mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12628 Commits
17 Branches
Tree: 35c3553870
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '35c3553870'
${ noResults }
gitea/vendor/github.com/duo-labs/webauthn/webauthn/registration.go

registration.go 5.6KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170 
  1. package webauthn

  2. 

  3. import (

  4. 	"bytes"

  5. 	"encoding/base64"

  6. 	"net/http"

  7. 

  8. 	"github.com/duo-labs/webauthn/protocol"

  9. 	"github.com/duo-labs/webauthn/protocol/webauthncose"

  10. )

  11. 

  12. // BEGIN REGISTRATION

  13. // These objects help us creat the CredentialCreationOptions

  14. // that will be passed to the authenticator via the user client

  15. 

  16. type RegistrationOption func(*protocol.PublicKeyCredentialCreationOptions)

  17. 

  18. // Generate a new set of registration data to be sent to the client and authenticator.

  19. func (webauthn *WebAuthn) BeginRegistration(user User, opts ...RegistrationOption) (*protocol.CredentialCreation, *SessionData, error) {

  20. 	challenge, err := protocol.CreateChallenge()

  21. 	if err != nil {

  22. 		return nil, nil, err

  23. 	}

  24. 

  25. 	webAuthnUser := protocol.UserEntity{

  26. 		ID:          user.WebAuthnID(),

  27. 		DisplayName: user.WebAuthnDisplayName(),

  28. 		CredentialEntity: protocol.CredentialEntity{

  29. 			Name: user.WebAuthnName(),

  30. 			Icon: user.WebAuthnIcon(),

  31. 		},

  32. 	}

  33. 

  34. 	relyingParty := protocol.RelyingPartyEntity{

  35. 		ID: webauthn.Config.RPID,

  36. 		CredentialEntity: protocol.CredentialEntity{

  37. 			Name: webauthn.Config.RPDisplayName,

  38. 			Icon: webauthn.Config.RPIcon,

  39. 		},

  40. 	}

  41. 

  42. 	credentialParams := defaultRegistrationCredentialParameters()

  43. 

  44. 	creationOptions := protocol.PublicKeyCredentialCreationOptions{

  45. 		Challenge:              challenge,

  46. 		RelyingParty:           relyingParty,

  47. 		User:                   webAuthnUser,

  48. 		Parameters:             credentialParams,

  49. 		AuthenticatorSelection: webauthn.Config.AuthenticatorSelection,

  50. 		Timeout:                webauthn.Config.Timeout,

  51. 		Attestation:            webauthn.Config.AttestationPreference,

  52. 	}

  53. 

  54. 	for _, setter := range opts {

  55. 		setter(&creationOptions)

  56. 	}

  57. 

  58. 	response := protocol.CredentialCreation{Response: creationOptions}

  59. 	newSessionData := SessionData{

  60. 		Challenge:        base64.RawURLEncoding.EncodeToString(challenge),

  61. 		UserID:           user.WebAuthnID(),

  62. 		UserVerification: creationOptions.AuthenticatorSelection.UserVerification,

  63. 	}

  64. 

  65. 	if err != nil {

  66. 		return nil, nil, protocol.ErrParsingData.WithDetails("Error packing session data")

  67. 	}

  68. 

  69. 	return &response, &newSessionData, nil

  70. }

  71. 

  72. // Provide non-default parameters regarding the authenticator to select.

  73. func WithAuthenticatorSelection(authenticatorSelection protocol.AuthenticatorSelection) RegistrationOption {

  74. 	return func(cco *protocol.PublicKeyCredentialCreationOptions) {

  75. 		cco.AuthenticatorSelection = authenticatorSelection

  76. 	}

  77. }

  78. 

  79. // Provide non-default parameters regarding credentials to exclude from retrieval.

  80. func WithExclusions(excludeList []protocol.CredentialDescriptor) RegistrationOption {

  81. 	return func(cco *protocol.PublicKeyCredentialCreationOptions) {

  82. 		cco.CredentialExcludeList = excludeList

  83. 	}

  84. }

  85. 

  86. // Provide non-default parameters regarding whether the authenticator should attest to the credential.

  87. func WithConveyancePreference(preference protocol.ConveyancePreference) RegistrationOption {

  88. 	return func(cco *protocol.PublicKeyCredentialCreationOptions) {

  89. 		cco.Attestation = preference

  90. 	}

  91. }

  92. 

  93. // Provide extension parameter to registration options

  94. func WithExtensions(extension protocol.AuthenticationExtensions) RegistrationOption {

  95. 	return func(cco *protocol.PublicKeyCredentialCreationOptions) {

  96. 		cco.Extensions = extension

  97. 	}

  98. }

  99. 

  100. // Take the response from the authenticator and client and verify the credential against the user's credentials and

  101. // session data.

  102. func (webauthn *WebAuthn) FinishRegistration(user User, session SessionData, response *http.Request) (*Credential, error) {

  103. 	parsedResponse, err := protocol.ParseCredentialCreationResponse(response)

  104. 	if err != nil {

  105. 		return nil, err

  106. 	}

  107. 

  108. 	return webauthn.CreateCredential(user, session, parsedResponse)

  109. }

  110. 

  111. // CreateCredential verifies a parsed response against the user's credentials and session data.

  112. func (webauthn *WebAuthn) CreateCredential(user User, session SessionData, parsedResponse *protocol.ParsedCredentialCreationData) (*Credential, error) {

  113. 	if !bytes.Equal(user.WebAuthnID(), session.UserID) {

  114. 		return nil, protocol.ErrBadRequest.WithDetails("ID mismatch for User and Session")

  115. 	}

  116. 

  117. 	shouldVerifyUser := session.UserVerification == protocol.VerificationRequired

  118. 

  119. 	invalidErr := parsedResponse.Verify(session.Challenge, shouldVerifyUser, webauthn.Config.RPID, webauthn.Config.RPOrigin)

  120. 	if invalidErr != nil {

  121. 		return nil, invalidErr

  122. 	}

  123. 

  124. 	return MakeNewCredential(parsedResponse)

  125. }

  126. 

  127. func defaultRegistrationCredentialParameters() []protocol.CredentialParameter {

  128. 	return []protocol.CredentialParameter{

  129. 		protocol.CredentialParameter{

  130. 			Type:      protocol.PublicKeyCredentialType,

  131. 			Algorithm: webauthncose.AlgES256,

  132. 		},

  133. 		protocol.CredentialParameter{

  134. 			Type:      protocol.PublicKeyCredentialType,

  135. 			Algorithm: webauthncose.AlgES384,

  136. 		},

  137. 		protocol.CredentialParameter{

  138. 			Type:      protocol.PublicKeyCredentialType,

  139. 			Algorithm: webauthncose.AlgES512,

  140. 		},

  141. 		protocol.CredentialParameter{

  142. 			Type:      protocol.PublicKeyCredentialType,

  143. 			Algorithm: webauthncose.AlgRS256,

  144. 		},

  145. 		protocol.CredentialParameter{

  146. 			Type:      protocol.PublicKeyCredentialType,

  147. 			Algorithm: webauthncose.AlgRS384,

  148. 		},

  149. 		protocol.CredentialParameter{

  150. 			Type:      protocol.PublicKeyCredentialType,

  151. 			Algorithm: webauthncose.AlgRS512,

  152. 		},

  153. 		protocol.CredentialParameter{

  154. 			Type:      protocol.PublicKeyCredentialType,

  155. 			Algorithm: webauthncose.AlgPS256,

  156. 		},

  157. 		protocol.CredentialParameter{

  158. 			Type:      protocol.PublicKeyCredentialType,

  159. 			Algorithm: webauthncose.AlgPS384,

  160. 		},

  161. 		protocol.CredentialParameter{

  162. 			Type:      protocol.PublicKeyCredentialType,

  163. 			Algorithm: webauthncose.AlgPS512,

  164. 		},

  165. 		protocol.CredentialParameter{

  166. 			Type:      protocol.PublicKeyCredentialType,

  167. 			Algorithm: webauthncose.AlgEdDSA,

  168. 		},

  169. 	}

  170. }