public virtual void TestDecodeRegisterResponse() { var registerResponse = RawMessageCodec.DecodeKeyRegisterResponse(REGISTRATION_RESPONSE_DATA.Segment()); Assert.AreEqual( new KeyRegisterResponse(USER_PUBLIC_KEY_ENROLL_HEX, KEY_HANDLE, VENDOR_CERTIFICATE, SIGNATURE_ENROLL), registerResponse); }
/// <exception cref="U2FException" /> public SecurityKeyData ProcessRegistrationResponse(RegisterResponse registrationResponse, long currentTimeInMillis) { log.Info(">> processRegistrationResponse"); var sessionId = registrationResponse.SessionId; var browserDataBase64 = registrationResponse.Bd; var rawRegistrationDataBase64 = registrationResponse.RegistrationData; var sessionData = dataStore.GetEnrollSessionData(sessionId); if (sessionData == null) { throw new U2FException("Unknown session_id"); } var appId = sessionData.AppId; var rawBrowserData = WebSafeBase64Converter.FromBase64String(browserDataBase64); var browserData = Encoding.UTF8.GetString(rawBrowserData, 0, rawBrowserData.Length); var rawRegistrationData = WebSafeBase64Converter.FromBase64String(rawRegistrationDataBase64); log.Info("-- Input --"); log.Info(" sessionId: " + sessionId); log.Info(" challenge: " + sessionData.Challenge.ToHexString()); log.Info(" accountName: " + sessionData.AccountName); log.Info(" browserData: " + browserData); log.Info(" rawRegistrationData: " + rawRegistrationData.ToHexString()); var registerResponse = RawMessageCodec.DecodeKeyRegisterResponse(rawRegistrationData.Segment()); var userPublicKey = registerResponse.UserPublicKey; var keyHandle = registerResponse.KeyHandle; var attestationCertificate = registerResponse.AttestationCertificate; var signature = registerResponse.Signature; IList <SecurityKeyDataTransports> transports = null; try { transports = ParseTransportsExtension(attestationCertificate); } catch (CertificateParsingException e1) { log.Warn("Could not parse transports extension " + e1.Message); } log.Info("-- Parsed rawRegistrationResponse --"); log.Info(" userPublicKey: " + userPublicKey.ToHexString ()); log.Info(" keyHandle: " + keyHandle.ToHexString()); log.Info(" attestationCertificate: " + SecurityKeyData.SafeCertificateToString(attestationCertificate)); log.Info(" transports: " + transports); log.Info(" attestationCertificate bytes: " + attestationCertificate.GetEncoded().ToHexString()); log.Info(" signature: " + signature.ToHexString()); var appIdSha256 = cryto.ComputeSha256(Encoding.UTF8.GetBytes(appId)); var browserDataSha256 = cryto.ComputeSha256(Encoding.UTF8.GetBytes(browserData)); var signedBytes = RawMessageCodec.EncodeKeyRegisterSignedBytes(appIdSha256, browserDataSha256, keyHandle, userPublicKey); var trustedCertificates = dataStore.GetTrustedCertificates(); if (!trustedCertificates.Contains(attestationCertificate)) { log.Warn("Attestion cert is not trusted"); } VerifyBrowserData(browserData, "navigator.id.finishEnrollment", sessionData); log.Info("Verifying signature of bytes " + signedBytes.ToHexString()); if (!cryto.VerifySignature(attestationCertificate, signedBytes, signature)) { throw new U2FException("Signature is invalid"); } // The first time we create the SecurityKeyData, we set the counter value to -1. // We don't actually know what the counter value of the real device is - but it will // be something bigger than -1, so subsequent signatures will check out ok. var securityKeyData = new SecurityKeyData(currentTimeInMillis, transports, keyHandle, userPublicKey, attestationCertificate, -1); /* initial counter value */ dataStore.AddSecurityKeyData(sessionData.AccountName, securityKeyData); log.Info("<< processRegistrationResponse"); return(securityKeyData); }