コード例 #1
    def test_u2f_facets(self):
        """U2F facet handling: a whitelisted origin completes the assertion,
        an origin outside the whitelist is rejected with ValueError."""
        relying_party = PublicKeyCredentialRpEntity("Example", "example.com")
        app_id = b"https://www.example.com/facets.json"
        allowed_origins = ("https://oauth.example.com",
                           "https://admin.example.com")

        def verify_u2f_origin(origin):
            # Stand-in for a facet-list lookup: only these two origins pass.
            return origin in allowed_origins

        server = U2FFido2Server(
            app_id=app_id.decode("ascii"),
            rp=relying_party,
            verify_u2f_origin=verify_u2f_origin,
        )

        challenge = "GAZPACHO!"
        state = {
            "challenge": challenge,
            "user_verification": UserVerificationRequirement.PREFERRED,
        }

        seed = b"TOMATO GIVES "
        device = U2FDevice(seed, app_id)
        credential = AttestedCredentialData.from_ctap1(
            seed, device.public_key_bytes)

        def signed_assertion(origin):
            # Build client data for `origin` and have the device sign it.
            client_data = CollectedClientData.create(
                CollectedClientData.TYPE.GET, challenge, origin)
            authenticator_data, signature = device.sign(client_data)
            return client_data, authenticator_data, signature

        def complete(assertion):
            client_data, authenticator_data, signature = assertion
            server.authenticate_complete(
                state,
                [credential],
                device.credential_id,
                client_data,
                authenticator_data,
                signature,
            )

        # Whitelisted facet: the assertion completes without error.
        complete(signed_assertion("https://oauth.example.com"))

        # Origin outside the whitelist: the signature is produced normally,
        # but the server refuses the origin.
        rejected = signed_assertion("https://publicthingy.example.com")
        with self.assertRaisesRegex(ValueError,
                                    "Invalid origin in CollectedClientData."):
            complete(rejected)
コード例 #2
    def test_u2f(self):
        """A U2F-style (CTAP1) credential completes an assertion against
        U2FFido2Server when the client origin matches the app id."""
        relying_party = PublicKeyCredentialRpEntity("Example", "example.com")
        app_id = b"https://example.com"
        server = U2FFido2Server(app_id=app_id.decode("ascii"), rp=relying_party)

        challenge = "GAZPACHO!"
        state = {
            "challenge": challenge,
            "user_verification": UserVerificationRequirement.PREFERRED,
        }
        client_data = CollectedClientData.create(
            CollectedClientData.TYPE.GET, challenge, "https://example.com")

        # Deterministic seed for the fake device's key material.
        seed = b"TOMATO GIVES "
        device = U2FDevice(seed, app_id)
        credential = AttestedCredentialData.from_ctap1(
            seed, device.public_key_bytes)
        authenticator_data, signature = device.sign(client_data)

        # Should return normally; any ValueError here fails the test.
        server.authenticate_complete(
            state,
            [credential],
            device.credential_id,
            client_data,
            authenticator_data,
            signature,
        )
コード例 #3
    def test_authenticate_complete_invalid_signature(self):
        """A bogus signature over otherwise well-formed assertion data must
        be rejected with ValueError("Invalid signature.")."""
        server = Fido2Server(PublicKeyCredentialRpEntity("Example", "example.com"))

        challenge = "GAZPACHO!"
        state = {
            "challenge": challenge,
            "user_verification": UserVerificationRequirement.PREFERRED,
        }
        client_data = CollectedClientData.create(
            CollectedClientData.TYPE.GET, challenge, "https://example.com")

        # 37-byte authenticator-data fixture; presumably rpIdHash || flags ||
        # signCount — confirm against the AuthenticatorData parser.
        raw_auth_data = bytes.fromhex(
            "A379A6F6EEAFB9A55E378C118034E2751E682FAB9F2D30AB13D2125586CE1947010000001D"
        )
        bogus_signature = b"INVALID"

        with self.assertRaisesRegex(ValueError, "Invalid signature."):
            server.authenticate_complete(
                state,
                [AttestedCredentialData(_ATT_CRED_DATA)],
                _CRED_ID,
                client_data,
                AuthenticatorData(raw_auth_data),
                bogus_signature,
            )
コード例 #4
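def register_complete():
    """Finish a WebAuthn registration ceremony for the current session.

    The request body is a CBOR map carrying the browser's ``clientDataJSON``
    and ``attestationObject``.  Both are handed to ``server.register_complete``
    together with the registration state the begin step stored in the
    session; on success the new credential is appended to the in-memory
    ``credentials`` list.

    Returns:
        CBOR-encoded ``{"status": "OK"}``.

    Raises:
        KeyError: a required request field or the session state is missing.
        Whatever ``server.register_complete`` raises when verification fails
        propagates unchanged.
    """
    data = cbor.decode(request.get_data())
    client_data = CollectedClientData(data["clientDataJSON"])
    att_obj = AttestationObject(data["attestationObject"])
    print("clientData", client_data)
    print("AttestationObject:", att_obj)

    # Pop (not read) the state so the challenge is single-use: a repeated
    # POST of the same attestation cannot complete registration a second
    # time.  This mirrors the authenticate_complete handler.
    state = session.pop("state")
    auth_data = server.register_complete(state, client_data, att_obj)

    credentials.append(auth_data.credential_data)
    print("REGISTERED CREDENTIAL:", auth_data.credential_data)
    return cbor.encode({"status": "OK"})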
コード例 #5
    def test_collected_client_data(self):
        """Parse a raw clientDataJSON blob and check every derived field,
        then confirm that create() builds an equal object."""
        raw_json = b'{"type":"webauthn.create","challenge":"cdySOP-1JI4J_BpOeO9ut25rlZJueF16aO6auTTYAis","origin":"https://demo.yubico.com","crossOrigin":false}'  # noqa
        parsed = CollectedClientData(raw_json)

        expected_challenge = bytes.fromhex(
            "71dc9238ffb5248e09fc1a4e78ef6eb76e6b95926e785d7a68ee9ab934d8022b")
        expected_hash = bytes.fromhex(
            "8b20a0b904b4747aacae71d55bf60b4eb2583f7e639f55f40baac23c2600c178")
        expected_b64 = "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiY2R5U09QLTFKSTRKX0JwT2VPOXV0MjVybFpKdWVGMTZhTzZhdVRUWUFpcyIsIm9yaWdpbiI6Imh0dHBzOi8vZGVtby55dWJpY28uY29tIiwiY3Jvc3NPcmlnaW4iOmZhbHNlfQ"  # noqa

        # Scalar fields straight from the JSON.
        assert parsed.type == "webauthn.create"
        assert parsed.origin == "https://demo.yubico.com"
        assert parsed.cross_origin is False

        # Derived fields: decoded challenge, base64url form and hash.
        assert parsed.challenge == expected_challenge
        assert parsed.b64 == expected_b64
        assert parsed.hash == expected_hash

        # The factory must round-trip to an equal object.
        rebuilt = CollectedClientData.create(
            "webauthn.create",
            "cdySOP-1JI4J_BpOeO9ut25rlZJueF16aO6auTTYAis",
            "https://demo.yubico.com",
        )
        assert parsed == rebuilt
コード例 #6
def authenticate_complete():
    """Finish a WebAuthn assertion ceremony for the current session.

    Reads the CBOR request body (credentialId, clientDataJSON,
    authenticatorData, signature) and verifies it with
    ``server.authenticate_complete`` against the registered ``credentials``
    and the state stored by the begin step.  Responds 404 when nothing has
    been registered yet.  Verification failures propagate from the server.
    """
    if not credentials:
        abort(404)

    body = cbor.decode(request.get_data())
    credential_id = body["credentialId"]
    client_data = CollectedClientData(body["clientDataJSON"])
    auth_data = AuthenticatorData(body["authenticatorData"])
    signature = body["signature"]
    print("clientData", client_data)
    print("AuthenticatorData", auth_data)

    # The state is popped, not read, so each challenge can be consumed once.
    ceremony_state = session.pop("state")
    server.authenticate_complete(
        ceremony_state,
        credentials,
        credential_id,
        client_data,
        auth_data,
        signature,
    )
    print("ASSERTION OK")
    return cbor.encode({"status": "OK"})