Implement passkeys-get request

purejava · purejava · commit 1c4fac3b30ee · 2024-02-12T13:59:17.000+01:00
diff --git a/README.md b/README.md
@@ -50,6 +50,8 @@ Communication with KeePassXC happens via the KeePassXC protocol. Currently, the
 *   `get-totp`: Request for receiving the current TOTP.
 *   `delete-entry`: Request for deleting an entry in the database, identified by its uuid (KeePassXC 2.7.0 and newer).
 *   `request-autotype`: Request autotype from the KeePassXC database (KeePassXC 2.7.0 and newer).
+*   `passkeys-get`: Request for Passkeys authentication (KeePassXC 2.8.0 and newer).
+*   `passkeys-register`: Request for Passkeys credential registration (KeePassXC 2.8.0 and newer).
 *   `database-locked`: A signal from KeePassXC, the current active database is locked.
 *   `database-unlocked`: A signal from KeePassXC, the current active database is unlocked.
 
diff --git a/src/main/java/org/keepassxc/Connection.java b/src/main/java/org/keepassxc/Connection.java
@@ -708,6 +708,44 @@ public JSONObject passkeysRegister(JSONObject publicKey, String origin, List<Map
 
     }
 
+    /**
+     * Request passkeys-get from the KeePassXC database (KeePassXC 2.8.0 and newer).
+     * @param publicKey An object containing all required information for the public key.
+     * @see <a href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API">Web Authentication API</a> for publicKey contents.
+     * @param origin    The origin the request originates from in the form {@code https://...}
+     * @param list      A list of pairs of associateID and IDKeyPublicKey stored on association.
+     * @return An object that contains the result of the operation. In case authenticating with the Passkey was successful, the response
+     *         looks like: <pre>{@code "response": {
+     *         "authenticatorAttachment": "platform",
+     *         "id": "tX6nBMj5Ksxg6QnTL1ilSwipm_up7rIiYsIQmYTKIAg",
+     *         "response": {
+     *             "authenticatorData": "5Yaf4EYzO6ALp_K7s-p-BQLPSCYVYcKLZptoXwxqQzsFAAAAAA",
+     *             "clientDataJSON": "eyJj...",
+     *             "signature": "MEYC...",
+     *             "userHandle": "DEMO__9fX19ERU1P"
+     *         },
+     *         "type": "public-key"
+     * }}</pre>
+     * In case the authentication failed, the response looks like: <pre>{@code "response": {
+     *         "errorCode": 15
+     * }}</pre>
+     * @throws IOException                 The passkeys-get request failed due to technical reasons.
+     * @throws KeepassProxyAccessException The request could not be processed.
+     */
+    public JSONObject passkeysGet(JSONObject publicKey, String origin, List<Map<String, String>> list) throws IOException, KeepassProxyAccessException {
+        var jsonArray = checkKeysList(list);
+
+        // Send passkeys-get request
+        var nonce = sendEncryptedMessage(Map.of(
+                "action", Message.PASSKEYS_GET.action,
+                "publicKey", publicKey,
+                "origin", ensureNotNull(origin),
+                "keys", jsonArray
+        ));
+        return getEncryptedResponseAndDecrypt(Message.PASSKEYS_GET.action, nonce);
+
+    }
+
     /**
      * Get a String representation of the JSON object.
      *
diff --git a/src/main/java/org/purejava/KeepassProxyAccess.java b/src/main/java/org/purejava/KeepassProxyAccess.java
@@ -464,6 +464,48 @@ public JSONObject passkeysRegister(JSONObject publicKey, String origin, List<Map
         return new JSONObject();
     }
 
+    /**
+     * Request passkeys-get from the KeePassXC database (KeePassXC 2.8.0 and newer).
+     * @param publicKey An object containing all required information for the public key.
+     * @see <a href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API">Web Authentication API</a> for publicKey contents.
+     * @param origin    The origin the request originates from in the form {@code https://...}
+     * @param list      A list of pairs of associateID and IDKeyPublicKey stored on association.
+     * @return An object that contains the result of the operation. In case authenticating with the Passkey was successful, the response
+     *         looks like: <pre>{@code "response": {
+     *         "authenticatorAttachment": "platform",
+     *         "id": "tX6nBMj5Ksxg6QnTL1ilSwipm_up7rIiYsIQmYTKIAg",
+     *         "response": {
+     *             "authenticatorData": "5Yaf4EYzO6ALp_K7s-p-BQLPSCYVYcKLZptoXwxqQzsFAAAAAA",
+     *             "clientDataJSON": "eyJj...",
+     *             "signature": "MEYC...",
+     *             "userHandle": "DEMO__9fX19ERU1P"
+     *         },
+     *         "type": "public-key"
+     * }}</pre>
+     * In case the authentication failed, the response looks like: <pre>{@code "response": {
+     *         "errorCode": 15
+     * }}</pre>
+     */
+    public JSONObject passkeysGet(JSONObject publicKey, String origin, List<Map<String, String>> list) {
+        try {
+            var response = connection.passkeysGet(publicKey, origin, list);
+            if (response.has("response") && response.has("success") && response.getString("success").equals("true")) {
+                try {
+                    var errorCode = response.getJSONObject("response").getInt("errorCode");
+                    throw new KeepassProxyAccessException("ErrorCode: " + errorCode);
+
+                } catch (JSONException e) {
+                    return response.getJSONObject("response"); // PublicKeyCredential
+                }
+            } else {
+                return new JSONObject();
+            }
+        } catch (IOException | KeepassProxyAccessException e) {
+            LOG.info(e.toString(), e.getCause());
+        }
+        return new JSONObject();
+    }
+
     /**
      * Extract the groupUuid for the newly created group.
      * Note: in case a group with the following path was created: level1/level2, only level2 gets returned as name.
diff --git a/src/test/java/org/purejava/UnlockedDatabaseTest.java b/src/test/java/org/purejava/UnlockedDatabaseTest.java
@@ -54,7 +54,11 @@ public void shouldHaveNoErrors() throws InterruptedException {
         LOG.info("Please register the offered Passkey");
         String publicKey = "{\"attestation\":\"direct\",\"authenticatorSelection\":{\"requireResidentKey\":true,\"residentKey\":\"required\",\"userVerification\":\"preferred\"},\"challenge\":\"AICQS3rj6P-dIDb5if3OCte-Y7CEs_BEnpTgoasQRXg\",\"excludeCredentials\":[],\"extensions\":{\"credProps\":true},\"pubKeyCredParams\":[{\"alg\":-7,\"type\":\"public-key\"},{\"alg\":-257,\"type\":\"public-key\"}],\"rp\":{\"id\":\"passkey.org\",\"name\":\"Yubico Demo\"},\"timeout\":90000,\"user\":{\"displayName\":\"purejava\",\"id\":\"DEMO__9fX19ERU1P\",\"name\":\"purejava\"}}";
         JSONObject p = new JSONObject(publicKey);
-        assertTrue(kpa.passkeysRegister(p, "https://passkey.org", l).getJSONObject("response").getString("clientDataJSON").equals("eyJjaGFsbGVuZ2UiOiJBSUNRUzNyajZQLWRJRGI1aWYzT0N0ZS1ZN0NFc19CRW5wVGdvYXNRUlhnIiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvcmlnaW4iOiJodHRwczovL3Bhc3NrZXkub3JnIiwidHlwZSI6IndlYmF1dGhuLmNyZWF0ZSJ9"));
+        assertEquals("eyJjaGFsbGVuZ2UiOiJBSUNRUzNyajZQLWRJRGI1aWYzT0N0ZS1ZN0NFc19CRW5wVGdvYXNRUlhnIiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvcmlnaW4iOiJodHRwczovL3Bhc3NrZXkub3JnIiwidHlwZSI6IndlYmF1dGhuLmNyZWF0ZSJ9", kpa.passkeysRegister(p, "https://passkey.org", l).getJSONObject("response").getString("clientDataJSON"));
+        LOG.info("Please allow authenticate with the stored Passkey");
+        publicKey = "{\"allowCredentials\":[],\"challenge\":\"8rRycwlx8ZOczHfALOJR-ef9RmYBmNt7HQABHxpcSvM\",\"rpId\":\"passkey.org\",\"timeout\":90000,\"userVerification\":\"preferred\"}";
+        p = new JSONObject(publicKey);
+        assertEquals("5Yaf4EYzO6ALp_K7s-p-BQLPSCYVYcKLZptoXwxqQzsFAAAAAA", kpa.passkeysGet(p, "https://passkey.org", l).getJSONObject("response").getString("authenticatorData"));
         LOG.info("Please deny to save changes");
         assertTrue(kpa.lockDatabase());
         assertTrue(kpa.shutdown());
