Search in sources :

Example 1 with BadInputException

use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.

the class ClientDataValidationService method checkContent.

public void checkContent(ClientData clientData, String[] types, String challenge, Set<String> facets) throws BadInputException {
    if (!ArrayUtils.contains(types, clientData.getTyp())) {
        throw new BadInputException("Bad clientData: wrong typ " + clientData.getTyp());
    }
    if (!challenge.equals(clientData.getChallenge())) {
        throw new BadInputException("Bad clientData: wrong challenge");
    }
    if (facets != null && !facets.isEmpty()) {
        Set<String> allowedFacets = canonicalizeOrigins(facets);
        String canonicalOrigin;
        try {
            canonicalOrigin = canonicalizeOrigin(clientData.getOrigin());
        } catch (RuntimeException e) {
            throw new BadInputException("Bad clientData: Malformed origin", e);
        }
        verifyOrigin(canonicalOrigin, allowedFacets);
    }
}
Also used : BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException)

Example 2 with BadInputException

use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.

the class RawAuthenticationService method checkSignature.

public void checkSignature(String appId, ClientData clientData, RawAuthenticateResponse rawAuthenticateResponse, byte[] publicKey) throws BadInputException {
    String rawClientData = clientData.getRawClientData();
    byte[] signedBytes = packBytesToSign(signatureVerification.hash(appId), rawAuthenticateResponse.getUserPresence(), rawAuthenticateResponse.getCounter(), signatureVerification.hash(rawClientData));
    log.debug("Packed bytes to sign in HEX '{}'", Hex.encodeHexString(signedBytes));
    log.debug("Signature from authentication response in HEX '{}'", Hex.encodeHexString(rawAuthenticateResponse.getSignature()));
    try {
        boolean isValid = signatureVerification.checkSignature(signatureVerification.decodePublicKey(publicKey), signedBytes, rawAuthenticateResponse.getSignature());
        if (!isValid) {
            throw new BadInputException("Signature is not valid");
        }
    } catch (SignatureException ex) {
        throw new BadInputException("Failed to checkSignature", ex);
    }
}
Also used : BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException) SignatureException(org.gluu.oxauth.model.exception.SignatureException)

Example 3 with BadInputException

use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.

the class RegistrationService method finishRegistration.

public DeviceRegistrationResult finishRegistration(RegisterRequestMessage requestMessage, RegisterResponse response, String userInum, Set<String> facets) throws BadInputException {
    RegisterRequest request = requestMessage.getRegisterRequest();
    String appId = request.getAppId();
    ClientData clientData = response.getClientData();
    clientDataValidationService.checkContent(clientData, RawRegistrationService.SUPPORTED_REGISTER_TYPES, request.getChallenge(), facets);
    RawRegisterResponse rawRegisterResponse = rawRegistrationService.parseRawRegisterResponse(response.getRegistrationData());
    rawRegistrationService.checkSignature(appId, clientData, rawRegisterResponse);
    Date now = new GregorianCalendar(TimeZone.getTimeZone("UTC")).getTime();
    DeviceRegistration deviceRegistration = rawRegistrationService.createDevice(userInum, rawRegisterResponse);
    deviceRegistration.setStatus(DeviceRegistrationStatus.ACTIVE);
    deviceRegistration.setApplication(appId);
    deviceRegistration.setCreationDate(now);
    int keyHandleHashCode = deviceRegistrationService.getKeyHandleHashCode(rawRegisterResponse.getKeyHandle());
    deviceRegistration.setKeyHandleHashCode(keyHandleHashCode);
    final String deviceRegistrationId = String.valueOf(System.currentTimeMillis());
    deviceRegistration.setId(deviceRegistrationId);
    String responseDeviceData = response.getDeviceData();
    if (StringHelper.isNotEmpty(responseDeviceData)) {
        try {
            String responseDeviceDataDecoded = new String(Base64Util.base64urldecode(responseDeviceData));
            DeviceData deviceData = ServerUtil.jsonMapperWithWrapRoot().readValue(responseDeviceDataDecoded, DeviceData.class);
            deviceRegistration.setDeviceData(deviceData);
        } catch (Exception ex) {
            throw new BadInputException(String.format("Device data is invalid: %s", responseDeviceData), ex);
        }
    }
    boolean approved = StringHelper.equals(RawRegistrationService.REGISTER_FINISH_TYPE, response.getClientData().getTyp());
    if (!approved) {
        log.debug("Registratio request with keyHandle '{}' was canceled", rawRegisterResponse.getKeyHandle());
        return new DeviceRegistrationResult(deviceRegistration, DeviceRegistrationResult.Status.CANCELED);
    }
    boolean twoStep = StringHelper.isNotEmpty(userInum);
    if (twoStep) {
        deviceRegistration.setDn(deviceRegistrationService.getDnForU2fDevice(userInum, deviceRegistrationId));
        // Check if there is device registration with keyHandle in LDAP already
        List<DeviceRegistration> foundDeviceRegistrations = deviceRegistrationService.findDeviceRegistrationsByKeyHandle(appId, deviceRegistration.getKeyHandle(), "oxId");
        if (foundDeviceRegistrations.size() != 0) {
            throw new BadInputException(String.format("KeyHandle %s was compromised", deviceRegistration.getKeyHandle()));
        }
        deviceRegistrationService.addUserDeviceRegistration(userInum, deviceRegistration);
    } else {
        deviceRegistration.setDn(deviceRegistrationService.getDnForOneStepU2fDevice(deviceRegistrationId));
        deviceRegistrationService.addOneStepDeviceRegistration(deviceRegistration);
    }
    return new DeviceRegistrationResult(deviceRegistration, DeviceRegistrationResult.Status.APPROVED);
}
Also used : RawRegisterResponse(org.gluu.oxauth.model.fido.u2f.message.RawRegisterResponse) BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException) DeviceCompromisedException(org.gluu.oxauth.exception.fido.u2f.DeviceCompromisedException) BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException)

Example 4 with BadInputException

use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.

the class U2fAuthenticationWS method finishAuthentication.

@POST
@Produces({ "application/json" })
public Response finishAuthentication(@FormParam("username") String userName, @FormParam("tokenResponse") String authenticateResponseString) {
    String sessionId = null;
    try {
        if (appConfiguration.getDisableU2fEndpoint()) {
            return Response.status(Status.FORBIDDEN).build();
        }
        log.debug("Finishing authentication for username '{}' with response '{}'", userName, authenticateResponseString);
        AuthenticateResponse authenticateResponse = ServerUtil.jsonMapperWithWrapRoot().readValue(authenticateResponseString, AuthenticateResponse.class);
        String requestId = authenticateResponse.getRequestId();
        AuthenticateRequestMessageLdap authenticateRequestMessageLdap = u2fAuthenticationService.getAuthenticationRequestMessageByRequestId(requestId);
        if (authenticateRequestMessageLdap == null) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SESSION_EXPIRED)).build());
        }
        sessionId = authenticateRequestMessageLdap.getSessionId();
        u2fAuthenticationService.removeAuthenticationRequestMessage(authenticateRequestMessageLdap);
        AuthenticateRequestMessage authenticateRequestMessage = authenticateRequestMessageLdap.getAuthenticateRequestMessage();
        String foundUserInum = authenticateRequestMessageLdap.getUserInum();
        DeviceRegistrationResult deviceRegistrationResult = u2fAuthenticationService.finishAuthentication(authenticateRequestMessage, authenticateResponse, foundUserInum);
        // If sessionId is not empty update session
        if (StringHelper.isNotEmpty(sessionId)) {
            log.debug("There is session id. Setting session id attributes");
            boolean oneStep = StringHelper.isEmpty(userName);
            userSessionIdService.updateUserSessionIdOnFinishRequest(sessionId, foundUserInum, deviceRegistrationResult, false, oneStep);
        }
        AuthenticateStatus authenticationStatus = new AuthenticateStatus(Constants.RESULT_SUCCESS, requestId);
        // convert manually to avoid possible conflict between resteasy
        // providers, e.g. jettison, jackson
        final String entity = ServerUtil.asJson(authenticationStatus);
        return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
    } catch (Exception ex) {
        log.error("Exception happened", ex);
        if (ex instanceof WebApplicationException) {
            throw (WebApplicationException) ex;
        }
        try {
            // If sessionId is not empty update session
            if (StringHelper.isNotEmpty(sessionId)) {
                log.debug("There is session id. Setting session id status to 'declined'");
                userSessionIdService.updateUserSessionIdOnError(sessionId);
            }
        } catch (Exception ex2) {
            log.error("Failed to update session id status", ex2);
        }
        if (ex instanceof BadInputException) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.INVALID_REQUEST)).build());
        }
        if (ex instanceof DeviceCompromisedException) {
            DeviceRegistration deviceRegistration = ((DeviceCompromisedException) ex).getDeviceRegistration();
            try {
                deviceRegistrationService.disableUserDeviceRegistration(deviceRegistration);
            } catch (Exception ex2) {
                log.error("Failed to mark device '{}' as compomised", ex2, deviceRegistration.getId());
            }
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.DEVICE_COMPROMISED)).build());
        }
        throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
    }
}
Also used : AuthenticateStatus(org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateStatus) AuthenticateResponse(org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateResponse) AuthenticateRequestMessageLdap(org.gluu.oxauth.model.fido.u2f.AuthenticateRequestMessageLdap) AuthenticateRequestMessage(org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage) BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException) DeviceRegistration(org.gluu.oxauth.model.fido.u2f.DeviceRegistration) DeviceRegistrationResult(org.gluu.oxauth.model.fido.u2f.DeviceRegistrationResult) DeviceCompromisedException(org.gluu.oxauth.exception.fido.u2f.DeviceCompromisedException) DeviceCompromisedException(org.gluu.oxauth.exception.fido.u2f.DeviceCompromisedException) InvalidKeyHandleDeviceException(org.gluu.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException) NoEligableDevicesException(org.gluu.oxauth.exception.fido.u2f.NoEligableDevicesException) BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException)

Example 5 with BadInputException

use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.

the class U2fAuthenticationWS method startAuthentication.

@GET
@Produces({ "application/json" })
public Response startAuthentication(@QueryParam("username") String userName, @QueryParam("keyhandle") String keyHandle, @QueryParam("application") String appId, @QueryParam("session_id") String sessionId) {
    // Parameter username is deprecated. We uses it only to determine is it's one or two step workflow
    try {
        if (appConfiguration.getDisableU2fEndpoint()) {
            return Response.status(Status.FORBIDDEN).build();
        }
        log.debug("Startig authentication with username '{}', keyhandle '{}' for appId '{}' and session_id '{}'", userName, keyHandle, appId, sessionId);
        if (StringHelper.isEmpty(userName) && StringHelper.isEmpty(keyHandle)) {
            throw new BadInputException("The request should contains either username or keyhandle");
        }
        String foundUserInum = null;
        boolean twoStep = StringHelper.isNotEmpty(userName);
        if (twoStep) {
            boolean valid = u2fValidationService.isValidSessionId(userName, sessionId);
            if (!valid) {
                throw new BadInputException(String.format("session_id '%s' is invalid", sessionId));
            }
            foundUserInum = userService.getUserInum(userName);
        } else {
            // Convert to non padding URL base64 string
            String keyHandleWithoutPading = Base64Util.base64urlencode(Base64Util.base64urldecode(keyHandle));
            // In one step we expects empty username and not empty keyhandle
            foundUserInum = u2fAuthenticationService.getUserInumByKeyHandle(appId, keyHandleWithoutPading);
        }
        if (StringHelper.isEmpty(foundUserInum)) {
            throw new BadInputException(String.format("Failed to find user by userName '%s' or keyHandle '%s' in LDAP", userName, keyHandle));
        }
        AuthenticateRequestMessage authenticateRequestMessage = u2fAuthenticationService.buildAuthenticateRequestMessage(appId, foundUserInum);
        u2fAuthenticationService.storeAuthenticationRequestMessage(authenticateRequestMessage, foundUserInum, sessionId);
        // convert manually to avoid possible conflict between resteasy
        // providers, e.g. jettison, jackson
        final String entity = ServerUtil.asJson(authenticateRequestMessage);
        return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
    } catch (Exception ex) {
        log.error("Exception happened", ex);
        if (ex instanceof WebApplicationException) {
            throw (WebApplicationException) ex;
        }
        if ((ex instanceof NoEligableDevicesException) || (ex instanceof InvalidKeyHandleDeviceException)) {
            throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.NO_ELIGABLE_DEVICES)).build());
        }
        throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
    }
}
Also used : BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException) AuthenticateRequestMessage(org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage) NoEligableDevicesException(org.gluu.oxauth.exception.fido.u2f.NoEligableDevicesException) InvalidKeyHandleDeviceException(org.gluu.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException) DeviceCompromisedException(org.gluu.oxauth.exception.fido.u2f.DeviceCompromisedException) InvalidKeyHandleDeviceException(org.gluu.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException) NoEligableDevicesException(org.gluu.oxauth.exception.fido.u2f.NoEligableDevicesException) BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException)

Aggregations

BadInputException (org.gluu.oxauth.model.fido.u2f.exception.BadInputException)10 DeviceCompromisedException (org.gluu.oxauth.exception.fido.u2f.DeviceCompromisedException)4 InvalidKeyHandleDeviceException (org.gluu.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException)3 DeviceRegistration (org.gluu.oxauth.model.fido.u2f.DeviceRegistration)3 NoEligableDevicesException (org.gluu.oxauth.exception.fido.u2f.NoEligableDevicesException)2 SignatureException (org.gluu.oxauth.model.exception.SignatureException)2 DeviceRegistrationResult (org.gluu.oxauth.model.fido.u2f.DeviceRegistrationResult)2 AuthenticateRequestMessage (org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage)2 RegisterRequestMessage (org.gluu.oxauth.model.fido.u2f.protocol.RegisterRequestMessage)2 Date (java.util.Date)1 User (org.gluu.oxauth.model.common.User)1 AuthenticateRequestMessageLdap (org.gluu.oxauth.model.fido.u2f.AuthenticateRequestMessageLdap)1 RegistrationNotAllowed (org.gluu.oxauth.model.fido.u2f.exception.RegistrationNotAllowed)1 RawAuthenticateResponse (org.gluu.oxauth.model.fido.u2f.message.RawAuthenticateResponse)1 RawRegisterResponse (org.gluu.oxauth.model.fido.u2f.message.RawRegisterResponse)1 AuthenticateRequest (org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequest)1 AuthenticateResponse (org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateResponse)1 AuthenticateStatus (org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateStatus)1 ClientData (org.gluu.oxauth.model.fido.u2f.protocol.ClientData)1 RegisterResponse (org.gluu.oxauth.model.fido.u2f.protocol.RegisterResponse)1