public uint FinishAuthentication(FidoStartedAuthentication startedAuthentication, FidoAuthenticateResponse authResponse, FidoDeviceRegistration deviceRegistration, IEnumerable <FidoFacetId> trustedFacetIds) { authResponse.Validate(); var clientData = authResponse.ClientData; ExpectClientDataType(clientData, AuthenticateType); if (clientData.Challenge != startedAuthentication.Challenge) { throw new InvalidOperationException("Incorrect challenge signed in client data"); } ValidateOrigin(trustedFacetIds, new FidoFacetId(clientData.Origin)); var signatureData = authResponse.SignatureData; VerifyAuthSignature(startedAuthentication.AppId, signatureData, clientData, deviceRegistration); deviceRegistration.UpdateCounter(signatureData.Counter); return(signatureData.Counter); }
public uint FinishAuthentication(FidoStartedAuthentication startedAuthentication, string rawAuthResponse, FidoDeviceRegistration deviceRegistration, IEnumerable <FidoFacetId> trustedFacetIds) { var authResponse = FidoAuthenticateResponse.FromJson(rawAuthResponse); return(FinishAuthentication(startedAuthentication, authResponse, deviceRegistration, trustedFacetIds)); }
public FidoStartedAuthentication StartAuthentication(FidoAppId appId, FidoDeviceRegistration deviceRegistration) { if (appId == null) { throw new ArgumentNullException("appId"); } if (deviceRegistration == null) { throw new ArgumentNullException("deviceRegistration"); } var challenge = _generateFidoChallenge.GenerateChallenge(); return(new FidoStartedAuthentication(appId, WebSafeBase64Converter.ToBase64String(challenge), deviceRegistration.KeyHandle)); }
private void VerifyAuthSignature(FidoAppId appId, FidoSignatureData signatureData, FidoClientData clientData, FidoDeviceRegistration deviceRegistration) { if (appId == null) { throw new ArgumentNullException("appId"); } if (signatureData == null) { throw new ArgumentNullException("signatureData"); } if (clientData == null) { throw new ArgumentNullException("clientData"); } if (deviceRegistration == null) { throw new ArgumentNullException("deviceRegistration"); } if (String.IsNullOrEmpty(clientData.RawJsonValue)) { throw new InvalidOperationException("Client data has no JSON representation"); } var counterBytes = BitConverter.GetBytes(signatureData.Counter); if (BitConverter.IsLittleEndian) { Array.Reverse(counterBytes); } var signedBytes = PackBytes( Helpers.Sha256(appId.ToString()), new [] { signatureData.UserPresence }, counterBytes, Helpers.Sha256(clientData.RawJsonValue)); VerifySignature(deviceRegistration, signatureData.Signature, signedBytes); if (signatureData.UserPresence != UserPresentFlag) { throw new InvalidOperationException("User presence invalid during authentication"); } }
private void VerifySignature(FidoDeviceRegistration deviceRegistration, FidoSignature signature, byte[] signedBytes) { try { var certPublicKey = deviceRegistration.PublicKey.PublicKey; var signer = SignerUtilities.GetSigner("SHA-256withECDSA"); signer.Init(false, certPublicKey); signer.BlockUpdate(signedBytes, 0, signedBytes.Length); if (signer.VerifySignature(signature.ToByteArray())) { throw new InvalidOperationException("Invalid signature"); } } catch { throw new InvalidOperationException("Invalid signature"); } }