public KeySignResponse Authenticate(KeySignRequest keySignRequest)
{
while (true)
{
var result = key.SignAsync(keySignRequest).Result;
switch (result.Status)
{
case KeyResponseStatus.Success:
Debug.Assert(result.Data != null, "no data for success");
return(result.Data);
case KeyResponseStatus.TestOfuserPresenceRequired:
Console.WriteLine("User presence required");
Thread.Sleep(100);
continue;
case KeyResponseStatus.Failure:
throw new U2FException("Failure: " + result.Raw.Status);
case KeyResponseStatus.BadKeyHandle:
throw new U2FException("Bad key handle");
default:
throw new ArgumentOutOfRangeException();
}
}
}
/// <exception cref="U2FException" />
public KeySignResponse Authenticate(KeySignRequest keySignRequest)
{
if (keySignRequest == null)
{
throw new ArgumentNullException(nameof(keySignRequest));
}
log.Info(">> authenticate");
var applicationSha256 = keySignRequest.ApplicationSha256;
var challengeSha256 = keySignRequest.ChallengeSha256;
var keyHandle = keySignRequest.KeyHandle;
log.Info(" -- Inputs --");
log.Info(" applicationSha256: " + applicationSha256.ToHexString());
log.Info(" challengeSha256: " + challengeSha256.ToHexString());
log.Info(" keyHandle: " + keyHandle.ToHexString());
var keyPair = dataStore.GetKeyPair(keyHandle);
var counter = dataStore.IncrementCounter();
var userPresence = userPresenceVerifier.VerifyUserPresence();
var signedData = RawMessageCodec.EncodeKeySignSignedBytes(applicationSha256, userPresence, counter,
challengeSha256);
log.Info("Signing bytes " + signedData.ToHexString());
var signature = crypto.Sign(signedData, keyPair.PrivateKey);
log.Info(" -- Outputs --");
log.Info(" userPresence: " + userPresence);
log.Info(" counter: " + counter);
log.Info(" signature: " + signature.ToHexString());
log.Info("<< authenticate");
return(new KeySignResponse(userPresence, counter, signature));
}
public virtual void TestEncodeAuthenticateRequest()
{
var authenticateRequest = new KeySignRequest(U2FVersion.V2,
BROWSER_DATA_SIGN_SHA256, APP_ID_SIGN_SHA256, KEY_HANDLE);
var encodedBytes = RawMessageCodec.EncodeKeySignRequest(authenticateRequest);
CollectionAssert.AreEqual(SIGN_REQUEST_DATA, encodedBytes);
}
public virtual void TestDecodeAuthenticateRequest()
{
KeySignRequest keySignRequest = RawMessageCodec
.DecodeKeySignRequest(SIGN_REQUEST_DATA);
Assert.AreEqual(new KeySignRequest
(U2FVersion.V2, BROWSER_DATA_SIGN_SHA256
, APP_ID_SIGN_SHA256, KEY_HANDLE), keySignRequest);
}
SignInfo GenerateSignInfo(SignRequest signRequest)
{
var clientDataB64 = ClientDataCodec.EncodeClientData(ClientDataCodec.RequestTypeAuthenticate, signRequest.Challenge,
sender.Origin, sender.ChannelId);
var clientDataSha256 = crypto.ComputeSha256(clientDataB64);
var appIdSha256 = crypto.ComputeSha256(signRequest.AppId);
var keyHandle = WebSafeBase64Converter.FromBase64String(signRequest.KeyHandle);
var authRequest = new KeySignRequest(U2FVersion.V2,
clientDataSha256, appIdSha256, keyHandle);
return(new SignInfo(signRequest, clientDataB64, authRequest));
}
public virtual void TestAuthenticate()
{
var authenticateRequest = new KeySignRequest(U2FVersion.V2,
BROWSER_DATA_SIGN_SHA256, APP_ID_SIGN_SHA256, KEY_HANDLE);
var authenticateResponse = u2FKey.Authenticate(authenticateRequest);
Assert.AreEqual(UserPresenceVerifierConstants.UserPresentFlag, authenticateResponse.UserPresence);
Assert.AreEqual(COUNTER_VALUE, authenticateResponse.Counter);
var ecdsaSignature = SignerUtilities.GetSigner("SHA-256withECDSA");
ecdsaSignature.Init(false, USER_PUBLIC_KEY_SIGN);
ecdsaSignature.BlockUpdate(EXPECTED_AUTHENTICATE_SIGNED_BYTES, 0, EXPECTED_AUTHENTICATE_SIGNED_BYTES.Length);
Assert.IsTrue(ecdsaSignature.VerifySignature(authenticateResponse.Signature));
}
public async Task <KeyResponse <KeySignResponse> > SignAsync(KeySignRequest request,
CancellationToken cancellationToken = new CancellationToken(),
bool noWink = false)
{
var flags = noWink
? EnforceUserPresenceAndSign | InteractionFlags.TestSignatureOnly
: EnforceUserPresenceAndSign;
var message = ApduMessageCodec.EncodeAuthenticateRequest(
new KeyRequest <KeySignRequest>(request, flags));
var response = await QueryApduAsync(message, cancellationToken);
return(ApduMessageCodec.DecodeAuthenticateReponse(response));
}
/// <exception cref="U2FException"/>
public static byte[] EncodeKeySignRequest([NotNull] KeySignRequest keySignRequest)
{
if (keySignRequest == null)
{
throw new ArgumentNullException(nameof(keySignRequest));
}
//var controlByte = authenticateRequest.Control;
var appIdSha256 = keySignRequest.ApplicationSha256;
var challengeSha256 = keySignRequest.ChallengeSha256;
var keyHandle = keySignRequest.KeyHandle;
if (keyHandle.Length > 255)
{
throw new U2FException("keyHandle length cannot be longer than 255 bytes!");
}
int size;
switch (keySignRequest.Version)
{
case U2FVersion.V1:
size = appIdSha256.Length + challengeSha256.Length + keyHandle.Length;
break;
case U2FVersion.V2:
size = appIdSha256.Length + challengeSha256.Length + keyHandle.Length + 1;
break;
default:
throw new ArgumentException("Unknown version: " + keySignRequest.Version, nameof(keySignRequest));
}
var result = new byte[size];
using (var writer = new EndianWriter(new MemoryStream(result), Endianness.BigEndian))
{
writer.Write(challengeSha256);
writer.Write(appIdSha256);
if (keySignRequest.Version == U2FVersion.V2)
{
writer.Write((byte)keyHandle.Length);
}
writer.Write(keyHandle);
}
return(result);
}
public Task <KeyResponse <KeySignResponse> > SignAsync(KeySignRequest request, CancellationToken cancellationToken = new CancellationToken(),
bool noWink = false)
{
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}
log.Info(">> authenticate");
var applicationSha256 = request.ApplicationSha256;
var challengeSha256 = request.ChallengeSha256;
var keyHandle = request.KeyHandle;
log.Info(" -- Inputs --");
log.Info(" applicationSha256: " + applicationSha256.ToHexString());
log.Info(" challengeSha256: " + challengeSha256.ToHexString());
log.Info(" keyHandle: " + keyHandle.ToHexString());
var keyPair = dataStore.GetKeyPair(keyHandle);
var counter = dataStore.IncrementCounter();
var userPresent = userPresenceVerifier.VerifyUserPresence();
if ((userPresent & UserPresenceVerifierConstants.UserPresentFlag) == 0)
{
return(TestOfUserPresenceRequired <KeySignResponse>());
}
var signedData = RawMessageCodec.EncodeKeySignSignedBytes(applicationSha256, userPresent, counter,
challengeSha256);
log.Info("Signing bytes " + signedData.ToHexString());
var signature = crypto.Sign(signedData, keyPair.PrivateKey);
log.Info(" -- Outputs --");
log.Info(" userPresence: " + userPresent);
log.Info(" counter: " + counter);
log.Info(" signature: " + signature.ToHexString());
log.Info("<< authenticate");
var response = new KeySignResponse(userPresent, counter, signature);
var responseData = RawMessageCodec.EncodeKeySignResponse(response).Segment();
var apdu = new ApduResponse(ApduResponseStatus.NoError, responseData);
var keyResponse = new KeyResponse <KeySignResponse>(apdu, response, KeyResponseStatus.Success);
return(TaskEx.FromResult(keyResponse));
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="U2FException"/>
public static void SendAuthenticateRequest(Stream outputStream, KeySignRequest keySignRequest)
{
SendRequest(outputStream, CommandAuthenticate,
RawMessageCodec.EncodeKeySignRequest(keySignRequest));
}
public SignInfo(SignRequest signRequest, string clientDataBase64, KeySignRequest keySignRequest)
{
ClientDataBase64 = clientDataBase64;
KeySignRequest = keySignRequest;
SignRequest = signRequest;
}
async Task <SignOperationResult?> TrySignOneRequest(IKey key, bool isFirstPass, KeySignRequest request,
CancellationToken cancellationToken)
{
try
{
var result = await key.SignAsync(request, cancellationToken, isFirstPass);
log.Info(result.Status.ToString());
switch (result.Status)
{
case KeyResponseStatus.BadKeyHandle:
// No use retrying
blacklistedKeyHandles.Add(request.KeyHandle);
break;
case KeyResponseStatus.Success:
return(SignOperationResult.Success(request, result.Data));
}
}
catch (KeyGoneException)
{
// No sense in continuing with this signer, the key isn't physically present anymore
log.DebugFormat("Key '{0}' is gone", keyId);
throw;
}
catch (TaskCanceledException)
{
// Let cancellation bubble up
throw;
}
catch (KeyBusyException)
{
// Maybe it won't be busy later
}
catch (Exception exception)
{
log.Error("Authenticate request failed", exception);
}
return(null);
}
private bool IsBlacklisted(KeySignRequest request)
{
return(blacklistedKeyHandles.Any(h => h.SequenceEqual(request.KeyHandle)));
}
public static SignOperationResult Success(KeySignRequest request, KeySignResponse response)
{
return(new SignOperationResult(KeyResponseStatus.Success, request, response));
}
private SignOperationResult(KeyResponseStatus status, KeySignRequest request, KeySignResponse response)
{
Status = status;
Request = request;
Response = response;
}
