Merge branch 'master' into bug_fixes_117

component-samples/demo/aio/WEB-INF/web.xml

@@ -311,6 +311,8 @@
     <web-resource-collection>
         <web-resource-name>apis</web-resource-name>
         <url-pattern>/api/v1/*</url-pattern>
+        <!-- <url-pattern>/fdo/101/msg/10</url-pattern>
+        <url-pattern>/fdo/101/msg/12</url-pattern> -->
     </web-resource-collection>
     <auth-constraint>
         <role-name>api</role-name>

component-samples/demo/device/README.md

@@ -1,3 +1,4 @@
+
 # Getting the Executable
 
 Use the following commands to build FIDO Device Onboard (FDO) Protocol Reference Implementation (PRI) HTTP Device Component sample source.
@@ -23,6 +24,44 @@ All the runtime configurations for the device is specified in `service.yml` file
 
 - `workers:` The section contains the configuration to select desired functionality for the device. The deployer can pick and choose the functionality during runtime.
 
+###  DI with mTLS
+1. To execute DI with mTLS, first uncomment the following lines from `<fdo-pri-src>/component-samples/demo/aio/WEB-INF/Web.xml` or `<fdo-pri-src>/component-samples/demo/manufacturer/WEB-INF/Web.xml` and start the sevices.
+
+```
+  <security-constraint>
+    <web-resource-collection>
+        <web-resource-name>apis</web-resource-name>
+        <url-pattern>/api/v1/*</url-pattern>
+        <!-- <url-pattern>/fdo/101/msg/10</url-pattern>
+        <url-pattern>/fdo/101/msg/12</url-pattern> -->
+    </web-resource-collection>
+    <auth-constraint>
+        <role-name>api</role-name>
+    </auth-constraint>
+    <user-data-constraint>
+       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+  </security-constraint>
+  ```
+
+2.  Copy `api-user.pem` and `ca-cert.pem` into `demo/device/app-data` folder.
+3. Disable the following workers.
+`- org.fidoalliance.fdo.protocol.SelfSignedHttpClientSupplier`
+4. Enable the following workers.
+`- org.fidoalliance.fdo.protocol.StandardHttpClientSupplier`
+5. Then uncomment the following lines from `<fdo-pri-src>/component-samples/demo/device/service.yml`
+
+```
+system-properties:
+  # javax.net.ssl.keyStorePassword: default
+  # javax.net.ssl.trustStorePassword: default
+  # javax.net.ssl.keyStore: ./app-data/api-user.pem
+  # javax.net.ssl.trustStore: ./app-data/ca-cert.pem
+  # javax.net.ssl.keyStoreType: PEM
+  # javax.net.ssl.trustStoreType: PEM
+```
+
+
 
 # Starting the Device Service
 

component-samples/demo/device/service.yml

@@ -87,6 +87,7 @@ workers:
   - org.fidoalliance.fdo.protocol.StandardExceptionConsumer
   - org.fidoalliance.fdo.protocol.StandardMessageDispatcher
   - org.fidoalliance.fdo.protocol.StandardCryptoService
+  # - org.fidoalliance.fdo.protocol.StandardHttpClientSupplier
   - org.fidoalliance.fdo.protocol.SelfSignedHttpClientSupplier
   - org.fidoalliance.fdo.sample.FileCredentialConsumer
   - org.fidoalliance.fdo.sample.FileCredentialSupplier 
@@ -107,3 +108,9 @@ workers:
 system-properties:
   log4j.configurationFile: log4j2.xml
   app-data.dir: ./app-data
+  # javax.net.ssl.keyStorePassword: default
+  # javax.net.ssl.trustStorePassword: default
+  # javax.net.ssl.keyStore: ./app-data/api-user.pem
+  # javax.net.ssl.trustStore: ./app-data/ca-cert.pem
+  # javax.net.ssl.keyStoreType: PEM
+  # javax.net.ssl.trustStoreType: PEM

component-samples/demo/manufacturer/WEB-INF/web.xml

@@ -130,6 +130,8 @@
     <web-resource-collection>
         <web-resource-name>apis</web-resource-name>
         <url-pattern>/api/v1/*</url-pattern>
+        <!-- <url-pattern>/fdo/101/msg/10</url-pattern>
+        <url-pattern>/fdo/101/msg/12</url-pattern> -->
     </web-resource-collection>
     <auth-constraint>
         <role-name>api</role-name>

pom.xml

@@ -28,8 +28,8 @@
 
 
     <!-- Dependency Version -->
-    <bcpkix.version>1.74</bcpkix.version>
-    <bcprov.version>1.74</bcprov.version>
+    <bcpkix.version>1.76</bcpkix.version>
+    <bcprov.version>1.76</bcprov.version>
     <commons-beanutils.version>1.9.4</commons-beanutils.version>
     <commons-codec.version>1.15</commons-codec.version>
     <commons-text.version>1.10.0</commons-text.version>
@@ -42,15 +42,15 @@
     <log4j.version>2.17.2</log4j.version>
     <slf4j.version>1.7.36</slf4j.version>
     <hibernate.version>6.1.0.Final</hibernate.version>
-    <tomcat.version>10.1.10</tomcat.version>
+    <tomcat.version>10.1.15</tomcat.version>
     <apache-httpcomponents.version>4.5.13</apache-httpcomponents.version>
     <snakeyaml.version>2.0</snakeyaml.version>
     <jackson-dataformat.version>2.15.2</jackson-dataformat.version>
     <jackson-databind.version>2.15.2</jackson-databind.version>
     <cose-java.version>1.1.0</cose-java.version>
 
     <!-- Database Client Version -->
-    <h2db.version>2.2.220</h2db.version>
+    <h2db.version>2.2.224</h2db.version>
     <mariadb.version>3.0.5</mariadb.version>
     <mysql.version>8.0.33</mysql.version>
     <postgresql.version>42.5.2</postgresql.version>

protocol/src/main/java/org/fidoalliance/fdo/protocol/HttpClient.java

@@ -225,6 +225,11 @@ && index < getInstructions().size()
         }
 
         logger.info("all instructions exhausted");
+
+        if (getRequest().getMsgType() == MsgType.TO0_HELLO) {
+          logger.info("Failed TO0 with error: " + e.getMessage());
+        }
+
         throw new IOException(e);
       }
 

protocol/src/main/java/org/fidoalliance/fdo/protocol/StandardMessageDispatcher.java

@@ -441,6 +441,10 @@ protected void doTo0Hello(DispatchMessage request, DispatchMessage response) thr
     Nonce nonceTO0Sign = Nonce.fromRandomUuid();
     response.setAuthToken(createCwtSession(nonceTO0Sign));
 
+    if (request.getMessage().length != 1) {
+      throw new InvalidMessageException("Invalid message for the body");
+    }
+
     To0HelloAck helloAck = new To0HelloAck();
     helloAck.setNonce(nonceTO0Sign);
     response.setMessage(Mapper.INSTANCE.writeValue(helloAck));

protocol/src/main/java/org/fidoalliance/fdo/protocol/serialization/ManufacturingInfoDeserializer.java

@@ -9,6 +9,10 @@
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
 import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+
+import org.fidoalliance.fdo.protocol.InvalidMessageException;
 import org.fidoalliance.fdo.protocol.Mapper;
 import org.fidoalliance.fdo.protocol.message.AnyType;
 import org.fidoalliance.fdo.protocol.message.CertChain;
@@ -28,6 +32,25 @@ public ManufacturingInfoDeserializer(Class<?> t) {
     super(t);
   }
 
+  /**
+   * Checks whether string contains only alphanumberic characters along with '_' and '-'.
+   * @param deviceString The string to be validated as a device string.
+   * @return True if the string is a valid device string, false otherwise.
+   */
+  public boolean isValidString(String deviceString) {
+    String[] invalidStrings = { "", "null", "none", "true", "false", "undefined", "undef",
+        "NaN", "nil",
+        "_", "-", "--", "--version", "--help" };
+
+    Boolean invalidStringMatch = Arrays.stream(invalidStrings).anyMatch(
+        invalid -> invalid.equalsIgnoreCase(deviceString));
+
+    Boolean invalidCharMatch = deviceString.chars().anyMatch(
+        c -> !Character.isLetterOrDigit(c) && c != '_' && c != '-');
+
+    return !invalidStringMatch && !invalidCharMatch;
+  }
+
   @Override
   public ManufacturingInfo deserialize(JsonParser jp, DeserializationContext ctxt)
       throws IOException {
@@ -38,8 +61,23 @@ public ManufacturingInfo deserialize(JsonParser jp, DeserializationContext ctxt)
 
     info.setKeyType(PublicKeyType.fromNumber(node.get(index++).intValue()));
     info.setKeyEnc(PublicKeyEncoding.fromNumber(node.get(index++).intValue()));
-    info.setSerialNumber(node.get(index++).textValue());
-    info.setDeviceInfo(node.get(index++).textValue());
+
+    String serialNumber = node.get(index++).textValue();
+
+    if (isValidString(serialNumber)) {
+      info.setSerialNumber(serialNumber);
+    } else {
+      throw new InvalidMessageException("Invalid Serial Number");
+    }
+
+    String deviceInfo = node.get(index++).textValue();
+
+    if (isValidString(deviceInfo)) {
+      info.setDeviceInfo(deviceInfo);
+    } else {
+      throw new InvalidMessageException("Invalid Device Info");
+    }
+
     if (index < node.size()) {
       JsonNode subNode = node.get(index++);
       if (subNode.isBinary()) {

protocol/src/test/java/org/fidoalliance/fdo/protocol/ManufacturingInfoTest.java

@@ -0,0 +1,91 @@
+// package org.fidoalliance.fdo.protocol;
+
+// public class ManufacturingInfoTest {
+
+// }
+
+package org.fidoalliance.fdo.protocol;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.IOException;
+import java.util.UUID;
+import org.apache.commons.codec.DecoderException;
+import org.fidoalliance.fdo.protocol.message.Guid;
+import org.fidoalliance.fdo.protocol.serialization.ManufacturingInfoDeserializer;
+import org.junit.jupiter.api.Test;
+
+public class ManufacturingInfoTest {
+    @Test
+    public void Test() throws DecoderException, IOException {
+
+        ManufacturingInfoDeserializer obj = new ManufacturingInfoDeserializer();
+
+        String[] invalidStrings = {
+                "",
+                "none",
+                "NaN",
+                "undefined",
+                "undef",
+                "null",
+                "NULL",
+                "(null)",
+                "nil",
+                "NIL",
+                "true",
+                "false",
+                "True",
+                "False",
+                "TRUE",
+                "FALSE",
+                "None",
+                "????",
+                "???????????????????????????????????????????????????????????????????????????????",
+                "??????????",
+                "??? ??? ???",
+                "'",
+                "\"",
+                "''",
+                "\"\"",
+                "'\"'",
+                "\"''''\"'\"",
+                "\"'\"'\"''''\"",
+                "1;DROP TABLE users",
+                "1'; DROP TABLE users-- 1",
+                "'; EXEC sp_MSForEachTable 'DROP TABLE ?'; --",
+                "' OR 1=1 -- 1",
+                "' OR '1'='1",
+                "1'1",
+                "1 exec sp_ (or exec xp_)",
+                "1 and 1=1",
+                "1' and 1=(select count(*) from tablenames); --",
+                "1 or 1=1",
+                "1' or '1'='1",
+                " ",
+                "%",
+                "_",
+                "-",
+                "--",
+                "--version",
+                "--help",
+                "$USER",
+                "/dev/null; touch /tmp/blns.fail ; echo",
+                "`touch /tmp/blns.fail`",
+                "$(touch /tmp/blns.fail)",
+                "@{[system \"touch /tmp/blns.fail\"]}",
+                "() { 0; }; touch /tmp/blns.shellshock1.fail;",
+                "() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }",
+                "<<< %s(un='%s') = %u",
+                "+++ATH0",
+                "%.1024d",
+                "%.2048d",
+                "%.4096d",
+                "%.8200d",
+        };
+
+        for (String invalid : invalidStrings) {
+            assertFalse(obj.isValidString(invalid), "Expected false for invalid string: " + invalid);
+        }
+    }
+}