Add origin parameter in Fido2ExternalAuthenticator script for attestation and assertion API calls #9248

[imran-ishaq]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

closes #9248

Implementation Details

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

DryRun Security Summary

The provided code changes focus on enhancing the security and robustness of the FIDO2 authentication process in the Janssen FIDO2 server application, covering various aspects of the attestation and assertion flows, with a strong emphasis on verifying the integrity and source of the provided data.

Expand for full summary

Summary:

The provided code changes focus on enhancing the security and robustness of the FIDO2 (Fast Identity Online) authentication process in the Janssen FIDO2 server application. The changes cover various aspects of the attestation and assertion (authentication) flows, with a strong emphasis on verifying the integrity and source of the provided data.

Key security improvements include:

1. Relying Party (RP) Domain Verification: The code has been updated to verify the RP domain against a list of allowed/requested parties, helping to prevent potential domain spoofing attacks.
2. Credential Management: The application ensures that only valid and registered credentials are allowed for the assertion process, handling different types of authenticators (e.g., platform, hybrid, USB, NFC, BLE).
3. External Security Integration: The code integrates an ExternalFido2Service that allows for custom security checks or integrations during the assertion process.
4. Persistence and Expiration: The application stores the assertion request and response in the persistence layer, with appropriate expiration settings to limit the lifetime of unfinished requests.
5. Push Token and Session Updates: The code handles updates to the user's push token and session information, ensuring a seamless and secure authentication experience.

Overall, the changes in this pull request demonstrate the application's commitment to implementing robust FIDO2 authentication mechanisms and validating the integrity of the attestation and assertion data, which is crucial for maintaining a secure and reliable authentication process.

Files Changed:

1. AttestationErrorResponseType.java: Adds a new error type called INVALID_ORIGIN, which represents an error related to the attestation origin validation.
2. AttestationService.java: Enhances the RP domain verification by checking the domain against the list of configured requested parties, reducing the risk of domain spoofing attacks.
3. AssertionService.java: Improves the security of the assertion process by verifying the RP domain, managing allowed credentials, integrating external security services, and handling session and push token updates.
4. Fido2ExternalAuthenticator.py: Separates the assertion and attestation flows, passes domain information as part of the FIDO2 request parameters, and properly handles exceptions and metadata configuration.
5. CommonVerifiers.java: Strengthens the verification of the RP domain and the counter value, helping to prevent replay attacks and other security vulnerabilities.

Code Analysis

We ran 9 analyzers against 5 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Authn/Authz Analyzer	6 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.