Implement Webauthn 🎉 (#5088)

* Implement Webauthn :tada: * Share hexifyAB * Move hr inside template and add AttestationChallenges janitor daemon * Apply suggestions from code review Co-Authored-By: Acid Chicken (硫酸鶏) <root@acid-chicken.com> * Add newline at the end of file * Fix stray newline in promise chain * Ignore var in try{}catch(){} block Co-Authored-By: Acid Chicken (硫酸鶏) <root@acid-chicken.com> * Add missing comma * Add missing semicolon * Support more attestation formats * add support for more key types and linter pass * Refactor * Refactor * credentialId --> id * Fix * Improve readability * Add indexes * fixes for credentialId->id * Avoid changing store state * Fix syntax error and code style * Remove unused import * Refactor of getkey API * Create 1561706992953-webauthn.ts * Update ja-JP.yml * Add type annotations * Fix code style * Specify depedency version * Fix code style * Fix janitor daemon and login requesting 2FA regardless of status
author: Mary <Ipadlover8322@gmail.com> 2019-07-03 07:18:07 -0400
committer: syuilo <Syuilotan@yahoo.co.jp> 2019-07-03 20:18:07 +0900
commit: fd94b817abd8fa628586746eed3a1f61b4a2b3d8 (patch)
tree: 53eccf1b923f9b29f73ec6651b361b1682af3247 /src/server/api/2fa.ts
parent: Resolve #5072 (diff)
download: sharkey-fd94b817abd8fa628586746eed3a1f61b4a2b3d8.tar.gz
sharkey-fd94b817abd8fa628586746eed3a1f61b4a2b3d8.tar.bz2
sharkey-fd94b817abd8fa628586746eed3a1f61b4a2b3d8.zip
1 files changed, 422 insertions, 0 deletions
diff --git a/src/server/api/2fa.ts b/src/server/api/2fa.ts
new file mode 100644
index 0000000000..bc5f6e6d7d
--- /dev/null
+++ b/src/server/api/2fa.ts
@@ -0,0 +1,422 @@
+import * as crypto from 'crypto';
+import config from '../../config';
+import * as jsrsasign from 'jsrsasign';
+
+const ECC_PRELUDE = Buffer.from([0x04]);
+const NULL_BYTE = Buffer.from([0]);
+const PEM_PRELUDE = Buffer.from(
+	'3059301306072a8648ce3d020106082a8648ce3d030107034200',
+	'hex'
+);
+
+// Android Safetynet attestations are signed with this cert:
+const GSR2 = `-----BEGIN CERTIFICATE-----
+MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
+A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
+Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
+MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
+A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
+v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
+eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
+tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd
+C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa
+zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB
+mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH
+V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n
+bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG
+3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs
+J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO
+291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS
+ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd
+AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7
+TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==
+-----END CERTIFICATE-----\n`;
+
+function base64URLDecode(source: string) {
+	return Buffer.from(source.replace(/\-/g, '+').replace(/_/g, '/'), 'base64');
+}
+
+function getCertSubject(certificate: string) {
+	const subjectCert = new jsrsasign.X509();
+	subjectCert.readCertPEM(certificate);
+
+	const subjectString = subjectCert.getSubjectString();
+	const subjectFields = subjectString.slice(1).split('/');
+
+	const fields = {} as Record<string, string>;
+	for (const field of subjectFields) {
+		const eqIndex = field.indexOf('=');
+		fields[field.substring(0, eqIndex)] = field.substring(eqIndex + 1);
+	}
+
+	return fields;
+}
+
+function verifyCertificateChain(certificates: string[]) {
+	let valid = true;
+
+	for (let i = 0; i < certificates.length; i++) {
+		const Cert = certificates[i];
+		const certificate = new jsrsasign.X509();
+		certificate.readCertPEM(Cert);
+
+		const CACert = i + 1 >= certificates.length ? Cert : certificates[i + 1];
+
+		const certStruct = jsrsasign.ASN1HEX.getTLVbyList(certificate.hex, 0, [0]);
+		const algorithm = certificate.getSignatureAlgorithmField();
+		const signatureHex = certificate.getSignatureValueHex();
+
+		// Verify against CA
+		const Signature = new jsrsasign.crypto.Signature({alg: algorithm});
+		Signature.init(CACert);
+		Signature.updateHex(certStruct);
+		valid = valid && Signature.verify(signatureHex); // true if CA signed the certificate
+	}
+
+	return valid;
+}
+
+function PEMString(pemBuffer: Buffer, type = 'CERTIFICATE') {
+	if (pemBuffer.length == 65 && pemBuffer[0] == 0x04) {
+		pemBuffer = Buffer.concat([PEM_PRELUDE, pemBuffer], 91);
+		type = 'PUBLIC KEY';
+	}
+	const cert = pemBuffer.toString('base64');
+
+	const keyParts = [];
+	const max = Math.ceil(cert.length / 64);
+	let start = 0;
+	for (let i = 0; i < max; i++) {
+		keyParts.push(cert.substring(start, start + 64));
+		start += 64;
+	}
+
+	return (
+		`-----BEGIN ${type}-----\n` +
+		keyParts.join('\n') +
+		`\n-----END ${type}-----\n`
+	);
+}
+
+export function hash(data: Buffer) {
+	return crypto
+		.createHash('sha256')
+		.update(data)
+		.digest();
+}
+
+export function verifyLogin({
+	publicKey,
+	authenticatorData,
+	clientDataJSON,
+	clientData,
+	signature,
+	challenge
+}: {
+	publicKey: Buffer,
+	authenticatorData: Buffer,
+	clientDataJSON: Buffer,
+	clientData: any,
+	signature: Buffer,
+	challenge: string
+}) {
+	if (clientData.type != 'webauthn.get') {
+		throw new Error('type is not webauthn.get');
+	}
+
+	if (hash(clientData.challenge).toString('hex') != challenge) {
+		throw new Error('challenge mismatch');
+	}
+	if (clientData.origin != config.scheme + '://' + config.host) {
+		throw new Error('origin mismatch');
+	}
+
+	const verificationData = Buffer.concat(
+		[authenticatorData, hash(clientDataJSON)],
+		32 + authenticatorData.length
+	);
+
+	return crypto
+		.createVerify('SHA256')
+		.update(verificationData)
+		.verify(PEMString(publicKey), signature);
+}
+
+export const procedures = {
+	none: {
+		verify({publicKey}: {publicKey: Map<number, Buffer>}) {
+			const negTwo = publicKey.get(-2);
+
+			if (!negTwo || negTwo.length != 32) {
+				throw new Error('invalid or no -2 key given');
+			}
+			const negThree = publicKey.get(-3);
+			if (!negThree || negThree.length != 32) {
+				throw new Error('invalid or no -3 key given');
+			}
+
+			const publicKeyU2F = Buffer.concat(
+				[ECC_PRELUDE, negTwo, negThree],
+				1 + 32 + 32
+			);
+
+			return {
+				publicKey: publicKeyU2F,
+				valid: true
+			};
+		}
+	},
+	'android-key': {
+		verify({
+			attStmt,
+			authenticatorData,
+			clientDataHash,
+			publicKey,
+			rpIdHash,
+			credentialId
+		}: {
+			attStmt: any,
+			authenticatorData: Buffer,
+			clientDataHash: Buffer,
+			publicKey: Map<number, any>;
+			rpIdHash: Buffer,
+			credentialId: Buffer,
+		}) {
+			if (attStmt.alg != -7) {
+				throw new Error('alg mismatch');
+			}
+
+			const verificationData = Buffer.concat([
+				authenticatorData,
+				clientDataHash
+			]);
+
+			const attCert: Buffer = attStmt.x5c[0];
+
+			const negTwo = publicKey.get(-2);
+
+			if (!negTwo || negTwo.length != 32) {
+				throw new Error('invalid or no -2 key given');
+			}
+			const negThree = publicKey.get(-3);
+			if (!negThree || negThree.length != 32) {
+				throw new Error('invalid or no -3 key given');
+			}
+
+			const publicKeyData = Buffer.concat(
+				[ECC_PRELUDE, negTwo, negThree],
+				1 + 32 + 32
+			);
+
+			if (!attCert.equals(publicKeyData)) {
+				throw new Error('public key mismatch');
+			}
+
+			const isValid = crypto
+				.createVerify('SHA256')
+				.update(verificationData)
+				.verify(PEMString(attCert), attStmt.sig);
+
+			// TODO: Check 'attestationChallenge' field in extension of cert matches hash(clientDataJSON)
+
+			return {
+				valid: isValid,
+				publicKey: publicKeyData
+			};
+		}
+	},
+	// what a stupid attestation
+	'android-safetynet': {
+		verify({
+			attStmt,
+			authenticatorData,
+			clientDataHash,
+			publicKey,
+			rpIdHash,
+			credentialId
+		}: {
+			attStmt: any,
+			authenticatorData: Buffer,
+			clientDataHash: Buffer,
+			publicKey: Map<number, any>;
+			rpIdHash: Buffer,
+			credentialId: Buffer,
+		}) {
+			const verificationData = hash(
+				Buffer.concat([authenticatorData, clientDataHash])
+			);
+
+			const jwsParts = attStmt.response.toString('utf-8').split('.');
+
+			const header = JSON.parse(base64URLDecode(jwsParts[0]).toString('utf-8'));
+			const response = JSON.parse(
+				base64URLDecode(jwsParts[1]).toString('utf-8')
+			);
+			const signature = jwsParts[2];
+
+			if (!verificationData.equals(Buffer.from(response.nonce, 'base64'))) {
+				throw new Error('invalid nonce');
+			}
+
+			const certificateChain = header.x5c
+				.map(key => PEMString(key))
+				.concat([GSR2]);
+
+			if (getCertSubject(certificateChain[0]).CN != 'attest.android.com') {
+				throw new Error('invalid common name');
+			}
+
+			if (!verifyCertificateChain(certificateChain)) {
+				throw new Error('Invalid certificate chain!');
+			}
+
+			const signatureBase = Buffer.from(
+				jwsParts[0] + '.' + jwsParts[1],
+				'utf-8'
+			);
+
+			const valid = crypto
+				.createVerify('sha256')
+				.update(signatureBase)
+				.verify(certificateChain[0], base64URLDecode(signature));
+
+			const negTwo = publicKey.get(-2);
+
+			if (!negTwo || negTwo.length != 32) {
+				throw new Error('invalid or no -2 key given');
+			}
+			const negThree = publicKey.get(-3);
+			if (!negThree || negThree.length != 32) {
+				throw new Error('invalid or no -3 key given');
+			}
+
+			const publicKeyData = Buffer.concat(
+				[ECC_PRELUDE, negTwo, negThree],
+				1 + 32 + 32
+			);
+			return {
+				valid,
+				publicKey: publicKeyData
+			};
+		}
+	},
+	packed: {
+		verify({
+			attStmt,
+			authenticatorData,
+			clientDataHash,
+			publicKey,
+			rpIdHash,
+			credentialId
+		}: {
+			attStmt: any,
+			authenticatorData: Buffer,
+			clientDataHash: Buffer,
+			publicKey: Map<number, any>;
+			rpIdHash: Buffer,
+			credentialId: Buffer,
+		}) {
+			const verificationData = Buffer.concat([
+				authenticatorData,
+				clientDataHash
+			]);
+
+			if (attStmt.x5c) {
+				const attCert = attStmt.x5c[0];
+
+				const validSignature = crypto
+					.createVerify('SHA256')
+					.update(verificationData)
+					.verify(PEMString(attCert), attStmt.sig);
+
+				const negTwo = publicKey.get(-2);
+
+				if (!negTwo || negTwo.length != 32) {
+					throw new Error('invalid or no -2 key given');
+				}
+				const negThree = publicKey.get(-3);
+				if (!negThree || negThree.length != 32) {
+					throw new Error('invalid or no -3 key given');
+				}
+
+				const publicKeyData = Buffer.concat(
+					[ECC_PRELUDE, negTwo, negThree],
+					1 + 32 + 32
+				);
+
+				return {
+					valid: validSignature,
+					publicKey: publicKeyData
+				};
+			} else if (attStmt.ecdaaKeyId) {
+				// https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-ecdaa-algorithm-v2.0-id-20180227.html#ecdaa-verify-operation
+				throw new Error('ECDAA-Verify is not supported');
+			} else {
+				if (attStmt.alg != -7) throw new Error('alg mismatch');
+
+				throw new Error('self attestation is not supported');
+			}
+		}
+	},
+
+	'fido-u2f': {
+		verify({
+			attStmt,
+			authenticatorData,
+			clientDataHash,
+			publicKey,
+			rpIdHash,
+			credentialId
+		}: {
+			attStmt: any,
+			authenticatorData: Buffer,
+			clientDataHash: Buffer,
+			publicKey: Map<number, any>,
+			rpIdHash: Buffer,
+			credentialId: Buffer
+		}) {
+			const x5c: Buffer[] = attStmt.x5c;
+			if (x5c.length != 1) {
+				throw new Error('x5c length does not match expectation');
+			}
+
+			const attCert = x5c[0];
+
+			// TODO: make sure attCert is an Elliptic Curve (EC) public key over the P-256 curve
+
+			const negTwo: Buffer = publicKey.get(-2);
+
+			if (!negTwo || negTwo.length != 32) {
+				throw new Error('invalid or no -2 key given');
+			}
+			const negThree: Buffer = publicKey.get(-3);
+			if (!negThree || negThree.length != 32) {
+				throw new Error('invalid or no -3 key given');
+			}
+
+			const publicKeyU2F = Buffer.concat(
+				[ECC_PRELUDE, negTwo, negThree],
+				1 + 32 + 32
+			);
+
+			const verificationData = Buffer.concat([
+				NULL_BYTE,
+				rpIdHash,
+				clientDataHash,
+				credentialId,
+				publicKeyU2F
+			]);
+
+			const validSignature = crypto
+				.createVerify('SHA256')
+				.update(verificationData)
+				.verify(PEMString(attCert), attStmt.sig);
+
+			return {
+				valid: validSignature,
+				publicKey: publicKeyU2F
+			};
+		}
+	}
+};
author	Mary <Ipadlover8322@gmail.com>	2019-07-03 07:18:07 -0400
committer	syuilo <Syuilotan@yahoo.co.jp>	2019-07-03 20:18:07 +0900
commit	fd94b817abd8fa628586746eed3a1f61b4a2b3d8 (patch)
tree	53eccf1b923f9b29f73ec6651b361b1682af3247 /src/server/api/2fa.ts
parent	Resolve #5072 (diff)
download	sharkey-fd94b817abd8fa628586746eed3a1f61b4a2b3d8.tar.gz sharkey-fd94b817abd8fa628586746eed3a1f61b4a2b3d8.tar.bz2 sharkey-fd94b817abd8fa628586746eed3a1f61b4a2b3d8.zip