public WebauthController(IConfiguration config) { var MDSAccessKey = config["fido2:MDSAccessKey"]; var invalidToken = "6d6b44d78b09fed0c5559e34c71db291d0d322d4d4de0000"; var MDSCacheDirPath = config["fido2:MDSCacheDirPath"] ?? Path.Combine(Path.GetTempPath(), "fido2mdscache"); _mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, MDSCacheDirPath); if (null != _mds) { if (false == _mds.IsInitialized()) { _mds.Initialize().Wait(); } } _origin = "https://localhost:44329"; _lib = new Fido2(new Fido2Configuration() { ServerDomain = "localhost", ServerName = "Fido2 test", Origin = _origin, // Only create and use Metadataservice if we have an acesskey MetadataService = _mds, TimestampDriftTolerance = config.GetValue <int>("fido2:TimestampDriftTolerance") }); }
public MfaFido2SignInFidoController( Fido2Storage fido2Storage, UserManager <ApplicationUser> userManager, SignInManager <ApplicationUser> signInManager, IOptions <Fido2Configuration> optionsFido2Configuration, IStringLocalizerFactory factory) { _userManager = userManager; _optionsFido2Configuration = optionsFido2Configuration; _signInManager = signInManager; _userManager = userManager; _fido2Storage = fido2Storage; var type = typeof(SharedResource); var assemblyName = new AssemblyName(type.GetTypeInfo().Assembly.FullName); _sharedLocalizer = factory.Create("SharedResource", assemblyName.Name); _lib = new Fido2(new Fido2Configuration() { ServerDomain = _optionsFido2Configuration.Value.ServerDomain, ServerName = _optionsFido2Configuration.Value.ServerName, Origin = _optionsFido2Configuration.Value.Origin, TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance }); }
public FidoController( UserManager <User> users, AuthenticationContext authContext, IConfiguration configuraiton) { _users = users; _authContext = authContext; var invalidToken = "6d6b44d78b09fed0c5559e34c71db291d0d322d4d4de0000"; _origin = configuraiton["Fido2:Origin"]; var MDSAccessKey = configuraiton["fido2:MDSAccessKey"]; var MDSCacheDirPath = configuraiton["fido2:MDSCacheDirPath"] ?? Path.Combine(Path.GetTempPath(), "fido2mdscache"); _mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, MDSCacheDirPath); if (null != _mds) { if (false == _mds.IsInitialized()) { _mds.Initialize().Wait(); } } _lib = new Fido2(new Fido2Configuration() { ServerDomain = configuraiton["Fido2:ServerDomain"], ServerName = "Fido2 Identity Server", Origin = _origin, MetadataService = _mds }); }
public PwFido2RegisterController( Fido2Storage fido2Storage, UserManager <IdentityUser> userManager, IOptions <Fido2Configuration> optionsFido2Configuration, IOptions <Fido2MdsConfiguration> optionsFido2MdsConfiguration) { _userManager = userManager; _optionsFido2Configuration = optionsFido2Configuration; _optionsFido2MdsConfiguration = optionsFido2MdsConfiguration; _fido2Storage = fido2Storage; var MDSCacheDirPath = _optionsFido2MdsConfiguration.Value.MDSCacheDirPath ?? Path.Combine(Path.GetTempPath(), "fido2mdscache"); _mds = string.IsNullOrEmpty(_optionsFido2MdsConfiguration.Value.MDSAccessKey) ? null : MDSMetadata.Instance( _optionsFido2MdsConfiguration.Value.MDSAccessKey, MDSCacheDirPath); if (null != _mds) { if (false == _mds.IsInitialized()) { _mds.Initialize().Wait(); } } _lib = new Fido2(new Fido2Configuration() { ServerDomain = _optionsFido2Configuration.Value.ServerDomain, ServerName = _optionsFido2Configuration.Value.ServerName, Origin = _optionsFido2Configuration.Value.Origin, // Only create and use Metadataservice if we have an acesskey MetadataService = _mds, TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance }); }
public SignInFidoController(IConfiguration config, Fido2Storage fido2Storage, UserManager <IdentityUser> userManager, SignInManager <IdentityUser> signInManager) { _signInManager = signInManager; _userManager = userManager; _fido2Storage = fido2Storage; var MDSAccessKey = config["fido2:MDSAccessKey"]; var MDSCacheDirPath = config["fido2:MDSCacheDirPath"] ?? Path.Combine(Path.GetTempPath(), "fido2mdscache"); _mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, MDSCacheDirPath); if (null != _mds) { if (false == _mds.IsInitialized()) { _mds.Initialize().Wait(); } } _origin = config["fido2:origin"]; _lib = new Fido2(new Fido2Configuration() { ServerDomain = config["fido2:serverDomain"], ServerName = "Fido2 test", Origin = _origin, // Only create and use Metadataservice if we have an acesskey MetadataService = _mds, TimestampDriftTolerance = config.GetValue <int>("fido2:TimestampDriftTolerance") }); }
public FidoController(IConfiguration config, IIdentityServerInteractionService interaction) { //var MDSAccessKey = config["fido2:MDSAccessKey"]; //_mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, config["fido2:MDSCacheDirPath"]); //if (null != _mds) //{ // if (false == _mds.IsInitialized()) // _mds.Initialize().Wait(); //} _origin = config["fido2:origin"]; _lib = new Fido2(new Fido2Configuration { ServerDomain = config["fido2:serverDomain"], ServerName = "Fido2 test", Origin = _origin, // Only create and use Metadataservice if we have an acesskey //MetadataService = _mds, //TimestampDriftTolerance = config.GetValue<int>("fido2:TimestampDriftTolerance") }); _interaction = interaction; }
public static WebAuthnAssertion VerifyAssertionResult(Fido2Configuration fido2Config, string requestJSON, string resultJSON, Func <string, byte[]> getStoredPublicKey) { var fido2 = new Fido2(fido2Config); IsUserHandleOwnerOfCredentialIdAsync callback = (args) => { var u = args.UserHandle; var id = args.CredentialId; return(Task.FromResult(true)); }; var request = Newtonsoft.Json.JsonConvert.DeserializeObject <AssertionOptions>(requestJSON); AuthenticatorAssertionRawResponse assertionResponse = Newtonsoft.Json.JsonConvert.DeserializeObject <AuthenticatorAssertionRawResponse>(resultJSON); var credentialId = System.Convert.ToBase64String(assertionResponse.Id); uint storedCounter = 0; // 0 means always success var publicKey = getStoredPublicKey(credentialId); var success = fido2.MakeAssertionAsync(assertionResponse, request, publicKey, storedCounter, callback).Result; var clientDataJson = Newtonsoft.Json.JsonConvert.DeserializeObject <AuthenticatorResponse>(System.Text.UTF8Encoding.UTF8.GetString(assertionResponse.Response.ClientDataJson)); var challenge = clientDataJson.Challenge; return(new WebAuthnAssertion { verified = true, challenge = System.Convert.ToBase64String(clientDataJson.Challenge), credentialId = credentialId, publicKey = System.Convert.ToBase64String(publicKey), userHandle = assertionResponse.Response.UserHandle }); }
public static WebAuthnAssertion VerifyAttestationResult(Fido2Configuration fido2Config, string requestJSON, string resultJSON) { var fido2 = new Fido2(fido2Config); IsCredentialIdUniqueToUserAsyncDelegate callback = (IsCredentialIdUniqueToUserParams args) => { var id = args.CredentialId; // generated ID by authenticator(should be always unique for each authenticator, equivalent to client cert) var u = args.User; // user info, kind of useless as this can be changed by js at client side return(Task.FromResult(true)); }; var request = Newtonsoft.Json.JsonConvert.DeserializeObject <CredentialCreateOptions>(requestJSON); AuthenticatorAttestationRawResponse regResponse = Newtonsoft.Json.JsonConvert.DeserializeObject <AuthenticatorAttestationRawResponse>(resultJSON); var success = fido2.MakeNewCredentialAsync(regResponse, request, callback).Result; var clientDataJson = Newtonsoft.Json.JsonConvert.DeserializeObject <AuthenticatorResponse>(System.Text.UTF8Encoding.UTF8.GetString(regResponse.Response.ClientDataJson)); var challenge = System.Convert.ToBase64String(clientDataJson.Challenge); var credentialId = System.Convert.ToBase64String(success.Result.CredentialId); var publicKey = System.Convert.ToBase64String(success.Result.PublicKey); var signingCounter = success.Result.Counter; // designed for replay attact prevention but useless for a multiple node situation var user = success.Result.User; var aaguid = success.Result.Aaguid; return(new WebAuthnAssertion { verified = true, challenge = challenge, credentialId = credentialId, publicKey = publicKey, signingCounter = signingCounter, aaguid = aaguid, userHandle = request.User.Id }); }
public AuthenticationController(IMemoryCache memoryCache, IDataStore dataStorage, Fido2 lib, IOptions <IndexingOptions> indexOptions, ElasticClient elasticClient) { _memoryCache = memoryCache; _dataStore = dataStorage; _lib = lib; _indexOptions = indexOptions.Value; _elasticClient = elasticClient; }
public RegistrationController(IDataStore dataStore, IMemoryCache memoryCache, Fido2 lib, ElasticClient elasticClient, IOptions <IndexingOptions> indexOptions) { _memoryCache = memoryCache; _dataStore = dataStore; _lib = lib; _elasticClient = elasticClient; _indexOptions = indexOptions.Value; }
public async Task TestFido2AssertionWithExistingU2fRegistrationWithAppId() { // u2f registration with appId var appId = "https://localhost:44336"; var keyHandleData = Base64Url.Decode("2uzGTqu9XGoDQpRBhkv3qDYWzEEZrDjOHT94fHe3J9VXl6KpaY6jL1C4gCAVSBCWZejOn-EYSyXfiG7RDQqgKw"); var publicKeyData = Base64Url.Decode("BEKJkJiDzo8wlrYbAHmyz5a5vShbkStO58ZO7F-hy4fvBp6TowCZoV2dNGcxIN1yT18799bb_WuP0Yq_DSv5a-U"); //key as cbor var publicKey = CreatePublicKeyFromU2fRegistrationData(keyHandleData, publicKeyData); var options = new AssertionOptions { Challenge = Base64Url.Decode("mNxQVDWI8+ahBXeQJ8iS4jk5pDUd5KetZGVOwSkw2X0"), RpId = "localhost", AllowCredentials = new[] { new PublicKeyCredentialDescriptor { Id = keyHandleData, Type = PublicKeyCredentialType.PublicKey } }, Extensions = new AuthenticationExtensionsClientInputs { AppID = appId } }; var authResponse = new AuthenticatorAssertionRawResponse { Id = keyHandleData, RawId = keyHandleData, Type = PublicKeyCredentialType.PublicKey, Extensions = new AuthenticationExtensionsClientOutputs { AppID = true }, Response = new AuthenticatorAssertionRawResponse.AssertionResponse { AuthenticatorData = Base64Url.Decode("B6_fPoU4uitIYRHXuNfpbqt5mrDWz8cp7d1noAUrAucBAAABTQ"), ClientDataJson = Base64Url.Decode("eyJjaGFsbGVuZ2UiOiJtTnhRVkRXSTgtYWhCWGVRSjhpUzRqazVwRFVkNUtldFpHVk93U2t3MlgwIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMzYiLCJ0eXBlIjoid2ViYXV0aG4uZ2V0In0"), Signature = Base64Url.Decode("MEQCICHV36RVY9DdFmKZgxF5Z_yScpPPsKcj__8KcPmngtGHAiAq_SzmTY8rZz4-5uNNiz3h6xO9osNTh7O7Mjqtoxul8w") } }; IFido2 fido2 = new Fido2(new Fido2Configuration { Origins = new System.Collections.Generic.HashSet <string> { "https://localhost:44336" } //data was generated with this origin }); var res = await fido2.MakeAssertionAsync(authResponse, options, publicKey.Encode(), 0, null); Assert.Equal("ok", res.Status); }
public TestController(IConfiguration config) { _lib = new Fido2(new Fido2.Configuration() { ServerDomain = config["fido2:serverDomain"], ServerName = "Fido2 test", Origin = config["fido2:origin"], MetadataService = MDSMetadata.Instance(config["fido2:MDSAccessKey"], config["fido2:MDSCacheDirPath"]) }); }
protected override void OnCreate(Bundle savedInstanceState) { base.OnCreate(savedInstanceState); Xamarin.Essentials.Platform.Init(this, savedInstanceState); SetContentView(Resource.Layout.activity_fido2_demo_main); InitiateViews(); fido2Client = Fido2.GetFido2Client(this); }
public WebAuthnController() { var config = WebAuthnLogic.GetConfig(); fido2 = new Fido2(new Fido2Configuration { ServerDomain = config.ServerDomain, ServerName = config.ServerName, Origin = config.Origin, TimestampDriftTolerance = 300000, }); }
public MyController(IConfiguration config) { var MDSAccessKey = config["fido2:MDSAccessKey"]; _lib = new Fido2(new Fido2.Configuration() { ServerDomain = config["fido2:serverDomain"], ServerName = "Fido2 test", Origin = config["fido2:origin"], // Only create and use Metadataservice if we have and acesskey MetadataService = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, config["fido2:MDSCacheDirPath"]) }); }
public AccountController( IIdentityServerInteractionService interaction, IClientStore clientStore, IAuthenticationSchemeProvider schemeProvider, IEventService events, UserManager <User> users, IUserStore <User> userStore, IResourceOwnerPasswordValidator validator, IPasswordHasher <User> passwordHasher, SignInManager <User> signInManager, AuthenticationContext authenticationContext, IConfiguration configuration, IJsonHelper jsonHelper) { // if the TestUserStore is not in DI, then we'll just use the global users collection // this is where you would plug in your own custom identity management library (e.g. ASP.NET Identity) _users = users; _userStore = userStore; _signInManager = signInManager; _interaction = interaction; _clientStore = clientStore; _schemeProvider = schemeProvider; _events = events; _validator = validator; _passwordHasher = passwordHasher; _authenticationContext = authenticationContext; _jsonHelper = jsonHelper; var invalidToken = "6d6b44d78b09fed0c5559e34c71db291d0d322d4d4de0000"; _origin = configuration["Fido2:Origin"]; var MDSAccessKey = configuration["fido2:MDSAccessKey"]; var MDSCacheDirPath = configuration["fido2:MDSCacheDirPath"] ?? Path.Combine(Path.GetTempPath(), "fido2mdscache"); _mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, MDSCacheDirPath); if (null != _mds) { if (false == _mds.IsInitialized()) { _mds.Initialize().Wait(); } } _lib = new Fido2(new Fido2Configuration() { ServerDomain = configuration["Fido2:ServerDomain"], ServerName = "Fido2 Identity Server", Origin = _origin, MetadataService = _mds }); }
public TestController(IConfiguration config) { var MDSAccessKey = config["fido2:MDSAccessKey"]; _mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, config["fido2:MDSCacheDirPath"]); _origin = config["fido2:origin"]; _lib = new Fido2(new Fido2.Configuration() { ServerDomain = config["fido2:serverDomain"], ServerName = "Fido2 test", Origin = _origin, MetadataService = _mds }); }
public static string MakeWebAuthnAttestationRequest(Fido2Configuration fido2Config, byte[] challenge, LoginUsr LUser, List <PublicKeyCredentialDescriptor> excludedCredentials) { string usrId = LUser.UsrId.ToString(); string usrIdB64 = System.Convert.ToBase64String(usrId.ToUtf8ByteArray()); Fido2User user = new Fido2User { DisplayName = LUser.UsrName, /* must be restricted to no more than than 64 for device like yubikey as it would fail without reason */ //Name = (Guid.NewGuid().ToString() + " " + DateTime.UtcNow.ToString("o")).Left(64), //Id= Guid.NewGuid().ToString().ToUtf8ByteArray() Name = LUser.LoginName, Id = usrIdB64.ToUtf8ByteArray() }; AuthenticatorSelection authenticatorSelection = new AuthenticatorSelection { RequireResidentKey = false, UserVerification = UserVerificationRequirement.Discouraged, // AuthenticatorAttachment = AuthenticatorAttachment.Platform, }; AttestationConveyancePreference attConveyancePreference = AttestationConveyancePreference.None; AuthenticationExtensionsClientInputs clientExtensions = new AuthenticationExtensionsClientInputs { Extensions = true, SimpleTransactionAuthorization = string.Format("you are registering to {0}", fido2Config.ServerName), Location = true, UserVerificationMethod = true, BiometricAuthenticatorPerformanceBounds = new AuthenticatorBiometricPerfBounds { FAR = float.MaxValue, FRR = float.MaxValue } }; var fido2 = new Fido2(fido2Config); // must do this for the verification to work var options = fido2.RequestNewCredential(user, excludedCredentials, authenticatorSelection, attConveyancePreference, clientExtensions); // the challenge is random byte but we need more info, replace it options.Challenge = challenge; var createRequest = Fido2NetLib.CredentialCreateOptions.Create(fido2Config , challenge, user, authenticatorSelection, attConveyancePreference , excludedCredentials != null && excludedCredentials.Count > 0 ? excludedCredentials : null , clientExtensions); string createRequestJson = options.ToJson(); return(createRequestJson); }
public TestController(IConfiguration config) { // Sample bogus key from https://fidoalliance.org/metadata/ var invalidToken = "6d6b44d78b09fed0c5559e34c71db291d0d322d4d4de0000"; _origin = config["fido2:origin"]; _mds = MDSMetadata.ConformanceInstance(invalidToken, config["fido2:MDSCacheDirPath"], _origin); _lib = new Fido2(new Fido2.Configuration() { ServerDomain = config["fido2:serverDomain"], ServerName = "Fido2 test", Origin = _origin, MetadataService = _mds }); }
public MfaFido2SignInFidoController( Fido2Store fido2Store, SignInManager <IdentityUser> signInManager, IOptions <Fido2Configuration> optionsFido2Configuration) { _optionsFido2Configuration = optionsFido2Configuration; _signInManager = signInManager; _fido2Store = fido2Store; _lib = new Fido2(new Fido2Configuration() { ServerDomain = _optionsFido2Configuration.Value.ServerDomain, ServerName = _optionsFido2Configuration.Value.ServerName, Origin = _optionsFido2Configuration.Value.Origin, TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance }); }
public PwFido2RegisterController( Fido2Store fido2Store, UserManager <IdentityUser> userManager, IOptions <Fido2Configuration> optionsFido2Configuration) { _userManager = userManager; _optionsFido2Configuration = optionsFido2Configuration; _fido2Store = fido2Store; _lib = new Fido2(new Fido2Configuration() { ServerDomain = _optionsFido2Configuration.Value.ServerDomain, ServerName = _optionsFido2Configuration.Value.ServerName, Origin = _optionsFido2Configuration.Value.Origin, TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance }); }
public MfaFido2SignInFidoController( Fido2Storage fido2Storage, UserManager <ApplicationUser> userManager, SignInManager <ApplicationUser> signInManager, IOptions <Fido2Configuration> optionsFido2Configuration, IOptions <Fido2MdsConfiguration> optionsFido2MdsConfiguration, IStringLocalizerFactory factory) { _userManager = userManager; _optionsFido2Configuration = optionsFido2Configuration; _optionsFido2MdsConfiguration = optionsFido2MdsConfiguration; _signInManager = signInManager; _userManager = userManager; _fido2Storage = fido2Storage; var type = typeof(SharedResource); var assemblyName = new AssemblyName(type.GetTypeInfo().Assembly.FullName); _sharedLocalizer = factory.Create("SharedResource", assemblyName.Name); var MDSCacheDirPath = _optionsFido2MdsConfiguration.Value.MDSCacheDirPath ?? Path.Combine(Path.GetTempPath(), "fido2mdscache"); _mds = string.IsNullOrEmpty(_optionsFido2MdsConfiguration.Value.MDSAccessKey) ? null : MDSMetadata.Instance( _optionsFido2MdsConfiguration.Value.MDSAccessKey, MDSCacheDirPath); if (null != _mds) { if (false == _mds.IsInitialized()) { _mds.Initialize().Wait(); } } _lib = new Fido2(new Fido2Configuration() { ServerDomain = _optionsFido2Configuration.Value.ServerDomain, ServerName = _optionsFido2Configuration.Value.ServerName, Origin = _optionsFido2Configuration.Value.Origin, // Only create and use Metadataservice if we have an acesskey MetadataService = _mds, TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance }); }
public AccountManageController( UserManager <ApplicationUser> userManager, UrlEncoder urlEncoder, Fido2Service fido2Service, IDistributedCache distributedCache, IConfiguration configuration) { _userManager = userManager; _urlEncoder = urlEncoder; _fido2Service = fido2Service; _distributedCache = distributedCache; _configuration = configuration; _fido2 = new Fido2(new Fido2Configuration() { ServerDomain = _configuration["Fido2ServerDomain"], ServerName = "MyScimApp", Origin = _configuration["Fido2Origin"] }); }
public WebAuthTestController(IConfiguration config) { // Sample bogus key from https://fidoalliance.org/metadata/ var invalidToken = "6d6b44d78b09fed0c5559e34c71db291d0d322d4d4de0000"; _origin = config["https://localhost:44329"]; _mds = MDSMetadata.ConformanceInstance(invalidToken, config["fido2:MDSCacheDirPath"], _origin); if (false == _mds.IsInitialized()) { _mds.Initialize().Wait(); } _lib = new Fido2(new Fido2Configuration() { ServerDomain = config["localhost"], ServerName = "Fido2 test", Origin = _origin, MetadataService = _mds }); }
public Fido2Service(UserManager <ApplicationUser> userManager, SignInManager <ApplicationUser> signInManager, IAsyncRepository <FidoStoredCredential> fidoCredentialsRepository, IAsyncRepository <ApplicationUser> applicationUserRepository, IOptions <Fido2Configuration> fido2Configuration, IMemoryCache memoryCache) { _userManager = userManager; _signInManager = signInManager; _fidoCredentialsRepository = fidoCredentialsRepository; _applicationUserRepository = applicationUserRepository; _fido2Configuration = fido2Configuration; _memoryCache = memoryCache; _lib = new Fido2(new Fido2Configuration() { ServerDomain = _fido2Configuration.Value.ServerDomain, ServerName = _fido2Configuration.Value.ServerName, Origin = _fido2Configuration.Value.Origin, TimestampDriftTolerance = _fido2Configuration.Value.TimestampDriftTolerance }); }
public MyController(IConfiguration config) { var MDSAccessKey = config["fido2:MDSAccessKey"]; _mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, config["fido2:MDSCacheDirPath"]); if (null != _mds) { if (false == _mds.IsInitialized()) { _mds.Initialize().Wait(); } } _origin = config["fido2:origin"]; _lib = new Fido2(new Configuration() { ServerDomain = config["fido2:serverDomain"], ServerName = "Fido2 test", Origin = _origin, // Only create and use Metadataservice if we have an acesskey MetadataService = _mds }); }
public RegisterFido2Controller(IConfiguration config, Fido2Storage fido2Storage, UserManager <IdentityUser> userManager, IDistributedCache distributedCache) { _userManager = userManager; _fido2Storage = fido2Storage; _distributedCache = distributedCache; var MDSAccessKey = config["fido2:MDSAccessKey"]; var MDSCacheDirPath = config["fido2:MDSCacheDirPath"] ?? Path.Combine(Path.GetTempPath(), "fido2mdscache"); _mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, MDSCacheDirPath); if (null != _mds) { if (false == _mds.IsInitialized()) { _mds.Initialize().Wait(); } } _origin = config["fido2:origin"]; if (_origin == null) { _origin = "https://localhost:44388"; } var domain = config["fido2:serverDomain"]; if (domain == null) { domain = "localhost"; } _lib = new Fido2(new Fido2Configuration() { ServerDomain = domain, ServerName = "Fido2IdentityMfa", Origin = _origin, // Only create and use Metadataservice if we have an acesskey MetadataService = _mds, TimestampDriftTolerance = config.GetValue <int>("fido2:TimestampDriftTolerance") }); }
public AccountController( UserManager <ApplicationUser> userManager, SignInManager <ApplicationUser> signInManager, IIdentityServerInteractionService interaction, ApplicationDbContext applicationDbContext, Fido2Service fido2Service, IDistributedCache distributedCache, IConfiguration configuration) { _userManager = userManager; _signInManager = signInManager; _interaction = interaction; _applicationDbContext = applicationDbContext; _fido2Service = fido2Service; _distributedCache = distributedCache; _configuration = configuration; _fido2 = new Fido2(new Fido2Configuration() { ServerDomain = _configuration["Fido2ServerDomain"], ServerName = "MyScimApp", Origin = _configuration["Fido2Origin"] }); }
public static string MakeWebAuthnAssertionRequest(Fido2Configuration fido2Config, byte[] challenge, List <PublicKeyCredentialDescriptor> allowedCredentials) { AuthenticatorSelection authSelection = new AuthenticatorSelection { RequireResidentKey = false, UserVerification = UserVerificationRequirement.Preferred, // AuthenticatorAttachment = null, }; AuthenticationExtensionsClientInputs clientExtensions = new AuthenticationExtensionsClientInputs { Extensions = true, SimpleTransactionAuthorization = string.Format("you are registering to {0}", fido2Config.ServerName), Location = true, UserVerificationMethod = true, }; var fido2 = new Fido2(fido2Config); var assertionRequest = Fido2NetLib.AssertionOptions.Create(fido2Config, challenge, allowedCredentials, UserVerificationRequirement.Preferred, clientExtensions); string assertionRequestJson = assertionRequest.ToJson(); return(assertionRequestJson); }
internal async void MakeAssertionResponse(COSE.KeyType kty, COSE.Algorithm alg, COSE.EllipticCurve crv = COSE.EllipticCurve.P256) { const string rp = "fido2.azurewebsites.net"; byte[] rpId = Encoding.UTF8.GetBytes(rp); var rpIdHash = SHA256.Create().ComputeHash(rpId); var flags = AuthenticatorFlags.AT | AuthenticatorFlags.ED | AuthenticatorFlags.UP | AuthenticatorFlags.UV; const ushort signCount = 0xf1d0; var aaguid = new Guid("F1D0F1D0-F1D0-F1D0-F1D0-F1D0F1D0F1D0"); var credentialID = new byte[] { 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, }; CredentialPublicKey cpk = null; ECDsa ecdsa = null; RSA rsa = null; byte[] expandedPrivateKey = null; switch (kty) { case COSE.KeyType.EC2: { ecdsa = MakeECDsa(alg, crv); var ecparams = ecdsa.ExportParameters(true); cpk = MakeCredentialPublicKey(kty, alg, crv, ecparams.Q.X, ecparams.Q.Y); break; } case COSE.KeyType.RSA: { rsa = RSA.Create(); var rsaparams = rsa.ExportParameters(true); cpk = MakeCredentialPublicKey(kty, alg, rsaparams.Modulus, rsaparams.Exponent); break; } case COSE.KeyType.OKP: { MakeEdDSA(out var privateKeySeed, out var publicKey, out expandedPrivateKey); cpk = MakeCredentialPublicKey(kty, alg, COSE.EllipticCurve.Ed25519, publicKey); break; } throw new ArgumentOutOfRangeException(nameof(kty), $"Missing or unknown kty {kty}"); } var acd = new AttestedCredentialData(aaguid, credentialID, cpk); var extBytes = CBORObject.NewMap().Add("testing", true).EncodeToBytes(); var exts = new Extensions(extBytes); var ad = new AuthenticatorData(rpIdHash, flags, signCount, acd, exts); var authData = ad.ToByteArray(); var challenge = new byte[128]; var rng = RandomNumberGenerator.Create(); rng.GetBytes(challenge); var clientData = new { Type = "webauthn.get", Challenge = challenge, Origin = rp, }; var clientDataJson = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(clientData)); var sha = SHA256.Create(); var hashedClientDataJson = sha.ComputeHash(clientDataJson); byte[] data = new byte[authData.Length + hashedClientDataJson.Length]; Buffer.BlockCopy(authData, 0, data, 0, authData.Length); Buffer.BlockCopy(hashedClientDataJson, 0, data, authData.Length, hashedClientDataJson.Length); byte[] signature = null; switch (kty) { case COSE.KeyType.EC2: { signature = ecdsa.SignData(data, CryptoUtils.algMap[(int)alg]); break; } case COSE.KeyType.RSA: { RSASignaturePadding padding; switch (alg) // https://www.iana.org/assignments/cose/cose.xhtml#algorithms { case COSE.Algorithm.PS256: case COSE.Algorithm.PS384: case COSE.Algorithm.PS512: padding = RSASignaturePadding.Pss; break; case COSE.Algorithm.RS1: case COSE.Algorithm.RS256: case COSE.Algorithm.RS384: case COSE.Algorithm.RS512: padding = RSASignaturePadding.Pkcs1; break; default: throw new ArgumentOutOfRangeException(nameof(alg), $"Missing or unknown alg {alg}"); } signature = rsa.SignData(data, CryptoUtils.algMap[(int)alg], padding); break; } case COSE.KeyType.OKP: { signature = Ed25519.Sign(data, expandedPrivateKey); break; } default: throw new ArgumentOutOfRangeException(nameof(kty), $"Missing or unknown kty {kty}"); } if (kty == COSE.KeyType.EC2) { signature = EcDsaSigFromSig(signature, ecdsa.KeySize); } var userHandle = new byte[16]; rng.GetBytes(userHandle); var assertion = new AuthenticatorAssertionRawResponse.AssertionResponse() { AuthenticatorData = authData, Signature = signature, ClientDataJson = clientDataJson, UserHandle = userHandle, }; var lib = new Fido2(new Fido2Configuration() { ServerDomain = rp, ServerName = rp, Origin = rp, }); var existingCredentials = new List <PublicKeyCredentialDescriptor>(); var cred = new PublicKeyCredentialDescriptor { Type = PublicKeyCredentialType.PublicKey, Id = new byte[] { 0xf1, 0xd0 } }; existingCredentials.Add(cred); var options = lib.GetAssertionOptions(existingCredentials, null, null); options.Challenge = challenge; var response = new AuthenticatorAssertionRawResponse() { Response = assertion, Type = PublicKeyCredentialType.PublicKey, Id = new byte[] { 0xf1, 0xd0 }, RawId = new byte[] { 0xf1, 0xd0 }, }; IsUserHandleOwnerOfCredentialIdAsync callback = (args) => { return(Task.FromResult(true)); }; var res = await lib.MakeAssertionAsync(response, options, cpk.GetBytes(), signCount - 1, callback); }