bitwarden/mobile
1
0
Fork 0
mirror of https://github.com/bitwarden/mobile synced 2025-12-15 07:43:37 +00:00
Code Issues Releases Wiki Activity

[PM-5732] feat: finish authenticator assertion implementation

Browse Source 
note: CryptoFunctionService still needs Sign implemenation
This commit is contained in:
Andreas Coroiu
2024-01-23 10:27:41 +01:00
parent e8f6c37c06
commit b23d58c0b1
7 changed files with 80 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/Core/Abstractions/ICryptoFunctionService.cs
View File

@@ -1,6 +1,7 @@
using System; using System;
using System.Threading.Tasks; using System.Threading.Tasks;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Models.Domain;
namespace Bit.Core.Abstractions namespace Bit.Core.Abstractions
{ {
@@ -20,6 +21,7 @@ namespace Bit.Core.Abstractions
Task<byte[]> HkdfAsync(byte[] ikm, byte[] salt, byte[] info, int outputByteSize, HkdfAlgorithm algorithm); Task<byte[]> HkdfAsync(byte[] ikm, byte[] salt, byte[] info, int outputByteSize, HkdfAlgorithm algorithm);
Task<byte[]> HkdfExpandAsync(byte[] prk, string info, int outputByteSize, HkdfAlgorithm algorithm); Task<byte[]> HkdfExpandAsync(byte[] prk, string info, int outputByteSize, HkdfAlgorithm algorithm);
Task<byte[]> HkdfExpandAsync(byte[] prk, byte[] info, int outputByteSize, HkdfAlgorithm algorithm); Task<byte[]> HkdfExpandAsync(byte[] prk, byte[] info, int outputByteSize, HkdfAlgorithm algorithm);
Task<byte[]> SignAsync(byte[] data, byte[] privateKey, ICryptoSignOptions options);
Task<byte[]> HashAsync(string value, CryptoHashAlgorithm algorithm); Task<byte[]> HashAsync(string value, CryptoHashAlgorithm algorithm);
Task<byte[]> HashAsync(byte[] value, CryptoHashAlgorithm algorithm); Task<byte[]> HashAsync(byte[] value, CryptoHashAlgorithm algorithm);
Task<byte[]> HmacAsync(byte[] value, byte[] key, CryptoHashAlgorithm algorithm); Task<byte[]> HmacAsync(byte[] value, byte[] key, CryptoHashAlgorithm algorithm);

17
src/Core/Models/Domain/CryptoSignEcdsaOptions.cs Normal file
View File

@@ -0,0 +1,17 @@
namespace Bit.Core.Models.Domain
{
public struct CryptoSignEcdsaOptions : ICryptoSignOptions
{
public enum EcdsaAlgorithm : byte {
EcdsaP256Sha256 = 0,
}
public enum DsaSignatureFormat : byte {
IeeeP1363FixedFieldConcatenation = 0,
Rfc3279DerSequence = 1
}
public EcdsaAlgorithm Algorithm { get; set; }
public DsaSignatureFormat SignatureFormat { get; set; }
}
}

6
src/Core/Models/Domain/ICryptoSignOptions.cs Normal file
View File

@@ -0,0 +1,6 @@
namespace Bit.Core.Models.Domain
{
public interface ICryptoSignOptions
{
}
}

5
src/Core/Models/View/Fido2CredentialView.cs
View File

@@ -38,6 +38,11 @@ namespace Bit.Core.Models.View
set => UserHandle = value == null ? null : CoreHelpers.Base64UrlEncode(value); set => UserHandle = value == null ? null : CoreHelpers.Base64UrlEncode(value);
} }
public byte[] KeyBytes {
get => KeyValue == null ? null : CoreHelpers.Base64UrlDecode(KeyValue);
set => KeyValue = value == null ? null : CoreHelpers.Base64UrlEncode(value);
}
public override string SubTitle => UserName; public override string SubTitle => UserName;
public override List<KeyValuePair<string, LinkedIdType>> LinkedFieldOptions => new List<KeyValuePair<string, LinkedIdType>>(); public override List<KeyValuePair<string, LinkedIdType>> LinkedFieldOptions => new List<KeyValuePair<string, LinkedIdType>>();
public bool IsDiscoverable => bool.TryParse(Discoverable, out var isDiscoverable) && isDiscoverable; public bool IsDiscoverable => bool.TryParse(Discoverable, out var isDiscoverable) && isDiscoverable;

32
src/Core/Services/Fido2AuthenticatorService.cs
View File

@@ -1,6 +1,7 @@
using Bit.Core.Abstractions; using Bit.Core.Abstractions;
using Bit.Core.Models.View; using Bit.Core.Models.View;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Models.Domain;
using Bit.Core.Utilities.Fido2; using Bit.Core.Utilities.Fido2;
using System.Buffers.Binary; using System.Buffers.Binary;
@@ -88,15 +89,15 @@ namespace Bit.Core.Services
rpId: selectedFido2Credential.RpId, rpId: selectedFido2Credential.RpId,
userPresence: true, userPresence: true,
userVerification: userVerified, userVerification: userVerified,
counter: selectedFido2Credential.CounterValue); counter: selectedFido2Credential.CounterValue
);
// const signature = await generateSignature({ var signature = await GenerateSignature(
// authData: authenticatorData, authData: authenticatorData,
// clientDataHash: params.hash, clientDataHash: assertionParams.Hash,
// privateKey: await getPrivateKeyFromFido2Credential(selectedFido2Credential), privateKey: selectedFido2Credential.KeyBytes
// }); );
// TODO: IMPLEMENT this
return new Fido2AuthenticatorGetAssertionResult return new Fido2AuthenticatorGetAssertionResult
{ {
SelectedCredential = new Fido2AuthenticatorGetAssertionSelectedCredential SelectedCredential = new Fido2AuthenticatorGetAssertionSelectedCredential
@@ -105,7 +106,7 @@ namespace Bit.Core.Services
UserHandle = selectedFido2Credential.UserHandleValue UserHandle = selectedFido2Credential.UserHandleValue
}, },
AuthenticatorData = authenticatorData, AuthenticatorData = authenticatorData,
Signature = new byte[8] Signature = signature
}; };
} catch { } catch {
_logService.Info( _logService.Info(
@@ -204,6 +205,21 @@ namespace Bit.Core.Services
return flags; return flags;
} }
private async Task<byte[]> GenerateSignature(
byte[] authData,
byte[] clientDataHash,
byte[] privateKey
)
{
var sigBase = authData.Concat(clientDataHash).ToArray();
var signature = await _cryptoFunctionService.SignAsync(sigBase, privateKey, new CryptoSignEcdsaOptions
{
Algorithm = CryptoSignEcdsaOptions.EcdsaAlgorithm.EcdsaP256Sha256,
SignatureFormat = CryptoSignEcdsaOptions.DsaSignatureFormat.Rfc3279DerSequence
});
return signature;
}
private string GuidToStandardFormat(byte[] bytes) private string GuidToStandardFormat(byte[] bytes)
{ {

11
src/Core/Services/PclCryptoFunctionService.cs
View File

@@ -4,6 +4,7 @@ using System.Text;
using System.Threading.Tasks; using System.Threading.Tasks;
using Bit.Core.Abstractions; using Bit.Core.Abstractions;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Models.Domain;
using PCLCrypto; using PCLCrypto;
using static PCLCrypto.WinRTCrypto; using static PCLCrypto.WinRTCrypto;
@@ -121,6 +122,16 @@ namespace Bit.Core.Services
return okm.Take(outputByteSize).ToArray(); return okm.Take(outputByteSize).ToArray();
} }
public Task<byte[]> SignAsync(byte[] data, byte[] privateKey, ICryptoSignOptions options)
{
throw new NotSupportedException();
// Not supported on iOS and Android
// var provider = AsymmetricKeyAlgorithmProvider.OpenAlgorithm(AsymmetricAlgorithm.EcdsaP256Sha256);
// var cryptoKey = provider.ImportKeyPair(privateKey, CryptographicPrivateKeyBlobType.Pkcs8RawPrivateKeyInfo);
// return Task.FromResult(CryptographicEngine.Sign(cryptoKey, data));
}
public Task<byte[]> HashAsync(string value, CryptoHashAlgorithm algorithm) public Task<byte[]> HashAsync(string value, CryptoHashAlgorithm algorithm)
{ {
return HashAsync(Encoding.UTF8.GetBytes(value), algorithm); return HashAsync(Encoding.UTF8.GetBytes(value), algorithm);

21
test/Core.Test/Services/Fido2AuthenticatorTests.cs
View File

@@ -306,6 +306,15 @@ namespace Bit.Core.Test.Services
var rpIdHashMock = RandomBytes(32); var rpIdHashMock = RandomBytes(32);
sutProvider.GetDependency<ICryptoFunctionService>().HashAsync(aParams.RpId, CryptoHashAlgorithm.Sha256).Returns(rpIdHashMock); sutProvider.GetDependency<ICryptoFunctionService>().HashAsync(aParams.RpId, CryptoHashAlgorithm.Sha256).Returns(rpIdHashMock);
cipherView.Login.MainFido2Credential.CounterValue = 9000; cipherView.Login.MainFido2Credential.CounterValue = 9000;
var signatureMock = RandomBytes(32);
sutProvider.GetDependency<ICryptoFunctionService>().SignAsync(
Arg.Any<byte[]>(),
Arg.Any<byte[]>(),
new CryptoSignEcdsaOptions {
Algorithm = CryptoSignEcdsaOptions.EcdsaAlgorithm.EcdsaP256Sha256,
SignatureFormat = CryptoSignEcdsaOptions.DsaSignatureFormat.Rfc3279DerSequence
}
).Returns(signatureMock);
// Act // Act
var result = await sutProvider.Sut.GetAssertionAsync(aParams); var result = await sutProvider.Sut.GetAssertionAsync(aParams);
@@ -316,12 +325,12 @@ namespace Bit.Core.Test.Services
var flags = encAuthData.Skip(32).Take(1); var flags = encAuthData.Skip(32).Take(1);
var counter = encAuthData.Skip(33).Take(4); var counter = encAuthData.Skip(33).Take(4);
Assert.Equal(result.SelectedCredential.Id, Guid.Parse(cipherView.Login.MainFido2Credential.CredentialId).ToByteArray()); Assert.Equal(Guid.Parse(cipherView.Login.MainFido2Credential.CredentialId).ToByteArray(), result.SelectedCredential.Id);
Assert.Equal(result.SelectedCredential.UserHandle, CoreHelpers.Base64UrlDecode(cipherView.Login.MainFido2Credential.UserHandle)); Assert.Equal(CoreHelpers.Base64UrlDecode(cipherView.Login.MainFido2Credential.UserHandle), result.SelectedCredential.UserHandle);
Assert.Equal(rpIdHash, rpIdHashMock); Assert.Equal(rpIdHashMock, rpIdHash);
Assert.Equal(flags, new byte[] { 0b00000101 }); // UP = true, UV = true Assert.Equal(new byte[] { 0b00000101 }, flags); // UP = true, UV = true
Assert.Equal(counter, new byte[] { 0, 0, 0x23, 0x29 }); // 9001 in binary big-endian format Assert.Equal(new byte[] { 0, 0, 0x23, 0x29 }, counter); // 9001 in binary big-endian format
// TODO: Assert signature... Assert.Equal(signatureMock, result.Signature);
} }
[Theory] [Theory]