public uint FinishAuthentication(FidoStartedAuthentication startedAuthentication,
FidoAuthenticateResponse authResponse,
FidoDeviceRegistration deviceRegistration,
IEnumerable <FidoFacetId> trustedFacetIds)
{
authResponse.Validate();
var clientData = authResponse.ClientData;
ExpectClientDataType(clientData, AuthenticateType);
if (clientData.Challenge != startedAuthentication.Challenge)
{
throw new InvalidOperationException("Incorrect challenge signed in client data");
}
ValidateOrigin(trustedFacetIds, new FidoFacetId(clientData.Origin));
var signatureData = authResponse.SignatureData;
VerifyAuthSignature(startedAuthentication.AppId, signatureData, clientData, deviceRegistration);
deviceRegistration.UpdateCounter(signatureData.Counter);
return(signatureData.Counter);
}
public uint FinishAuthentication(FidoStartedAuthentication startedAuthentication,
string rawAuthResponse,
FidoDeviceRegistration deviceRegistration,
IEnumerable<FidoFacetId> trustedFacetIds)
{
var authResponse = FidoAuthenticateResponse.FromJson(rawAuthResponse);
return FinishAuthentication(startedAuthentication, authResponse, deviceRegistration, trustedFacetIds);
}
public uint FinishAuthentication(FidoStartedAuthentication startedAuthentication,
string rawAuthResponse,
FidoDeviceRegistration deviceRegistration,
IEnumerable <FidoFacetId> trustedFacetIds)
{
var authResponse = FidoAuthenticateResponse.FromJson(rawAuthResponse);
return(FinishAuthentication(startedAuthentication, authResponse, deviceRegistration, trustedFacetIds));
}
public static void AddDeviceRegistration(string deviceName, FidoDeviceRegistration deviceRegistration)
{
CurrentUser.Devices.Add(new Device {
Name = deviceName,
Identifier = deviceRegistration.KeyHandle.ToString(),
Usage = 0,
Data = deviceRegistration.ToJson()
});
}
private static FidoDeviceRegistration CreateTestDeviceRegistration()
{
var keyHandle = new FidoKeyHandle(Encoding.Default.GetBytes("keyhandle"));
var publicKey = new FidoPublicKey(Encoding.Default.GetBytes("publickey"));
var certificate = new FidoAttestationCertificate(Encoding.Default.GetBytes("certificate"));
var deviceRegistration = new FidoDeviceRegistration(keyHandle, publicKey, certificate, 12345);
return(deviceRegistration);
}
public void Equals_DifferentPublicKey()
{
var registration1 = CreateTestDeviceRegistration();
var registration2 = new FidoDeviceRegistration(
registration1.KeyHandle,
new FidoPublicKey(Encoding.Default.GetBytes("different publickey")),
registration1.Certificate,
registration1.Counter);
Assert.IsFalse(registration1.Equals(registration2));
}
public void Equals_DifferentCertificate()
{
var registration1 = CreateTestDeviceRegistration();
var registration2 = new FidoDeviceRegistration(
registration1.KeyHandle,
registration1.PublicKey,
new FidoAttestationCertificate(Encoding.UTF8.GetBytes("different certificate")),
registration1.Counter);
Assert.IsFalse(registration1.Equals(registration2));
}
public void Equals_DifferentCertificate()
{
var registration1 = CreateTestDeviceRegistration();
var registration2 = new FidoDeviceRegistration(
registration1.KeyHandle,
registration1.PublicKey,
new FidoAttestationCertificate(Encoding.UTF8.GetBytes("different certificate")),
registration1.Counter);
Assert.IsFalse(registration1.Equals(registration2));
}
public void Equals_DifferentKeyHandle()
{
var registration1 = CreateTestDeviceRegistration();
var registration2 = new FidoDeviceRegistration(
new FidoKeyHandle(Encoding.Default.GetBytes("different keyhandle")),
registration1.PublicKey,
registration1.Certificate,
registration1.Counter);
Assert.IsFalse(registration1.Equals(registration2));
}
public void FromJson()
{
var deviceRegistration = FidoDeviceRegistration.FromJson("{\"Certificate\":\"Y2VydGlmaWNhdGU\",\"Counter\":12345,\"KeyHandle\":\"a2V5aGFuZGxl\",\"PublicKey\":\"cHVibGlja2V5\"}");
var keyHandle = new FidoKeyHandle(Encoding.Default.GetBytes("keyhandle"));
var publicKey = new FidoPublicKey(Encoding.Default.GetBytes("publickey"));
var certificate = new FidoAttestationCertificate(Encoding.Default.GetBytes("certificate"));
Assert.AreEqual(12345, deviceRegistration.Counter);
Assert.IsTrue(certificate.Equals(deviceRegistration.Certificate));
Assert.IsTrue(publicKey.Equals(deviceRegistration.PublicKey));
Assert.IsTrue(keyHandle.Equals(deviceRegistration.KeyHandle));
}
public AuthenticateDeviceModel GetAuthenticationModel(Device device)
{
var u2F = new FidoUniversalTwoFactor();
var deviceRegistration = FidoDeviceRegistration.FromJson(device.Data);
var authentication = u2F.StartAuthentication(AppId, deviceRegistration);
var model = new AuthenticateDeviceModel
{
AppId = authentication.AppId.ToString(),
Challenge = authentication.Challenge,
KeyHandle = device.Identifier
};
return(model);
}
public FidoStartedAuthentication StartAuthentication(FidoAppId appId, FidoDeviceRegistration deviceRegistration)
{
if (appId == null)
{
throw new ArgumentNullException("appId");
}
if (deviceRegistration == null)
{
throw new ArgumentNullException("deviceRegistration");
}
var challenge = _generateFidoChallenge.GenerateChallenge();
return(new FidoStartedAuthentication(appId,
WebSafeBase64Converter.ToBase64String(challenge),
deviceRegistration.KeyHandle));
}
private void VerifyAuthSignature(FidoAppId appId, FidoSignatureData signatureData, FidoClientData clientData,
FidoDeviceRegistration deviceRegistration)
{
if (appId == null)
{
throw new ArgumentNullException("appId");
}
if (signatureData == null)
{
throw new ArgumentNullException("signatureData");
}
if (clientData == null)
{
throw new ArgumentNullException("clientData");
}
if (deviceRegistration == null)
{
throw new ArgumentNullException("deviceRegistration");
}
if (String.IsNullOrEmpty(clientData.RawJsonValue))
{
throw new InvalidOperationException("Client data has no JSON representation");
}
var counterBytes = BitConverter.GetBytes(signatureData.Counter);
if (BitConverter.IsLittleEndian)
{
Array.Reverse(counterBytes);
}
var signedBytes = PackBytes(
Helpers.Sha256(appId.ToString()),
new [] { signatureData.UserPresence },
counterBytes,
Helpers.Sha256(clientData.RawJsonValue));
VerifySignature(deviceRegistration, signatureData.Signature, signedBytes);
if (signatureData.UserPresence != UserPresentFlag)
{
throw new InvalidOperationException("User presence invalid during authentication");
}
}
public void ToJson()
{
var keyHandle = new FidoKeyHandle(Encoding.Default.GetBytes("keyhandle"));
var publicKey = new FidoPublicKey(Encoding.Default.GetBytes("publickey"));
var certificate = new FidoAttestationCertificate(Encoding.Default.GetBytes("certificate"));
var deviceRegistration = new FidoDeviceRegistration(keyHandle, publicKey, certificate, 12345);
var serialized = deviceRegistration.ToJson();
var jsonObject = JObject.Parse(serialized);
var properties = jsonObject.Properties().ToLookup(x => x.Name.ToLowerInvariant(), x => x.Value.ToString());
Assert.AreEqual("Y2VydGlmaWNhdGU", properties["certificate"].Single());
Assert.AreEqual("12345", properties["counter"].Single());
Assert.AreEqual("a2V5aGFuZGxl", properties["keyhandle"].Single());
Assert.AreEqual("cHVibGlja2V5", properties["publickey"].Single());
}
public IActionResult AuthenticateDevice(AuthenticateDeviceModel model)
{
if (App.CurrentUser == null)
{
return(BadRequest(new { error = "You must login.", code = 401 }));
}
if (model == null || string.IsNullOrEmpty(model.KeyHandle))
{
return(BadRequest(new { error = "Invalid device id.", code = 400 }));
}
var device = App.CurrentUser.Devices.FirstOrDefault(x => x.Identifier.Equals(model.KeyHandle));
if (device == null)
{
return(BadRequest(new { error = "Device not found.", code = 400 }));
}
var u2F = new FidoUniversalTwoFactor();
var deviceRegistration = FidoDeviceRegistration.FromJson(device.Data);
if (deviceRegistration == null)
{
return(BadRequest(new { error = "Unknown key handle.", code = 400 }));
}
var challenge = model.Challenge;
var startedAuthentication = new FidoStartedAuthentication(AppId, challenge, FidoKeyHandle.FromWebSafeBase64(model.KeyHandle ?? ""));
var facetIds = new List <FidoFacetId> {
new FidoFacetId(AppId.ToString())
};
var counter = u2F.FinishAuthentication(startedAuthentication, model.RawAuthenticateResponse, deviceRegistration, facetIds);
deviceRegistration.Counter = counter;
device.Usage++;
return(Ok(new { message = "Device has been authenticated.", code = 200, redirect = Url.Action("CurrentUser") }));
}
private void VerifySignature(FidoDeviceRegistration deviceRegistration, FidoSignature signature,
byte[] signedBytes)
{
try
{
var certPublicKey = deviceRegistration.PublicKey.PublicKey;
var signer = SignerUtilities.GetSigner("SHA-256withECDSA");
signer.Init(false, certPublicKey);
signer.BlockUpdate(signedBytes, 0, signedBytes.Length);
if (signer.VerifySignature(signature.ToByteArray()))
{
throw new InvalidOperationException("Invalid signature");
}
}
catch
{
throw new InvalidOperationException("Invalid signature");
}
}
public uint FinishAuthentication(FidoStartedAuthentication startedAuthentication,
FidoAuthenticateResponse authResponse,
FidoDeviceRegistration deviceRegistration,
IEnumerable<FidoFacetId> trustedFacetIds)
{
authResponse.Validate();
var clientData = authResponse.ClientData;
ExpectClientDataType(clientData, AuthenticateType);
if (clientData.Challenge != startedAuthentication.Challenge)
throw new InvalidOperationException("Incorrect challenge signed in client data");
ValidateOrigin(trustedFacetIds, new FidoFacetId(clientData.Origin));
var signatureData = authResponse.SignatureData;
VerifyAuthSignature(startedAuthentication.AppId, signatureData, clientData, deviceRegistration);
deviceRegistration.UpdateCounter(signatureData.Counter);
return signatureData.Counter;
}
public void StoreDeviceRegistration(string userName, FidoDeviceRegistration deviceRegistration)
{
DeviceRegistrations.Add(deviceRegistration);
}
public void StoreDeviceRegistration(string userName, FidoDeviceRegistration deviceRegistration)
{
DeviceRegistrations.Add(deviceRegistration);
}
public FidoStartedAuthentication StartAuthentication(FidoAppId appId, FidoDeviceRegistration deviceRegistration)
{
if (appId == null) throw new ArgumentNullException("appId");
if (deviceRegistration == null) throw new ArgumentNullException("deviceRegistration");
var challenge = _generateFidoChallenge.GenerateChallenge();
return new FidoStartedAuthentication(appId,
WebSafeBase64Converter.ToBase64String(challenge),
deviceRegistration.KeyHandle);
}
private static FidoDeviceRegistration CreateTestDeviceRegistration()
{
var keyHandle = new FidoKeyHandle(Encoding.Default.GetBytes("keyhandle"));
var publicKey = new FidoPublicKey(Encoding.Default.GetBytes("publickey"));
var certificate = new FidoAttestationCertificate(Encoding.Default.GetBytes("certificate"));
var deviceRegistration = new FidoDeviceRegistration(keyHandle, publicKey, certificate, 12345);
return deviceRegistration;
}
public void ToJson()
{
var keyHandle = new FidoKeyHandle(Encoding.Default.GetBytes("keyhandle"));
var publicKey = new FidoPublicKey(Encoding.Default.GetBytes("publickey"));
var certificate = new FidoAttestationCertificate(Encoding.Default.GetBytes("certificate"));
var deviceRegistration = new FidoDeviceRegistration(keyHandle, publicKey, certificate, 12345);
var serialized = deviceRegistration.ToJson();
var jsonObject = JObject.Parse(serialized);
var properties = jsonObject.Properties().ToLookup(x => x.Name.ToLowerInvariant(), x => x.Value.ToString());
Assert.AreEqual("Y2VydGlmaWNhdGU", properties["certificate"].Single());
Assert.AreEqual("12345", properties["counter"].Single());
Assert.AreEqual("a2V5aGFuZGxl", properties["keyhandle"].Single());
Assert.AreEqual("cHVibGlja2V5", properties["publickey"].Single());
}
private void VerifyAuthSignature(FidoAppId appId, FidoSignatureData signatureData, FidoClientData clientData,
FidoDeviceRegistration deviceRegistration)
{
if (appId == null) throw new ArgumentNullException("appId");
if (signatureData == null) throw new ArgumentNullException("signatureData");
if (clientData == null) throw new ArgumentNullException("clientData");
if (deviceRegistration == null) throw new ArgumentNullException("deviceRegistration");
if (String.IsNullOrEmpty(clientData.RawJsonValue))
throw new InvalidOperationException("Client data has no JSON representation");
var counterBytes = BitConverter.GetBytes(signatureData.Counter);
if (BitConverter.IsLittleEndian)
Array.Reverse(counterBytes);
var signedBytes = PackBytes(
Helpers.Sha256(appId.ToString()),
new [] { signatureData.UserPresence },
counterBytes,
Helpers.Sha256(clientData.RawJsonValue));
VerifySignature(deviceRegistration, signatureData.Signature, signedBytes);
if (signatureData.UserPresence != UserPresentFlag)
throw new InvalidOperationException("User presence invalid during authentication");
}
private void VerifySignature(FidoDeviceRegistration deviceRegistration, FidoSignature signature,
byte[] signedBytes)
{
try
{
var certPublicKey = deviceRegistration.PublicKey.PublicKey;
var signer = SignerUtilities.GetSigner("SHA-256withECDSA");
signer.Init(false, certPublicKey);
signer.BlockUpdate(signedBytes, 0, signedBytes.Length);
if (signer.VerifySignature(signature.ToByteArray()))
throw new InvalidOperationException("Invalid signature");
}
catch
{
throw new InvalidOperationException("Invalid signature");
}
}
