use of com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs in project webauthn4j by webauthn4j.
From the class AndroidSafetyNetAuthenticatorRegistrationValidationTest, method validate_RegistrationContext_with_android_safety_net_attestation_statement_test.
@Test
void validate_RegistrationContext_with_android_safety_net_attestation_statement_test() {
    // Relying-party side: the creation options the server would hand to the client.
    String rpId = "example.com";
    Challenge challenge = new DefaultChallenge();
    PublicKeyCredentialRpEntity rpEntity = new PublicKeyCredentialRpEntity(rpId, "example.com");
    PublicKeyCredentialUserEntity userEntity = new PublicKeyCredentialUserEntity(new byte[32], "username", "displayName");
    AuthenticatorSelectionCriteria selection = new AuthenticatorSelectionCriteria(AuthenticatorAttachment.CROSS_PLATFORM, true, UserVerificationRequirement.REQUIRED);
    AuthenticationExtensionsClientInputs<RegistrationExtensionClientInput> extensions = new AuthenticationExtensionsClientInputs<>();
    PublicKeyCredentialCreationOptions creationOptions = new PublicKeyCredentialCreationOptions(
            rpEntity,
            userEntity,
            challenge,
            Collections.singletonList(new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256)),
            null,
            Collections.emptyList(),
            selection,
            AttestationConveyancePreference.DIRECT,
            extensions);

    // Client side: the emulated platform (presumably configured with an Android SafetyNet authenticator — see the class fixture)
    // produces the attestation response and the client extension outputs.
    PublicKeyCredential<AuthenticatorAttestationResponse, RegistrationExtensionClientOutput> credential = clientPlatform.create(creationOptions);
    AuthenticatorAttestationResponse attestationResponse = credential.getAuthenticatorResponse();
    String clientExtensionJSON = authenticationExtensionsClientOutputsConverter.convertToString(credential.getClientExtensionResults());
    Set<String> transports = Collections.emptySet();

    // Server side: validate against the expected origin, rpId and challenge; no token binding is supplied.
    ServerProperty serverProperty = new ServerProperty(origin, rpId, challenge, null);
    RegistrationRequest registrationRequest = new RegistrationRequest(
            attestationResponse.getAttestationObject(),
            attestationResponse.getClientDataJSON(),
            clientExtensionJSON,
            transports);
    RegistrationParameters registrationParameters = new RegistrationParameters(serverProperty, null, false, true);
    RegistrationData registrationData = target.validate(registrationRequest, registrationParameters);

    assertAll(
            () -> assertThat(registrationData.getCollectedClientData()).isNotNull(),
            () -> assertThat(registrationData.getAttestationObject()).isNotNull(),
            () -> assertThat(registrationData.getClientExtensions()).isNotNull());
}
use of com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs in project webauthn4j-spring-security by webauthn4j.
From the class AttestationOptionsTest, method getter_test.
@Test
public void getter_test() {
    // Every constructor argument is kept in a local so each getter can be compared with the exact instance passed in.
    String rpId = "example.com";
    PublicKeyCredentialRpEntity rp = new PublicKeyCredentialRpEntity(rpId, "valid.site.example.com");
    PublicKeyCredentialUserEntity user = new PublicKeyCredentialUserEntity(new byte[32], "username", "displayName");
    Challenge challenge = new DefaultChallenge();
    List<PublicKeyCredentialParameters> pubKeyCredParams = Collections.singletonList(
            new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256));
    long timeout = 10000;
    List<PublicKeyCredentialDescriptor> excludeCredentials = Collections.emptyList();
    AuthenticatorSelectionCriteria selection = new AuthenticatorSelectionCriteria(AuthenticatorAttachment.CROSS_PLATFORM, true, UserVerificationRequirement.REQUIRED);
    AttestationConveyancePreference attestation = AttestationConveyancePreference.DIRECT;
    AuthenticationExtensionsClientInputs<RegistrationExtensionClientInput> extensions = new AuthenticationExtensionsClientInputs<>();

    AttestationOptions options = new AttestationOptions(
            rp, user, challenge, pubKeyCredParams, timeout, excludeCredentials, selection, attestation, extensions);

    // Each getter must return what was passed to the constructor (no copying or transformation is expected here).
    assertAll(
            () -> assertThat(options.getRp()).isEqualTo(rp),
            () -> assertThat(options.getUser()).isEqualTo(user),
            () -> assertThat(options.getChallenge()).isEqualTo(challenge),
            () -> assertThat(options.getPubKeyCredParams()).isEqualTo(pubKeyCredParams),
            () -> assertThat(options.getTimeout()).isEqualTo(timeout),
            () -> assertThat(options.getExcludeCredentials()).isEqualTo(excludeCredentials),
            () -> assertThat(options.getAuthenticatorSelection()).isEqualTo(selection),
            () -> assertThat(options.getAttestation()).isEqualTo(attestation),
            () -> assertThat(options.getExtensions()).isEqualTo(extensions));
}
use of com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs in project webauthn4j-spring-security by webauthn4j.
From the class FidoServerAttestationOptionsEndpointFilter, method processRequest.
/**
 * Builds the attestation (registration) options response for a FIDO server "attestation/options" request.
 * <p>
 * The request body is parsed as a {@code ServerPublicKeyCredentialCreationOptionsRequest}; a fresh challenge
 * carrying the username is stored via {@code challengeRepository}, the server-side options are looked up from
 * {@code optionsProvider}, and the result is assembled into a {@code ServerPublicKeyCredentialCreationOptionsResponse}.
 *
 * @param request the incoming HTTP request whose body holds the options request
 * @return the creation options response to serialize back to the client
 * @throws UncheckedIOException if the request body cannot be opened
 * @throws com.webauthn4j.springframework.security.exception.DataConversionException if the body cannot be converted
 */
@Override
protected ServerResponse processRequest(HttpServletRequest request) {
    InputStream body;
    try {
        body = request.getInputStream();
    } catch (IOException e) {
        throw new UncheckedIOException(e);
    }
    try {
        ServerPublicKeyCredentialCreationOptionsRequest serverRequest =
                objectConverter.getJsonConverter().readValue(body, ServerPublicKeyCredentialCreationOptionsRequest.class);
        String username = serverRequest.getUsername();
        String displayName = serverRequest.getDisplayName();

        // The username is folded into a new challenge, which is then persisted for this request
        // so the later attestation/result step can be tied back to it.
        Challenge challenge = serverEndpointFilterUtil.encodeUsername(new DefaultChallenge(), username);
        challengeRepository.saveChallenge(challenge, request);

        // TODO: UsernamePasswordAuthenticationToken should not be used here in this way
        UsernamePasswordAuthenticationToken principal =
                new UsernamePasswordAuthenticationToken(username, null, Collections.emptyList());
        AttestationOptions attestationOptions = optionsProvider.getAttestationOptions(request, principal);

        // A user handle is generated only when the options provider knows no user for this name;
        // otherwise the existing user's id is reused so re-registration maps to the same account.
        byte[] userId = attestationOptions.getUser() == null
                ? generateUserHandle()
                : attestationOptions.getUser().getId();
        String userHandle = Base64UrlUtil.encodeToString(userId);
        ServerPublicKeyCredentialUserEntity user = new ServerPublicKeyCredentialUserEntity(userHandle, username, displayName);

        // Credential ids are binary on the server side and base64url on the wire.
        List<ServerPublicKeyCredentialDescriptor> excludeCredentials = attestationOptions.getExcludeCredentials().stream()
                .map(descriptor -> new ServerPublicKeyCredentialDescriptor(
                        descriptor.getType(),
                        Base64UrlUtil.encodeToString(descriptor.getId()),
                        descriptor.getTransports()))
                .collect(Collectors.toList());

        // Client-supplied extensions take precedence; the server-configured ones are only a fallback.
        AuthenticationExtensionsClientInputs<RegistrationExtensionClientInput> extensions = serverRequest.getExtensions();
        if (extensions == null) {
            extensions = attestationOptions.getExtensions();
        }

        // NOTE(review): authenticatorSelection and attestation are echoed from the client request rather than
        // taken from attestationOptions, so the client chooses these two policy fields — confirm this is intended.
        return new ServerPublicKeyCredentialCreationOptionsResponse(
                attestationOptions.getRp(),
                user,
                Base64UrlUtil.encodeToString(attestationOptions.getChallenge().getValue()),
                attestationOptions.getPubKeyCredParams(),
                attestationOptions.getTimeout(),
                excludeCredentials,
                serverRequest.getAuthenticatorSelection(),
                serverRequest.getAttestation(),
                extensions);
    } catch (DataConversionException e) {
        // Re-wrap in the Spring Security flavoured exception, keeping the original cause.
        throw new com.webauthn4j.springframework.security.exception.DataConversionException("Failed to convert data", e);
    }
}
use of com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs in project webauthn4j by webauthn4j.
From the class FIDOU2FAuthenticatorRegistrationValidationTest, method validate_invalid_format_attestation_signature_test.
@Test
void validate_invalid_format_attestation_signature_test() {
    // Ordinary creation options; the only thing wrong in this scenario is the attestation signature.
    String rpId = "example.com";
    Challenge challenge = new DefaultChallenge();
    PublicKeyCredentialRpEntity rpEntity = new PublicKeyCredentialRpEntity(rpId, "valid.site.example.com");
    PublicKeyCredentialUserEntity userEntity = new PublicKeyCredentialUserEntity(new byte[32], "username", "displayName");
    AuthenticatorSelectionCriteria selection = new AuthenticatorSelectionCriteria(AuthenticatorAttachment.CROSS_PLATFORM, true, UserVerificationRequirement.REQUIRED);
    AuthenticationExtensionsClientInputs<RegistrationExtensionClientInput> extensions = new AuthenticationExtensionsClientInputs<>();
    PublicKeyCredentialCreationOptions creationOptions = new PublicKeyCredentialCreationOptions(
            rpEntity,
            userEntity,
            challenge,
            Collections.singletonList(new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256)),
            null,
            Collections.emptyList(),
            selection,
            AttestationConveyancePreference.DIRECT,
            extensions);

    // Ask the emulated authenticator to override the attestation signature so it no longer verifies.
    RegistrationEmulationOption emulationOption = new RegistrationEmulationOption();
    emulationOption.setSignatureOverrideEnabled(true);
    AuthenticatorAttestationResponse attestationResponse =
            clientPlatform.create(creationOptions, emulationOption).getAuthenticatorResponse();
    Set<String> transports = authenticatorTransportConverter.convertSetToStringSet(attestationResponse.getTransports());

    ServerProperty serverProperty = new ServerProperty(origin, rpId, challenge, null);
    RegistrationRequest registrationRequest = new RegistrationRequest(
            attestationResponse.getAttestationObject(),
            attestationResponse.getClientDataJSON(),
            transports);
    RegistrationParameters registrationParameters = new RegistrationParameters(serverProperty, null, false, true);

    // The validator must reject the tampered signature rather than accept the registration.
    assertThrows(BadSignatureException.class, () -> target.validate(registrationRequest, registrationParameters));
}
use of com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs in project webauthn4j by webauthn4j.
From the class FIDOU2FAuthenticatorRegistrationValidationTest, method validate_malicious_client_data_test.
@Test
void validate_malicious_client_data_test() {
    // Three origins: where the client platform really is, where the server expects it to be,
    // and the origin the forged client data claims (identical to the valid one).
    Origin phishingSiteOrigin = new Origin("http://phishing.site.example.com");
    Origin validSiteOrigin = new Origin("http://valid.site.example.com");
    Origin phishingSiteClaimingOrigin = new Origin("http://valid.site.example.com");

    // client platform loads phishing site
    ClientPlatform phishingPlatform = new ClientPlatform(phishingSiteOrigin, new FIDOU2FAuthenticatorAdaptor());

    String rpId = "valid.site.example.com";
    Challenge challenge = new DefaultChallenge();
    PublicKeyCredentialRpEntity rpEntity = new PublicKeyCredentialRpEntity(rpId, "valid.site.example.com");
    PublicKeyCredentialUserEntity userEntity = new PublicKeyCredentialUserEntity(new byte[32], "username", "displayName");
    AuthenticatorSelectionCriteria selection = new AuthenticatorSelectionCriteria(AuthenticatorAttachment.CROSS_PLATFORM, true, UserVerificationRequirement.REQUIRED);
    AuthenticationExtensionsClientInputs<RegistrationExtensionClientInput> extensions = new AuthenticationExtensionsClientInputs<>();
    PublicKeyCredentialCreationOptions creationOptions = new PublicKeyCredentialCreationOptions(
            rpEntity,
            userEntity,
            challenge,
            Collections.singletonList(new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256)),
            null,
            Collections.emptyList(),
            selection,
            AttestationConveyancePreference.DIRECT,
            extensions);

    // The attestation is produced on the phishing origin ...
    AuthenticatorAttestationResponse attestationResponse = phishingPlatform.create(creationOptions).getAuthenticatorResponse();

    // ... but the client data sent to the server claims the valid origin instead.
    CollectedClientData forgedClientData = new CollectedClientData(ClientDataType.WEBAUTHN_CREATE, challenge, phishingSiteClaimingOrigin, null);
    byte[] forgedClientDataBytes = new CollectedClientDataConverter(objectConverter).convertToBytes(forgedClientData);
    Set<String> transports = authenticatorTransportConverter.convertSetToStringSet(attestationResponse.getTransports());

    ServerProperty serverProperty = new ServerProperty(validSiteOrigin, rpId, challenge, null);
    RegistrationRequest registrationRequest = new RegistrationRequest(
            attestationResponse.getAttestationObject(),
            forgedClientDataBytes,
            transports);
    RegistrationParameters registrationParameters = new RegistrationParameters(serverProperty, null, false, true);

    // Presumably the attestation signature binds the original client data, so the swapped
    // client data must fail signature verification rather than pass the origin check.
    assertThrows(BadSignatureException.class, () -> target.validate(registrationRequest, registrationParameters));
}