Search in sources :

Example 6 with BadInputException

use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.

the class RawRegistrationService method checkSignature.

public void checkSignature(String appId, ClientData clientData, RawRegisterResponse rawRegisterResponse) throws BadInputException {
    String rawClientData = clientData.getRawClientData();
    byte[] signedBytes = packBytesToSign(signatureVerification.hash(appId), signatureVerification.hash(rawClientData), rawRegisterResponse.getKeyHandle(), rawRegisterResponse.getUserPublicKey());
    try {
        signatureVerification.checkSignature(rawRegisterResponse.getAttestationCertificate(), signedBytes, rawRegisterResponse.getSignature());
    } catch (SignatureException ex) {
        throw new BadInputException("Failed to checkSignature", ex);
    }
}
Also used : BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException) SignatureException(org.gluu.oxauth.model.exception.SignatureException)

Example 7 with BadInputException

use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.

the class AuthenticationService method getUserInumByKeyHandle.

public String getUserInumByKeyHandle(String appId, String keyHandle) throws InvalidKeyHandleDeviceException {
    if (org.gluu.util.StringHelper.isEmpty(appId) || StringHelper.isEmpty(keyHandle)) {
        return null;
    }
    List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findDeviceRegistrationsByKeyHandle(appId, keyHandle, "oxId");
    if (deviceRegistrations.isEmpty()) {
        throw new InvalidKeyHandleDeviceException(String.format("Failed to find device by keyHandle '%s' in LDAP", keyHandle));
    }
    if (deviceRegistrations.size() != 1) {
        throw new BadInputException(String.format("There are '%d' devices with keyHandle '%s' in LDAP", deviceRegistrations.size(), keyHandle));
    }
    DeviceRegistration deviceRegistration = deviceRegistrations.get(0);
    return userService.getUserInumByDn(deviceRegistration.getDn());
}
Also used : BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException) InvalidKeyHandleDeviceException(org.gluu.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException) DeviceRegistration(org.gluu.oxauth.model.fido.u2f.DeviceRegistration)

Example 8 with BadInputException

use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.

the class AuthenticationService method finishAuthentication.

public DeviceRegistrationResult finishAuthentication(AuthenticateRequestMessage requestMessage, AuthenticateResponse response, String userInum, Set<String> facets) throws BadInputException, DeviceCompromisedException {
    List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, requestMessage.getAppId());
    final AuthenticateRequest request = getAuthenticateRequest(requestMessage, response);
    DeviceRegistration usedDeviceRegistration = null;
    for (DeviceRegistration deviceRegistration : deviceRegistrations) {
        if (StringHelper.equals(request.getKeyHandle(), deviceRegistration.getKeyHandle())) {
            usedDeviceRegistration = deviceRegistration;
            break;
        }
    }
    if (usedDeviceRegistration == null) {
        throw new BadInputException("Failed to find DeviceRegistration for the given AuthenticateRequest");
    }
    if (usedDeviceRegistration.isCompromised()) {
        throw new DeviceCompromisedException(usedDeviceRegistration, "The device is marked as possibly compromised, and cannot be authenticated");
    }
    ClientData clientData = response.getClientData();
    log.debug("Client data HEX '{}'", Hex.encodeHexString(response.getClientDataRaw().getBytes()));
    log.debug("Signature data HEX '{}'", Hex.encodeHexString(response.getSignatureData().getBytes()));
    clientDataValidationService.checkContent(clientData, RawAuthenticationService.SUPPORTED_AUTHENTICATE_TYPES, request.getChallenge(), facets);
    RawAuthenticateResponse rawAuthenticateResponse = rawAuthenticationService.parseRawAuthenticateResponse(response.getSignatureData());
    rawAuthenticationService.checkSignature(request.getAppId(), clientData, rawAuthenticateResponse, Base64Util.base64urldecode(usedDeviceRegistration.getDeviceRegistrationConfiguration().getPublicKey()));
    rawAuthenticateResponse.checkUserPresence();
    log.debug("Counter in finish authentication request'{}', countr in database '{}'", rawAuthenticateResponse.getCounter(), usedDeviceRegistration.getCounter());
    usedDeviceRegistration.checkAndUpdateCounter(rawAuthenticateResponse.getCounter());
    usedDeviceRegistration.setLastAccessTime(new Date());
    deviceRegistrationService.updateDeviceRegistration(userInum, usedDeviceRegistration);
    DeviceRegistrationResult.Status status = DeviceRegistrationResult.Status.APPROVED;
    boolean approved = StringHelper.equals(RawAuthenticationService.AUTHENTICATE_GET_TYPE, clientData.getTyp());
    if (!approved) {
        status = DeviceRegistrationResult.Status.CANCELED;
        log.debug("Authentication request with keyHandle '{}' was canceled", response.getKeyHandle());
    }
    return new DeviceRegistrationResult(usedDeviceRegistration, status);
}
Also used : AuthenticateRequest(org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequest) BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException) ClientData(org.gluu.oxauth.model.fido.u2f.protocol.ClientData) DeviceRegistration(org.gluu.oxauth.model.fido.u2f.DeviceRegistration) DeviceCompromisedException(org.gluu.oxauth.exception.fido.u2f.DeviceCompromisedException) DeviceRegistrationResult(org.gluu.oxauth.model.fido.u2f.DeviceRegistrationResult) RawAuthenticateResponse(org.gluu.oxauth.model.fido.u2f.message.RawAuthenticateResponse) Date(java.util.Date)

Example 9 with BadInputException

use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.

the class U2fRegistrationWS method startRegistration.

@GET
@Produces({ "application/json" })
public Response startRegistration(@QueryParam("username") String userName, @QueryParam("application") String appId, @QueryParam("session_id") String sessionId, @QueryParam("enrollment_code") String enrollmentCode) {
    // Parameter username is deprecated. We uses it only to determine is it's one or two step workflow
    try {
        if (appConfiguration.getDisableU2fEndpoint()) {
            return Response.status(Status.FORBIDDEN).build();
        }
        log.debug("Startig registration with username '{}' for appId '{}'. session_id '{}', enrollment_code '{}'", userName, appId, sessionId, enrollmentCode);
        String userInum = null;
        boolean sessionBasedEnrollment = false;
        boolean twoStep = StringHelper.isNotEmpty(userName);
        if (twoStep) {
            boolean removeEnrollment = false;
            if (StringHelper.isNotEmpty(sessionId)) {
                boolean valid = u2fValidationService.isValidSessionId(userName, sessionId);
                if (!valid) {
                    throw new BadInputException(String.format("session_id '%s' is invalid", sessionId));
                }
                sessionBasedEnrollment = true;
            } else if (StringHelper.isNotEmpty(enrollmentCode)) {
                boolean valid = u2fValidationService.isValidEnrollmentCode(userName, enrollmentCode);
                if (!valid) {
                    throw new BadInputException(String.format("enrollment_code '%s' is invalid", enrollmentCode));
                }
                removeEnrollment = true;
            } else {
                throw new BadInputException("session_id or enrollment_code is mandatory");
            }
            User user = userService.getUser(userName);
            userInum = userService.getUserInum(user);
            if (StringHelper.isEmpty(userInum)) {
                throw new BadInputException(String.format("Failed to find user '%s' in LDAP", userName));
            }
            if (removeEnrollment) {
                // We allow to use enrollment code only one time
                user.setAttribute(U2fConstants.U2F_ENROLLMENT_CODE_ATTRIBUTE, "");
                userService.updateUser(user);
            }
        }
        if (sessionBasedEnrollment) {
            List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, appId);
            if (deviceRegistrations.size() > 0 && !isCurrentAuthenticationLevelCorrespondsToU2fLevel(sessionId)) {
                throw new RegistrationNotAllowed(String.format("It's not possible to start registration with user_name and session_id because user '%s' has already enrolled device", userName));
            }
        }
        RegisterRequestMessage registerRequestMessage = u2fRegistrationService.builRegisterRequestMessage(appId, userInum);
        u2fRegistrationService.storeRegisterRequestMessage(registerRequestMessage, userInum, sessionId);
        // Convert manually to avoid possible conflict between resteasy providers, e.g. jettison, jackson
        final String entity = ServerUtil.asJson(registerRequestMessage);
        return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
    } catch (Exception ex) {
        log.error("Exception happened", ex);
        if (ex instanceof WebApplicationException) {
            throw (WebApplicationException) ex;
        }
        if (ex instanceof RegistrationNotAllowed) {
            throw new WebApplicationException(Response.status(Response.Status.NOT_ACCEPTABLE).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.REGISTRATION_NOT_ALLOWED)).build());
        }
        throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
    }
}
Also used : BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException) User(org.gluu.oxauth.model.common.User) RegistrationNotAllowed(org.gluu.oxauth.model.fido.u2f.exception.RegistrationNotAllowed) RegisterRequestMessage(org.gluu.oxauth.model.fido.u2f.protocol.RegisterRequestMessage) BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException)

Example 10 with BadInputException

use of org.gluu.oxauth.model.fido.u2f.exception.BadInputException in project oxAuth by GluuFederation.

the class U2fRegistrationWS method finishRegistration.

@POST
@Produces({ "application/json" })
public Response finishRegistration(@FormParam("username") String userName, @FormParam("tokenResponse") String registerResponseString) {
    String sessionId = null;
    try {
        if (appConfiguration.getDisableU2fEndpoint()) {
            return Response.status(Status.FORBIDDEN).build();
        }
        log.debug("Finishing registration for username '{}' with response '{}'", userName, registerResponseString);
        RegisterResponse registerResponse = ServerUtil.jsonMapperWithWrapRoot().readValue(registerResponseString, RegisterResponse.class);
        String requestId = registerResponse.getRequestId();
        RegisterRequestMessageLdap registerRequestMessageLdap = u2fRegistrationService.getRegisterRequestMessageByRequestId(requestId);
        if (registerRequestMessageLdap == null) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SESSION_EXPIRED)).build());
        }
        u2fRegistrationService.removeRegisterRequestMessage(registerRequestMessageLdap);
        String foundUserInum = registerRequestMessageLdap.getUserInum();
        RegisterRequestMessage registerRequestMessage = registerRequestMessageLdap.getRegisterRequestMessage();
        DeviceRegistrationResult deviceRegistrationResult = u2fRegistrationService.finishRegistration(registerRequestMessage, registerResponse, foundUserInum);
        // If sessionId is not empty update session
        sessionId = registerRequestMessageLdap.getSessionId();
        if (StringHelper.isNotEmpty(sessionId)) {
            log.debug("There is session id. Setting session id attributes");
            boolean oneStep = StringHelper.isEmpty(foundUserInum);
            userSessionIdService.updateUserSessionIdOnFinishRequest(sessionId, foundUserInum, deviceRegistrationResult, true, oneStep);
        }
        RegisterStatus registerStatus = new RegisterStatus(Constants.RESULT_SUCCESS, requestId);
        // Convert manually to avoid possible conflict between resteasy providers, e.g. jettison, jackson
        final String entity = ServerUtil.asJson(registerStatus);
        return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
    } catch (Exception ex) {
        log.error("Exception happened", ex);
        try {
            // If sessionId is not empty update session
            if (StringHelper.isNotEmpty(sessionId)) {
                log.debug("There is session id. Setting session id status to 'declined'");
                userSessionIdService.updateUserSessionIdOnError(sessionId);
            }
        } catch (Exception ex2) {
            log.error("Failed to update session id status", ex2);
        }
        if (ex instanceof WebApplicationException) {
            throw (WebApplicationException) ex;
        }
        if (ex instanceof BadInputException) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.INVALID_REQUEST)).build());
        }
        throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
    }
}
Also used : RegisterResponse(org.gluu.oxauth.model.fido.u2f.protocol.RegisterResponse) BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException) RegisterStatus(org.gluu.oxauth.model.fido.u2f.protocol.RegisterStatus) RegisterRequestMessage(org.gluu.oxauth.model.fido.u2f.protocol.RegisterRequestMessage) BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException)

Aggregations

BadInputException (org.gluu.oxauth.model.fido.u2f.exception.BadInputException)10 DeviceCompromisedException (org.gluu.oxauth.exception.fido.u2f.DeviceCompromisedException)4 InvalidKeyHandleDeviceException (org.gluu.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException)3 DeviceRegistration (org.gluu.oxauth.model.fido.u2f.DeviceRegistration)3 NoEligableDevicesException (org.gluu.oxauth.exception.fido.u2f.NoEligableDevicesException)2 SignatureException (org.gluu.oxauth.model.exception.SignatureException)2 DeviceRegistrationResult (org.gluu.oxauth.model.fido.u2f.DeviceRegistrationResult)2 AuthenticateRequestMessage (org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage)2 RegisterRequestMessage (org.gluu.oxauth.model.fido.u2f.protocol.RegisterRequestMessage)2 Date (java.util.Date)1 User (org.gluu.oxauth.model.common.User)1 AuthenticateRequestMessageLdap (org.gluu.oxauth.model.fido.u2f.AuthenticateRequestMessageLdap)1 RegistrationNotAllowed (org.gluu.oxauth.model.fido.u2f.exception.RegistrationNotAllowed)1 RawAuthenticateResponse (org.gluu.oxauth.model.fido.u2f.message.RawAuthenticateResponse)1 RawRegisterResponse (org.gluu.oxauth.model.fido.u2f.message.RawRegisterResponse)1 AuthenticateRequest (org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequest)1 AuthenticateResponse (org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateResponse)1 AuthenticateStatus (org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateStatus)1 ClientData (org.gluu.oxauth.model.fido.u2f.protocol.ClientData)1 RegisterResponse (org.gluu.oxauth.model.fido.u2f.protocol.RegisterResponse)1