private List <Tuple <string, TwoFactorProvider.U2fMetaData> > LoadKeys(TwoFactorProvider provider)
{
var keys = new List <Tuple <string, TwoFactorProvider.U2fMetaData> >();
if (!HasProperMetaData(provider))
{
return(keys);
}
// Support up to 5 keys
for (var i = 1; i <= 5; i++)
{
var keyName = $"Key{i}";
if (provider.MetaData.ContainsKey(keyName))
{
var key = new TwoFactorProvider.U2fMetaData((dynamic)provider.MetaData[keyName]);
if (!key?.Compromised ?? false)
{
keys.Add(new Tuple <string, TwoFactorProvider.U2fMetaData>(keyName, key));
}
}
}
return(keys);
}
public async Task <string> GenerateAsync(string purpose, UserManager <User> manager, User user)
{
if (!user.Premium)
{
return(null);
}
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.U2f);
if (!HasProperMetaData(provider))
{
return(null);
}
var keys = new List <TwoFactorProvider.U2fMetaData>();
var key1 = new TwoFactorProvider.U2fMetaData((dynamic)provider.MetaData["Key1"]);
if (!key1?.Compromised ?? false)
{
keys.Add(key1);
}
if (keys.Count == 0)
{
return(null);
}
await _u2fRepository.DeleteManyByUserIdAsync(user.Id);
var challenges = new List <object>();
foreach (var key in keys)
{
var registration = new DeviceRegistration(key.KeyHandleBytes, key.PublicKeyBytes,
key.CertificateBytes, key.Counter);
var auth = U2fLib.StartAuthentication(Utilities.CoreHelpers.U2fAppIdUrl(_globalSettings), registration);
// Maybe move this to a bulk create when we support more than 1 key?
await _u2fRepository.CreateAsync(new U2f
{
AppId = auth.AppId,
Challenge = auth.Challenge,
KeyHandle = auth.KeyHandle,
Version = auth.Version,
UserId = user.Id,
CreationDate = DateTime.UtcNow
});
challenges.Add(new
{
appId = auth.AppId,
challenge = auth.Challenge,
keyHandle = auth.KeyHandle,
version = auth.Version
});
}
var token = JsonConvert.SerializeObject(challenges);
return(token);
}
public async Task <bool> ValidateAsync(string purpose, string token, UserManager <User> manager, User user)
{
if (!user.Premium || string.IsNullOrWhiteSpace(token))
{
return(false);
}
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.U2f);
if (!HasProperMetaData(provider))
{
return(false);
}
var keys = new List <TwoFactorProvider.U2fMetaData>();
var key1 = new TwoFactorProvider.U2fMetaData((dynamic)provider.MetaData["Key1"]);
if (!key1?.Compromised ?? false)
{
keys.Add(key1);
}
if (keys.Count == 0)
{
return(false);
}
var authenticateResponse = BaseModel.FromJson <AuthenticateResponse>(token);
var key = keys.FirstOrDefault(f => f.KeyHandle == authenticateResponse.KeyHandle);
if (key == null)
{
return(false);
}
var challenges = await _u2fRepository.GetManyByUserIdAsync(user.Id);
if (challenges.Count == 0)
{
return(false);
}
// User will have a authentication request for each device they have registered so get the one that matches
// the device key handle
var challenge = challenges.FirstOrDefault(c => c.KeyHandle == authenticateResponse.KeyHandle);
if (challenge == null)
{
return(false);
}
var success = true;
var registration = new DeviceRegistration(key.KeyHandleBytes, key.PublicKeyBytes, key.CertificateBytes,
key.Counter);
try
{
var auth = new StartedAuthentication(challenge.Challenge, challenge.AppId, challenge.KeyHandle);
U2fLib.FinishAuthentication(auth, authenticateResponse, registration);
}
catch (U2fException)
{
success = false;
}
// Update database
await _u2fRepository.DeleteManyByUserIdAsync(user.Id);
key.Counter = registration.Counter;
key.Compromised = registration.IsCompromised;
var providers = user.GetTwoFactorProviders();
providers[TwoFactorProviderType.U2f].MetaData["Key1"] = key;
user.SetTwoFactorProviders(providers);
await manager.UpdateAsync(user);
return(success);
}
public KeyModel(string id, TwoFactorProvider.U2fMetaData data)
{
Name = data.Name;
Id = Convert.ToInt32(id.Replace("Key", string.Empty));
Compromised = data.Compromised;
}
