use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.
the class ClientDataValidationService method checkContent.
public void checkContent(ClientData clientData, String[] types, String challenge, Set<String> facets) throws BadInputException {
if (!ArrayUtils.contains(types, clientData.getTyp())) {
throw new BadInputException("Bad clientData: wrong typ " + clientData.getTyp());
}
if (!challenge.equals(clientData.getChallenge())) {
throw new BadInputException("Bad clientData: wrong challenge");
}
if (facets != null && !facets.isEmpty()) {
Set<String> allowedFacets = canonicalizeOrigins(facets);
String canonicalOrigin;
try {
canonicalOrigin = canonicalizeOrigin(clientData.getOrigin());
} catch (RuntimeException e) {
throw new BadInputException("Bad clientData: Malformed origin", e);
}
verifyOrigin(canonicalOrigin, allowedFacets);
}
}
use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.
the class RawAuthenticationService method checkSignature.
public void checkSignature(String appId, ClientData clientData, RawAuthenticateResponse rawAuthenticateResponse, byte[] publicKey) throws BadInputException {
String rawClientData = clientData.getRawClientData();
byte[] signedBytes = packBytesToSign(signatureVerification.hash(appId), rawAuthenticateResponse.getUserPresence(), rawAuthenticateResponse.getCounter(), signatureVerification.hash(rawClientData));
log.debug("Packed bytes to sign in HEX '{}'", Hex.encodeHexString(signedBytes));
log.debug("Signature from authentication response in HEX '{}'", Hex.encodeHexString(rawAuthenticateResponse.getSignature()));
try {
boolean isValid = signatureVerification.checkSignature(signatureVerification.decodePublicKey(publicKey), signedBytes, rawAuthenticateResponse.getSignature());
if (!isValid) {
throw new BadInputException("Signature is not valid");
}
} catch (SignatureException ex) {
throw new BadInputException("Failed to checkSignature", ex);
}
}
use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.
the class RegistrationService method finishRegistration.
public DeviceRegistrationResult finishRegistration(RegisterRequestMessage requestMessage, RegisterResponse response, String userInum, Set<String> facets) throws BadInputException {
RegisterRequest request = requestMessage.getRegisterRequest();
String appId = request.getAppId();
ClientData clientData = response.getClientData();
clientDataValidationService.checkContent(clientData, RawRegistrationService.SUPPORTED_REGISTER_TYPES, request.getChallenge(), facets);
RawRegisterResponse rawRegisterResponse = rawRegistrationService.parseRawRegisterResponse(response.getRegistrationData());
rawRegistrationService.checkSignature(appId, clientData, rawRegisterResponse);
Date now = new GregorianCalendar(TimeZone.getTimeZone("UTC")).getTime();
DeviceRegistration deviceRegistration = rawRegistrationService.createDevice(userInum, rawRegisterResponse);
deviceRegistration.setStatus(DeviceRegistrationStatus.ACTIVE);
deviceRegistration.setApplication(appId);
deviceRegistration.setCreationDate(now);
int keyHandleHashCode = deviceRegistrationService.getKeyHandleHashCode(rawRegisterResponse.getKeyHandle());
deviceRegistration.setKeyHandleHashCode(keyHandleHashCode);
final String deviceRegistrationId = String.valueOf(System.currentTimeMillis());
deviceRegistration.setId(deviceRegistrationId);
String responseDeviceData = response.getDeviceData();
if (StringHelper.isNotEmpty(responseDeviceData)) {
try {
String responseDeviceDataDecoded = new String(Base64Util.base64urldecode(responseDeviceData));
DeviceData deviceData = ServerUtil.jsonMapperWithWrapRoot().readValue(responseDeviceDataDecoded, DeviceData.class);
deviceRegistration.setDeviceData(deviceData);
} catch (Exception ex) {
throw new BadInputException(String.format("Device data is invalid: %s", responseDeviceData), ex);
}
}
boolean approved = StringHelper.equals(RawRegistrationService.REGISTER_FINISH_TYPE, response.getClientData().getTyp());
if (!approved) {
log.debug("Registratio request with keyHandle '{}' was canceled", rawRegisterResponse.getKeyHandle());
return new DeviceRegistrationResult(deviceRegistration, DeviceRegistrationResult.Status.CANCELED);
}
boolean twoStep = StringHelper.isNotEmpty(userInum);
if (twoStep) {
deviceRegistration.setDn(deviceRegistrationService.getDnForU2fDevice(userInum, deviceRegistrationId));
// Check if there is device registration with keyHandle in LDAP already
List<DeviceRegistration> foundDeviceRegistrations = deviceRegistrationService.findDeviceRegistrationsByKeyHandle(appId, deviceRegistration.getKeyHandle(), "oxId");
if (foundDeviceRegistrations.size() != 0) {
throw new BadInputException(String.format("KeyHandle %s was compromised", deviceRegistration.getKeyHandle()));
}
deviceRegistrationService.addUserDeviceRegistration(userInum, deviceRegistration);
} else {
deviceRegistration.setDn(deviceRegistrationService.getDnForOneStepU2fDevice(deviceRegistrationId));
deviceRegistrationService.addOneStepDeviceRegistration(deviceRegistration);
}
return new DeviceRegistrationResult(deviceRegistration, DeviceRegistrationResult.Status.APPROVED);
}
use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.
the class U2fAuthenticationWS method finishAuthentication.
@POST
@Produces({ "application/json" })
public Response finishAuthentication(@FormParam("username") String userName, @FormParam("tokenResponse") String authenticateResponseString) {
String sessionId = null;
try {
if (appConfiguration.getDisableU2fEndpoint()) {
return Response.status(Status.FORBIDDEN).build();
}
log.debug("Finishing authentication for username '{}' with response '{}'", userName, authenticateResponseString);
AuthenticateResponse authenticateResponse = ServerUtil.jsonMapperWithWrapRoot().readValue(authenticateResponseString, AuthenticateResponse.class);
String requestId = authenticateResponse.getRequestId();
AuthenticateRequestMessageLdap authenticateRequestMessageLdap = u2fAuthenticationService.getAuthenticationRequestMessageByRequestId(requestId);
if (authenticateRequestMessageLdap == null) {
throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SESSION_EXPIRED)).build());
}
sessionId = authenticateRequestMessageLdap.getSessionId();
u2fAuthenticationService.removeAuthenticationRequestMessage(authenticateRequestMessageLdap);
AuthenticateRequestMessage authenticateRequestMessage = authenticateRequestMessageLdap.getAuthenticateRequestMessage();
String foundUserInum = authenticateRequestMessageLdap.getUserInum();
DeviceRegistrationResult deviceRegistrationResult = u2fAuthenticationService.finishAuthentication(authenticateRequestMessage, authenticateResponse, foundUserInum);
// If sessionId is not empty update session
if (StringHelper.isNotEmpty(sessionId)) {
log.debug("There is session id. Setting session id attributes");
boolean oneStep = StringHelper.isEmpty(userName);
userSessionIdService.updateUserSessionIdOnFinishRequest(sessionId, foundUserInum, deviceRegistrationResult, false, oneStep);
}
AuthenticateStatus authenticationStatus = new AuthenticateStatus(Constants.RESULT_SUCCESS, requestId);
// convert manually to avoid possible conflict between resteasy
// providers, e.g. jettison, jackson
final String entity = ServerUtil.asJson(authenticationStatus);
return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
} catch (Exception ex) {
log.error("Exception happened", ex);
if (ex instanceof WebApplicationException) {
throw (WebApplicationException) ex;
}
try {
// If sessionId is not empty update session
if (StringHelper.isNotEmpty(sessionId)) {
log.debug("There is session id. Setting session id status to 'declined'");
userSessionIdService.updateUserSessionIdOnError(sessionId);
}
} catch (Exception ex2) {
log.error("Failed to update session id status", ex2);
}
if (ex instanceof BadInputException) {
throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.INVALID_REQUEST)).build());
}
if (ex instanceof DeviceCompromisedException) {
DeviceRegistration deviceRegistration = ((DeviceCompromisedException) ex).getDeviceRegistration();
try {
deviceRegistrationService.disableUserDeviceRegistration(deviceRegistration);
} catch (Exception ex2) {
log.error("Failed to mark device '{}' as compomised", ex2, deviceRegistration.getId());
}
throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.DEVICE_COMPROMISED)).build());
}
throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
}
}
use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.
the class U2fAuthenticationWS method startAuthentication.
@GET
@Produces({ "application/json" })
public Response startAuthentication(@QueryParam("username") String userName, @QueryParam("keyhandle") String keyHandle, @QueryParam("application") String appId, @QueryParam("session_id") String sessionId) {
// Parameter username is deprecated. We uses it only to determine is it's one or two step workflow
try {
if (appConfiguration.getDisableU2fEndpoint()) {
return Response.status(Status.FORBIDDEN).build();
}
log.debug("Startig authentication with username '{}', keyhandle '{}' for appId '{}' and session_id '{}'", userName, keyHandle, appId, sessionId);
if (StringHelper.isEmpty(userName) && StringHelper.isEmpty(keyHandle)) {
throw new BadInputException("The request should contains either username or keyhandle");
}
String foundUserInum = null;
boolean twoStep = StringHelper.isNotEmpty(userName);
if (twoStep) {
boolean valid = u2fValidationService.isValidSessionId(userName, sessionId);
if (!valid) {
throw new BadInputException(String.format("session_id '%s' is invalid", sessionId));
}
foundUserInum = userService.getUserInum(userName);
} else {
// Convert to non padding URL base64 string
String keyHandleWithoutPading = Base64Util.base64urlencode(Base64Util.base64urldecode(keyHandle));
// In one step we expects empty username and not empty keyhandle
foundUserInum = u2fAuthenticationService.getUserInumByKeyHandle(appId, keyHandleWithoutPading);
}
if (StringHelper.isEmpty(foundUserInum)) {
throw new BadInputException(String.format("Failed to find user by userName '%s' or keyHandle '%s' in LDAP", userName, keyHandle));
}
AuthenticateRequestMessage authenticateRequestMessage = u2fAuthenticationService.buildAuthenticateRequestMessage(appId, foundUserInum);
u2fAuthenticationService.storeAuthenticationRequestMessage(authenticateRequestMessage, foundUserInum, sessionId);
// convert manually to avoid possible conflict between resteasy
// providers, e.g. jettison, jackson
final String entity = ServerUtil.asJson(authenticateRequestMessage);
return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
} catch (Exception ex) {
log.error("Exception happened", ex);
if (ex instanceof WebApplicationException) {
throw (WebApplicationException) ex;
}
if ((ex instanceof NoEligableDevicesException) || (ex instanceof InvalidKeyHandleDeviceException)) {
throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.NO_ELIGABLE_DEVICES)).build());
}
throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
}
}
Aggregations