Add demo API endpoint for finishing a U2F registration

emlun · emlun · commit ed82ee0ea606 · 2018-09-28T22:07:25.000+02:00
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnRestResource.java
@@ -115,6 +115,7 @@ private StartRegistrationResponse(RegistrationRequest request) throws MalformedU
     }
     private final class StartRegistrationActions {
         public final URL finish = uriInfo.getAbsolutePathBuilder().path("finish").build().toURL();
+        public final URL finishU2f = uriInfo.getAbsolutePathBuilder().path("finish-u2f").build().toURL();
         private StartRegistrationActions() throws MalformedURLException {
         }
     }
@@ -158,6 +159,19 @@ public Response finishRegistration(@NonNull String responseJson) {
         );
     }
 
+    @Path("register/finish-u2f")
+    @POST
+    public Response finishU2fRegistration(@NonNull String responseJson) {
+        logger.trace("finishRegistration responseJson: {}", responseJson);
+        Either<List<String>, WebAuthnServer.SuccessfulU2fRegistrationResult> result = server.insecureFinishU2fRegistration(responseJson);
+        return finishResponse(
+            result,
+            "U2F registration failed; further error message(s) were unfortunately lost to an internal server error.",
+            "finishU2fRegistration",
+            responseJson
+        );
+    }
+
     private final class StartAuthenticationResponse {
         public final boolean success = true;
         public final AssertionRequest request;
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java b/webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java
@@ -17,6 +17,7 @@
 import com.yubico.webauthn.RelyingParty;
 import com.yubico.webauthn.StartAssertionOptions;
 import com.yubico.webauthn.StartRegistrationOptions;
+import com.yubico.webauthn.attestation.Attestation;
 import com.yubico.webauthn.attestation.MetadataResolver;
 import com.yubico.webauthn.attestation.MetadataService;
 import com.yubico.webauthn.attestation.StandardMetadataService;
@@ -25,7 +26,9 @@
 import com.yubico.webauthn.attestation.resolver.SimpleResolverWithEquality;
 import com.yubico.webauthn.data.AssertionResult;
 import com.yubico.webauthn.data.AttestationConveyancePreference;
+import com.yubico.webauthn.data.AttestationType;
 import com.yubico.webauthn.data.ByteArray;
+import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
 import com.yubico.webauthn.data.PublicKeyCredentialParameters;
 import com.yubico.webauthn.data.RegistrationResult;
 import com.yubico.webauthn.data.RelyingPartyIdentity;
@@ -39,9 +42,11 @@
 import demo.webauthn.data.CredentialRegistration;
 import demo.webauthn.data.RegistrationRequest;
 import demo.webauthn.data.RegistrationResponse;
+import demo.webauthn.data.U2fRegistrationResponse;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.Clock;
@@ -230,6 +235,16 @@ public SuccessfulRegistrationResult(RegistrationRequest request, RegistrationRes
         }
     }
 
+    @Value
+    public class SuccessfulU2fRegistrationResult {
+        final boolean success = true;
+        final RegistrationRequest request;
+        final U2fRegistrationResponse response;
+        final CredentialRegistration registration;
+        boolean attestationTrusted;
+        Optional<AttestationCertInfo> attestationCert;
+    }
+
     @Value
     public static class AttestationCertInfo {
         final ByteArray der;
@@ -298,6 +313,76 @@ public Either<List<String>, SuccessfulRegistrationResult> finishRegistration(Str
         }
     }
 
+    /**
+     * NOTE: This method does not validate the result. This sole purpose of
+     * this feature is to enable testing that the "appid" extension works. This
+     * requires a credential registered via the U2F API instead of the WebAuthn
+     * API. Since WebAuthn is backwards compatible only with U2F
+     * authentication, not registration, this method is used to sidestep the
+     * WebAuthn module and just add the credential to the database of
+     * registrations.
+     *
+     * This is NOT an example of good code. DO NOT base any code off this as an
+     * example.
+     */
+    public Either<List<String>, SuccessfulU2fRegistrationResult> insecureFinishU2fRegistration(String responseJson) {
+        logger.trace("insecureFinishU2fRegistration responseJson: {}", responseJson);
+        U2fRegistrationResponse response = null;
+        try {
+            response = jsonMapper.readValue(responseJson, U2fRegistrationResponse.class);
+        } catch (IOException e) {
+            logger.error("JSON error in insecureFinishU2fRegistration; responseJson: {}", responseJson, e);
+            return Either.left(Arrays.asList("Registration failed!", "Failed to decode response object.", e.getMessage()));
+        }
+
+        RegistrationRequest request = registerRequestStorage.getIfPresent(response.getRequestId());
+        registerRequestStorage.invalidate(response.getRequestId());
+
+        if (request == null) {
+            logger.debug("fail insecureFinishU2fRegistration responseJson: {}", responseJson);
+            return Either.left(Arrays.asList("Registration failed!", "No such registration in progress."));
+        } else {
+            X509Certificate attestationCert = null;
+            try {
+                attestationCert = CertificateParser.parseDer(response.getCredential().getU2fResponse().getAttestationCert().getBytes());
+            } catch (CertificateException e) {
+                logger.error("Failed to parse attestation certificate: {}", response.getCredential().getU2fResponse().getAttestationCert(), e);
+            }
+
+            Optional<Attestation> attestation = Optional.empty();
+            try {
+                if (attestationCert != null) {
+                    attestation = Optional.of(metadataService.getAttestation(Collections.singletonList(attestationCert)));
+                }
+            } catch (CertificateEncodingException e) {
+                logger.error("Failed to resolve attestation", e);
+            }
+
+            final RegistrationResult result = RegistrationResult.builder()
+                .attestationMetadata(attestation)
+                .attestationTrusted(attestation.map(Attestation::isTrusted).orElse(false))
+                .attestationType(AttestationType.BASIC)
+                .keyId(PublicKeyCredentialDescriptor.builder().id(response.getCredential().getU2fResponse().getKeyHandle()).build())
+                .publicKeyCose(WebAuthnCodecs.rawEcdaKeyToCose(response.getCredential().getU2fResponse().getPublicKey()))
+                .build();
+
+            return Either.right(
+                new SuccessfulU2fRegistrationResult(
+                    request,
+                    response,
+                    addRegistration(
+                        request.getPublicKeyCredentialCreationOptions().getUser(),
+                        request.getCredentialNickname(),
+                        0,
+                        result
+                    ),
+                    result.isAttestationTrusted(),
+                    Optional.of(new AttestationCertInfo(response.getCredential().getU2fResponse().getAttestationCert()))
+                )
+            );
+        }
+    }
+
     public Either<List<String>, AssertionRequest> startAuthentication(Optional<String> username) {
         logger.trace("startAuthentication username: {}", username);
 
@@ -457,13 +542,27 @@ private CredentialRegistration addRegistration(
         Optional<String> nickname,
         RegistrationResponse response,
         RegistrationResult registration
+    ) {
+        return addRegistration(
+            userIdentity,
+            nickname,
+            response.getCredential().getResponse().getAttestation().getAuthenticatorData().getSignatureCounter(),
+            registration
+        );
+    }
+
+    private CredentialRegistration addRegistration(
+        UserIdentity userIdentity,
+        Optional<String> nickname,
+        long signatureCount,
+        RegistrationResult registration
     ) {
         CredentialRegistration reg = CredentialRegistration.builder()
             .userIdentity(userIdentity)
             .credentialNickname(nickname)
             .registrationTime(clock.instant())
             .registration(registration)
-            .signatureCount(response.getCredential().getResponse().getAttestation().getAuthenticatorData().getSignatureCounter())
+            .signatureCount(signatureCount)
             .build();
 
         logger.debug(
@@ -477,4 +576,5 @@ private CredentialRegistration addRegistration(
         userStorage.addRegistrationByUsername(userIdentity.getName(), reg);
         return reg;
     }
+
 }
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/data/U2fCredential.java b/webauthn-server-demo/src/main/java/demo/webauthn/data/U2fCredential.java
@@ -0,0 +1,20 @@
+package demo.webauthn.data;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.NonNull;
+import lombok.Value;
+
+@Value
+public class U2fCredential {
+
+    private final U2fCredentialResponse u2fResponse;
+
+    @JsonCreator
+    public U2fCredential(
+        @NonNull @JsonProperty("u2fResponse") U2fCredentialResponse u2fResponse
+    ) {
+        this.u2fResponse = u2fResponse;
+    }
+
+}
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/data/U2fCredentialResponse.java b/webauthn-server-demo/src/main/java/demo/webauthn/data/U2fCredentialResponse.java
@@ -0,0 +1,27 @@
+package demo.webauthn.data;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.yubico.webauthn.data.ByteArray;
+import lombok.NonNull;
+import lombok.Value;
+
+@Value
+public class U2fCredentialResponse {
+
+    private final ByteArray keyHandle;
+    private final ByteArray publicKey;
+    private final ByteArray attestationCert;
+
+    @JsonCreator
+    public U2fCredentialResponse(
+        @NonNull @JsonProperty("keyHandle") ByteArray keyHandle,
+        @NonNull@JsonProperty("publicKey") ByteArray publicKey,
+        @NonNull@JsonProperty("attestationCert") ByteArray attestationCert
+    ) {
+        this.keyHandle = keyHandle;
+        this.publicKey = publicKey;
+        this.attestationCert = attestationCert;
+    }
+
+}
diff --git a/webauthn-server-demo/src/main/java/demo/webauthn/data/U2fRegistrationResponse.java b/webauthn-server-demo/src/main/java/demo/webauthn/data/U2fRegistrationResponse.java
@@ -0,0 +1,24 @@
+package demo.webauthn.data;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.yubico.webauthn.data.ByteArray;
+import lombok.NonNull;
+import lombok.Value;
+
+@Value
+public class U2fRegistrationResponse {
+
+    private final ByteArray requestId;
+    private final U2fCredential credential;
+
+    @JsonCreator
+    public U2fRegistrationResponse(
+        @NonNull @JsonProperty("requestId") ByteArray requestId,
+        @NonNull @JsonProperty("credential") U2fCredential credential
+    ) {
+        this.requestId = requestId;
+        this.credential = credential;
+    }
+
+}
