuthenticateResponse(rawSignData);
    byte userPresence = authenticateResponse.getUserPresence();
    int counter = authenticateResponse.getCounter();
    byte[] signature = authenticateResponse.getSignature();
    Log.info("-- Parsed rawSignData --");
    Log.info("  userPresence: " + Integer.toHexString(userPresence & 0xFF));
    Log.info("  counter: " + counter);
    Log.info("  signature: " + Hex.encodeHexString(signature));
    if ((userPresence & UserPresenceVerifier.USER_PRESENT_FLAG) == 0) {
        throw new U2FException("User presence invalid during authentication");
    }
    if (counter <= securityKeyData.getCounter()) {
        throw new U2FException("Counter value smaller than expected!");
    }
    byte[] appIdSha256 = crypto.computeSha256(appId.getBytes());
    byte[] browserDataSha256 = crypto.computeSha256(browserData.getBytes());
    byte[] signedBytes = RawMessageCodec.encodeAuthenticateSignedBytes(appIdSha256, userPresence, counter, browserDataSha256);
    Log.info("Verifying signature of bytes " + Hex.encodeHexString(signedBytes));
    if (!crypto.verifySignature(crypto.decodePublicKey(securityKeyData.getPublicKey()), signedBytes, signature)) {
        throw new U2FException("Signature is invalid");
    }
    dataStore.updateSecurityKeyCounter(sessionData.getAccountName(), securityKeyData.getPublicKey(), counter);
    Log.info("<< processSignResponse");
    return securityKeyData;
}
Also used : SignSessionData(com.google.u2f.server.data.SignSessionData) AuthenticateResponse(com.google.u2f.key.messages.AuthenticateResponse) SecurityKeyData(com.google.u2f.server.data.SecurityKeyData) U2FException(com.google.u2f.U2FException) JsonParser(com.google.gson.JsonParser)

Example 3 with SignSessionData

use of com.google.u2f.server.data.SignSessionData in project OpenUnison by TremoloSecurity.

the class U2FServerReferenceImpl method getSignRequest.

@Override
public U2fSignRequest getSignRequest(String accountName, String appId) throws U2FException {
    Log.info(">> getSignRequest " + accountName);
    List<SecurityKeyData> securityKeyDataList = dataStore.getSecurityKeyData(accountName);
    byte[] challenge = challengeGenerator.generateChallenge(accountName);
    String challengeBase64 = Base64.encodeBase64URLSafeString(challenge);
    ImmutableList.Builder<RegisteredKey> registeredKeys = ImmutableList.builder();
    Log.info("  challenge: " + Hex.encodeHexString(challenge));
    for (SecurityKeyData securityKeyData : securityKeyDataList) {
        SignSessionData sessionData = new SignSessionData(accountName, appId, challenge, securityKeyData.getPublicKey());
        String sessionId = dataStore.storeSessionData(sessionData);
        byte[] keyHandle = securityKeyData.getKeyHandle();
        List<Transports> transports = securityKeyData.getTransports();
        Log.info("-- Output --");
        Log.info("  sessionId: " + sessionId);
        Log.info("  keyHandle: " + Hex.encodeHexString(keyHandle));
        String keyHandleBase64 = Base64.encodeBase64URLSafeString(keyHandle);
        Log.info("<< getRegisteredKey " + accountName);
        registeredKeys.add(new RegisteredKey(U2FConsts.U2F_V2, keyHandleBase64, transports, appId, sessionId));
    }
    return new U2fSignRequest(challengeBase64, registeredKeys.build());
}
Also used : SignSessionData(com.google.u2f.server.data.SignSessionData) U2fSignRequest(com.google.u2f.server.messages.U2fSignRequest) SecurityKeyData(com.google.u2f.server.data.SecurityKeyData) ImmutableList(com.google.common.collect.ImmutableList) Transports(com.google.u2f.server.data.SecurityKeyData.Transports) RegisteredKey(com.google.u2f.server.messages.RegisteredKey)

Example 4 with SignSessionData

use of com.google.u2f.server.data.SignSessionData in project OpenUnison by TremoloSecurity.

the class U2FServerUnison method processSignResponse.

@Override
public SecurityKeyData processSignResponse(SignResponse signResponse) throws U2FException {
    if (log.isDebugEnabled()) {
        log.debug(">> processSignResponse");
    }
    String sessionId = signResponse.getSessionId();
    String browserDataBase64 = signResponse.getClientData();
    String rawSignDataBase64 = signResponse.getSignatureData();
    SignSessionData sessionData = dataStore.getSignSessionData(sessionId);
    if (sessionData == null) {
        throw new U2FException("Unknown session_id");
    }
    String appId = sessionData.getAppId();
    SecurityKeyData securityKeyData = null;
    for (SecurityKeyData temp : dataStore.getSecurityKeyData(sessionData.getAccountName())) {
        if (Arrays.equals(sessionData.getPublicKey(), temp.getPublicKey())) {
            securityKeyData = temp;
            break;
        }
    }
    if (securityKeyData == null) {
        throw new U2FException("No security keys registered for this user");
    }
    String browserData = new String(Base64.decodeBase64(browserDataBase64));
    byte[] rawSignData = Base64.decodeBase64(rawSignDataBase64);
    if (log.isDebugEnabled()) {
        log.debug("-- Input --");
        log.debug("  sessionId: " + sessionId);
        log.debug("  publicKey: " + Hex.encodeHexString(securityKeyData.getPublicKey()));
        log.debug("  challenge: " + Hex.encodeHexString(sessionData.getChallenge()));
        log.debug("  accountName: " + sessionData.getAccountName());
        log.debug("  browserData: " + browserData);
        log.debug("  rawSignData: " + Hex.encodeHexString(rawSignData));
    }
    verifyBrowserData(new JsonParser().parse(browserData), "navigator.id.getAssertion", sessionData);
    AuthenticateResponse authenticateResponse = RawMessageCodec.decodeAuthenticateResponse(rawSignData);
    byte userPresence = authenticateResponse.getUserPresence();
    int counter = authenticateResponse.getCounter();
    byte[] signature = authenticateResponse.getSignature();
    if (log.isDebugEnabled()) {
        log.debug("-- Parsed rawSignData --");
        log.debug("  userPresence: " + Integer.toHexString(userPresence & 0xFF));
        log.debug("  counter: " + counter);
        log.debug("  signature: " + Hex.encodeHexString(signature));
    }
    if ((userPresence & UserPresenceVerifier.USER_PRESENT_FLAG) == 0) {
        throw new U2FException("User presence invalid during authentication");
    }
    if (counter <= securityKeyData.getCounter()) {
        throw new U2FException("Counter value smaller than expected!");
    }
    byte[] appIdSha256 = crypto.computeSha256(appId.getBytes());
    byte[] browserDataSha256 = crypto.computeSha256(browserData.getBytes());
    byte[] signedBytes = RawMessageCodec.encodeAuthenticateSignedBytes(appIdSha256, userPresence, counter, browserDataSha256);
    if (log.isDebugEnabled()) {
        log.debug("Verifying signature of bytes " + Hex.encodeHexString(signedBytes));
    }
    if (!crypto.verifySignature(crypto.decodePublicKey(securityKeyData.getPublicKey()), signedBytes, signature)) {
        throw new U2FException("Signature is invalid");
    }
    dataStore.updateSecurityKeyCounter(sessionData.getAccountName(), securityKeyData.getPublicKey(), counter);
    if (log.isDebugEnabled()) {
        log.debug("<< processSignResponse");
    }
    return securityKeyData;
}
Also used : SignSessionData(com.google.u2f.server.data.SignSessionData) AuthenticateResponse(com.google.u2f.key.messages.AuthenticateResponse) SecurityKeyData(com.google.u2f.server.data.SecurityKeyData) U2FException(com.google.u2f.U2FException) JsonParser(com.google.gson.JsonParser)

Aggregations

SecurityKeyData (com.google.u2f.server.data.SecurityKeyData)4 SignSessionData (com.google.u2f.server.data.SignSessionData)4 ImmutableList (com.google.common.collect.ImmutableList)2 JsonParser (com.google.gson.JsonParser)2 U2FException (com.google.u2f.U2FException)2 AuthenticateResponse (com.google.u2f.key.messages.AuthenticateResponse)2 Transports (com.google.u2f.server.data.SecurityKeyData.Transports)2 RegisteredKey (com.google.u2f.server.messages.RegisteredKey)2 U2fSignRequest (com.google.u2f.server.messages.U2fSignRequest)2