Search in sources :

Example 1 with FIDOU2FAuthenticatorAdaptor

use of com.webauthn4j.test.authenticator.u2f.FIDOU2FAuthenticatorAdaptor in project webauthn4j by webauthn4j.

the class FIDOU2FAuthenticatorRegistrationValidationTest method validate_malicious_client_data_test.

@Test
void validate_malicious_client_data_test() {
    Origin phishingSiteOrigin = new Origin("http://phishing.site.example.com");
    Origin validSiteOrigin = new Origin("http://valid.site.example.com");
    Origin phishingSiteClaimingOrigin = new Origin("http://valid.site.example.com");
    // client platform loads phishing site
    ClientPlatform clientPlatform = new ClientPlatform(phishingSiteOrigin, new FIDOU2FAuthenticatorAdaptor());
    String rpId = "valid.site.example.com";
    Challenge challenge = new DefaultChallenge();
    PublicKeyCredentialParameters publicKeyCredentialParameters = new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256);
    AuthenticatorSelectionCriteria authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(AuthenticatorAttachment.CROSS_PLATFORM, true, UserVerificationRequirement.REQUIRED);
    AuthenticationExtensionsClientInputs<RegistrationExtensionClientInput> extensions = new AuthenticationExtensionsClientInputs<>();
    PublicKeyCredentialCreationOptions credentialCreationOptions = new PublicKeyCredentialCreationOptions(new PublicKeyCredentialRpEntity(rpId, "valid.site.example.com"), new PublicKeyCredentialUserEntity(new byte[32], "username", "displayName"), challenge, Collections.singletonList(publicKeyCredentialParameters), null, Collections.emptyList(), authenticatorSelectionCriteria, AttestationConveyancePreference.DIRECT, extensions);
    AuthenticatorAttestationResponse authenticatorAttestationResponse = clientPlatform.create(credentialCreationOptions).getAuthenticatorResponse();
    CollectedClientData maliciousClientData = new CollectedClientData(ClientDataType.WEBAUTHN_CREATE, challenge, phishingSiteClaimingOrigin, null);
    byte[] maliciousClientDataBytes = new CollectedClientDataConverter(objectConverter).convertToBytes(maliciousClientData);
    Set<String> transports = authenticatorTransportConverter.convertSetToStringSet(authenticatorAttestationResponse.getTransports());
    ServerProperty serverProperty = new ServerProperty(validSiteOrigin, rpId, challenge, null);
    RegistrationRequest registrationRequest = new RegistrationRequest(authenticatorAttestationResponse.getAttestationObject(), maliciousClientDataBytes, transports);
    RegistrationParameters registrationParameters = new RegistrationParameters(serverProperty, null, false, true);
    assertThrows(BadSignatureException.class, () -> target.validate(registrationRequest, registrationParameters));
}
Also used : Origin(com.webauthn4j.data.client.Origin) ServerProperty(com.webauthn4j.server.ServerProperty) ClientPlatform(com.webauthn4j.test.client.ClientPlatform) CollectedClientDataConverter(com.webauthn4j.converter.CollectedClientDataConverter) Challenge(com.webauthn4j.data.client.challenge.Challenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) CollectedClientData(com.webauthn4j.data.client.CollectedClientData) FIDOU2FAuthenticatorAdaptor(com.webauthn4j.test.authenticator.u2f.FIDOU2FAuthenticatorAdaptor) AuthenticationExtensionsClientInputs(com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs) RegistrationExtensionClientInput(com.webauthn4j.data.extension.client.RegistrationExtensionClientInput) Test(org.junit.jupiter.api.Test)

Example 2 with FIDOU2FAuthenticatorAdaptor

use of com.webauthn4j.test.authenticator.u2f.FIDOU2FAuthenticatorAdaptor in project webauthn4j by webauthn4j.

the class NullAttestationStatementValidatorTest method validate_RegistrationRequest_with_fido_u2f_attestation_statement_test.

@Test
void validate_RegistrationRequest_with_fido_u2f_attestation_statement_test() {
    FIDOU2FAuthenticatorAdaptor fidou2FAuthenticatorAdaptor = new FIDOU2FAuthenticatorAdaptor();
    ClientPlatform clientPlatform = new ClientPlatform(origin, fidou2FAuthenticatorAdaptor);
    String rpId = "example.com";
    Challenge challenge = new DefaultChallenge();
    PublicKeyCredentialParameters publicKeyCredentialParameters = new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256);
    AuthenticatorSelectionCriteria authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(AuthenticatorAttachment.CROSS_PLATFORM, true, UserVerificationRequirement.REQUIRED);
    AuthenticationExtensionsClientInputs<RegistrationExtensionClientInput> extensions = new AuthenticationExtensionsClientInputs<>();
    PublicKeyCredentialCreationOptions credentialCreationOptions = new PublicKeyCredentialCreationOptions(new PublicKeyCredentialRpEntity(rpId, "valid.site.example.com"), new PublicKeyCredentialUserEntity(new byte[32], "username", "displayName"), challenge, Collections.singletonList(publicKeyCredentialParameters), null, Collections.emptyList(), authenticatorSelectionCriteria, AttestationConveyancePreference.DIRECT, extensions);
    AuthenticatorAttestationResponse registrationRequest = clientPlatform.create(credentialCreationOptions).getAuthenticatorResponse();
    Set<String> transports = authenticatorTransportConverter.convertSetToStringSet(registrationRequest.getTransports());
    ServerProperty serverProperty = new ServerProperty(origin, rpId, challenge, null);
    RegistrationRequest webAuthnRegistrationRequest = new RegistrationRequest(registrationRequest.getAttestationObject(), registrationRequest.getClientDataJSON(), transports);
    RegistrationParameters registrationParameters = new RegistrationParameters(serverProperty, null, false);
    target.validate(webAuthnRegistrationRequest, registrationParameters);
}
Also used : ServerProperty(com.webauthn4j.server.ServerProperty) ClientPlatform(com.webauthn4j.test.client.ClientPlatform) Challenge(com.webauthn4j.data.client.challenge.Challenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) FIDOU2FAuthenticatorAdaptor(com.webauthn4j.test.authenticator.u2f.FIDOU2FAuthenticatorAdaptor) AuthenticationExtensionsClientInputs(com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs) RegistrationExtensionClientInput(com.webauthn4j.data.extension.client.RegistrationExtensionClientInput) Test(org.junit.jupiter.api.Test)

Example 3 with FIDOU2FAuthenticatorAdaptor

use of com.webauthn4j.test.authenticator.u2f.FIDOU2FAuthenticatorAdaptor in project webauthn4j by webauthn4j.

the class FIDOU2FAuthenticatorAuthenticationValidationTest method validate_assertion_with_UP_flag_off_test.

@Test
void validate_assertion_with_UP_flag_off_test() {
    FIDOU2FAuthenticatorAdaptor fidou2FAuthenticatorAdaptor = new FIDOU2FAuthenticatorAdaptor();
    fidou2FAuthenticatorAdaptor.getFIDOU2FAuthenticator().setFlags(FIDOU2FAuthenticator.FLAG_OFF);
    clientPlatform = new ClientPlatform(origin, fidou2FAuthenticatorAdaptor);
    String rpId = "example.com";
    long timeout = 0;
    Challenge challenge = new DefaultChallenge();
    // create
    AttestationObject attestationObject = createAttestationObject(rpId, challenge);
    byte[] credentialId = attestationObject.getAuthenticatorData().getAttestedCredentialData().getCredentialId();
    // get
    PublicKeyCredentialRequestOptions credentialRequestOptions = new PublicKeyCredentialRequestOptions(challenge, timeout, rpId, Collections.singletonList(new PublicKeyCredentialDescriptor(PublicKeyCredentialType.PUBLIC_KEY, attestationObject.getAuthenticatorData().getAttestedCredentialData().getCredentialId(), CollectionUtil.unmodifiableSet(AuthenticatorTransport.USB, AuthenticatorTransport.NFC, AuthenticatorTransport.BLE))), UserVerificationRequirement.DISCOURAGED, null);
    PublicKeyCredential<AuthenticatorAssertionResponse, AuthenticationExtensionClientOutput> credential = clientPlatform.get(credentialRequestOptions);
    AuthenticatorAssertionResponse authenticatorAssertionResponse = credential.getAuthenticatorResponse();
    ServerProperty serverProperty = new ServerProperty(origin, rpId, challenge, null);
    Authenticator authenticator = TestDataUtil.createAuthenticator(attestationObject);
    AuthenticationRequest authenticationRequest = new AuthenticationRequest(credential.getRawId(), authenticatorAssertionResponse.getAuthenticatorData(), authenticatorAssertionResponse.getClientDataJSON(), authenticatorAssertionResponse.getSignature());
    AuthenticationParameters authenticationParameters = new AuthenticationParameters(serverProperty, authenticator, Collections.singletonList(credentialId), false, true);
    assertThrows(UserNotPresentException.class, () -> target.validate(authenticationRequest, authenticationParameters));
}
Also used : ServerProperty(com.webauthn4j.server.ServerProperty) ClientPlatform(com.webauthn4j.test.client.ClientPlatform) Challenge(com.webauthn4j.data.client.challenge.Challenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) DefaultChallenge(com.webauthn4j.data.client.challenge.DefaultChallenge) FIDOU2FAuthenticatorAdaptor(com.webauthn4j.test.authenticator.u2f.FIDOU2FAuthenticatorAdaptor) AuthenticationExtensionClientOutput(com.webauthn4j.data.extension.client.AuthenticationExtensionClientOutput) AttestationObject(com.webauthn4j.data.attestation.AttestationObject) Authenticator(com.webauthn4j.authenticator.Authenticator) FIDOU2FAuthenticator(com.webauthn4j.test.authenticator.u2f.FIDOU2FAuthenticator) Test(org.junit.jupiter.api.Test)

Aggregations

Challenge (com.webauthn4j.data.client.challenge.Challenge)3 DefaultChallenge (com.webauthn4j.data.client.challenge.DefaultChallenge)3 ServerProperty (com.webauthn4j.server.ServerProperty)3 FIDOU2FAuthenticatorAdaptor (com.webauthn4j.test.authenticator.u2f.FIDOU2FAuthenticatorAdaptor)3 ClientPlatform (com.webauthn4j.test.client.ClientPlatform)3 Test (org.junit.jupiter.api.Test)3 AuthenticationExtensionsClientInputs (com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs)2 RegistrationExtensionClientInput (com.webauthn4j.data.extension.client.RegistrationExtensionClientInput)2 Authenticator (com.webauthn4j.authenticator.Authenticator)1 CollectedClientDataConverter (com.webauthn4j.converter.CollectedClientDataConverter)1 AttestationObject (com.webauthn4j.data.attestation.AttestationObject)1 CollectedClientData (com.webauthn4j.data.client.CollectedClientData)1 Origin (com.webauthn4j.data.client.Origin)1 AuthenticationExtensionClientOutput (com.webauthn4j.data.extension.client.AuthenticationExtensionClientOutput)1 FIDOU2FAuthenticator (com.webauthn4j.test.authenticator.u2f.FIDOU2FAuthenticator)1