Платформа ЦРНП "Мирокод" для разработки проектов
https://git.mirocod.ru
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
125 lines
3.0 KiB
125 lines
3.0 KiB
// Go FIDO U2F Library |
|
// Copyright 2015 The Go FIDO U2F Library Authors. All rights reserved. |
|
// Use of this source code is governed by the MIT |
|
// license that can be found in the LICENSE file. |
|
|
|
/* |
|
Package u2f implements the server-side parts of the |
|
FIDO Universal 2nd Factor (U2F) specification. |
|
|
|
Applications will usually persist Challenge and Registration objects in a |
|
database. |
|
|
|
To enrol a new token: |
|
|
|
app_id := "http://localhost" |
|
c, _ := NewChallenge(app_id, []string{app_id}) |
|
req, _ := u2f.NewWebRegisterRequest(c, existingTokens) |
|
// Send the request to the browser. |
|
var resp RegisterResponse |
|
// Read resp from the browser. |
|
reg, err := Register(resp, c) |
|
if err != nil { |
|
// Registration failed. |
|
} |
|
// Store reg in the database. |
|
|
|
To perform an authentication: |
|
|
|
var regs []Registration |
|
// Fetch regs from the database. |
|
c, _ := NewChallenge(app_id, []string{app_id}) |
|
req, _ := c.SignRequest(regs) |
|
// Send the request to the browser. |
|
var resp SignResponse |
|
// Read resp from the browser. |
|
new_counter, err := reg.Authenticate(resp, c) |
|
if err != nil { |
|
// Authentication failed. |
|
} |
|
reg.Counter = new_counter |
|
// Store updated Registration in the database. |
|
|
|
The FIDO U2F specification can be found here: |
|
https://fidoalliance.org/specifications/download |
|
*/ |
|
package u2f |
|
|
|
import ( |
|
"crypto/rand" |
|
"crypto/subtle" |
|
"encoding/base64" |
|
"encoding/json" |
|
"errors" |
|
"strings" |
|
"time" |
|
) |
|
|
|
const u2fVersion = "U2F_V2" |
|
const timeout = 5 * time.Minute |
|
|
|
func decodeBase64(s string) ([]byte, error) { |
|
for i := 0; i < len(s)%4; i++ { |
|
s += "=" |
|
} |
|
return base64.URLEncoding.DecodeString(s) |
|
} |
|
|
|
func encodeBase64(buf []byte) string { |
|
s := base64.URLEncoding.EncodeToString(buf) |
|
return strings.TrimRight(s, "=") |
|
} |
|
|
|
// Challenge represents a single transaction between the server and |
|
// authenticator. This data will typically be stored in a database. |
|
type Challenge struct { |
|
Challenge []byte |
|
Timestamp time.Time |
|
AppID string |
|
TrustedFacets []string |
|
} |
|
|
|
// NewChallenge generates a challenge for the given application. |
|
func NewChallenge(appID string, trustedFacets []string) (*Challenge, error) { |
|
challenge := make([]byte, 32) |
|
n, err := rand.Read(challenge) |
|
if err != nil { |
|
return nil, err |
|
} |
|
if n != 32 { |
|
return nil, errors.New("u2f: unable to generate random bytes") |
|
} |
|
|
|
var c Challenge |
|
c.Challenge = challenge |
|
c.Timestamp = time.Now() |
|
c.AppID = appID |
|
c.TrustedFacets = trustedFacets |
|
return &c, nil |
|
} |
|
|
|
func verifyClientData(clientData []byte, challenge Challenge) error { |
|
var cd ClientData |
|
if err := json.Unmarshal(clientData, &cd); err != nil { |
|
return err |
|
} |
|
|
|
foundFacetID := false |
|
for _, facetID := range challenge.TrustedFacets { |
|
if facetID == cd.Origin { |
|
foundFacetID = true |
|
break |
|
} |
|
} |
|
if !foundFacetID { |
|
return errors.New("u2f: untrusted facet id") |
|
} |
|
|
|
c := encodeBase64(challenge.Challenge) |
|
if len(c) != len(cd.Challenge) || |
|
subtle.ConstantTimeCompare([]byte(c), []byte(cd.Challenge)) != 1 { |
|
return errors.New("u2f: challenge does not match") |
|
} |
|
|
|
return nil |
|
}
|
|
|