You've already forked python-fido2
mirror of
https://github.com/solokeys/python-fido2.git
synced 2026-03-11 17:13:23 -07:00
231 lines
6.9 KiB
Python
231 lines
6.9 KiB
Python
# Copyright (c) 2018 Yubico AB
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or
|
|
# without modification, are permitted provided that the following
|
|
# conditions are met:
|
|
#
|
|
# 1. Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
# 2. Redistributions in binary form must reproduce the above
|
|
# copyright notice, this list of conditions and the following
|
|
# disclaimer in the documentation and/or other materials provided
|
|
# with the distribution.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
|
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
|
|
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
# POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
"""
|
|
Example demo server to use a supported web browser to call the WebAuthn APIs
|
|
to register and use a credential.
|
|
|
|
To run (using a virtualenv is recommended):
|
|
$ pip install -r requirements.txt
|
|
$ python server.py
|
|
|
|
Now navigate to https://localhost:5000 in a supported web browser.
|
|
"""
|
|
from __future__ import print_function, absolute_import, unicode_literals
|
|
|
|
from fido2.client import ClientData
|
|
from fido2.ctap2 import AttestationObject, AuthenticatorData
|
|
from flask import Flask, request
|
|
import os
|
|
|
|
|
|
HTML = """
|
|
<html>
|
|
<head><title>Fido 2.0 webauthn demo</title></head>
|
|
<body>
|
|
<h1>Webauthn demo</h1>
|
|
<p>
|
|
<strong>This demo requires a browser supporting the WebAuthn API!</strong>
|
|
</p>
|
|
<hr>
|
|
{content}
|
|
</body>
|
|
</html>
|
|
"""
|
|
|
|
INDEX_HTML = HTML.format(content="""
|
|
<a href="/register">Register</a><br>
|
|
<a href="/authenticate">Authenticate</a><br>
|
|
""")
|
|
|
|
REGISTER_HTML = HTML.format(content="""
|
|
<h2>Register a credential</h2>
|
|
<p>Touch your authenticator device now...</p>
|
|
<script>
|
|
navigator.credentials.create({{
|
|
publicKey: {{
|
|
rp: {{
|
|
id: document.domain,
|
|
name: 'Demo server'
|
|
}},
|
|
user: {{
|
|
id: {user_id},
|
|
name: 'a_user',
|
|
displayName: 'A. User',
|
|
icon: 'https://example.com/image.png'
|
|
}},
|
|
challenge: {challenge},
|
|
pubKeyCredParams: [
|
|
{{
|
|
alg: -7,
|
|
type: 'public-key'
|
|
}}
|
|
],
|
|
excludeCredentials: [],
|
|
attestation: 'direct',
|
|
timeout: 60000
|
|
}}
|
|
}}).then(function(attestation) {{
|
|
console.log(attestation);
|
|
console.log(JSON.stringify({{
|
|
attestationObject: Array.from(new Uint8Array(attestation.response.attestationObject)),
|
|
clientData: Array.from(new Uint8Array(attestation.response.clientDataJSON))
|
|
}}));
|
|
fetch('/register', {{
|
|
method: 'POST',
|
|
body: JSON.stringify({{
|
|
attestationObject: Array.from(new Uint8Array(attestation.response.attestationObject)),
|
|
clientData: Array.from(new Uint8Array(attestation.response.clientDataJSON))
|
|
}})
|
|
}}).then(function() {{
|
|
alert('Registration successful. More details in server log...');
|
|
window.location = '/';
|
|
}});
|
|
}}, function(reason) {{
|
|
console.log('Failed', reason);
|
|
}});
|
|
</script>
|
|
""") # noqa
|
|
|
|
|
|
AUTH_HTML = HTML.format(content="""
|
|
<h2>Authenticate using a credential</h2>
|
|
<p>Touch your authenticator device now...</p>
|
|
<script>
|
|
navigator.credentials.get({{
|
|
publicKey: {{
|
|
rpId: document.domain,
|
|
challenge: {challenge},
|
|
allowCredentials: [
|
|
{{
|
|
type: 'public-key',
|
|
id: {credential_id}
|
|
}}
|
|
],
|
|
timeout: 60000
|
|
}}
|
|
}}).then(function(attestation) {{
|
|
console.log(attestation);
|
|
fetch('/authenticate', {{
|
|
method: 'POST',
|
|
body: JSON.stringify({{
|
|
authenticatorData: Array.from(new Uint8Array(attestation.response.authenticatorData)),
|
|
clientData: Array.from(new Uint8Array(attestation.response.clientDataJSON)),
|
|
signature: Array.from(new Uint8Array(attestation.response.signature))
|
|
}})
|
|
}}).then(function() {{
|
|
alert('Authentication successful. More details in server log...');
|
|
window.location = '/';
|
|
}});
|
|
}}, function(reason) {{
|
|
console.log('Failed', reason);
|
|
}});
|
|
</script>
|
|
""") # noqa
|
|
|
|
|
|
def to_js_array(value):
|
|
return 'new Uint8Array(%r)' % list(bytearray(value))
|
|
|
|
|
|
def from_js_array(value):
|
|
return bytes(bytearray(value))
|
|
|
|
|
|
app = Flask(__name__)
|
|
|
|
global credential, last_challenge
|
|
credential, last_challenge = None, None
|
|
|
|
|
|
@app.route('/')
|
|
def index():
|
|
return INDEX_HTML
|
|
|
|
|
|
@app.route('/register', methods=['GET', 'POST'])
|
|
def register():
|
|
global credential, last_challenge
|
|
if request.method == 'POST':
|
|
data = request.get_json(force=True)
|
|
client_data = ClientData(from_js_array(data['clientData']))
|
|
att_obj = AttestationObject(from_js_array(data['attestationObject']))
|
|
print('clientData', client_data)
|
|
print('AttestationObject:', att_obj)
|
|
|
|
# Verify the challenge
|
|
if client_data.challenge != last_challenge:
|
|
raise ValueError('Challenge mismatch!')
|
|
|
|
# Verify the signature
|
|
att_obj.verify(client_data.hash)
|
|
credential = att_obj.auth_data.credential_data
|
|
print('REGISTERED CREDENTIAL:', credential)
|
|
return 'OK'
|
|
|
|
last_challenge = os.urandom(32)
|
|
return REGISTER_HTML.format(
|
|
user_id=to_js_array(b'user_id'),
|
|
challenge=to_js_array(last_challenge)
|
|
)
|
|
|
|
|
|
@app.route('/authenticate', methods=['GET', 'POST'])
|
|
def authenticate():
|
|
global credential, last_challenge
|
|
if not credential:
|
|
return HTML.format(content='No credential registered!')
|
|
|
|
if request.method == 'POST':
|
|
data = request.get_json(force=True)
|
|
client_data = ClientData(from_js_array(data['clientData']))
|
|
auth_data = AuthenticatorData(from_js_array(data['authenticatorData']))
|
|
signature = from_js_array(data['signature'])
|
|
print('clientData', client_data)
|
|
print('AuthenticatorData', auth_data)
|
|
|
|
# Verify the challenge
|
|
if client_data.challenge != last_challenge:
|
|
raise ValueError('Challenge mismatch!')
|
|
|
|
# Verify the signature
|
|
credential.public_key.verify(auth_data + client_data.hash, signature)
|
|
print('ASSERTION OK')
|
|
return 'OK'
|
|
|
|
last_challenge = os.urandom(32)
|
|
return AUTH_HTML.format(
|
|
challenge=to_js_array(last_challenge),
|
|
credential_id=to_js_array(credential.credential_id)
|
|
)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
print(__doc__)
|
|
|
|
app.run(ssl_context='adhoc', debug=True)
|