public void FinishAuthentication_InvalidSignatureData()
        {
            // A signature whose bytes were tampered with must not verify, even though
            // challenge, origin, counter and key handle are all still valid.
            var challengeSource = new Mock <IGenerateFidoChallenge>();
            challengeSource
                .Setup(x => x.GenerateChallenge())
                .Returns(WebSafeBase64Converter.FromBase64String(TestVectors.ServerChallengeAuthBase64));

            var u2f          = new FidoUniversalTwoFactor(challengeSource.Object);
            var registration = CreateTestDeviceRegistration();
            var session      = u2f.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), registration);

            // Corrupt the first signature byte (bitwise complement == XOR with 0xFF).
            var original         = FidoSignatureData.FromWebSafeBase64(TestVectors.SignResponseDataBase64);
            var corruptedBytes   = original.Signature.ToByteArray();
            corruptedBytes[0]    = (byte)~corruptedBytes[0];

            var corrupted = new FidoSignatureData(
                original.UserPresence,
                original.Counter,
                new FidoSignature(corruptedBytes));

            var response = new FidoAuthenticateResponse(
                FidoClientData.FromJson(TestVectors.ClientDataAuth),
                corrupted,
                FidoKeyHandle.FromWebSafeBase64(TestVectors.KeyHandle));

            Assert.Throws <InvalidOperationException>(
                () => u2f.FinishAuthentication(session, response, registration, TestVectors.TrustedDomains));
        }
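        /// <summary>
        /// Starts a U2F authentication for one of the current user's registered devices
        /// and renders the challenge the browser has to sign.
        /// </summary>
        /// <param name="keyHandle">Web-safe base64 key handle chosen by the user; must belong to the current user.</param>
        /// <returns>The login view, populated with the challenge on success or a model error otherwise.</returns>
        public ActionResult Login(string keyHandle)
        {
            var model = new LoginDeviceViewModel {
                KeyHandle = keyHandle
            };

            // An empty handle can never match a registration; fail before touching the repository.
            if (string.IsNullOrWhiteSpace(keyHandle))
            {
                ModelState.AddModelError("", "A key handle is required.");
                return(View(model));
            }

            try
            {
                var u2f      = new FidoUniversalTwoFactor();
                // NOTE(review): the app id is derived from the request URL, i.e. from whatever Host
                // the request carried — confirm host validation upstream or use a configured app id.
                var appId    = new FidoAppId(Request.Url);
                var userName = GetCurrentUser();

                // Only registrations of the *current* user are searched, so a handle belonging to
                // somebody else is reported as unknown rather than used.
                var deviceRegistration = GetFidoRepository()
                    .GetDeviceRegistrationsOfUser(userName)
                    .FirstOrDefault(x => string.Equals(x.KeyHandle.ToWebSafeBase64(), keyHandle, StringComparison.Ordinal));
                if (deviceRegistration == null)
                {
                    ModelState.AddModelError("", "Unknown key handle: " + keyHandle);
                    return(View(model));
                }

                var startedAuthentication = u2f.StartAuthentication(appId, deviceRegistration);

                model = new LoginDeviceViewModel
                {
                    AppId     = startedAuthentication.AppId.ToString(),
                    Challenge = startedAuthentication.Challenge,
                    KeyHandle = startedAuthentication.KeyHandle.ToWebSafeBase64(),
                    UserName  = userName
                };
            }
            catch (Exception ex)
            {
                // Exception type and message describe server internals; show the user a generic
                // failure instead of echoing them into the page.
                // TODO(review): record ex with the project's logger so the failure stays diagnosable.
                ModelState.AddModelError("", "Device authentication could not be started.");
            }

            return(View(model));
        }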
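        /// <summary>
        /// Begins U2F authentication for the device identified by <paramref name="keyHandle"/>
        /// among the current user's registrations and returns the view carrying the challenge.
        /// </summary>
        /// <param name="keyHandle">Web-safe base64 key handle submitted by the user.</param>
        /// <returns>The login view; on any failure the model error explains why and no challenge is issued.</returns>
        public ActionResult Login(string keyHandle)
        {
            var model = new LoginDeviceViewModel { KeyHandle = keyHandle };

            // Reject blank input up front instead of scanning registrations for it.
            if (string.IsNullOrWhiteSpace(keyHandle))
            {
                ModelState.AddModelError("", "A key handle is required.");
                return View(model);
            }

            try
            {
                var u2f = new FidoUniversalTwoFactor();
                // NOTE(review): app id follows the request URL (and therefore the Host header);
                // confirm it is validated upstream or replace with a configured value.
                var appId = new FidoAppId(Request.Url);
                var userName = GetCurrentUser();

                // Scoped to the current user's own registrations, so foreign handles come back as null.
                var registrations = GetFidoRepository().GetDeviceRegistrationsOfUser(userName);
                var deviceRegistration = registrations.FirstOrDefault(
                    x => string.Equals(x.KeyHandle.ToWebSafeBase64(), keyHandle, StringComparison.Ordinal));
                if (deviceRegistration == null)
                {
                    ModelState.AddModelError("", "Unknown key handle: " + keyHandle);
                    return View(model);
                }

                var startedAuthentication = u2f.StartAuthentication(appId, deviceRegistration);

                model = new LoginDeviceViewModel
                {
                    AppId = startedAuthentication.AppId.ToString(),
                    Challenge = startedAuthentication.Challenge,
                    KeyHandle = startedAuthentication.KeyHandle.ToWebSafeBase64(),
                    UserName = userName
                };
            }
            catch (Exception ex)
            {
                // Keep exception type/message out of the response: they reveal server internals.
                // TODO(review): log ex through the project's logger instead.
                ModelState.AddModelError("", "Device authentication could not be started.");
            }

            return View(model);
        }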
        /// <summary>
        /// Builds the view model for authenticating <paramref name="device"/>: starts a U2F
        /// authentication against the configured <c>AppId</c> and exposes its challenge.
        /// </summary>
        /// <param name="device">Stored device whose <c>Data</c> holds the JSON device registration and whose <c>Identifier</c> is used as the key handle.</param>
        /// <returns>A model carrying the app id, the fresh challenge and the device identifier.</returns>
        public AuthenticateDeviceModel GetAuthenticationModel(Device device)
        {
            var registration = FidoDeviceRegistration.FromJson(device.Data);
            var started      = new FidoUniversalTwoFactor().StartAuthentication(AppId, registration);

            return new AuthenticateDeviceModel
            {
                AppId     = started.AppId.ToString(),
                Challenge = started.Challenge,
                // The key handle shown to the client is the stored identifier, not the one from the registration.
                KeyHandle = device.Identifier
            };
        }
        /// <summary>
        /// Happy path: with the recorded server challenge and the matching recorded client
        /// response, FinishAuthentication completes without throwing.
        /// </summary>
        public void FinishAuthentication_Works()
        {
            var challengeSource = new Mock <IGenerateFidoChallenge>();
            challengeSource
                .Setup(x => x.GenerateChallenge())
                .Returns(WebSafeBase64Converter.FromBase64String(TestVectors.ServerChallengeAuthBase64));

            var u2f          = new FidoUniversalTwoFactor(challengeSource.Object);
            var registration = CreateTestDeviceRegistration();
            var session      = u2f.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), registration);

            var response = new FidoAuthenticateResponse(
                FidoClientData.FromJson(TestVectors.ClientDataAuth),
                FidoSignatureData.FromWebSafeBase64(TestVectors.SignResponseDataBase64),
                FidoKeyHandle.FromWebSafeBase64(TestVectors.KeyHandle));

            // The assertion is the absence of an exception.
            u2f.FinishAuthentication(session, response, registration, TestVectors.TrustedDomains);
        }
        /// <summary>
        /// A client response whose client data carries a challenge other than the one the
        /// server issued must be rejected (replay / cross-session protection).
        /// </summary>
        public void FinishAuthentication_DifferentChallenge()
        {
            var challengeSource = new Mock<IGenerateFidoChallenge>();
            challengeSource
                .Setup(x => x.GenerateChallenge())
                .Returns(WebSafeBase64Converter.FromBase64String(TestVectors.ServerChallengeAuthBase64));

            var u2f = new FidoUniversalTwoFactor(challengeSource.Object);
            var registration = CreateTestDeviceRegistration();
            var session = u2f.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), registration);

            // Swap the recorded challenge inside the client data JSON for an unrelated value.
            var tamperedClientData = TestVectors.ClientDataAuth.Replace(
                "challenge\":\"opsXqUifDriAAmWclinfbS0e-USY0CgyJHe_Otd7z8o",
                "challenge\":\"different");

            var response = new FidoAuthenticateResponse(
                FidoClientData.FromJson(tamperedClientData),
                FidoSignatureData.FromWebSafeBase64(TestVectors.SignResponseDataBase64),
                FidoKeyHandle.FromWebSafeBase64(TestVectors.KeyHandle));

            Assert.Throws<InvalidOperationException>(
                () => u2f.FinishAuthentication(session, response, registration, TestVectors.TrustedDomains));
        }
        /// <summary>
        /// StartAuthentication asks the challenge generator exactly once and echoes the app id,
        /// the (web-safe base64 encoded) challenge and the registration's key handle.
        /// </summary>
        public void StartAuthentication()
        {
            // ASCII-only input, so the platform-dependent Encoding.Default yields the same bytes everywhere.
            var expectedChallenge = Encoding.Default.GetBytes("random challenge");

            var challengeSource = new Mock <IGenerateFidoChallenge>();
            challengeSource.Setup(x => x.GenerateChallenge()).Returns(expectedChallenge);

            var u2f          = new FidoUniversalTwoFactor(challengeSource.Object);
            var registration = CreateTestDeviceRegistration();
            var session      = u2f.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), registration);

            challengeSource.Verify(x => x.GenerateChallenge(), Times.Once);

            var actualChallenge = WebSafeBase64Converter.FromBase64String(session.Challenge);
            Assert.AreEqual(TestVectors.AppIdEnroll, session.AppId.ToString());
            Assert.AreEqual(expectedChallenge, actualChallenge);
            Assert.AreEqual(registration.KeyHandle, session.KeyHandle);
        }
        /// <summary>
        /// A response whose client data names an origin outside the trusted domains must be
        /// rejected; the origin value is supplied by the test case.
        /// </summary>
        /// <param name="origin">Origin written into the client data in place of the recorded one.</param>
        public void FinishAuthentication_UntrustedOrigin(string origin)
        {
            var challengeSource = new Mock <IGenerateFidoChallenge>();
            challengeSource
                .Setup(x => x.GenerateChallenge())
                .Returns(WebSafeBase64Converter.FromBase64String(TestVectors.ServerChallengeAuthBase64));

            var u2f          = new FidoUniversalTwoFactor(challengeSource.Object);
            var registration = CreateTestDeviceRegistration();
            var session      = u2f.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), registration);

            // Replace the recorded origin in the client data JSON with the one under test.
            var tamperedClientData = TestVectors.ClientDataAuth.Replace(
                "origin\":\"http://example.com",
                "origin\":\"" + origin);

            var response = new FidoAuthenticateResponse(
                FidoClientData.FromJson(tamperedClientData),
                FidoSignatureData.FromWebSafeBase64(TestVectors.SignResponseDataBase64),
                FidoKeyHandle.FromWebSafeBase64(TestVectors.KeyHandle));

            Assert.Throws <InvalidOperationException>(
                () => u2f.FinishAuthentication(session, response, registration, TestVectors.TrustedDomains));
        }
        /// <summary>
        /// Client data that carries a different challenge than the server issued is rejected,
        /// even though the signature itself is the recorded valid one.
        /// </summary>
        public void FinishAuthentication_DifferentChallenge()
        {
            var challengeSource = new Mock <IGenerateFidoChallenge>();
            challengeSource
                .Setup(x => x.GenerateChallenge())
                .Returns(WebSafeBase64Converter.FromBase64String(TestVectors.ServerChallengeAuthBase64));

            var u2f          = new FidoUniversalTwoFactor(challengeSource.Object);
            var registration = CreateTestDeviceRegistration();
            var session      = u2f.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), registration);

            // Substitute the recorded challenge in the JSON with an unrelated string.
            var tamperedClientData = TestVectors.ClientDataAuth.Replace(
                "challenge\":\"opsXqUifDriAAmWclinfbS0e-USY0CgyJHe_Otd7z8o",
                "challenge\":\"different");

            var response = new FidoAuthenticateResponse(
                FidoClientData.FromJson(tamperedClientData),
                FidoSignatureData.FromWebSafeBase64(TestVectors.SignResponseDataBase64),
                FidoKeyHandle.FromWebSafeBase64(TestVectors.KeyHandle));

            Assert.Throws <InvalidOperationException>(
                () => u2f.FinishAuthentication(session, response, registration, TestVectors.TrustedDomains));
        }
        /// <summary>
        /// A signature counter of 0 (not above the counter stored with the registration) must be
        /// rejected; a non-increasing counter is the U2F signal for a cloned or replayed token.
        /// </summary>
        public void FinishAuthentication_CounterTooSmall()
        {
            var challengeSource = new Mock<IGenerateFidoChallenge>();
            challengeSource
                .Setup(x => x.GenerateChallenge())
                .Returns(WebSafeBase64Converter.FromBase64String(TestVectors.ServerChallengeAuthBase64));

            var u2f = new FidoUniversalTwoFactor(challengeSource.Object);
            var registration = CreateTestDeviceRegistration();
            var session = u2f.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), registration);

            // Keep user-presence flag and signature bytes, force the counter to zero.
            var recorded = FidoSignatureData.FromWebSafeBase64(TestVectors.SignResponseDataBase64);
            var zeroCounter = new FidoSignatureData(recorded.UserPresence, 0, recorded.Signature);

            var response = new FidoAuthenticateResponse(
                FidoClientData.FromJson(TestVectors.ClientDataAuth),
                zeroCounter,
                FidoKeyHandle.FromWebSafeBase64(TestVectors.KeyHandle));

            Assert.Throws<InvalidOperationException>(
                () => u2f.FinishAuthentication(session, response, registration, TestVectors.TrustedDomains));
        }
        /// <summary>
        /// Verifies that StartAuthentication pulls one challenge from the generator and returns
        /// it (web-safe base64 encoded) together with the app id and the registration's key handle.
        /// </summary>
        public void StartAuthentication()
        {
            // Pure-ASCII text, so Encoding.Default produces identical bytes on every platform.
            var expectedChallenge = Encoding.Default.GetBytes("random challenge");

            var challengeSource = new Mock<IGenerateFidoChallenge>();
            challengeSource.Setup(x => x.GenerateChallenge()).Returns(expectedChallenge);

            var u2f = new FidoUniversalTwoFactor(challengeSource.Object);
            var registration = CreateTestDeviceRegistration();
            var session = u2f.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), registration);

            challengeSource.Verify(x => x.GenerateChallenge(), Times.Once);

            Assert.AreEqual(TestVectors.AppIdEnroll, session.AppId.ToString());
            Assert.AreEqual(expectedChallenge, WebSafeBase64Converter.FromBase64String(session.Challenge));
            Assert.AreEqual(registration.KeyHandle, session.KeyHandle);
        }
        /// <summary>
        /// With the recorded server challenge and the matching recorded client response,
        /// FinishAuthentication must succeed (i.e. not throw).
        /// </summary>
        public void FinishAuthentication_Works()
        {
            var challengeSource = new Mock<IGenerateFidoChallenge>();
            challengeSource
                .Setup(x => x.GenerateChallenge())
                .Returns(WebSafeBase64Converter.FromBase64String(TestVectors.ServerChallengeAuthBase64));

            var u2f = new FidoUniversalTwoFactor(challengeSource.Object);
            var registration = CreateTestDeviceRegistration();
            var session = u2f.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), registration);

            var clientData = FidoClientData.FromJson(TestVectors.ClientDataAuth);
            var signature = FidoSignatureData.FromWebSafeBase64(TestVectors.SignResponseDataBase64);
            var keyHandle = FidoKeyHandle.FromWebSafeBase64(TestVectors.KeyHandle);
            var response = new FidoAuthenticateResponse(clientData, signature, keyHandle);

            // No exception == success.
            u2f.FinishAuthentication(session, response, registration, TestVectors.TrustedDomains);
        }
        /// <summary>
        /// Client data naming an origin that is not among the trusted domains must be rejected.
        /// </summary>
        /// <param name="origin">Origin substituted into the recorded client data by the test case.</param>
        public void FinishAuthentication_UntrustedOrigin(string origin)
        {
            var challengeSource = new Mock<IGenerateFidoChallenge>();
            challengeSource
                .Setup(x => x.GenerateChallenge())
                .Returns(WebSafeBase64Converter.FromBase64String(TestVectors.ServerChallengeAuthBase64));

            var u2f = new FidoUniversalTwoFactor(challengeSource.Object);
            var registration = CreateTestDeviceRegistration();
            var session = u2f.StartAuthentication(new FidoAppId(TestVectors.AppIdEnroll), registration);

            // Rewrite the recorded origin in the JSON to the one under test.
            var tamperedClientData = TestVectors.ClientDataAuth.Replace(
                "origin\":\"http://example.com",
                "origin\":\"" + origin);

            var response = new FidoAuthenticateResponse(
                FidoClientData.FromJson(tamperedClientData),
                FidoSignatureData.FromWebSafeBase64(TestVectors.SignResponseDataBase64),
                FidoKeyHandle.FromWebSafeBase64(TestVectors.KeyHandle));

            Assert.Throws<InvalidOperationException>(
                () => u2f.FinishAuthentication(session, response, registration, TestVectors.TrustedDomains));
        }