fix(jans-fido2): #9248 Renaming domain to origin and application id to RpId

Signed-off-by: Madhumita <[email protected]>
maduvena authored and moabu committed Nov 7, 2024
1 parent d01ae62 commit 29594a3
Showing 9 changed files with 23 additions and 22 deletions.
Expand Up @@ -188,10 +188,10 @@ public AssertionOptionsResponse options(AssertionOptions assertionOptions) {
Fido2AuthenticationData entity = new Fido2AuthenticationData();
entity.setUsername(username);
entity.setChallenge(challenge);
entity.setDomain(documentDomain);
entity.setOrigin(documentDomain);
entity.setUserVerificationOption(userVerification);
entity.setStatus(Fido2AuthenticationStatus.pending);
entity.setApplicationId(documentDomain);
entity.setRpId(documentDomain);


// Store original request
Expand Down Expand Up @@ -251,10 +251,10 @@ public AsserOptGenerateResponse generateOptions(AssertionOptionsGenerate asserti
Fido2AuthenticationData entity = new Fido2AuthenticationData();
entity.setUsername(null);
entity.setChallenge(challenge);
entity.setDomain(documentDomain);
entity.setOrigin(documentDomain);
entity.setUserVerificationOption(userVerification);
entity.setStatus(Fido2AuthenticationStatus.pending);
entity.setApplicationId(documentDomain);
entity.setRpId(documentDomain);

// Store original request
entity.setAssertionRequest(CommonUtilService.toJsonNode(assertionOptionsGenerate).toString());
Expand Down Expand Up @@ -307,7 +307,7 @@ public AttestationOrAssertionResponse verify(AssertionResult assertionResult) {
Fido2AuthenticationData authenticationData = authenticationEntity.getAuthenticationData();

// Verify domain
domainVerifier.verifyDomain(authenticationData.getDomain(), clientJsonNode);
domainVerifier.verifyDomain(authenticationData.getOrigin(), clientJsonNode);

// Find registered public key
Fido2RegistrationEntry registrationEntry = registrationPersistenceService.findByPublicKeyId(keyId, authenticationEntity.getRpId())
Expand Down Expand Up @@ -452,11 +452,11 @@ private Pair<List<PublicKeyCredentialDescriptor>, String> prepareAllowedCredenti
});

Optional<Fido2RegistrationEntry> fidoRegistration = allowedFido2Registrations.parallelStream()
.filter(f -> StringUtils.isNotEmpty(f.getRegistrationData().getApplicationId())).findAny();
.filter(f -> StringUtils.isNotEmpty(f.getRegistrationData().getRpId())).findAny();
String applicationId = null;

// applicationId should not be sent incase of pure fido2
applicationId = fidoRegistration.get().getRegistrationData().getApplicationId();
applicationId = fidoRegistration.get().getRegistrationData().getRpId();

return Pair.of(allowedFido2Keys, applicationId);
}
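Review bot: `fidoRegistration.get()` on the changed line is called without a presence check, so when no allowed registration carries a non-empty RP ID the `findAny()` result is empty and the call throws `NoSuchElementException` rather than producing the null that the comment above ("applicationId should not be sent incase of pure fido2") seems to expect; prepareAllowedCredentials begins before this hunk. The local `applicationId`, that comment and the returned pair still use the old name although the getter is now `getRpId()`, so the rename is only half applied here. The `parallelStream()` feeding a filter/findAny also makes the chosen element non-deterministic between calls for no gain; a sequential stream with `findFirst()` is the plainer choice. The first two hunks of this file show the same naming drift, with `setOrigin` and `setRpId` both receiving `documentDomain` and no comment saying the two are intentionally equal on this code path.
```java
    });

    // RP ID should not be sent in case of pure FIDO2; fall back to null when no
    // allowed registration carries one (confirm callers tolerate a null second element)
    String rpId = allowedFido2Registrations.stream()
            .map(f -> f.getRegistrationData().getRpId())
            .filter(StringUtils::isNotEmpty)
            .findFirst()
            .orElse(null);

    return Pair.of(allowedFido2Keys, rpId);
```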
Expand Up @@ -241,15 +241,15 @@ else if(hints.contains(PublicKeyCredentialHints.SECURITY_KEY.getValue()) || hint
entity.setUsername(attestationOptions.getUsername());
entity.setUserId(userId);
entity.setChallenge(challenge);
entity.setDomain(documentDomain);
entity.setOrigin(documentDomain);
entity.setStatus(Fido2RegistrationStatus.pending);
//if (params.hasNonNull(CommonVerifiers.SUPER_GLUU_APP_ID)) {
/*
* if (!Strings.isNullOrEmpty(attestationOptions.getSuperGluuAppId())) {
* entity.setApplicationId(attestationOptions.getSuperGluuAppId()); } else {
*/
// TODO: this can be removed out in the future
entity.setApplicationId(documentDomain);
entity.setRpId(documentDomain);
//}

// Store original requests
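Review bot: The commented-out block directly above the changed line still refers to `entity.setApplicationId(attestationOptions.getSuperGluuAppId())`, a setter that presumably no longer exists after this rename, so the dead code is now misleading as well as dead; either delete the `//if (...)`, `/* ... */` and `//}` remnants together with the `// TODO: this can be removed out in the future` line, or update them to `setRpId` so the TODO stays actionable. The `// Verify domain` comment in the second hunk of this file, above `domainVerifier.verifyDomain(registrationData.getOrigin(), clientDataJSONNode);`, should likewise read `// Verify origin` now that the field is called origin. Both hunks sit inside methods that start outside the hunk.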
Expand Down Expand Up @@ -304,7 +304,7 @@ public AttestationOrAssertionResponse verify(AttestationResult attestationResult
Fido2RegistrationData registrationData = registrationEntry.getRegistrationData();

// Verify domain
domainVerifier.verifyDomain(registrationData.getDomain(), clientDataJSONNode);
domainVerifier.verifyDomain(registrationData.getOrigin(), clientDataJSONNode);

// Verify authenticator attestation response
CredAndCounterData attestationData = attestationVerifier.verifyAuthenticatorAttestationResponse(attestationResult.getResponse(),
Expand Up @@ -101,7 +101,7 @@ public Fido2AuthenticationEntry buildFido2AuthenticationEntry(Fido2Authenticatio
if (StringUtils.isNotEmpty(challenge)) {
authenticationEntity.setChallengeHash(challengeGenerator.getChallengeHashCode(challenge));
}
authenticationEntity.setRpId(authenticationData.getApplicationId());
authenticationEntity.setRpId(authenticationData.getRpId());

authenticationData.setCreatedDate(now);
authenticationData.setCreatedBy(userName);
Expand Up @@ -91,7 +91,7 @@ public Fido2RegistrationEntry buildFido2RegistrationEntry(Fido2RegistrationData
if (StringUtils.isNotEmpty(challenge)) {
registrationEntry.setChallengeHash(getChallengeHashCode(challenge));
}
registrationEntry.setRpId(registrationData.getApplicationId());
registrationEntry.setRpId(registrationData.getRpId());

registrationData.setCreatedDate(now);
registrationData.setCreatedBy(userName);
Expand Up @@ -99,7 +99,7 @@ public void process(JsonNode attStmt, AuthData authData, Fido2RegistrationData r
commonVerifiers.verifyAAGUIDZeroed(authData);

userVerificationVerifier.verifyUserPresent(authData);
commonVerifiers.verifyRpIdHash(authData, registration.getDomain());
commonVerifiers.verifyRpIdHash(authData, registration.getOrigin());

if (attStmt.hasNonNull("x5c")) {
Iterator<JsonNode> i = attStmt.get("x5c").elements();
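Review bot: `commonVerifiers.verifyRpIdHash(authData, registration.getOrigin())` now reads as checking the authenticator's rpIdHash against the origin, while the U2F path in this same commit hashes `registration.getRpId()` and the Super Gluu migration in convertToFido2RegistrationData stores different values in the two fields (`setOrigin(documentDomain)` versus `setRpId(fidoRegistration.getApplication())`). In WebAuthn the RP ID (a registrable domain) and the origin (scheme, host and optional port) are distinct values, so this check only matches rpIdHash for as long as the origin field holds a bare host name; if that is the intended invariant it deserves a comment such as `// origin is stored as the bare RP domain, so it doubles as the RP ID for the hash check`, otherwise the argument should be `registration.getRpId()`. The identical call in the assertion verifier hunk of this commit (`commonVerifiers.verifyRpIdHash(authData, registration.getOrigin());` inside process(...)) needs the same decision. The enclosing process method starts outside this hunk.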
Expand Up @@ -119,7 +119,7 @@ public void process(JsonNode attStmt, AuthData authData, Fido2RegistrationData r
byte[] challengeHash = DigestUtils.getSha256Digest().digest(registration.getChallenge().getBytes(Charset.forName("UTF-8")));

// RP ID hash is application for Super Gluu
byte[] rpIdhash = DigestUtils.getSha256Digest().digest(registration.getApplicationId().getBytes(Charset.forName("UTF-8")));
byte[] rpIdhash = DigestUtils.getSha256Digest().digest(registration.getRpId().getBytes(Charset.forName("UTF-8")));

authenticatorDataVerifier.verifyU2FAttestationSignature(authData, rpIdhash, challengeHash, signature, verifiedCert, alg);
}
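Review bot: `Charset.forName("UTF-8")` on the changed line (and on the challenge-hash line above it) can be replaced by `StandardCharsets.UTF_8`, which avoids the runtime name lookup and the unchecked exception path of a failed lookup: `byte[] rpIdhash = DigestUtils.getSha256Digest().digest(registration.getRpId().getBytes(StandardCharsets.UTF_8));` with the matching java.nio.charset import. The comment `// RP ID hash is application for Super Gluu` still uses the old vocabulary; `// For Super Gluu the RP ID hash is computed over the stored RP ID (the Super Gluu application id)` describes the line after the rename. A null `getRpId()` would surface as a `NullPointerException` inside the digest call; `Objects.requireNonNull(registration.getRpId(), "rpId")` ahead of it gives a clearer failure. The enclosing process method begins outside this hunk.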
Expand Up @@ -93,7 +93,7 @@ public void verifyAuthenticatorAssertionResponse(Response response, Fido2Registr
public void process(String base64AuthenticatorData, String signature, String clientDataJson, Fido2RegistrationData registration,
Fido2AuthenticationData authenticationEntity) {
AuthData authData = authenticatorDataParser.parseAssertionData(base64AuthenticatorData);
commonVerifiers.verifyRpIdHash(authData, registration.getDomain());
commonVerifiers.verifyRpIdHash(authData, registration.getOrigin());

log.debug("User verification option {}", authenticationEntity.getUserVerificationOption());
userVerificationVerifier.verifyUserVerificationOption(authenticationEntity.getUserVerificationOption(), authData);
Expand Up @@ -160,7 +160,7 @@ protected Fido2RegistrationData convertToFido2RegistrationData(String documentDo
registrationData.setUpdatedBy(username);

registrationData.setUsername(username);
registrationData.setDomain(documentDomain);
registrationData.setOrigin(documentDomain);

JsonNode uncompressedECPoint = coseService.convertECKeyToUncompressedPoint(
base64Service.urlDecode(fidoRegistration.getDeviceRegistrationConfiguration().getPublicKey()));
Expand All @@ -179,7 +179,7 @@ protected Fido2RegistrationData convertToFido2RegistrationData(String documentDo

registrationData.setStatus(Fido2RegistrationStatus.registered);

registrationData.setApplicationId(fidoRegistration.getApplication());
registrationData.setRpId(fidoRegistration.getApplication());

return registrationData;
}
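Review bot: `registrationData.setRpId(fidoRegistration.getApplication())` is the one place in this commit where the RP ID is populated from a different source than the origin (the first hunk of this method sets `registrationData.setOrigin(documentDomain)`), and nothing says why; a comment such as `// Super Gluu registrations carry their own application id, which becomes the RP ID; the origin stays the document domain` would stop the next reader from assuming the two fields are always equal. Whether `getApplication()` can be null or empty for a migrated registration is not visible here; if it can, the U2F verifier in this commit hashes the value via `getBytes()` and would fail with a NullPointerException, so a guard or a documented non-null contract is worth adding. convertToFido2RegistrationData starts before the first hunk of this file.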
Expand Up @@ -87,7 +87,7 @@ void process_ifAttStmtHasX5cAndVerifyAttestationThrowErrorAndCertificatesIsEmpty
byte[] clientDataHash = new byte[]{};
CredAndCounterData credIdAndCounters = mock(CredAndCounterData.class);
JsonNode x5cNode = mock(JsonNode.class);
when(registration.getDomain()).thenReturn("test-domain");
when(registration.getOrigin()).thenReturn("test-domain");
when(attStmt.hasNonNull("x5c")).thenReturn(true);
when(attStmt.get("x5c")).thenReturn(x5cNode);
when(x5cNode.elements()).thenReturn(Collections.emptyIterator());
Expand Down Expand Up @@ -124,7 +124,7 @@ void process_ifAttStmprocess_ifAttStmtHasX5cAndVerifyAttestationThrowErrorAndCer
byte[] clientDataHash = new byte[]{};
CredAndCounterData credIdAndCounters = mock(CredAndCounterData.class);
JsonNode x5cNode = mock(JsonNode.class);
when(registration.getDomain()).thenReturn("test-domain");
when(registration.getOrigin()).thenReturn("test-domain");
when(attStmt.hasNonNull("x5c")).thenReturn(true);
when(attStmt.get("x5c")).thenReturn(x5cNode);
when(x5cNode.elements()).thenReturn(Collections.singletonList((JsonNode) new TextNode("cert1")).iterator());
Expand Down Expand Up @@ -162,7 +162,8 @@ void process_ifAttStmtHasX5cAndCertificatesIsNotEmptyAndVerifyAttestationIsValid
byte[] clientDataHash = new byte[]{};
CredAndCounterData credIdAndCounters = mock(CredAndCounterData.class);
JsonNode x5cNode = mock(JsonNode.class);
when(registration.getDomain()).thenReturn("test-domain");
when(registration.getOrigin
()).thenReturn("test-domain");
when(attStmt.hasNonNull("x5c")).thenReturn(true);
when(attStmt.get("x5c")).thenReturn(x5cNode);
when(x5cNode.elements()).thenReturn(Collections.singletonList((JsonNode) new TextNode("cert1")).iterator());
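Review bot: The changed stub in process_ifAttStmtHasX5cAndCertificatesIsNotEmptyAndVerifyAttestationIsValid is split across two lines, `when(registration.getOrigin` and `()).thenReturn("test-domain");`, which is what turns this hunk into 7 old / 8 new lines; it compiles, but it looks like an editor accident and should be folded back to `when(registration.getOrigin()).thenReturn("test-domain");` as in the other four hunks of this file. The stubbed value `"test-domain"` is now returned by a getter called origin; renaming it to `"test-origin"` would keep the fixtures aligned with the new vocabulary, though that is behaviour-neutral. The test method starts outside the hunk.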
Expand Down Expand Up @@ -193,7 +194,7 @@ void process_ifAttStmtHasEcdaaKeyId_badRequestException() {
Fido2RegistrationData registration = mock(Fido2RegistrationData.class);
byte[] clientDataHash = new byte[]{};
CredAndCounterData credIdAndCounters = mock(CredAndCounterData.class);
when(registration.getDomain()).thenReturn("test-domain");
when(registration.getOrigin()).thenReturn("test-domain");
when(attStmt.get("sig")).thenReturn(mock(JsonNode.class));
when(attStmt.hasNonNull("x5c")).thenReturn(false);
when(attStmt.hasNonNull("ecdaaKeyId")).thenReturn(true);
Expand Down Expand Up @@ -222,7 +223,7 @@ void process_ifAttStmtNotIsX5cOrEcdaaKeyId_success() {
Fido2RegistrationData registration = mock(Fido2RegistrationData.class);
byte[] clientDataHash = new byte[]{};
CredAndCounterData credIdAndCounters = mock(CredAndCounterData.class);
when(registration.getDomain()).thenReturn("test-domain");
when(registration.getOrigin()).thenReturn("test-domain");
when(authData.getAuthDataDecoded()).thenReturn("test-decoded".getBytes());
when(attStmt.get("sig")).thenReturn(mock(JsonNode.class));
when(commonVerifiers.verifyBase64String(any())).thenReturn("test-signature");
