Search in sources :

Example 11 with RegistrationExtensionClientInput

use of com.webauthn4j.data.extension.client.RegistrationExtensionClientInput in project webauthn4j by webauthn4j.

the class AndroidSafetyNetAuthenticatorRegistrationValidationTest method validate_RegistrationContext_with_android_safety_net_attestation_statement_test.

@Test
void validate_RegistrationContext_with_android_safety_net_attestation_statement_test() {
    String rpId = "example.com";
    Challenge challenge = new DefaultChallenge();
    AuthenticatorSelectionCriteria authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(AuthenticatorAttachment.CROSS_PLATFORM, true, UserVerificationRequirement.REQUIRED);
    PublicKeyCredentialParameters publicKeyCredentialParameters = new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256);
    PublicKeyCredentialUserEntity publicKeyCredentialUserEntity = new PublicKeyCredentialUserEntity(new byte[32], "username", "displayName");
    AuthenticationExtensionsClientInputs<RegistrationExtensionClientInput> extensions = new AuthenticationExtensionsClientInputs<>();
    PublicKeyCredentialCreationOptions credentialCreationOptions = new PublicKeyCredentialCreationOptions(new PublicKeyCredentialRpEntity(rpId, "example.com"), publicKeyCredentialUserEntity, challenge, Collections.singletonList(publicKeyCredentialParameters), null, Collections.emptyList(), authenticatorSelectionCriteria, AttestationConveyancePreference.DIRECT, extensions);
    PublicKeyCredential<AuthenticatorAttestationResponse, RegistrationExtensionClientOutput> credential = clientPlatform.create(credentialCreationOptions);
    AuthenticatorAttestationResponse authenticatorAttestationResponse = credential.getAuthenticatorResponse();
    AuthenticationExtensionsClientOutputs<RegistrationExtensionClientOutput> clientExtensionResults = credential.getClientExtensionResults();
    Set<String> transports = Collections.emptySet();
    String clientExtensionJSON = authenticationExtensionsClientOutputsConverter.convertToString(clientExtensionResults);
    ServerProperty serverProperty = new ServerProperty(origin, rpId, challenge, null);
    RegistrationRequest registrationRequest = new RegistrationRequest(authenticatorAttestationResponse.getAttestationObject(), authenticatorAttestationResponse.getClientDataJSON(), clientExtensionJSON, transports);
    RegistrationParameters registrationParameters = new RegistrationParameters(serverProperty, null, false, true);
    RegistrationData response = target.validate(registrationRequest, registrationParameters);
    assertAll(() -> assertThat(response.getCollectedClientData()).isNotNull(), () -> assertThat(response.getAttestationObject()).isNotNull(), () -> assertThat(response.getClientExtensions()).isNotNull());
}
Also used : ServerProperty(com.webauthn4j.server.ServerProperty) RegistrationExtensionClientOutput(com.webauthn4j.data.extension.client.RegistrationExtensionClientOutput) Challenge(com.webauthn4j.data.client.challenge.Challenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) AuthenticationExtensionsClientInputs(com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs) RegistrationExtensionClientInput(com.webauthn4j.data.extension.client.RegistrationExtensionClientInput) Test(org.junit.jupiter.api.Test)

Example 12 with RegistrationExtensionClientInput

use of com.webauthn4j.data.extension.client.RegistrationExtensionClientInput in project webauthn4j-spring-security by webauthn4j.

the class AttestationOptionsTest method getter_test.

@Test
public void getter_test() {
    String rpId = "example.com";
    PublicKeyCredentialRpEntity rp = new PublicKeyCredentialRpEntity(rpId, "valid.site.example.com");
    PublicKeyCredentialUserEntity user = new PublicKeyCredentialUserEntity(new byte[32], "username", "displayName");
    Challenge challenge = new DefaultChallenge();
    PublicKeyCredentialParameters publicKeyCredentialParameters = new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256);
    List<PublicKeyCredentialParameters> pubKeyCredParams = Collections.singletonList(publicKeyCredentialParameters);
    long timeout = 10000;
    List<PublicKeyCredentialDescriptor> excludeCredentials = Collections.emptyList();
    AuthenticatorSelectionCriteria authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(AuthenticatorAttachment.CROSS_PLATFORM, true, UserVerificationRequirement.REQUIRED);
    AttestationConveyancePreference attestation = AttestationConveyancePreference.DIRECT;
    AuthenticationExtensionsClientInputs<RegistrationExtensionClientInput> extensions = new AuthenticationExtensionsClientInputs<>();
    AttestationOptions credentialCreationOptions = new AttestationOptions(rp, user, challenge, pubKeyCredParams, timeout, excludeCredentials, authenticatorSelectionCriteria, attestation, extensions);
    assertAll(() -> assertThat(credentialCreationOptions.getRp()).isEqualTo(rp), () -> assertThat(credentialCreationOptions.getUser()).isEqualTo(user), () -> assertThat(credentialCreationOptions.getChallenge()).isEqualTo(challenge), () -> assertThat(credentialCreationOptions.getPubKeyCredParams()).isEqualTo(pubKeyCredParams), () -> assertThat(credentialCreationOptions.getTimeout()).isEqualTo(timeout), () -> assertThat(credentialCreationOptions.getExcludeCredentials()).isEqualTo(excludeCredentials), () -> assertThat(credentialCreationOptions.getAuthenticatorSelection()).isEqualTo(authenticatorSelectionCriteria), () -> assertThat(credentialCreationOptions.getAttestation()).isEqualTo(attestation), () -> assertThat(credentialCreationOptions.getExtensions()).isEqualTo(extensions));
}
Also used : Challenge(com.webauthn4j.data.client.challenge.Challenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) AuthenticationExtensionsClientInputs(com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs) RegistrationExtensionClientInput(com.webauthn4j.data.extension.client.RegistrationExtensionClientInput) Test(org.junit.Test)

Example 13 with RegistrationExtensionClientInput

use of com.webauthn4j.data.extension.client.RegistrationExtensionClientInput in project webauthn4j-spring-security by webauthn4j.

the class FidoServerAttestationOptionsEndpointFilter method processRequest.

@Override
protected ServerResponse processRequest(HttpServletRequest request) {
    InputStream inputStream;
    try {
        inputStream = request.getInputStream();
    } catch (IOException e) {
        throw new UncheckedIOException(e);
    }
    try {
        ServerPublicKeyCredentialCreationOptionsRequest serverRequest = objectConverter.getJsonConverter().readValue(inputStream, ServerPublicKeyCredentialCreationOptionsRequest.class);
        String username = serverRequest.getUsername();
        String displayName = serverRequest.getDisplayName();
        Challenge challenge = serverEndpointFilterUtil.encodeUsername(new DefaultChallenge(), username);
        challengeRepository.saveChallenge(challenge, request);
        // TODO: UsernamePasswordAuthenticationToken should not be used here in this way
        AttestationOptions attestationOptions = optionsProvider.getAttestationOptions(request, new UsernamePasswordAuthenticationToken(username, null, Collections.emptyList()));
        String userHandle;
        if (attestationOptions.getUser() == null) {
            userHandle = Base64UrlUtil.encodeToString(generateUserHandle());
        } else {
            userHandle = Base64UrlUtil.encodeToString(attestationOptions.getUser().getId());
        }
        ServerPublicKeyCredentialUserEntity user = new ServerPublicKeyCredentialUserEntity(userHandle, username, displayName);
        List<ServerPublicKeyCredentialDescriptor> credentials = attestationOptions.getExcludeCredentials().stream().map(credential -> new ServerPublicKeyCredentialDescriptor(credential.getType(), Base64UrlUtil.encodeToString(credential.getId()), credential.getTransports())).collect(Collectors.toList());
        AuthenticationExtensionsClientInputs<RegistrationExtensionClientInput> authenticationExtensionsClientInputs;
        if (serverRequest.getExtensions() != null) {
            authenticationExtensionsClientInputs = serverRequest.getExtensions();
        } else {
            authenticationExtensionsClientInputs = attestationOptions.getExtensions();
        }
        return new ServerPublicKeyCredentialCreationOptionsResponse(attestationOptions.getRp(), user, Base64UrlUtil.encodeToString(attestationOptions.getChallenge().getValue()), attestationOptions.getPubKeyCredParams(), attestationOptions.getTimeout(), credentials, serverRequest.getAuthenticatorSelection(), serverRequest.getAttestation(), authenticationExtensionsClientInputs);
    } catch (DataConversionException e) {
        throw new com.webauthn4j.springframework.security.exception.DataConversionException("Failed to convert data", e);
    }
}
Also used : AttestationOptions(com.webauthn4j.springframework.security.options.AttestationOptions) IOException(java.io.IOException) Challenge(com.webauthn4j.data.client.challenge.Challenge) UUID(java.util.UUID) ChallengeRepository(com.webauthn4j.springframework.security.challenge.ChallengeRepository) Base64UrlUtil(com.webauthn4j.util.Base64UrlUtil) Collectors(java.util.stream.Collectors) ByteBuffer(java.nio.ByteBuffer) AuthenticationExtensionsClientInputs(com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs) AttestationOptionsProvider(com.webauthn4j.springframework.security.options.AttestationOptionsProvider) UncheckedIOException(java.io.UncheckedIOException) HttpServletRequest(javax.servlet.http.HttpServletRequest) List(java.util.List) ObjectConverter(com.webauthn4j.converter.util.ObjectConverter) UsernamePasswordAuthenticationToken(org.springframework.security.authentication.UsernamePasswordAuthenticationToken) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) RegistrationExtensionClientInput(com.webauthn4j.data.extension.client.RegistrationExtensionClientInput) DataConversionException(com.webauthn4j.converter.exception.DataConversionException) Collections(java.util.Collections) Assert(org.springframework.util.Assert) InputStream(java.io.InputStream) InputStream(java.io.InputStream) AttestationOptions(com.webauthn4j.springframework.security.options.AttestationOptions) UncheckedIOException(java.io.UncheckedIOException) UsernamePasswordAuthenticationToken(org.springframework.security.authentication.UsernamePasswordAuthenticationToken) IOException(java.io.IOException) UncheckedIOException(java.io.UncheckedIOException) Challenge(com.webauthn4j.data.client.challenge.Challenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) RegistrationExtensionClientInput(com.webauthn4j.data.extension.client.RegistrationExtensionClientInput) DataConversionException(com.webauthn4j.converter.exception.DataConversionException)

Example 14 with RegistrationExtensionClientInput

use of com.webauthn4j.data.extension.client.RegistrationExtensionClientInput in project webauthn4j by webauthn4j.

the class FIDOU2FAuthenticatorRegistrationValidationTest method validate_invalid_format_attestation_signature_test.

@Test
void validate_invalid_format_attestation_signature_test() {
    String rpId = "example.com";
    Challenge challenge = new DefaultChallenge();
    PublicKeyCredentialParameters publicKeyCredentialParameters = new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256);
    AuthenticatorSelectionCriteria authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(AuthenticatorAttachment.CROSS_PLATFORM, true, UserVerificationRequirement.REQUIRED);
    AuthenticationExtensionsClientInputs<RegistrationExtensionClientInput> extensions = new AuthenticationExtensionsClientInputs<>();
    PublicKeyCredentialCreationOptions credentialCreationOptions = new PublicKeyCredentialCreationOptions(new PublicKeyCredentialRpEntity(rpId, "valid.site.example.com"), new PublicKeyCredentialUserEntity(new byte[32], "username", "displayName"), challenge, Collections.singletonList(publicKeyCredentialParameters), null, Collections.emptyList(), authenticatorSelectionCriteria, AttestationConveyancePreference.DIRECT, extensions);
    RegistrationEmulationOption registrationEmulationOption = new RegistrationEmulationOption();
    registrationEmulationOption.setSignatureOverrideEnabled(true);
    AuthenticatorAttestationResponse authenticatorAttestationResponse = clientPlatform.create(credentialCreationOptions, registrationEmulationOption).getAuthenticatorResponse();
    Set<String> transports = authenticatorTransportConverter.convertSetToStringSet(authenticatorAttestationResponse.getTransports());
    ServerProperty serverProperty = new ServerProperty(origin, rpId, challenge, null);
    RegistrationRequest registrationRequest = new RegistrationRequest(authenticatorAttestationResponse.getAttestationObject(), authenticatorAttestationResponse.getClientDataJSON(), transports);
    RegistrationParameters registrationParameters = new RegistrationParameters(serverProperty, null, false, true);
    assertThrows(BadSignatureException.class, () -> target.validate(registrationRequest, registrationParameters));
}
Also used : ServerProperty(com.webauthn4j.server.ServerProperty) RegistrationEmulationOption(com.webauthn4j.test.client.RegistrationEmulationOption) Challenge(com.webauthn4j.data.client.challenge.Challenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) AuthenticationExtensionsClientInputs(com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs) RegistrationExtensionClientInput(com.webauthn4j.data.extension.client.RegistrationExtensionClientInput) Test(org.junit.jupiter.api.Test)

Example 15 with RegistrationExtensionClientInput

use of com.webauthn4j.data.extension.client.RegistrationExtensionClientInput in project webauthn4j by webauthn4j.

the class FIDOU2FAuthenticatorRegistrationValidationTest method validate_malicious_client_data_test.

@Test
void validate_malicious_client_data_test() {
    Origin phishingSiteOrigin = new Origin("http://phishing.site.example.com");
    Origin validSiteOrigin = new Origin("http://valid.site.example.com");
    Origin phishingSiteClaimingOrigin = new Origin("http://valid.site.example.com");
    // client platform loads phishing site
    ClientPlatform clientPlatform = new ClientPlatform(phishingSiteOrigin, new FIDOU2FAuthenticatorAdaptor());
    String rpId = "valid.site.example.com";
    Challenge challenge = new DefaultChallenge();
    PublicKeyCredentialParameters publicKeyCredentialParameters = new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256);
    AuthenticatorSelectionCriteria authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(AuthenticatorAttachment.CROSS_PLATFORM, true, UserVerificationRequirement.REQUIRED);
    AuthenticationExtensionsClientInputs<RegistrationExtensionClientInput> extensions = new AuthenticationExtensionsClientInputs<>();
    PublicKeyCredentialCreationOptions credentialCreationOptions = new PublicKeyCredentialCreationOptions(new PublicKeyCredentialRpEntity(rpId, "valid.site.example.com"), new PublicKeyCredentialUserEntity(new byte[32], "username", "displayName"), challenge, Collections.singletonList(publicKeyCredentialParameters), null, Collections.emptyList(), authenticatorSelectionCriteria, AttestationConveyancePreference.DIRECT, extensions);
    AuthenticatorAttestationResponse authenticatorAttestationResponse = clientPlatform.create(credentialCreationOptions).getAuthenticatorResponse();
    CollectedClientData maliciousClientData = new CollectedClientData(ClientDataType.WEBAUTHN_CREATE, challenge, phishingSiteClaimingOrigin, null);
    byte[] maliciousClientDataBytes = new CollectedClientDataConverter(objectConverter).convertToBytes(maliciousClientData);
    Set<String> transports = authenticatorTransportConverter.convertSetToStringSet(authenticatorAttestationResponse.getTransports());
    ServerProperty serverProperty = new ServerProperty(validSiteOrigin, rpId, challenge, null);
    RegistrationRequest registrationRequest = new RegistrationRequest(authenticatorAttestationResponse.getAttestationObject(), maliciousClientDataBytes, transports);
    RegistrationParameters registrationParameters = new RegistrationParameters(serverProperty, null, false, true);
    assertThrows(BadSignatureException.class, () -> target.validate(registrationRequest, registrationParameters));
}
Also used : Origin(com.webauthn4j.data.client.Origin) ServerProperty(com.webauthn4j.server.ServerProperty) ClientPlatform(com.webauthn4j.test.client.ClientPlatform) CollectedClientDataConverter(com.webauthn4j.converter.CollectedClientDataConverter) Challenge(com.webauthn4j.data.client.challenge.Challenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) CollectedClientData(com.webauthn4j.data.client.CollectedClientData) FIDOU2FAuthenticatorAdaptor(com.webauthn4j.test.authenticator.u2f.FIDOU2FAuthenticatorAdaptor) AuthenticationExtensionsClientInputs(com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs) RegistrationExtensionClientInput(com.webauthn4j.data.extension.client.RegistrationExtensionClientInput) Test(org.junit.jupiter.api.Test)

Aggregations

AuthenticationExtensionsClientInputs (com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs)20 RegistrationExtensionClientInput (com.webauthn4j.data.extension.client.RegistrationExtensionClientInput)20 Challenge (com.webauthn4j.data.client.challenge.Challenge)18 DefaultChallenge (com.webauthn4j.data.client.challenge.DefaultChallenge)18 Test (org.junit.jupiter.api.Test)15 ServerProperty (com.webauthn4j.server.ServerProperty)13 RegistrationExtensionClientOutput (com.webauthn4j.data.extension.client.RegistrationExtensionClientOutput)10 ClientPlatform (com.webauthn4j.test.client.ClientPlatform)3 AttestationObjectConverter (com.webauthn4j.converter.AttestationObjectConverter)2 ObjectConverter (com.webauthn4j.converter.util.ObjectConverter)2 Origin (com.webauthn4j.data.client.Origin)2 FIDOU2FAuthenticatorAdaptor (com.webauthn4j.test.authenticator.u2f.FIDOU2FAuthenticatorAdaptor)2 IOException (java.io.IOException)2 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)1 AuthController (com.tremolosecurity.proxy.auth.AuthController)1 AuthInfo (com.tremolosecurity.proxy.auth.AuthInfo)1 WebAuthnUserData (com.tremolosecurity.proxy.auth.webauthn.WebAuthnUserData)1 CollectedClientDataConverter (com.webauthn4j.converter.CollectedClientDataConverter)1 DataConversionException (com.webauthn4j.converter.exception.DataConversionException)1 CborConverter (com.webauthn4j.converter.util.CborConverter)1