public void FinishAuthentication_InvalidSignatureData()
{
var mockGenerateChallenge = new Mock <IGenerateFidoChallenge>();
mockGenerateChallenge.Setup(x => x.GenerateChallenge()).Returns(WebSafeBase64Converter.FromBase64String(TestVectors.ServerChallengeAuthBase64));
var fido = new FidoUniversalTwoFactor(mockGenerateChallenge.Object);
var deviceRegistration = CreateTestDeviceRegistration();
var startedAuthentication = fido.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), deviceRegistration);
var signatureData = FidoSignatureData.FromWebSafeBase64(TestVectors.SignResponseDataBase64);
var signatureBytes = signatureData.Signature.ToByteArray();
signatureBytes[0] ^= 0xFF;
signatureData = new FidoSignatureData(
signatureData.UserPresence,
signatureData.Counter,
new FidoSignature(signatureBytes));
var authenticateResponse = new FidoAuthenticateResponse(
FidoClientData.FromJson(TestVectors.ClientDataAuth),
signatureData,
FidoKeyHandle.FromWebSafeBase64(TestVectors.KeyHandle));
Assert.Throws <InvalidOperationException>(() => fido.FinishAuthentication(startedAuthentication, authenticateResponse, deviceRegistration, TestVectors.TrustedDomains));
}
internal static FidoAuthenticateResponse CreateGoodAuthenticateResponse()
{
var clientData = FidoClientData.FromJson(TestVectors.ClientDataAuth);
var signatureData = FidoSignatureData.FromBytes(TestVectors.AuthenticateResponse);
var keyHandle = FidoKeyHandle.FromWebSafeBase64(TestVectors.KeyHandle);
return(new FidoAuthenticateResponse(clientData, signatureData, keyHandle));
}
public void Deserialize()
{
var clientData = FidoClientData.FromJson("{\"challenge\":\"Y2VydGlmaWNhdGU\",\"origin\":\"http://example.com\",\"typ\":\"sometype\"}");
Assert.AreEqual("Y2VydGlmaWNhdGU", clientData.Challenge);
Assert.AreEqual("http://example.com", clientData.Origin);
Assert.AreEqual("sometype", clientData.Type);
}
private static FidoRegisterResponse GetValidRegisterResponse()
{
var registerResponse = new FidoRegisterResponse
{
RegistrationData = FidoRegistrationData.FromWebSafeBase64(TestVectors.RegistrationResponseDataBase64),
ClientData = FidoClientData.FromJson(TestVectors.ClientDataRegister)
};
return(registerResponse);
}
private static void ExpectClientDataType(FidoClientData clientData, string expectedType)
{
if (clientData.Type == expectedType)
{
return;
}
var message = String.Format("Unexpected type in client data (expected '{0}' but was '{1}')",
expectedType, clientData.Type);
throw new InvalidOperationException(message);
}
public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer)
{
var jsonObject = JObject.Load(reader);
var properties = jsonObject.Properties().ToLookup(x => x.Name.ToLowerInvariant());
var serializedRegistrationData = properties["registrationdata"].Single().Value.ToString();
var serializedClientData = properties["clientdata"].Single().Value.ToString();
return(new FidoRegisterResponse
{
RegistrationData = FidoRegistrationData.FromWebSafeBase64(serializedRegistrationData),
ClientData = FidoClientData.FromWebSafeBase64(serializedClientData)
});
}
public void FinishAuthentication_Works()
{
var mockGenerateChallenge = new Mock <IGenerateFidoChallenge>();
mockGenerateChallenge.Setup(x => x.GenerateChallenge()).Returns(WebSafeBase64Converter.FromBase64String(TestVectors.ServerChallengeAuthBase64));
var fido = new FidoUniversalTwoFactor(mockGenerateChallenge.Object);
var deviceRegistration = CreateTestDeviceRegistration();
var startedAuthentication = fido.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), deviceRegistration);
var authenticateResponse = new FidoAuthenticateResponse(
FidoClientData.FromJson(TestVectors.ClientDataAuth),
FidoSignatureData.FromWebSafeBase64(TestVectors.SignResponseDataBase64),
FidoKeyHandle.FromWebSafeBase64(TestVectors.KeyHandle));
fido.FinishAuthentication(startedAuthentication, authenticateResponse, deviceRegistration, TestVectors.TrustedDomains);
}
public void Serialize()
{
var clientData = new FidoClientData
{
Challenge = "challenge",
Origin = "http://example.com",
Type = "sometype"
};
var serialized = clientData.ToJson();
var jsonObject = JObject.Parse(serialized);
var properties = jsonObject.Properties().ToLookup(x => x.Name.ToLowerInvariant(), x => x.Value.ToString());
Assert.AreEqual("challenge", properties["challenge"].Single());
Assert.AreEqual("http://example.com", properties["origin"].Single());
Assert.AreEqual("sometype", properties["typ"].Single());
}
public void FinishAuthentication_UntrustedOrigin(string origin)
{
var mockGenerateChallenge = new Mock <IGenerateFidoChallenge>();
mockGenerateChallenge.Setup(x => x.GenerateChallenge()).Returns(WebSafeBase64Converter.FromBase64String(TestVectors.ServerChallengeAuthBase64));
var fido = new FidoUniversalTwoFactor(mockGenerateChallenge.Object);
var deviceRegistration = CreateTestDeviceRegistration();
var startedAuthentication = fido.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), deviceRegistration);
var clientDataAuth = TestVectors.ClientDataAuth.Replace("origin\":\"http://example.com", "origin\":\"" + origin);
var authenticateResponse = new FidoAuthenticateResponse(
FidoClientData.FromJson(clientDataAuth),
FidoSignatureData.FromWebSafeBase64(TestVectors.SignResponseDataBase64),
FidoKeyHandle.FromWebSafeBase64(TestVectors.KeyHandle));
Assert.Throws <InvalidOperationException>(() => fido.FinishAuthentication(startedAuthentication, authenticateResponse, deviceRegistration, TestVectors.TrustedDomains));
}
public void FinishAuthentication_DifferentChallenge()
{
var mockGenerateChallenge = new Mock <IGenerateFidoChallenge>();
mockGenerateChallenge.Setup(x => x.GenerateChallenge()).Returns(WebSafeBase64Converter.FromBase64String(TestVectors.ServerChallengeAuthBase64));
var fido = new FidoUniversalTwoFactor(mockGenerateChallenge.Object);
var deviceRegistration = CreateTestDeviceRegistration();
var startedAuthentication = fido.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), deviceRegistration);
var clientDataAuth = TestVectors.ClientDataAuth.Replace("challenge\":\"opsXqUifDriAAmWclinfbS0e-USY0CgyJHe_Otd7z8o", "challenge\":\"different");
var authenticateResponse = new FidoAuthenticateResponse(
FidoClientData.FromJson(clientDataAuth),
FidoSignatureData.FromWebSafeBase64(TestVectors.SignResponseDataBase64),
FidoKeyHandle.FromWebSafeBase64(TestVectors.KeyHandle));
Assert.Throws <InvalidOperationException>(() => fido.FinishAuthentication(startedAuthentication, authenticateResponse, deviceRegistration, TestVectors.TrustedDomains));
}
private void VerifyAuthSignature(FidoAppId appId, FidoSignatureData signatureData, FidoClientData clientData,
FidoDeviceRegistration deviceRegistration)
{
if (appId == null)
{
throw new ArgumentNullException("appId");
}
if (signatureData == null)
{
throw new ArgumentNullException("signatureData");
}
if (clientData == null)
{
throw new ArgumentNullException("clientData");
}
if (deviceRegistration == null)
{
throw new ArgumentNullException("deviceRegistration");
}
if (String.IsNullOrEmpty(clientData.RawJsonValue))
{
throw new InvalidOperationException("Client data has no JSON representation");
}
var counterBytes = BitConverter.GetBytes(signatureData.Counter);
if (BitConverter.IsLittleEndian)
{
Array.Reverse(counterBytes);
}
var signedBytes = PackBytes(
Helpers.Sha256(appId.ToString()),
new [] { signatureData.UserPresence },
counterBytes,
Helpers.Sha256(clientData.RawJsonValue));
VerifySignature(deviceRegistration, signatureData.Signature, signedBytes);
if (signatureData.UserPresence != UserPresentFlag)
{
throw new InvalidOperationException("User presence invalid during authentication");
}
}
private void VerifyResponseSignature(FidoAppId appId, FidoRegistrationData registrationData, FidoClientData clientData)
{
if (appId == null)
{
throw new ArgumentNullException("appId");
}
if (registrationData == null)
{
throw new ArgumentNullException("registrationData");
}
if (clientData == null)
{
throw new ArgumentNullException("clientData");
}
if (String.IsNullOrEmpty(clientData.RawJsonValue))
{
throw new InvalidOperationException("Client data has no JSON representation");
}
var signedBytes = PackBytes(
new byte[] { 0 },
Helpers.Sha256(appId.ToString()),
Helpers.Sha256(clientData.RawJsonValue),
registrationData.KeyHandle.ToByteArray(),
registrationData.UserPublicKey.ToByteArray());
VerifySignature(registrationData.AttestationCertificate, registrationData.Signature, signedBytes);
}
public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer)
{
return(FidoClientData.FromWebSafeBase64(reader.Value.ToString()));
}
