public WebauthController(IConfiguration config)
{
var MDSAccessKey = config["fido2:MDSAccessKey"];
var invalidToken = "6d6b44d78b09fed0c5559e34c71db291d0d322d4d4de0000";
var MDSCacheDirPath = config["fido2:MDSCacheDirPath"] ?? Path.Combine(Path.GetTempPath(), "fido2mdscache");
_mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, MDSCacheDirPath);
if (null != _mds)
{
if (false == _mds.IsInitialized())
{
_mds.Initialize().Wait();
}
}
_origin = "https://localhost:44329";
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = "localhost",
ServerName = "Fido2 test",
Origin = _origin,
// Only create and use Metadataservice if we have an acesskey
MetadataService = _mds,
TimestampDriftTolerance = config.GetValue <int>("fido2:TimestampDriftTolerance")
});
}
public MfaFido2SignInFidoController(
Fido2Storage fido2Storage,
UserManager <ApplicationUser> userManager,
SignInManager <ApplicationUser> signInManager,
IOptions <Fido2Configuration> optionsFido2Configuration,
IStringLocalizerFactory factory)
{
_userManager = userManager;
_optionsFido2Configuration = optionsFido2Configuration;
_signInManager = signInManager;
_userManager = userManager;
_fido2Storage = fido2Storage;
var type = typeof(SharedResource);
var assemblyName = new AssemblyName(type.GetTypeInfo().Assembly.FullName);
_sharedLocalizer = factory.Create("SharedResource", assemblyName.Name);
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = _optionsFido2Configuration.Value.ServerDomain,
ServerName = _optionsFido2Configuration.Value.ServerName,
Origin = _optionsFido2Configuration.Value.Origin,
TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance
});
}
public FidoController(
UserManager <User> users,
AuthenticationContext authContext,
IConfiguration configuraiton)
{
_users = users;
_authContext = authContext;
var invalidToken = "6d6b44d78b09fed0c5559e34c71db291d0d322d4d4de0000";
_origin = configuraiton["Fido2:Origin"];
var MDSAccessKey = configuraiton["fido2:MDSAccessKey"];
var MDSCacheDirPath = configuraiton["fido2:MDSCacheDirPath"] ?? Path.Combine(Path.GetTempPath(), "fido2mdscache");
_mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, MDSCacheDirPath);
if (null != _mds)
{
if (false == _mds.IsInitialized())
{
_mds.Initialize().Wait();
}
}
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = configuraiton["Fido2:ServerDomain"],
ServerName = "Fido2 Identity Server",
Origin = _origin,
MetadataService = _mds
});
}
public PwFido2RegisterController(
Fido2Storage fido2Storage,
UserManager <IdentityUser> userManager,
IOptions <Fido2Configuration> optionsFido2Configuration,
IOptions <Fido2MdsConfiguration> optionsFido2MdsConfiguration)
{
_userManager = userManager;
_optionsFido2Configuration = optionsFido2Configuration;
_optionsFido2MdsConfiguration = optionsFido2MdsConfiguration;
_fido2Storage = fido2Storage;
var MDSCacheDirPath = _optionsFido2MdsConfiguration.Value.MDSCacheDirPath ?? Path.Combine(Path.GetTempPath(), "fido2mdscache");
_mds = string.IsNullOrEmpty(_optionsFido2MdsConfiguration.Value.MDSAccessKey) ? null : MDSMetadata.Instance(
_optionsFido2MdsConfiguration.Value.MDSAccessKey, MDSCacheDirPath);
if (null != _mds)
{
if (false == _mds.IsInitialized())
{
_mds.Initialize().Wait();
}
}
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = _optionsFido2Configuration.Value.ServerDomain,
ServerName = _optionsFido2Configuration.Value.ServerName,
Origin = _optionsFido2Configuration.Value.Origin,
// Only create and use Metadataservice if we have an acesskey
MetadataService = _mds,
TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance
});
}
public SignInFidoController(IConfiguration config,
Fido2Storage fido2Storage,
UserManager <IdentityUser> userManager,
SignInManager <IdentityUser> signInManager)
{
_signInManager = signInManager;
_userManager = userManager;
_fido2Storage = fido2Storage;
var MDSAccessKey = config["fido2:MDSAccessKey"];
var MDSCacheDirPath = config["fido2:MDSCacheDirPath"] ?? Path.Combine(Path.GetTempPath(), "fido2mdscache");
_mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, MDSCacheDirPath);
if (null != _mds)
{
if (false == _mds.IsInitialized())
{
_mds.Initialize().Wait();
}
}
_origin = config["fido2:origin"];
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = config["fido2:serverDomain"],
ServerName = "Fido2 test",
Origin = _origin,
// Only create and use Metadataservice if we have an acesskey
MetadataService = _mds,
TimestampDriftTolerance = config.GetValue <int>("fido2:TimestampDriftTolerance")
});
}
public FidoController(IConfiguration config, IIdentityServerInteractionService interaction)
{
//var MDSAccessKey = config["fido2:MDSAccessKey"];
//_mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, config["fido2:MDSCacheDirPath"]);
//if (null != _mds)
//{
// if (false == _mds.IsInitialized())
// _mds.Initialize().Wait();
//}
_origin = config["fido2:origin"];
_lib = new Fido2(new Fido2Configuration
{
ServerDomain = config["fido2:serverDomain"],
ServerName = "Fido2 test",
Origin = _origin,
// Only create and use Metadataservice if we have an acesskey
//MetadataService = _mds,
//TimestampDriftTolerance = config.GetValue<int>("fido2:TimestampDriftTolerance")
});
_interaction = interaction;
}
public static WebAuthnAssertion VerifyAssertionResult(Fido2Configuration fido2Config, string requestJSON, string resultJSON, Func <string, byte[]> getStoredPublicKey)
{
var fido2 = new Fido2(fido2Config);
IsUserHandleOwnerOfCredentialIdAsync callback = (args) =>
{
var u = args.UserHandle;
var id = args.CredentialId;
return(Task.FromResult(true));
};
var request = Newtonsoft.Json.JsonConvert.DeserializeObject <AssertionOptions>(requestJSON);
AuthenticatorAssertionRawResponse assertionResponse = Newtonsoft.Json.JsonConvert.DeserializeObject <AuthenticatorAssertionRawResponse>(resultJSON);
var credentialId = System.Convert.ToBase64String(assertionResponse.Id);
uint storedCounter = 0; // 0 means always success
var publicKey = getStoredPublicKey(credentialId);
var success = fido2.MakeAssertionAsync(assertionResponse, request, publicKey, storedCounter, callback).Result;
var clientDataJson = Newtonsoft.Json.JsonConvert.DeserializeObject <AuthenticatorResponse>(System.Text.UTF8Encoding.UTF8.GetString(assertionResponse.Response.ClientDataJson));
var challenge = clientDataJson.Challenge;
return(new WebAuthnAssertion
{
verified = true,
challenge = System.Convert.ToBase64String(clientDataJson.Challenge),
credentialId = credentialId,
publicKey = System.Convert.ToBase64String(publicKey),
userHandle = assertionResponse.Response.UserHandle
});
}
public static WebAuthnAssertion VerifyAttestationResult(Fido2Configuration fido2Config, string requestJSON, string resultJSON)
{
var fido2 = new Fido2(fido2Config);
IsCredentialIdUniqueToUserAsyncDelegate callback = (IsCredentialIdUniqueToUserParams args) =>
{
var id = args.CredentialId; // generated ID by authenticator(should be always unique for each authenticator, equivalent to client cert)
var u = args.User; // user info, kind of useless as this can be changed by js at client side
return(Task.FromResult(true));
};
var request = Newtonsoft.Json.JsonConvert.DeserializeObject <CredentialCreateOptions>(requestJSON);
AuthenticatorAttestationRawResponse regResponse = Newtonsoft.Json.JsonConvert.DeserializeObject <AuthenticatorAttestationRawResponse>(resultJSON);
var success = fido2.MakeNewCredentialAsync(regResponse, request, callback).Result;
var clientDataJson = Newtonsoft.Json.JsonConvert.DeserializeObject <AuthenticatorResponse>(System.Text.UTF8Encoding.UTF8.GetString(regResponse.Response.ClientDataJson));
var challenge = System.Convert.ToBase64String(clientDataJson.Challenge);
var credentialId = System.Convert.ToBase64String(success.Result.CredentialId);
var publicKey = System.Convert.ToBase64String(success.Result.PublicKey);
var signingCounter = success.Result.Counter; // designed for replay attact prevention but useless for a multiple node situation
var user = success.Result.User;
var aaguid = success.Result.Aaguid;
return(new WebAuthnAssertion
{
verified = true,
challenge = challenge,
credentialId = credentialId,
publicKey = publicKey,
signingCounter = signingCounter,
aaguid = aaguid,
userHandle = request.User.Id
});
}
public AuthenticationController(IMemoryCache memoryCache, IDataStore dataStorage, Fido2 lib, IOptions <IndexingOptions> indexOptions, ElasticClient elasticClient)
{
_memoryCache = memoryCache;
_dataStore = dataStorage;
_lib = lib;
_indexOptions = indexOptions.Value;
_elasticClient = elasticClient;
}
public RegistrationController(IDataStore dataStore, IMemoryCache memoryCache, Fido2 lib, ElasticClient elasticClient, IOptions <IndexingOptions> indexOptions)
{
_memoryCache = memoryCache;
_dataStore = dataStore;
_lib = lib;
_elasticClient = elasticClient;
_indexOptions = indexOptions.Value;
}
public async Task TestFido2AssertionWithExistingU2fRegistrationWithAppId()
{
// u2f registration with appId
var appId = "https://localhost:44336";
var keyHandleData = Base64Url.Decode("2uzGTqu9XGoDQpRBhkv3qDYWzEEZrDjOHT94fHe3J9VXl6KpaY6jL1C4gCAVSBCWZejOn-EYSyXfiG7RDQqgKw");
var publicKeyData = Base64Url.Decode("BEKJkJiDzo8wlrYbAHmyz5a5vShbkStO58ZO7F-hy4fvBp6TowCZoV2dNGcxIN1yT18799bb_WuP0Yq_DSv5a-U");
//key as cbor
var publicKey = CreatePublicKeyFromU2fRegistrationData(keyHandleData, publicKeyData);
var options = new AssertionOptions
{
Challenge = Base64Url.Decode("mNxQVDWI8+ahBXeQJ8iS4jk5pDUd5KetZGVOwSkw2X0"),
RpId = "localhost",
AllowCredentials = new[]
{
new PublicKeyCredentialDescriptor
{
Id = keyHandleData,
Type = PublicKeyCredentialType.PublicKey
}
},
Extensions = new AuthenticationExtensionsClientInputs
{
AppID = appId
}
};
var authResponse = new AuthenticatorAssertionRawResponse
{
Id = keyHandleData,
RawId = keyHandleData,
Type = PublicKeyCredentialType.PublicKey,
Extensions = new AuthenticationExtensionsClientOutputs
{
AppID = true
},
Response = new AuthenticatorAssertionRawResponse.AssertionResponse
{
AuthenticatorData = Base64Url.Decode("B6_fPoU4uitIYRHXuNfpbqt5mrDWz8cp7d1noAUrAucBAAABTQ"),
ClientDataJson = Base64Url.Decode("eyJjaGFsbGVuZ2UiOiJtTnhRVkRXSTgtYWhCWGVRSjhpUzRqazVwRFVkNUtldFpHVk93U2t3MlgwIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMzYiLCJ0eXBlIjoid2ViYXV0aG4uZ2V0In0"),
Signature = Base64Url.Decode("MEQCICHV36RVY9DdFmKZgxF5Z_yScpPPsKcj__8KcPmngtGHAiAq_SzmTY8rZz4-5uNNiz3h6xO9osNTh7O7Mjqtoxul8w")
}
};
IFido2 fido2 = new Fido2(new Fido2Configuration
{
Origins = new System.Collections.Generic.HashSet <string> {
"https://localhost:44336"
} //data was generated with this origin
});
var res = await fido2.MakeAssertionAsync(authResponse, options, publicKey.Encode(), 0, null);
Assert.Equal("ok", res.Status);
}
public TestController(IConfiguration config)
{
_lib = new Fido2(new Fido2.Configuration()
{
ServerDomain = config["fido2:serverDomain"],
ServerName = "Fido2 test",
Origin = config["fido2:origin"],
MetadataService = MDSMetadata.Instance(config["fido2:MDSAccessKey"], config["fido2:MDSCacheDirPath"])
});
}
protected override void OnCreate(Bundle savedInstanceState)
{
base.OnCreate(savedInstanceState);
Xamarin.Essentials.Platform.Init(this, savedInstanceState);
SetContentView(Resource.Layout.activity_fido2_demo_main);
InitiateViews();
fido2Client = Fido2.GetFido2Client(this);
}
public WebAuthnController()
{
var config = WebAuthnLogic.GetConfig();
fido2 = new Fido2(new Fido2Configuration
{
ServerDomain = config.ServerDomain,
ServerName = config.ServerName,
Origin = config.Origin,
TimestampDriftTolerance = 300000,
});
}
public MyController(IConfiguration config)
{
var MDSAccessKey = config["fido2:MDSAccessKey"];
_lib = new Fido2(new Fido2.Configuration()
{
ServerDomain = config["fido2:serverDomain"],
ServerName = "Fido2 test",
Origin = config["fido2:origin"],
// Only create and use Metadataservice if we have and acesskey
MetadataService = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, config["fido2:MDSCacheDirPath"])
});
}
public AccountController(
IIdentityServerInteractionService interaction,
IClientStore clientStore,
IAuthenticationSchemeProvider schemeProvider,
IEventService events,
UserManager <User> users,
IUserStore <User> userStore,
IResourceOwnerPasswordValidator validator,
IPasswordHasher <User> passwordHasher,
SignInManager <User> signInManager,
AuthenticationContext authenticationContext,
IConfiguration configuration,
IJsonHelper jsonHelper)
{
// if the TestUserStore is not in DI, then we'll just use the global users collection
// this is where you would plug in your own custom identity management library (e.g. ASP.NET Identity)
_users = users;
_userStore = userStore;
_signInManager = signInManager;
_interaction = interaction;
_clientStore = clientStore;
_schemeProvider = schemeProvider;
_events = events;
_validator = validator;
_passwordHasher = passwordHasher;
_authenticationContext = authenticationContext;
_jsonHelper = jsonHelper;
var invalidToken = "6d6b44d78b09fed0c5559e34c71db291d0d322d4d4de0000";
_origin = configuration["Fido2:Origin"];
var MDSAccessKey = configuration["fido2:MDSAccessKey"];
var MDSCacheDirPath = configuration["fido2:MDSCacheDirPath"] ?? Path.Combine(Path.GetTempPath(), "fido2mdscache");
_mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, MDSCacheDirPath);
if (null != _mds)
{
if (false == _mds.IsInitialized())
{
_mds.Initialize().Wait();
}
}
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = configuration["Fido2:ServerDomain"],
ServerName = "Fido2 Identity Server",
Origin = _origin,
MetadataService = _mds
});
}
public TestController(IConfiguration config)
{
var MDSAccessKey = config["fido2:MDSAccessKey"];
_mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, config["fido2:MDSCacheDirPath"]);
_origin = config["fido2:origin"];
_lib = new Fido2(new Fido2.Configuration()
{
ServerDomain = config["fido2:serverDomain"],
ServerName = "Fido2 test",
Origin = _origin,
MetadataService = _mds
});
}
public static string MakeWebAuthnAttestationRequest(Fido2Configuration fido2Config, byte[] challenge, LoginUsr LUser, List <PublicKeyCredentialDescriptor> excludedCredentials)
{
string usrId = LUser.UsrId.ToString();
string usrIdB64 = System.Convert.ToBase64String(usrId.ToUtf8ByteArray());
Fido2User user = new Fido2User
{
DisplayName = LUser.UsrName,
/* must be restricted to no more than than 64 for device like yubikey as it would fail without reason */
//Name = (Guid.NewGuid().ToString() + " " + DateTime.UtcNow.ToString("o")).Left(64),
//Id= Guid.NewGuid().ToString().ToUtf8ByteArray()
Name = LUser.LoginName,
Id = usrIdB64.ToUtf8ByteArray()
};
AuthenticatorSelection authenticatorSelection = new AuthenticatorSelection
{
RequireResidentKey = false,
UserVerification = UserVerificationRequirement.Discouraged,
// AuthenticatorAttachment = AuthenticatorAttachment.Platform,
};
AttestationConveyancePreference attConveyancePreference = AttestationConveyancePreference.None;
AuthenticationExtensionsClientInputs clientExtensions = new AuthenticationExtensionsClientInputs
{
Extensions = true,
SimpleTransactionAuthorization = string.Format("you are registering to {0}", fido2Config.ServerName),
Location = true,
UserVerificationMethod = true,
BiometricAuthenticatorPerformanceBounds = new AuthenticatorBiometricPerfBounds
{
FAR = float.MaxValue,
FRR = float.MaxValue
}
};
var fido2 = new Fido2(fido2Config);
// must do this for the verification to work
var options = fido2.RequestNewCredential(user, excludedCredentials, authenticatorSelection, attConveyancePreference, clientExtensions);
// the challenge is random byte but we need more info, replace it
options.Challenge = challenge;
var createRequest = Fido2NetLib.CredentialCreateOptions.Create(fido2Config
, challenge, user, authenticatorSelection, attConveyancePreference
, excludedCredentials != null && excludedCredentials.Count > 0 ? excludedCredentials : null
, clientExtensions);
string createRequestJson = options.ToJson();
return(createRequestJson);
}
public TestController(IConfiguration config)
{
// Sample bogus key from https://fidoalliance.org/metadata/
var invalidToken = "6d6b44d78b09fed0c5559e34c71db291d0d322d4d4de0000";
_origin = config["fido2:origin"];
_mds = MDSMetadata.ConformanceInstance(invalidToken, config["fido2:MDSCacheDirPath"], _origin);
_lib = new Fido2(new Fido2.Configuration()
{
ServerDomain = config["fido2:serverDomain"],
ServerName = "Fido2 test",
Origin = _origin,
MetadataService = _mds
});
}
public MfaFido2SignInFidoController(
Fido2Store fido2Store,
SignInManager <IdentityUser> signInManager,
IOptions <Fido2Configuration> optionsFido2Configuration)
{
_optionsFido2Configuration = optionsFido2Configuration;
_signInManager = signInManager;
_fido2Store = fido2Store;
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = _optionsFido2Configuration.Value.ServerDomain,
ServerName = _optionsFido2Configuration.Value.ServerName,
Origin = _optionsFido2Configuration.Value.Origin,
TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance
});
}
public PwFido2RegisterController(
Fido2Store fido2Store,
UserManager <IdentityUser> userManager,
IOptions <Fido2Configuration> optionsFido2Configuration)
{
_userManager = userManager;
_optionsFido2Configuration = optionsFido2Configuration;
_fido2Store = fido2Store;
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = _optionsFido2Configuration.Value.ServerDomain,
ServerName = _optionsFido2Configuration.Value.ServerName,
Origin = _optionsFido2Configuration.Value.Origin,
TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance
});
}
public MfaFido2SignInFidoController(
Fido2Storage fido2Storage,
UserManager <ApplicationUser> userManager,
SignInManager <ApplicationUser> signInManager,
IOptions <Fido2Configuration> optionsFido2Configuration,
IOptions <Fido2MdsConfiguration> optionsFido2MdsConfiguration,
IStringLocalizerFactory factory)
{
_userManager = userManager;
_optionsFido2Configuration = optionsFido2Configuration;
_optionsFido2MdsConfiguration = optionsFido2MdsConfiguration;
_signInManager = signInManager;
_userManager = userManager;
_fido2Storage = fido2Storage;
var type = typeof(SharedResource);
var assemblyName = new AssemblyName(type.GetTypeInfo().Assembly.FullName);
_sharedLocalizer = factory.Create("SharedResource", assemblyName.Name);
var MDSCacheDirPath = _optionsFido2MdsConfiguration.Value.MDSCacheDirPath ?? Path.Combine(Path.GetTempPath(), "fido2mdscache");
_mds = string.IsNullOrEmpty(_optionsFido2MdsConfiguration.Value.MDSAccessKey) ? null : MDSMetadata.Instance(
_optionsFido2MdsConfiguration.Value.MDSAccessKey, MDSCacheDirPath);
if (null != _mds)
{
if (false == _mds.IsInitialized())
{
_mds.Initialize().Wait();
}
}
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = _optionsFido2Configuration.Value.ServerDomain,
ServerName = _optionsFido2Configuration.Value.ServerName,
Origin = _optionsFido2Configuration.Value.Origin,
// Only create and use Metadataservice if we have an acesskey
MetadataService = _mds,
TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance
});
}
public AccountManageController(
UserManager <ApplicationUser> userManager,
UrlEncoder urlEncoder,
Fido2Service fido2Service,
IDistributedCache distributedCache,
IConfiguration configuration)
{
_userManager = userManager;
_urlEncoder = urlEncoder;
_fido2Service = fido2Service;
_distributedCache = distributedCache;
_configuration = configuration;
_fido2 = new Fido2(new Fido2Configuration()
{
ServerDomain = _configuration["Fido2ServerDomain"],
ServerName = "MyScimApp",
Origin = _configuration["Fido2Origin"]
});
}
public WebAuthTestController(IConfiguration config)
{
// Sample bogus key from https://fidoalliance.org/metadata/
var invalidToken = "6d6b44d78b09fed0c5559e34c71db291d0d322d4d4de0000";
_origin = config["https://localhost:44329"];
_mds = MDSMetadata.ConformanceInstance(invalidToken, config["fido2:MDSCacheDirPath"], _origin);
if (false == _mds.IsInitialized())
{
_mds.Initialize().Wait();
}
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = config["localhost"],
ServerName = "Fido2 test",
Origin = _origin,
MetadataService = _mds
});
}
public Fido2Service(UserManager <ApplicationUser> userManager,
SignInManager <ApplicationUser> signInManager,
IAsyncRepository <FidoStoredCredential> fidoCredentialsRepository,
IAsyncRepository <ApplicationUser> applicationUserRepository,
IOptions <Fido2Configuration> fido2Configuration,
IMemoryCache memoryCache)
{
_userManager = userManager;
_signInManager = signInManager;
_fidoCredentialsRepository = fidoCredentialsRepository;
_applicationUserRepository = applicationUserRepository;
_fido2Configuration = fido2Configuration;
_memoryCache = memoryCache;
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = _fido2Configuration.Value.ServerDomain,
ServerName = _fido2Configuration.Value.ServerName,
Origin = _fido2Configuration.Value.Origin,
TimestampDriftTolerance = _fido2Configuration.Value.TimestampDriftTolerance
});
}
public MyController(IConfiguration config)
{
var MDSAccessKey = config["fido2:MDSAccessKey"];
_mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, config["fido2:MDSCacheDirPath"]);
if (null != _mds)
{
if (false == _mds.IsInitialized())
{
_mds.Initialize().Wait();
}
}
_origin = config["fido2:origin"];
_lib = new Fido2(new Configuration()
{
ServerDomain = config["fido2:serverDomain"],
ServerName = "Fido2 test",
Origin = _origin,
// Only create and use Metadataservice if we have an acesskey
MetadataService = _mds
});
}
public RegisterFido2Controller(IConfiguration config, Fido2Storage fido2Storage, UserManager <IdentityUser> userManager, IDistributedCache distributedCache)
{
_userManager = userManager;
_fido2Storage = fido2Storage;
_distributedCache = distributedCache;
var MDSAccessKey = config["fido2:MDSAccessKey"];
var MDSCacheDirPath = config["fido2:MDSCacheDirPath"] ?? Path.Combine(Path.GetTempPath(), "fido2mdscache");
_mds = string.IsNullOrEmpty(MDSAccessKey) ? null : MDSMetadata.Instance(MDSAccessKey, MDSCacheDirPath);
if (null != _mds)
{
if (false == _mds.IsInitialized())
{
_mds.Initialize().Wait();
}
}
_origin = config["fido2:origin"];
if (_origin == null)
{
_origin = "https://localhost:44388";
}
var domain = config["fido2:serverDomain"];
if (domain == null)
{
domain = "localhost";
}
_lib = new Fido2(new Fido2Configuration()
{
ServerDomain = domain,
ServerName = "Fido2IdentityMfa",
Origin = _origin,
// Only create and use Metadataservice if we have an acesskey
MetadataService = _mds,
TimestampDriftTolerance = config.GetValue <int>("fido2:TimestampDriftTolerance")
});
}
public AccountController(
UserManager <ApplicationUser> userManager,
SignInManager <ApplicationUser> signInManager,
IIdentityServerInteractionService interaction,
ApplicationDbContext applicationDbContext,
Fido2Service fido2Service,
IDistributedCache distributedCache,
IConfiguration configuration)
{
_userManager = userManager;
_signInManager = signInManager;
_interaction = interaction;
_applicationDbContext = applicationDbContext;
_fido2Service = fido2Service;
_distributedCache = distributedCache;
_configuration = configuration;
_fido2 = new Fido2(new Fido2Configuration()
{
ServerDomain = _configuration["Fido2ServerDomain"],
ServerName = "MyScimApp",
Origin = _configuration["Fido2Origin"]
});
}
public static string MakeWebAuthnAssertionRequest(Fido2Configuration fido2Config, byte[] challenge, List <PublicKeyCredentialDescriptor> allowedCredentials)
{
AuthenticatorSelection authSelection = new AuthenticatorSelection
{
RequireResidentKey = false,
UserVerification = UserVerificationRequirement.Preferred,
// AuthenticatorAttachment = null,
};
AuthenticationExtensionsClientInputs clientExtensions = new AuthenticationExtensionsClientInputs
{
Extensions = true,
SimpleTransactionAuthorization = string.Format("you are registering to {0}", fido2Config.ServerName),
Location = true,
UserVerificationMethod = true,
};
var fido2 = new Fido2(fido2Config);
var assertionRequest = Fido2NetLib.AssertionOptions.Create(fido2Config, challenge, allowedCredentials, UserVerificationRequirement.Preferred, clientExtensions);
string assertionRequestJson = assertionRequest.ToJson();
return(assertionRequestJson);
}
internal async void MakeAssertionResponse(COSE.KeyType kty, COSE.Algorithm alg, COSE.EllipticCurve crv = COSE.EllipticCurve.P256)
{
const string rp = "fido2.azurewebsites.net";
byte[] rpId = Encoding.UTF8.GetBytes(rp);
var rpIdHash = SHA256.Create().ComputeHash(rpId);
var flags = AuthenticatorFlags.AT | AuthenticatorFlags.ED | AuthenticatorFlags.UP | AuthenticatorFlags.UV;
const ushort signCount = 0xf1d0;
var aaguid = new Guid("F1D0F1D0-F1D0-F1D0-F1D0-F1D0F1D0F1D0");
var credentialID = new byte[] { 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, 0xf1, 0xd0, };
CredentialPublicKey cpk = null;
ECDsa ecdsa = null;
RSA rsa = null;
byte[] expandedPrivateKey = null;
switch (kty)
{
case COSE.KeyType.EC2:
{
ecdsa = MakeECDsa(alg, crv);
var ecparams = ecdsa.ExportParameters(true);
cpk = MakeCredentialPublicKey(kty, alg, crv, ecparams.Q.X, ecparams.Q.Y);
break;
}
case COSE.KeyType.RSA:
{
rsa = RSA.Create();
var rsaparams = rsa.ExportParameters(true);
cpk = MakeCredentialPublicKey(kty, alg, rsaparams.Modulus, rsaparams.Exponent);
break;
}
case COSE.KeyType.OKP:
{
MakeEdDSA(out var privateKeySeed, out var publicKey, out expandedPrivateKey);
cpk = MakeCredentialPublicKey(kty, alg, COSE.EllipticCurve.Ed25519, publicKey);
break;
}
throw new ArgumentOutOfRangeException(nameof(kty), $"Missing or unknown kty {kty}");
}
var acd = new AttestedCredentialData(aaguid, credentialID, cpk);
var extBytes = CBORObject.NewMap().Add("testing", true).EncodeToBytes();
var exts = new Extensions(extBytes);
var ad = new AuthenticatorData(rpIdHash, flags, signCount, acd, exts);
var authData = ad.ToByteArray();
var challenge = new byte[128];
var rng = RandomNumberGenerator.Create();
rng.GetBytes(challenge);
var clientData = new
{
Type = "webauthn.get",
Challenge = challenge,
Origin = rp,
};
var clientDataJson = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(clientData));
var sha = SHA256.Create();
var hashedClientDataJson = sha.ComputeHash(clientDataJson);
byte[] data = new byte[authData.Length + hashedClientDataJson.Length];
Buffer.BlockCopy(authData, 0, data, 0, authData.Length);
Buffer.BlockCopy(hashedClientDataJson, 0, data, authData.Length, hashedClientDataJson.Length);
byte[] signature = null;
switch (kty)
{
case COSE.KeyType.EC2:
{
signature = ecdsa.SignData(data, CryptoUtils.algMap[(int)alg]);
break;
}
case COSE.KeyType.RSA:
{
RSASignaturePadding padding;
switch (alg) // https://www.iana.org/assignments/cose/cose.xhtml#algorithms
{
case COSE.Algorithm.PS256:
case COSE.Algorithm.PS384:
case COSE.Algorithm.PS512:
padding = RSASignaturePadding.Pss;
break;
case COSE.Algorithm.RS1:
case COSE.Algorithm.RS256:
case COSE.Algorithm.RS384:
case COSE.Algorithm.RS512:
padding = RSASignaturePadding.Pkcs1;
break;
default:
throw new ArgumentOutOfRangeException(nameof(alg), $"Missing or unknown alg {alg}");
}
signature = rsa.SignData(data, CryptoUtils.algMap[(int)alg], padding);
break;
}
case COSE.KeyType.OKP:
{
signature = Ed25519.Sign(data, expandedPrivateKey);
break;
}
default:
throw new ArgumentOutOfRangeException(nameof(kty), $"Missing or unknown kty {kty}");
}
if (kty == COSE.KeyType.EC2)
{
signature = EcDsaSigFromSig(signature, ecdsa.KeySize);
}
var userHandle = new byte[16];
rng.GetBytes(userHandle);
var assertion = new AuthenticatorAssertionRawResponse.AssertionResponse()
{
AuthenticatorData = authData,
Signature = signature,
ClientDataJson = clientDataJson,
UserHandle = userHandle,
};
var lib = new Fido2(new Fido2Configuration()
{
ServerDomain = rp,
ServerName = rp,
Origin = rp,
});
var existingCredentials = new List <PublicKeyCredentialDescriptor>();
var cred = new PublicKeyCredentialDescriptor
{
Type = PublicKeyCredentialType.PublicKey,
Id = new byte[] { 0xf1, 0xd0 }
};
existingCredentials.Add(cred);
var options = lib.GetAssertionOptions(existingCredentials, null, null);
options.Challenge = challenge;
var response = new AuthenticatorAssertionRawResponse()
{
Response = assertion,
Type = PublicKeyCredentialType.PublicKey,
Id = new byte[] { 0xf1, 0xd0 },
RawId = new byte[] { 0xf1, 0xd0 },
};
IsUserHandleOwnerOfCredentialIdAsync callback = (args) =>
{
return(Task.FromResult(true));
};
var res = await lib.MakeAssertionAsync(response, options, cpk.GetBytes(), signCount - 1, callback);
}
