gitea/vendor/github.com/tstranex/u2f/util.go

// Go FIDO U2F Library
// Copyright 2015 The Go FIDO U2F Library Authors. All rights reserved.
// Use of this source code is governed by the MIT
// license that can be found in the LICENSE file.

/*
Package u2f implements the server-side parts of the
FIDO Universal 2nd Factor (U2F) specification.

Applications will usually persist Challenge and Registration objects in a
database.

To enrol a new token:

    app_id := "http://localhost"
    c, _ := NewChallenge(app_id, []string{app_id})
    req, _ := u2f.NewWebRegisterRequest(c, existingTokens)
    // Send the request to the browser.
    var resp RegisterResponse
    // Read resp from the browser.
    reg, err := Register(resp, c)
    if err != nil {
         // Registration failed.
    }
    // Store reg in the database.

To perform an authentication:

    var regs []Registration
    // Fetch regs from the database.
    c, _ := NewChallenge(app_id, []string{app_id})
    req, _ := c.SignRequest(regs)
    // Send the request to the browser.
    var resp SignResponse
    // Read resp from the browser.
    new_counter, err := reg.Authenticate(resp, c)
    if err != nil {
        // Authentication failed.
    }
    reg.Counter = new_counter
    // Store updated Registration in the database.

The FIDO U2F specification can be found here:
https://fidoalliance.org/specifications/download
*/
package u2f

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

const u2fVersion = "U2F_V2"
const timeout = 5 * time.Minute

func decodeBase64(s string) ([]byte, error) {
	for i := 0; i < len(s)%4; i++ {
		s += "="
	}
	return base64.URLEncoding.DecodeString(s)
}

func encodeBase64(buf []byte) string {
	s := base64.URLEncoding.EncodeToString(buf)
	return strings.TrimRight(s, "=")
}

// Challenge represents a single transaction between the server and
// authenticator. This data will typically be stored in a database.
type Challenge struct {
	Challenge     []byte
	Timestamp     time.Time
	AppID         string
	TrustedFacets []string
}

// NewChallenge generates a challenge for the given application.
func NewChallenge(appID string, trustedFacets []string) (*Challenge, error) {
	challenge := make([]byte, 32)
	n, err := rand.Read(challenge)
	if err != nil {
		return nil, err
	}
	if n != 32 {
		return nil, errors.New("u2f: unable to generate random bytes")
	}

	var c Challenge
	c.Challenge = challenge
	c.Timestamp = time.Now()
	c.AppID = appID
	c.TrustedFacets = trustedFacets
	return &c, nil
}

func verifyClientData(clientData []byte, challenge Challenge) error {
	var cd ClientData
	if err := json.Unmarshal(clientData, &cd); err != nil {
		return err
	}

	foundFacetID := false
	for _, facetID := range challenge.TrustedFacets {
		if facetID == cd.Origin {
			foundFacetID = true
			break
		}
	}
	if !foundFacetID {
		return errors.New("u2f: untrusted facet id")
	}

	c := encodeBase64(challenge.Challenge)
	if len(c) != len(cd.Challenge) ||
		subtle.ConstantTimeCompare([]byte(c), []byte(cd.Challenge)) != 1 {
		return errors.New("u2f: challenge does not match")
	}

	return nil
}
Add support for FIDO U2F (#3971) * Add support for U2F Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add vendor library Add missing translations Signed-off-by: Jonas Franz <info@jonasfranz.software> * Minor improvements Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add U2F support for Firefox, Chrome (Android) by introducing a custom JS library Add U2F error handling Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add U2F login page to OAuth Signed-off-by: Jonas Franz <info@jonasfranz.software> * Move U2F user settings to a separate file Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add unit tests for u2f model Renamed u2f table name Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix problems caused by refactoring Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add U2F documentation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Remove not needed console.log-s Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add default values to app.ini.sample Add FIDO U2F to comparison Signed-off-by: Jonas Franz <info@jonasfranz.software> 7 years ago			`// Go FIDO U2F Library`
			`// Copyright 2015 The Go FIDO U2F Library Authors. All rights reserved.`
			`// Use of this source code is governed by the MIT`
			`// license that can be found in the LICENSE file.`

			`/*`
			`Package u2f implements the server-side parts of the`
			`FIDO Universal 2nd Factor (U2F) specification.`

			`Applications will usually persist Challenge and Registration objects in a`
			`database.`

			`To enrol a new token:`

			`app_id := "http://localhost"`
			`c, _ := NewChallenge(app_id, []string{app_id})`
			`req, _ := u2f.NewWebRegisterRequest(c, existingTokens)`
			`// Send the request to the browser.`
			`var resp RegisterResponse`
			`// Read resp from the browser.`
			`reg, err := Register(resp, c)`
			`if err != nil {`
			`// Registration failed.`
			`}`
			`// Store reg in the database.`

			`To perform an authentication:`

			`var regs []Registration`
			`// Fetch regs from the database.`
			`c, _ := NewChallenge(app_id, []string{app_id})`
			`req, _ := c.SignRequest(regs)`
			`// Send the request to the browser.`
			`var resp SignResponse`
			`// Read resp from the browser.`
			`new_counter, err := reg.Authenticate(resp, c)`
			`if err != nil {`
			`// Authentication failed.`
			`}`
			`reg.Counter = new_counter`
			`// Store updated Registration in the database.`

			`The FIDO U2F specification can be found here:`
			`https://fidoalliance.org/specifications/download`
			`*/`
			`package u2f`

			`import (`
			`"crypto/rand"`
			`"crypto/subtle"`
			`"encoding/base64"`
			`"encoding/json"`
			`"errors"`
			`"strings"`
			`"time"`
			`)`

			`const u2fVersion = "U2F_V2"`
			`const timeout = 5 * time.Minute`

			`func decodeBase64(s string) ([]byte, error) {`
			`for i := 0; i < len(s)%4; i++ {`
			`s += "="`
			`}`
			`return base64.URLEncoding.DecodeString(s)`
			`}`

			`func encodeBase64(buf []byte) string {`
			`s := base64.URLEncoding.EncodeToString(buf)`
			`return strings.TrimRight(s, "=")`
			`}`

			`// Challenge represents a single transaction between the server and`
			`// authenticator. This data will typically be stored in a database.`
			`type Challenge struct {`
			`Challenge []byte`
			`Timestamp time.Time`
			`AppID string`
			`TrustedFacets []string`
			`}`

			`// NewChallenge generates a challenge for the given application.`
			`func NewChallenge(appID string, trustedFacets []string) (*Challenge, error) {`
			`challenge := make([]byte, 32)`
			`n, err := rand.Read(challenge)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if n != 32 {`
			`return nil, errors.New("u2f: unable to generate random bytes")`
			`}`

			`var c Challenge`
			`c.Challenge = challenge`
			`c.Timestamp = time.Now()`
			`c.AppID = appID`
			`c.TrustedFacets = trustedFacets`
			`return &c, nil`
			`}`

			`func verifyClientData(clientData []byte, challenge Challenge) error {`
			`var cd ClientData`
			`if err := json.Unmarshal(clientData, &cd); err != nil {`
			`return err`
			`}`

			`foundFacetID := false`
			`for _, facetID := range challenge.TrustedFacets {`
			`if facetID == cd.Origin {`
			`foundFacetID = true`
			`break`
			`}`
			`}`
			`if !foundFacetID {`
			`return errors.New("u2f: untrusted facet id")`
			`}`

			`c := encodeBase64(challenge.Challenge)`
			`if len(c) != len(cd.Challenge) \|\|`
			`subtle.ConstantTimeCompare([]byte(c), []byte(cd.Challenge)) != 1 {`
			`return errors.New("u2f: challenge does not match")`
			`}`

			`return nil`
			`}`