internal static List <PublicKeyCredentialDescriptor> ToCore(this List <MFAPublicKeyCredentialDescriptor> data)
{
var creds = new List <PublicKeyCredentialDescriptor>();
foreach (MFAPublicKeyCredentialDescriptor MFADesc in data)
{
PublicKeyCredentialDescriptor res = MFADesc.ToCore();
creds.Add(res);
}
return(creds);
}
public async Task <CacheItem> ExecuteAsync(string fido2Payload, CacheItem relatedItem)
{
var request = OwnIdSerializer.Deserialize <Fido2LoginRequest>(fido2Payload);
var storedFido2Info = await _userHandlerAdapter.FindFido2InfoAsync(request.CredentialId);
if (storedFido2Info == null)
{
throw new OwnIdException(ErrorType.UserNotFound);
}
var options = new AssertionOptions
{
Challenge = Encoding.ASCII.GetBytes(relatedItem.Context),
RpId = _configuration.Fido2.RelyingPartyId
};
var fidoResponse = new AuthenticatorAssertionRawResponse
{
Extensions = new AuthenticationExtensionsClientOutputs(),
Id = Base64Url.Decode(request.CredentialId),
RawId = Base64Url.Decode(request.CredentialId),
Response = new AuthenticatorAssertionRawResponse.AssertionResponse
{
AuthenticatorData = Base64Url.Decode(request.AuthenticatorData),
ClientDataJson = Base64Url.Decode(request.ClientDataJson),
Signature = Base64Url.Decode(request.Signature),
UserHandle = Base64Url.Decode(storedFido2Info.UserId)
},
Type = PublicKeyCredentialType.PublicKey
};
var result = await _fido2.MakeAssertionAsync(
fidoResponse,
options,
Base64Url.Decode(storedFido2Info.PublicKey),
storedFido2Info.SignatureCounter,
args =>
{
var storedCredentialId = Base64Url.Decode(storedFido2Info.CredentialId);
var storedCredDescriptor = new PublicKeyCredentialDescriptor(storedCredentialId);
var credIdValidationResult = storedCredDescriptor.Id.SequenceEqual(args.CredentialId);
return(Task.FromResult(credIdValidationResult));
});
return(await _cacheItemRepository.UpdateAsync(relatedItem.Context, item =>
{
item.PublicKey = storedFido2Info.PublicKey;
item.Fido2SignatureCounter = result.Counter;
item.Fido2CredentialId = request.CredentialId;
item.FinishFlow(storedFido2Info.UserId, storedFido2Info.PublicKey);
}));
}
public static PublicKeyCredentialRequestOptions ConvertToPublicKeyCredentialRequestOptions(
IFido2Client fido2Client,
ServerPublicKeyCredentialCreationOptionsResponse response,
bool isUseSelectedPlatformAuthenticator)
{
PublicKeyCredentialRequestOptions.Builder builder = new PublicKeyCredentialRequestOptions.Builder();
builder.SetRpId(response.RpId);
builder.SetChallenge(ByteUtils.Base64ToByte(response.Challenge));
ServerPublicKeyCredentialDescriptor[] descriptors = response.AllowCredentials;
if (descriptors != null)
{
List <PublicKeyCredentialDescriptor> descriptorList = new List <PublicKeyCredentialDescriptor>();
foreach (ServerPublicKeyCredentialDescriptor descriptor in descriptors)
{
List <AuthenticatorTransport> transports = new List <AuthenticatorTransport>();
if (descriptor.Transports != null)
{
try
{
transports.Add(AuthenticatorTransport.FromValue(descriptor.Transports));
}
catch (System.Exception e)
{
Log.Error(Tag, e.Message, e);
}
}
PublicKeyCredentialDescriptor desc = new PublicKeyCredentialDescriptor(
PublicKeyCredentialType.PublicKey, ByteUtils.Base64ToByte(descriptor.Id), transports);
descriptorList.Add(desc);
}
builder.SetAllowList(descriptorList);
}
Dictionary <string, Java.Lang.Object> extensions = new Dictionary <string, Java.Lang.Object>();
if (response.Extensions != null)
{
extensions.AddRangeOverride(response.Extensions);
}
// Specify a platform authenticator and related extension items. You can specify a platform
// authenticator or not as needed.
if (isUseSelectedPlatformAuthenticator)
{
UseSelectedPlatformAuthenticator(fido2Client, extensions);
}
builder.SetExtensions(extensions);
builder.SetTimeoutSeconds((Java.Lang.Long)response.Timeout);
return(builder.Build());
}
internal static PublicKeyCredentialDescriptor ToCore(this MFAPublicKeyCredentialDescriptor data)
{
var creds = new PublicKeyCredentialDescriptor()
{
Id = data.Id,
Type = (PublicKeyCredentialType)data.Type
};
if (data.Transports != null)
{
creds.Transports = new AuthenticatorTransport[data.Transports.Length];
for (int i = 0; i < data.Transports.Length; i++)
{
creds.Transports[i] = (AuthenticatorTransport)data.Transports[i];
}
}
return(creds);
}
internal async void MakeAssertionResponse(COSE.KeyType kty, COSE.Algorithm alg, COSE.EllipticCurve crv = COSE.EllipticCurve.P256)
{
const string rp = "fido2.azurewebsites.net";
byte[] rpId = Encoding.UTF8.GetBytes(rp);
var rpIdHash = SHA256.Create().ComputeHash(rpId);
var flags = AuthenticatorFlags.AT | AuthenticatorFlags.ED | AuthenticatorFlags.UP | AuthenticatorFlags.UV;
const ushort signCount = 0xf1d0;
var aaguid = new Guid("F1D0F1D0-F1D0-F1D0-F1D0-F1D0F1D0F1D0");
var credentialID = new byte[] { 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, };
CredentialPublicKey cpk = null;
ECDsa ecdsa = null;
RSA rsa = null;
byte[] expandedPrivateKey = null;
switch (kty)
{
case COSE.KeyType.EC2:
{
ecdsa = MakeECDsa(alg, crv);
var ecparams = ecdsa.ExportParameters(true);
cpk = MakeCredentialPublicKey(kty, alg, crv, ecparams.Q.X, ecparams.Q.Y);
break;
}
case COSE.KeyType.RSA:
{
rsa = RSA.Create();
var rsaparams = rsa.ExportParameters(true);
cpk = MakeCredentialPublicKey(kty, alg, rsaparams.Modulus, rsaparams.Exponent);
break;
}
case COSE.KeyType.OKP:
{
MakeEdDSA(out var privateKeySeed, out var publicKey, out expandedPrivateKey);
cpk = MakeCredentialPublicKey(kty, alg, COSE.EllipticCurve.Ed25519, publicKey);
break;
}
throw new ArgumentOutOfRangeException(nameof(kty), $"Missing or unknown kty {kty}");
}
var acd = new AttestedCredentialData(aaguid, credentialID, cpk);
var extBytes = CBORObject.NewMap().Add("testing", true).EncodeToBytes();
var exts = new Extensions(extBytes);
var ad = new AuthenticatorData(rpIdHash, flags, signCount, acd, exts);
var authData = ad.ToByteArray();
var challenge = new byte[128];
var rng = RandomNumberGenerator.Create();
rng.GetBytes(challenge);
var clientData = new
{
Type = "webauthn.get",
Challenge = challenge,
Origin = rp,
};
var clientDataJson = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(clientData));
var sha = SHA256.Create();
var hashedClientDataJson = sha.ComputeHash(clientDataJson);
byte[] data = new byte[authData.Length + hashedClientDataJson.Length];
Buffer.BlockCopy(authData, 0, data, 0, authData.Length);
Buffer.BlockCopy(hashedClientDataJson, 0, data, authData.Length, hashedClientDataJson.Length);
byte[] signature = null;
switch (kty)
{
case COSE.KeyType.EC2:
{
signature = ecdsa.SignData(data, CryptoUtils.algMap[(int)alg]);
break;
}
case COSE.KeyType.RSA:
{
RSASignaturePadding padding;
switch (alg) // https://www.iana.org/assignments/cose/cose.xhtml#algorithms
{
case COSE.Algorithm.PS256:
case COSE.Algorithm.PS384:
case COSE.Algorithm.PS512:
padding = RSASignaturePadding.Pss;
break;
case COSE.Algorithm.RS1:
case COSE.Algorithm.RS256:
case COSE.Algorithm.RS384:
case COSE.Algorithm.RS512:
padding = RSASignaturePadding.Pkcs1;
break;
default:
throw new ArgumentOutOfRangeException(nameof(alg), $"Missing or unknown alg {alg}");
}
signature = rsa.SignData(data, CryptoUtils.algMap[(int)alg], padding);
break;
}
case COSE.KeyType.OKP:
{
signature = Ed25519.Sign(data, expandedPrivateKey);
break;
}
default:
throw new ArgumentOutOfRangeException(nameof(kty), $"Missing or unknown kty {kty}");
}
if (kty == COSE.KeyType.EC2)
{
signature = EcDsaSigFromSig(signature, ecdsa.KeySize);
}
var userHandle = new byte[16];
rng.GetBytes(userHandle);
var assertion = new AuthenticatorAssertionRawResponse.AssertionResponse()
{
AuthenticatorData = authData,
Signature = signature,
ClientDataJson = clientDataJson,
UserHandle = userHandle,
};
var lib = new Fido2(new Fido2Configuration()
{
ServerDomain = rp,
ServerName = rp,
Origin = rp,
});
var existingCredentials = new List <PublicKeyCredentialDescriptor>();
var cred = new PublicKeyCredentialDescriptor
{
Type = PublicKeyCredentialType.PublicKey,
Id = new byte[] { 0xf1, 0xd0 }
};
existingCredentials.Add(cred);
var options = lib.GetAssertionOptions(existingCredentials, null, null);
options.Challenge = challenge;
var response = new AuthenticatorAssertionRawResponse()
{
Response = assertion,
Type = PublicKeyCredentialType.PublicKey,
Id = new byte[] { 0xf1, 0xd0 },
RawId = new byte[] { 0xf1, 0xd0 },
};
IsUserHandleOwnerOfCredentialIdAsync callback = (args) =>
{
return(Task.FromResult(true));
};
var res = await lib.MakeAssertionAsync(response, options, cpk.GetBytes(), signCount - 1, callback);
}
internal static async Task <AssertionVerificationResult> MakeAssertionResponse(COSE.KeyType kty, COSE.Algorithm alg, COSE.EllipticCurve crv = COSE.EllipticCurve.P256, CredentialPublicKey cpk = null, ushort signCount = 0, ECDsa ecdsa = null, RSA rsa = null, byte[] expandedPrivateKey = null)
{
const string rp = "https://www.passwordless.dev";
byte[] rpId = Encoding.UTF8.GetBytes(rp);
var rpIdHash = SHA256.Create().ComputeHash(rpId);
var flags = AuthenticatorFlags.AT | AuthenticatorFlags.ED | AuthenticatorFlags.UP | AuthenticatorFlags.UV;
var aaguid = new Guid("F1D0F1D0-F1D0-F1D0-F1D0-F1D0F1D0F1D0");
var credentialID = new byte[] { 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, };
if (cpk == null)
{
switch (kty)
{
case COSE.KeyType.EC2:
{
if (ecdsa == null)
{
ecdsa = MakeECDsa(alg, crv);
}
var ecparams = ecdsa.ExportParameters(true);
cpk = MakeCredentialPublicKey(kty, alg, crv, ecparams.Q.X, ecparams.Q.Y);
break;
}
case COSE.KeyType.RSA:
{
if (rsa == null)
{
rsa = RSA.Create();
}
var rsaparams = rsa.ExportParameters(true);
cpk = MakeCredentialPublicKey(kty, alg, rsaparams.Modulus, rsaparams.Exponent);
break;
}
case COSE.KeyType.OKP:
{
byte[] publicKey = null;
if (expandedPrivateKey == null)
{
MakeEdDSA(out var privateKeySeed, out publicKey, out expandedPrivateKey);
}
cpk = MakeCredentialPublicKey(kty, alg, COSE.EllipticCurve.Ed25519, publicKey);
break;
}
throw new ArgumentOutOfRangeException(nameof(kty), $"Missing or unknown kty {kty}");
}
}
var acd = new AttestedCredentialData(aaguid, credentialID, cpk);
var extBytes = CBORObject.NewMap().Add("testing", true).EncodeToBytes();
var exts = new Extensions(extBytes);
var ad = new AuthenticatorData(rpIdHash, flags, (uint)(signCount + 1), acd, exts);
var authData = ad.ToByteArray();
var challenge = new byte[128];
var rng = RandomNumberGenerator.Create();
rng.GetBytes(challenge);
var clientData = new
{
Type = "webauthn.get",
Challenge = challenge,
Origin = rp,
};
var clientDataJson = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(clientData));
var sha = SHA256.Create();
var hashedClientDataJson = sha.ComputeHash(clientDataJson);
byte[] data = new byte[authData.Length + hashedClientDataJson.Length];
Buffer.BlockCopy(authData, 0, data, 0, authData.Length);
Buffer.BlockCopy(hashedClientDataJson, 0, data, authData.Length, hashedClientDataJson.Length);
byte[] signature = SignData(kty, alg, data, ecdsa, rsa, expandedPrivateKey);
var userHandle = new byte[16];
rng.GetBytes(userHandle);
var assertion = new AuthenticatorAssertionRawResponse.AssertionResponse()
{
AuthenticatorData = authData,
Signature = signature,
ClientDataJson = clientDataJson,
UserHandle = userHandle,
};
var lib = new Fido2(new Fido2Configuration()
{
ServerDomain = rp,
ServerName = rp,
Origin = rp,
});
var existingCredentials = new List <PublicKeyCredentialDescriptor>();
var cred = new PublicKeyCredentialDescriptor
{
Type = PublicKeyCredentialType.PublicKey,
Id = new byte[] { 0xf1, 0xd0 }
};
existingCredentials.Add(cred);
var options = lib.GetAssertionOptions(existingCredentials, null, null);
options.Challenge = challenge;
var response = new AuthenticatorAssertionRawResponse()
{
Response = assertion,
Type = PublicKeyCredentialType.PublicKey,
Id = new byte[] { 0xf1, 0xd0 },
RawId = new byte[] { 0xf1, 0xd0 },
};
IsUserHandleOwnerOfCredentialIdAsync callback = (args) =>
{
return(Task.FromResult(true));
};
return(await lib.MakeAssertionAsync(response, options, cpk.GetBytes(), signCount, callback));
}
public static PublicKeyCredentialCreationOptions ConvertToPublicKeyCredentialCreationOptions(IFido2Client fido2Client,
ServerPublicKeyCredentialCreationOptionsResponse response)
{
PublicKeyCredentialCreationOptions.Builder builder = new PublicKeyCredentialCreationOptions.Builder();
string name = response.Rp.Name;
PublicKeyCredentialRpEntity entity = new PublicKeyCredentialRpEntity(name, name, null);
builder.SetRp(entity);
string id = response.User.Id;
try
{
builder.SetUser(new PublicKeyCredentialUserEntity(id, System.Text.Encoding.UTF8.GetBytes(id)));
}
catch (UnsupportedEncodingException e)
{
Log.Error(Tag, e.Message, e);
}
builder.SetChallenge(ByteUtils.Base64ToByte(response.Challenge));
if (response.PubKeyCredParams != null)
{
List <PublicKeyCredentialParameters> parameters = new List <PublicKeyCredentialParameters>();
ServerPublicKeyCredentialParameters[] serverPublicKeyCredentialParameters = response.PubKeyCredParams;
foreach (ServerPublicKeyCredentialParameters param in serverPublicKeyCredentialParameters)
{
try
{
PublicKeyCredentialParameters parameter = new PublicKeyCredentialParameters(
PublicKeyCredentialType.PublicKey, Algorithm.FromCode(param.Alg));
parameters.Add(parameter);
}
catch (System.Exception e)
{
Log.Error(Tag, e.Message, e);
}
}
builder.SetPubKeyCredParams(parameters);
}
if (response.ExcludeCredentials != null)
{
List <PublicKeyCredentialDescriptor> descriptors = new List <PublicKeyCredentialDescriptor>();
ServerPublicKeyCredentialDescriptor[] serverDescriptors = response.ExcludeCredentials;
foreach (ServerPublicKeyCredentialDescriptor desc in serverDescriptors)
{
List <AuthenticatorTransport> transports = new List <AuthenticatorTransport>();
if (desc.Transports != null)
{
try
{
transports.Add(AuthenticatorTransport.FromValue(desc.Transports));
}
catch (System.Exception e)
{
Log.Error(Tag, e.Message, e);
}
}
PublicKeyCredentialDescriptor descriptor = new PublicKeyCredentialDescriptor(
PublicKeyCredentialType.PublicKey, ByteUtils.Base64ToByte(desc.Id), transports);
descriptors.Add(descriptor);
}
builder.SetExcludeList(descriptors);
}
Attachment attachment = null;
if (response.AuthenticatorSelection != null)
{
ServerAuthenticatorSelectionCriteria selectionCriteria = response.AuthenticatorSelection;
if (selectionCriteria.AuthenticatorAttachment != null)
{
try
{
attachment = Attachment.FromValue(selectionCriteria.AuthenticatorAttachment);
}
catch (System.Exception e)
{
Log.Error(Tag, e.Message, e);
}
}
bool residentKey = selectionCriteria.IsRequireResidentKey;
UserVerificationRequirement requirement = null;
if (selectionCriteria.UserVerification != null)
{
try
{
requirement = UserVerificationRequirement.FromValue(selectionCriteria.UserVerification);
}
catch (System.Exception e)
{
Log.Error(Tag, e.Message, e);
}
}
AuthenticatorSelectionCriteria fido2Selection =
new AuthenticatorSelectionCriteria(attachment, (Java.Lang.Boolean)residentKey, requirement);
builder.SetAuthenticatorSelection(fido2Selection);
}
// attestation
if (response.Attestation != null)
{
try
{
AttestationConveyancePreference preference =
AttestationConveyancePreference.FromValue(response.Attestation);
builder.SetAttestation(preference);
}
catch (System.Exception e)
{
Log.Error(Tag, e.Message, e);
}
}
Dictionary <string, Java.Lang.Object> extensions = new Dictionary <string, Java.Lang.Object>();
if (response.Extensions != null)
{
extensions.AddRangeOverride(response.Extensions);
}
// Specify a platform authenticator and related extension items. You can specify a platform
// authenticator or not as needed.
if (Attachment.Platform.Equals(attachment))
{
UseSelectedPlatformAuthenticator(fido2Client, extensions);
}
builder.SetExtensions(extensions);
builder.SetTimeoutSeconds((Java.Lang.Long)response.Timeout);
return(builder.Build());
}
