Changeset 6754

Timestamp:

May 31, 2022, 12:01:30 PM (16 months ago)

Author:

Nicklas Nordborg

Message:

References #1396: Implement an login extension for WebAuthn?

Cleaned up the login process by moving most of the code to the LoginProcessHandler. An instance of this object is created in the first step by the PreLoginAuthenticationManager and is used to generate a challenge for the browser. The response from the browser is then processed by the same instance in the second step by the WebAuthnAuthenticationManager.

Location:

extensions/net.sf.basedb.webauthn/trunk

Files:

• src/net/sf/basedb/webauthn/LoginProcessHandler.java (added)
• src/net/sf/basedb/webauthn/PreLoginAuthenticationManager.java (modified) (3 diffs)
• src/net/sf/basedb/webauthn/WebAuthn.java (modified) (2 diffs)
• src/net/sf/basedb/webauthn/WebAuthnAuthenticationManager.java (modified) (4 diffs)
• webauthn.properties (modified) (1 diff)

extensions/net.sf.basedb.webauthn/trunk/src/net/sf/basedb/webauthn/PreLoginAuthenticationManager.java

@@ -1 +1 @@
 package net.sf.basedb.webauthn;
 
-import java.util.Collections;
-import java.util.Optional;
-import java.util.Set;
+import com.yubico.webauthn.AssertionRequest;
 
-
-import com.yubico.webauthn.AssertionRequest;
-import com.yubico.webauthn.CredentialRepository;
-import com.yubico.webauthn.RegisteredCredential;
-import com.yubico.webauthn.RelyingParty;
-import com.yubico.webauthn.StartAssertionOptions;
-import com.yubico.webauthn.data.ByteArray;
-import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
-import com.yubico.webauthn.data.RelyingPartyIdentity;
-
-import net.sf.basedb.core.Application;
 import net.sf.basedb.core.AuthenticationContext;
 import net.sf.basedb.core.authentication.AuthenticatedUser;
@@ -21 +8 @@
 import net.sf.basedb.core.authentication.LoginException;
 import net.sf.basedb.core.authentication.LoginRequest;
+import net.sf.basedb.core.authentication.UnknownLoginException;
 import net.sf.basedb.core.data.UserData;
 
@@ -52 +40 @@
     String login = request.getLogin();
 
-    // Check if the user exists
+    // Check if the user exists and has configured a security key
     UserData user = context.getUserByLogin(login);
-    if (user == null)
-    {
-      throw new LoginException("Unknown username '" + login + "'.");
-    }
+    if (user == null) throw new UnknownLoginException(login);
     if (user.getExtended("webAuthnCredentialId") == null)
     {
-      throw new LoginException("User '"+login+"' has not configured a security key.");
+      throw new LoginException("User '"+login+"' has not configured a WebAuthn Security Key.");
     }
     
-    RelyingPartyIdentity rpi = RelyingPartyIdentity.builder()
-      .id(request.getAttribute("serverName"))  // TODO -- config option
-      .name(Application.getTitle())
-      .build();
-        
-    RelyingParty rp = RelyingParty.builder()
-      .identity(rpi)
-      .credentialRepository(new NoCredentialRepository(user))
-      .allowOriginPort(true) // TODO -- config option?
-      .build();
-
-    AssertionRequest assertionRequest = rp.startAssertion(StartAssertionOptions.builder()
-       .username(login)
-       .build());
+    String serverName = request.getAttribute("serverName");
+    LoginProcessHandler handler = new LoginProcessHandler(user, serverName);
+    AssertionRequest assertionRequest = handler.getAssertionRequest();
     
-    context.getSessionControl().setSessionSetting("webauthn-assertion-request", assertionRequest);
-    
+    context.getSessionControl().setSessionSetting("webauthn-login-handler", handler);
     throw new AssertionRequestException(assertionRequest);
-  }
-
-
-  static class NoCredentialRepository
-    implements CredentialRepository
-  {
-    
-    private final UserData user;
-    
-    NoCredentialRepository(UserData user)
-    {
-      this.user = user;
-    }
-    
-    @Override
-    public Set<PublicKeyCredentialDescriptor> getCredentialIdsForUsername(String username) 
-    {
-      System.out.println("getCredentialIdsForUsername: "+username);
-      String credentialId = (String)user.getExtended("webAuthnCredentialId");
-      PublicKeyCredentialDescriptor pk = PublicKeyCredentialDescriptor.builder()
-        .id(ByteArray.fromBase64(credentialId))
-        .build();
-      return Collections.singleton(pk);
-    }
-
-    @Override
-    public Optional<ByteArray> getUserHandleForUsername(String username) 
-    {
-      System.out.println("getUserHandleForUsername: "+username);
-      String userHandle = (String)user.getExtended("webAuthnUserHandle");
-      return Optional.of(ByteArray.fromBase64(userHandle));
-    }
-
-    @Override
-    public Optional<String> getUsernameForUserHandle(ByteArray userHandle) 
-    {
-      System.out.println("getUsernameForUserHandle: "+userHandle);
-      return Optional.empty();
-    }
-
-    @Override
-    public Optional<RegisteredCredential> lookup(ByteArray credentialId, ByteArray userHandle) 
-    {
-      System.out.println("lookup: "+credentialId+"; "+userHandle);
-      
-      String publicKey = (String)user.getExtended("webAuthnPublicKey");
-      Integer count = (Integer)user.getExtended("webAuthnSignatureCount");
-      return Optional.of(RegisteredCredential.builder()
-        .credentialId(credentialId)
-        .userHandle(userHandle)
-        .publicKeyCose(ByteArray.fromBase64(publicKey))
-        .signatureCount(count == null ? 0 : count)
-        .build());
-    }
-
-    @Override
-    public Set<RegisteredCredential> lookupAll(ByteArray credentialId) 
-    {
-      System.out.println("lookupAll: "+credentialId);
-      return Collections.emptySet();
-    }
-
   }
     

extensions/net.sf.basedb.webauthn/trunk/src/net/sf/basedb/webauthn/WebAuthn.java

@@ -9 +9 @@
 import java.util.Set;
 
+import com.yubico.webauthn.CredentialRepository;
+import com.yubico.webauthn.RelyingParty;
+import com.yubico.webauthn.data.RelyingPartyIdentity;
+
+import net.sf.basedb.core.Application;
 import net.sf.basedb.core.ConfigurationException;
 import net.sf.basedb.core.authentication.AuthenticationMethod;
 import net.sf.basedb.util.FileUtil;
+import net.sf.basedb.util.Values;
 
 /**
@@ -157 +163 @@
     return allowedAuthenticationMethods.contains("*") || allowedAuthenticationMethods.contains(auth.getMethod());
   }
+  
+  /**
+    Create a RelyingParty instance.
+    @param id The ID taken from HTTP request parameters
+    @param cred A credentials repository implementation
+  */
+  public static RelyingParty createRelyingParty(String id, CredentialRepository cred)
+  {
+    Properties cfg = getConfig(true);
+    id = cfg.getProperty("relying-party-id", id);
+    boolean port = Values.getBoolean(cfg.getProperty("relying-party-allow-origin-port"));
+    boolean subdomain = Values.getBoolean(cfg.getProperty("relying-party-allow-origin-subdomain"));
+    boolean disableCounter = Values.getBoolean(cfg.getProperty("relying-party-disable-signature-counter"));
+    
+    RelyingPartyIdentity rpi = RelyingPartyIdentity.builder()
+      .id(id)
+      .name(Application.getTitle())
+      .build();
+          
+    RelyingParty rp = RelyingParty.builder()
+      .identity(rpi)
+      .credentialRepository(cred)
+      .allowOriginPort(port)
+      .allowOriginSubdomain(subdomain)
+      .validateSignatureCounter(!disableCounter)
+      .build();
+    return rp;
+  }
 
 }

extensions/net.sf.basedb.webauthn/trunk/src/net/sf/basedb/webauthn/WebAuthnAuthenticationManager.java

@@ -1 +1 @@
 package net.sf.basedb.webauthn;
 
-import com.yubico.webauthn.AssertionRequest;
+
 import com.yubico.webauthn.AssertionResult;
-import com.yubico.webauthn.FinishAssertionOptions;
-import com.yubico.webauthn.RelyingParty;
-import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
-import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
-import com.yubico.webauthn.data.PublicKeyCredential;
-import com.yubico.webauthn.data.RelyingPartyIdentity;
 
-import net.sf.basedb.core.Application;
 import net.sf.basedb.core.AuthenticationContext;
 import net.sf.basedb.core.authentication.AuthenticatedUser;
@@ -17 +10 @@
 import net.sf.basedb.core.authentication.LoginRequest;
 import net.sf.basedb.core.data.UserData;
-import net.sf.basedb.webauthn.PreLoginAuthenticationManager.NoCredentialRepository;
 
 /**
-  Authentication 
+  Authentication manager for the final step in the WebAuthn authentication
+  process. It will first verify that the login+password is correct and
+  then verify the response from the security key.
   
   @author nicklas
@@ -60 +54 @@
     }
 
+    // Check the password with the internal authentication
     AuthenticatedUser auth = context.verifyUserInternal(request);
     UserData user = context.getUserById(auth.getInternalId());
@@ -73 +68 @@
         throw new LoginException("User '" + login + "' has not configured a WebAuthn Security Key.");
       }
+      return null;
     }
-    else
+    
+    // Get and clear the stored login handler
+    LoginProcessHandler handler = context.getSessionControl().setSessionSetting("webauthn-login-handler", null);
+    if (handler == null)
     {
-      
-      try
-      {
-        PublicKeyCredential<AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs> pkc = PublicKeyCredential.parseAssertionResponseJson(assertionResponse); 
-        AssertionRequest ar = context.getSessionControl().getSessionSetting("webauthn-assertion-request");
-        FinishAssertionOptions ass = FinishAssertionOptions.builder()
-            .request(ar)
-            .response(pkc)
-            .build();
-  
-        RelyingPartyIdentity rpi = RelyingPartyIdentity.builder()
-            .id("localhost")  // TODO -- config option
-            .name(Application.getTitle())
-            .build();
-            
-        RelyingParty rp = RelyingParty.builder()
-          .identity(rpi)
-          .credentialRepository(new NoCredentialRepository(user))
-          .allowOriginPort(true) // TODO -- config option?
-          .build();
-    
-        AssertionResult asResult = rp.finishAssertion(ass);
-        
-        if (!asResult.isSuccess())
-        {
-          System.out.println("webautn no success");
-          
-          throw new LoginException("Login failed");
-        }
-        Integer count = (Integer)user.getExtended("webAuthnSignatureCount");
-        user.setExtended("webAuthnSignatureCount", count+1);
-        
-      }
-      catch (Exception ex)
-      {
-        ex.printStackTrace(System.out);
-        throw new LoginException("Login failed", ex);
-      }
-      
-      auth = new AuthenticatedUser(WebAuthn.AUTHENTICATION_METHOD, user);
+      throw new LoginException("No login handler exists for user '"+login+"'");
     }
+    AssertionResult result = handler.processAssertionResponse(assertionResponse);
+    user.setExtended("webAuthnSignatureCount", (int)result.getSignatureCount());
+    auth = new AuthenticatedUser(WebAuthn.AUTHENTICATION_METHOD, user);
     return auth;
   }

extensions/net.sf.basedb.webauthn/trunk/webauthn.properties

@@ -27 +27 @@
 ## override the 'no-webauthn' or 'require-webauthn' settings.
 # allow-other-authentication = 
+
+## The ID of the RelyingParty is normally taken from the HTTP
+## request headers. If, for some reason, that doesn't work as
+## expected it is possible manually configure it here
+# relying-party-id = localhost
+
+## A flag that can be set to allow the RelyingParty to match
+## against any port number. Should not be needed except for
+## developers that use non-standard ports.
+# relying-party-allow-origin-port = 1
+
+## A flag that can be set to allow the RelyingParty to match
+## against any subdomain to the id.
+# relying-party-allow-origin-subdomain = 1
+
+## A flag for disabling validation of the signature counter
+## This counter is an increasing number intended to prevent
+## replay attacks. It is recommended to keep this enabled,
+## unless it is causing problems with security keys that 
+## don't support the counter
+# relying-party-disable-signature-counter = 1