Search in sources :

Example 1 with ClientData

use of org.xdi.oxauth.model.fido.u2f.protocol.ClientData in project oxAuth by GluuFederation.

the class AuthenticationService method finishAuthentication.

public DeviceRegistrationResult finishAuthentication(AuthenticateRequestMessage requestMessage, AuthenticateResponse response, String userInum, Set<String> facets) throws BadInputException, DeviceCompromisedException {
    List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, requestMessage.getAppId());
    final AuthenticateRequest request = getAuthenticateRequest(requestMessage, response);
    DeviceRegistration usedDeviceRegistration = null;
    for (DeviceRegistration deviceRegistration : deviceRegistrations) {
        if (StringHelper.equals(request.getKeyHandle(), deviceRegistration.getKeyHandle())) {
            usedDeviceRegistration = deviceRegistration;
            break;
        }
    }
    if (usedDeviceRegistration == null) {
        throw new BadInputException("Failed to find DeviceRegistration for the given AuthenticateRequest");
    }
    if (usedDeviceRegistration.isCompromised()) {
        throw new DeviceCompromisedException(usedDeviceRegistration, "The device is marked as possibly compromised, and cannot be authenticated");
    }
    ClientData clientData = response.getClientData();
    clientDataValidationService.checkContent(clientData, RawAuthenticationService.SUPPORTED_AUTHENTICATE_TYPES, request.getChallenge(), facets);
    RawAuthenticateResponse rawAuthenticateResponse = rawAuthenticationService.parseRawAuthenticateResponse(response.getSignatureData());
    rawAuthenticationService.checkSignature(request.getAppId(), clientData, rawAuthenticateResponse, Base64Util.base64urldecode(usedDeviceRegistration.getDeviceRegistrationConfiguration().getPublicKey()));
    rawAuthenticateResponse.checkUserPresence();
    usedDeviceRegistration.checkAndUpdateCounter(rawAuthenticateResponse.getCounter());
    usedDeviceRegistration.setLastAccessTime(new Date());
    deviceRegistrationService.updateDeviceRegistration(userInum, usedDeviceRegistration);
    DeviceRegistrationResult.Status status = DeviceRegistrationResult.Status.APPROVED;
    boolean approved = StringHelper.equals(RawAuthenticationService.AUTHENTICATE_GET_TYPE, clientData.getTyp());
    if (!approved) {
        status = DeviceRegistrationResult.Status.CANCELED;
        log.debug("Authentication request with keyHandle '{}' was canceled", response.getKeyHandle());
    }
    return new DeviceRegistrationResult(usedDeviceRegistration, status);
}
Also used : AuthenticateRequest(org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequest) BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException) ClientData(org.xdi.oxauth.model.fido.u2f.protocol.ClientData) DeviceRegistration(org.xdi.oxauth.model.fido.u2f.DeviceRegistration) DeviceCompromisedException(org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException) DeviceRegistrationResult(org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult) RawAuthenticateResponse(org.xdi.oxauth.model.fido.u2f.message.RawAuthenticateResponse) Date(java.util.Date)

Example 2 with ClientData

use of org.xdi.oxauth.model.fido.u2f.protocol.ClientData in project oxAuth by GluuFederation.

the class RegistrationService method finishRegistration.

public DeviceRegistrationResult finishRegistration(RegisterRequestMessage requestMessage, RegisterResponse response, String userInum, Set<String> facets) throws BadInputException {
    RegisterRequest request = requestMessage.getRegisterRequest();
    String appId = request.getAppId();
    ClientData clientData = response.getClientData();
    clientDataValidationService.checkContent(clientData, RawRegistrationService.SUPPORTED_REGISTER_TYPES, request.getChallenge(), facets);
    RawRegisterResponse rawRegisterResponse = rawRegistrationService.parseRawRegisterResponse(response.getRegistrationData());
    rawRegistrationService.checkSignature(appId, clientData, rawRegisterResponse);
    Date now = new GregorianCalendar(TimeZone.getTimeZone("UTC")).getTime();
    DeviceRegistration deviceRegistration = rawRegistrationService.createDevice(rawRegisterResponse);
    deviceRegistration.setStatus(DeviceRegistrationStatus.ACTIVE);
    deviceRegistration.setApplication(appId);
    deviceRegistration.setCreationDate(now);
    int keyHandleHashCode = deviceRegistrationService.getKeyHandleHashCode(rawRegisterResponse.getKeyHandle());
    deviceRegistration.setKeyHandleHashCode(keyHandleHashCode);
    final String deviceRegistrationId = String.valueOf(System.currentTimeMillis());
    deviceRegistration.setId(deviceRegistrationId);
    String responseDeviceData = response.getDeviceData();
    if (StringHelper.isNotEmpty(responseDeviceData)) {
        try {
            String responseDeviceDataDecoded = new String(Base64Util.base64urldecode(responseDeviceData));
            DeviceData deviceData = ServerUtil.jsonMapperWithWrapRoot().readValue(responseDeviceDataDecoded, DeviceData.class);
            deviceRegistration.setDeviceData(deviceData);
        } catch (Exception ex) {
            throw new BadInputException(String.format("Device data is invalid: %s", responseDeviceData), ex);
        }
    }
    boolean approved = StringHelper.equals(RawRegistrationService.REGISTER_FINISH_TYPE, response.getClientData().getTyp());
    if (!approved) {
        log.debug("Registratio request with keyHandle '{}' was canceled", rawRegisterResponse.getKeyHandle());
        return new DeviceRegistrationResult(deviceRegistration, DeviceRegistrationResult.Status.CANCELED);
    }
    boolean twoStep = StringHelper.isNotEmpty(userInum);
    if (twoStep) {
        deviceRegistration.setDn(deviceRegistrationService.getDnForU2fDevice(userInum, deviceRegistrationId));
        // Check if there is device registration with keyHandle in LDAP already
        List<DeviceRegistration> foundDeviceRegistrations = deviceRegistrationService.findDeviceRegistrationsByKeyHandle(appId, deviceRegistration.getKeyHandle(), "oxId");
        if (foundDeviceRegistrations.size() != 0) {
            throw new BadInputException(String.format("KeyHandle %s was compromised", deviceRegistration.getKeyHandle()));
        }
        deviceRegistrationService.addUserDeviceRegistration(userInum, deviceRegistration);
    } else {
        deviceRegistration.setDn(deviceRegistrationService.getDnForOneStepU2fDevice(deviceRegistrationId));
        deviceRegistrationService.addOneStepDeviceRegistration(deviceRegistration);
    }
    return new DeviceRegistrationResult(deviceRegistration, DeviceRegistrationResult.Status.APPROVED);
}
Also used : RegisterRequest(org.xdi.oxauth.model.fido.u2f.protocol.RegisterRequest) GregorianCalendar(java.util.GregorianCalendar) RawRegisterResponse(org.xdi.oxauth.model.fido.u2f.message.RawRegisterResponse) DeviceRegistration(org.xdi.oxauth.model.fido.u2f.DeviceRegistration) Date(java.util.Date) DeviceCompromisedException(org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException) BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException) BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException) ClientData(org.xdi.oxauth.model.fido.u2f.protocol.ClientData) DeviceData(org.xdi.oxauth.model.fido.u2f.protocol.DeviceData) DeviceRegistrationResult(org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult)

Aggregations

Date (java.util.Date)2 DeviceCompromisedException (org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException)2 DeviceRegistration (org.xdi.oxauth.model.fido.u2f.DeviceRegistration)2 DeviceRegistrationResult (org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult)2 BadInputException (org.xdi.oxauth.model.fido.u2f.exception.BadInputException)2 ClientData (org.xdi.oxauth.model.fido.u2f.protocol.ClientData)2 GregorianCalendar (java.util.GregorianCalendar)1 RawAuthenticateResponse (org.xdi.oxauth.model.fido.u2f.message.RawAuthenticateResponse)1 RawRegisterResponse (org.xdi.oxauth.model.fido.u2f.message.RawRegisterResponse)1 AuthenticateRequest (org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequest)1 DeviceData (org.xdi.oxauth.model.fido.u2f.protocol.DeviceData)1 RegisterRequest (org.xdi.oxauth.model.fido.u2f.protocol.RegisterRequest)1