Permalink
Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign up
| using System; | |
| using System.Text; | |
| using System.Web.Script.Serialization; | |
| using System.Security.Cryptography; | |
| /* | |
| * The App class is a simple example using pre-defined constants to be able to test the | |
| * FidoAuthenticator class. These constants are examples of what would be generated in the | |
| * browser when using the Web Authentication APIs. | |
| */ | |
| class App { | |
| const string challenge = "Y2xpbWIgYSBtb3VudGFpbg"; | |
| const string pk = "{ \"kty\" : \"RSA\", \"alg\" : \"RS256\", \"ext\" : false, \"n\" : \"k-d_ZbVlAu-EBhRNlevnd0cBqJEPlhBefOMMLgHeGTS28Uev6_xHVCZ774I2XdtVF-M5En0aTdekAX82K2SVnO9TEZ4GdJFR1kW1jppLtrlUyjQqggq60OwkUxHM14XDQBhvgeW3fjpETraB-R_scyGeK7lNWMF8jW-NjvU_nljTyuHoDVnYJxPuCunlQ7uzg80iURp0jFKhw7FedPkzyQllG0HRRfzwQG1WOyECxkdPmMk7iPdF-B-Z78S9Fd8Dx2R8OZHEpFMdQ3Z3bMLG8prSbXcmBXlBtmwSLPzEEb3FuPdJQtXzVyg2i3jAR25zWA_XemXHBv7XE5Mf3JYldQ\", \"e\" : \"AQAB\" }"; | |
| const string d = "ew0KCSJjaGFsbGVuZ2UiIDogIlkyeHBiV0lnWVNCdGIzVnVkR0ZwYmciLA0KCSJ1c2VyUHJvbXB0IiA6ICJIZWxsbyEiDQp9AA"; | |
| const string s = "M-GT64y3FXoFQI8fRPq8ogckxuVYqv65R2eJEXGpbmVtm3Zn9Oa6ik4nClFMsN4h42e9bSBslMTEKW-J1oAoxF8n4JkDH82b9j4bFhhSRMHCbmE-uZm1RX8zVrGIgoWnXDy2nGQSu5xN-BhGubru1x0sXo9ZAdXKc-5hkp6SfIdXAY15o9flsag_H_CpIJ1_L1-vO5K8xhya_iOezflNlqa8-D1lI-xMJ7dOqyPwqg33ryW4l6iTtexuiYhZaGOOyJ5ZxzchjKrw9zMgQOsjbsrM7Q6bu7K7YvOoULxM5WJFdCLj0OBZznrskEHlLrSe0TSr_WrY1SkLhRaUCetKkg"; | |
| const string a = "AQAAAAA"; | |
| static void Main() { | |
| var v = FidoAuthenticator.validateSignature(pk,d,a,s,challenge) ? "verified" : "unverified"; | |
| Console.WriteLine(v); | |
| } | |
| } | |
| /* | |
| * The FidoAuthenticator class contains the logic for validating the signature returned from getAssertion in the | |
| * browser. This code is currently specific to the early implementation in Microsoft Edge and will need to change | |
| * when the final standard is adopted. This code would run on the server in order to validate that the user | |
| * really is able to validate using the credentials previously created with the makeCredential API. | |
| * | |
| * The public key in pk would have been stored on the server using the results of makeCredential. The challenge | |
| * would have been created on ther server and sent to the client for use in the getAssertion call. The other | |
| * parameters are returned by getAssertion and transmitted from the browser to the server for validation. | |
| */ | |
| class FidoAuthenticator { | |
| public static bool validateSignature(string pk, string clientData, string authnrData, string signature, string challenge) | |
| { | |
| try { | |
| var c = rfc4648_base64_url_decode(clientData); | |
| var a = rfc4648_base64_url_decode(authnrData); | |
| var s = rfc4648_base64_url_decode(signature); | |
| // Make sure the challenge in the client data matches the expected challenge | |
| var cc = Encoding.ASCII.GetString(c); | |
| cc = cc.Replace("\0","").Trim(); | |
| var json = new JavaScriptSerializer(); | |
| var j = (System.Collections.Generic.Dictionary<string,object>)json.DeserializeObject(cc); | |
| if((string)j["challenge"] != challenge) return false; | |
| // Hash data with sha-256 | |
| var hash = new SHA256Managed(); | |
| var h = hash.ComputeHash(c); | |
| // Create data buffer to verify signature over | |
| var b = new byte[a.Length + h.Length]; | |
| a.CopyTo(b,0); | |
| h.CopyTo(b,a.Length); | |
| // Load public key | |
| j = (System.Collections.Generic.Dictionary<string,object>)json.DeserializeObject(pk); | |
| var keyinfo = new RSAParameters(); | |
| keyinfo.Modulus = rfc4648_base64_url_decode((string)j["n"]); | |
| keyinfo.Exponent = rfc4648_base64_url_decode((string)j["e"]); | |
| var rsa = new RSACng(); | |
| rsa.ImportParameters(keyinfo); | |
| // Verify signature is correct for authnrData + hash | |
| return rsa.VerifyData(b,s,HashAlgorithmName.SHA256,RSASignaturePadding.Pkcs1); | |
| } catch(Exception) { | |
| return false; | |
| } | |
| } | |
| private static byte[] rfc4648_base64_url_decode(string url) { | |
| url = url.Replace('-','+'); | |
| url = url.Replace('_','/'); | |
| switch(url.Length % 4) { // Pad with trailing '='s | |
| case 0: | |
| // No pad chars in this case | |
| break; | |
| case 2: | |
| // Two pad chars | |
| url += "=="; | |
| break; | |
| case 3: | |
| // One pad char | |
| url += "="; | |
| break; | |
| default: | |
| throw new Exception("Invalid string."); | |
| } | |
| return Convert.FromBase64String(url); | |
| } | |
| } |