forked from hesusruiz/VCBackend
-
Notifications
You must be signed in to change notification settings - Fork 0
/
webauthnpb.go
589 lines (465 loc) · 16.6 KB
/
webauthnpb.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
package handlers
import (
"encoding/base64"
"encoding/json"
"fmt"
"net/http"
"os"
"github.com/Masterminds/sprig/v3"
"github.com/duo-labs/webauthn/protocol"
"github.com/duo-labs/webauthn/webauthn"
"github.com/evidenceledger/vcdemo/internal/cache"
"github.com/evidenceledger/vcdemo/vault"
"github.com/evidenceledger/vcdemo/vault/x509util"
"github.com/labstack/echo/v5"
"github.com/lestrrat-go/jwx/v2/jwa"
"github.com/lestrrat-go/jwx/v2/jwk"
"github.com/lestrrat-go/jwx/v2/jws"
"github.com/lestrrat-go/jwx/v2/jwt"
"github.com/pocketbase/pocketbase"
"github.com/pocketbase/pocketbase/apis"
"github.com/pocketbase/pocketbase/core"
"github.com/pocketbase/pocketbase/tools/template"
"github.com/hesusruiz/vcutils/yaml"
"github.com/gofiber/fiber/v2"
"github.com/gofiber/fiber/v2/middleware/session"
zlog "github.com/rs/zerolog/log"
_ "github.com/mattn/go-sqlite3"
)
type Map map[string]interface{}
type WalletServer struct {
app *pocketbase.PocketBase
cache *cache.Cache
vault *vault.Vault
webAuthn *webauthn.WebAuthn
webAuthnSession *session.Store
cfg *yaml.YAML
password string
treg *template.Registry
id string
name string
did string
}
func NewWebAuthnHandlerPB(app *pocketbase.PocketBase, cfg *yaml.YAML) *WalletServer {
var err error
jwt.Settings(jwt.WithFlattenAudience(true))
// rpDisplayName := cfg.String("webauthn.RPDisplayName")
// rpID := cfg.String("webauthn.RPID")
// rpOrigin := cfg.String("webauthn.RPOrigin")
// authenticatorAttachment := protocol.AuthenticatorAttachment(cfg.String("webauthn.AuthenticatorAttachment"))
// userVerification := protocol.UserVerificationRequirement(cfg.String("webauthn.UserVerification"))
// requireResidentKey := cfg.Bool("webauthn.RequireResidentKey")
// attestationConveyancePreference := protocol.ConveyancePreference(cfg.String("webauthn.AttestationConveyancePreference"))
// Create the WebAuthn backend server object
s := new(WalletServer)
s.app = app
s.cfg = cfg
s.id = cfg.String("id")
s.name = cfg.String("name")
s.password = cfg.String("password")
s.treg = template.NewRegistry()
s.treg.AddFuncs(sprig.FuncMap())
// Connect to the vault
if s.vault, err = vault.New(cfg); err != nil {
panic(err)
}
// Create a default wallet user
user, err := s.vault.CreateOrGetUserWithDIDKey(s.id, s.name, "legalperson", s.password)
if err != nil {
panic(err)
}
s.did = user.DID()
zlog.Info().Str("id", s.id).Str("name", s.name).Str("DID", s.did).Msg("starting Wallet backend")
// // Create the cache with expiration
// s.cache = cache.New(1*time.Minute, 5*time.Minute)
// // The session store (in-memory, with cookies)
// s.webAuthnSession = session.New(session.Config{Expiration: 24 * time.Hour})
// s.webAuthnSession.RegisterType(webauthn.SessionData{})
// // Pre-create the options object that will be sent to the authenticator in the client.
// // We are not interested in authenticator attestation, so we do not set the AttestatioPreference field,
// // which means it will default to (attestation: "none") in the WebAuthn API.
// s.webAuthn, err = webauthn.New(&webauthn.Config{
// RPDisplayName: rpDisplayName, // display name for your site
// RPID: rpID, // generally the domain name for your site
// RPOrigin: rpOrigin,
// AuthenticatorSelection: protocol.AuthenticatorSelection{
// AuthenticatorAttachment: authenticatorAttachment, // Can also be "cross-platform" for USB keys or sw implementations
// UserVerification: userVerification,
// RequireResidentKey: &requireResidentKey,
// },
// AttestationPreference: attestationConveyancePreference,
// })
// if err != nil {
// zlog.Panic().Err(err).Msg("failed to create WebAuthn from config")
// }
s.AddRoutesPB(app)
return s
}
func checkeIDASCert(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
// Get the clientCertDer value before processing the request
clientCertDer := c.Request().Header.Get("Tls-Client-Certificate")
if clientCertDer == "" {
zlog.Error().Msg("Client certificate not provided")
return apis.NewBadRequestError("Invalid request", nil)
}
_, issuer, subject, err := x509util.ParseEIDASCertB64Der(clientCertDer)
if err != nil {
zlog.Err(err).Msg("")
return err
}
c.Set("elsiUser", subject)
zlog.Info().Msgf("Subject: %s, Issuer: %s\n", subject.SerialNumber, issuer.Organization)
return next(c) // proceed with the request chain
}
}
func (s *WalletServer) AddRoutesPB(app *pocketbase.PocketBase) {
app.OnBeforeServe().Add(func(e *core.ServeEvent) error {
// Serves static files from the provided public dir (if exists)
e.Router.GET("/*", apis.StaticDirectoryHandler(os.DirFS("./www"), false))
e.Router.POST("/createnaturalperson", s.CreateNaturalPerson)
e.Router.POST("/signtoken", s.SignToken)
// Add Issuer routes
iss := e.Router.Group("/issuerapi", checkeIDASCert)
iss.GET("/home", s.IssuerHome)
// The WebAuthn routes for biometric authentication
e.Router.GET("/webauthn/register/begin/:username", s.BeginRegistrationPB)
e.Router.POST("/webauthn/register/finish/:username", s.FinishRegistrationPB)
e.Router.GET("/webauthn/login/begin/:username", s.BeginLoginPB)
e.Router.POST("/webauthn/login/finish/:username", s.FinishLoginPB)
return nil
})
}
func (s *WalletServer) IssuerHome(c echo.Context) error {
name := c.PathParam("name")
html, err := s.treg.LoadFiles(
"views/layouts/layout.html",
"views/pages/issuer_home.html",
).Render(map[string]any{
"name": name,
})
if err != nil {
// or redirect to a dedicated 404 HTML page
return apis.NewNotFoundError("", err)
}
return c.HTML(http.StatusOK, html)
}
type SignTokenRequest struct {
SubjectDID string `json:"subjectDID"`
Headers string `json:"headers"`
Payload string `json:"payload"`
}
func (s *WalletServer) SignToken(c echo.Context) error {
var err error
zlog.Info().Msg("SignToken started")
sts := &SignTokenRequest{}
if err := c.Bind(sts); err != nil {
return err
}
zlog.Info().Str("SubjectDID", sts.SubjectDID).Str("headers", sts.Headers).Str("payload", sts.Payload).Msg("")
var headers map[string]any
err = json.Unmarshal([]byte(sts.Headers), &headers)
if err != nil {
return err
}
var payload map[string]any
err = json.Unmarshal([]byte(sts.Payload), &payload)
if err != nil {
return err
}
// Get the private key corresponding to the first (main) DID of the issuer of the token
privkey, err := s.vault.DIDKeyToPrivateKey(sts.SubjectDID)
if err != nil {
return err
}
keyId, err := vault.DIDKeyIdentifier(sts.SubjectDID)
if err != nil {
return err
}
err = privkey.Set(jwk.KeyIDKey, keyId)
if err != nil {
return err
}
jsonbuf, err := json.Marshal(privkey)
if err != nil {
return err
}
fmt.Println(string(jsonbuf))
tok := jwt.New()
for k, v := range payload {
tok.Set(k, v)
}
hdrs := jws.NewHeaders()
typHeader := headers["typ"]
hdrs.Set(jws.TypeKey, typHeader)
// hdrs.Set(jws.TypeKey, `openid4vci-proof+jwt`)
keyOption := jwt.WithKey(jwa.ES256, privkey, jws.WithProtectedHeaders(hdrs))
signedBytes, err := jwt.Sign(tok, keyOption)
if err != nil {
return err
}
signedString := string(signedBytes)
// encodedHeaders := base64.RawURLEncoding.EncodeToString([]byte(sts.Headers))
// encodedPayload := base64.RawURLEncoding.EncodeToString([]byte(sts.Payload))
// signedString, err := s.vault.SignWithDIDKey(sts.SubjectDID, encodedHeaders+"."+encodedPayload)
// if err != nil {
// return err
// }
zlog.Info().Str("signedString", signedString).Msg("Signature performed")
// Verify that it is correct
_, err = s.vault.VerifyJWTtoken([]byte(signedString), sts.SubjectDID)
if err != nil {
return err
}
zlog.Info().Msg("Token signature verified successfuly")
return c.JSON(http.StatusOK, Map{
"signedString": signedString,
})
}
type CreateNaturalPersonRequest struct {
Email string `json:"email"`
Name string `json:"name"`
}
func (s *WalletServer) CreateNaturalPerson(c echo.Context) error {
sts := &CreateNaturalPersonRequest{}
if err := c.Bind(sts); err != nil {
return err
}
zlog.Info().Str("name", sts.Name).Str("email", sts.Email).Msg("CreateDIDkey started")
// Get user from the Storage. The user is automatically created if it does not exist
user, err := s.vault.CreateOrGetUserWithDIDKey(sts.Email, sts.Name, "naturalperson", "ThePassword")
if err != nil {
return err
}
zlog.Info().Str("username", user.WebAuthnName()).Str("DID", user.DID()).Msg("User retrieved or created")
privKey, err := s.vault.DIDKeyToPrivateKey(user.DID())
if err != nil {
return err
}
jsonbuf, err := json.Marshal(privKey)
if err != nil {
return err
}
return c.JSON(http.StatusOK, Map{
"did": user.DID(),
"privateKey": string(jsonbuf),
})
}
// BeginRegistration is called from the wallet to start registering a new authenticator device in the server
func (s *WalletServer) BeginRegistrationPB(c echo.Context) error {
// The new WebAuthn credential will be associated to a user via its email
// Get username (we use email as username) from the path of the HTTP request
username := c.PathParam("username")
if username == "" {
errText := "must supply a valid username i.e. foo@bar.com"
err := fmt.Errorf(errText)
zlog.Err(err).Send()
return echo.NewHTTPError(http.StatusBadRequest, errText)
}
zlog.Info().Str("username", username).Msg("BeginRegistration started")
// Get user from the Storage. The user is automatically created if it does not exist
user, err := s.vault.CreateOrGetUserWithDIDKey(username, username, "naturalperson", "ThePassword")
if err != nil {
return err
}
zlog.Info().Str("username", user.WebAuthnName()).Msg("User retrieved or created")
// We should exclude all the credentials already registered
// They will be sent to the authenticator so it does not have to create a new credential if there is already one
registerOptions := func(credCreationOpts *protocol.PublicKeyCredentialCreationOptions) {
credCreationOpts.CredentialExcludeList = user.CredentialExcludeList()
}
// Generate PublicKeyCredentialCreationOptions, session data
options, waSessionData, err := s.webAuthn.BeginRegistration(
user,
registerOptions,
)
if err != nil {
zlog.Error().Err(err).Msg("Error in BeginRegistration")
return err
} else {
zlog.Info().Msg("Successful BeginRegistration")
}
// Create an entry in an expirable cache to track request/reply
s.cache.Set(username, waSessionData, 0)
return c.JSON(http.StatusOK, Map{
"options": options,
"session": username,
})
}
func (s *WalletServer) FinishRegistrationPB(c echo.Context) error {
// Get username from the path of the HTTP request
username := c.PathParam("username")
if username == "" {
err := fmt.Errorf("must supply a valid username i.e. foo@bar.com")
zlog.Error().Err(err).Send()
return err
}
zlog.Info().Str("username", username).Msg("FinishRegistration started")
// Get user from Storage
user, err := s.vault.GetUserById(username)
// It is an error if the user doesn't exist
if err != nil {
zlog.Error().Err(err).Msg("Error in userDB.GetUser")
return err
}
// Parse the request body into the RegistrationResponse structure
p := new(RegistrationResponse)
if err := c.Bind(p); err != nil {
return err
}
// Parse the WebAuthn member
parsedResponse, err := ParseCredentialCreationResponse(p.Response)
if err != nil {
return err
}
// Retrieve the session that was created in BeginRegistration
v, found := s.cache.Get(username)
if !found {
return echo.NewHTTPError(http.StatusInternalServerError, "session expired")
}
if v == nil {
return echo.NewHTTPError(http.StatusInternalServerError, "session object is nil")
}
wasession, ok := v.(*webauthn.SessionData)
if !ok {
return echo.NewHTTPError(http.StatusInternalServerError, "web authn session not found")
}
// Create the credential
credential, err := s.webAuthn.CreateCredential(user, *wasession, parsedResponse)
if err != nil {
return err
}
// Add the new credential to the user
user.WebAuthnAddCredential(*credential)
creds := user.WebAuthnCredentials()
fmt.Println("======== LIST of CREDENTIALS")
printJSON(creds)
// Destroy the session
s.cache.Delete(username)
zlog.Info().Str("username", username).Msg("FinishRegistration started")
return nil
}
// BeginLogin returns to the client app the structure needed by the client to request the Authenticator to
// create an assertion, using a previously created private key.
// The Authenticator will sign our challenge (and other items) with its private key, and the client will invoke
// the FinishLoging API, where we will be able to check the signature with the public key that we stored in
// a previous registration phase.
func (s *WalletServer) BeginLoginPB(c echo.Context) error {
// We need from the client a unique user name (an email address in our case).
// Get username from the path of the HTTP request
username := c.PathParam("username")
if username == "" {
err := fmt.Errorf("must supply a valid username i.e. foo@bar.com")
zlog.Error().Err(err).Send()
return err
}
zlog.Info().Str("username", username).Msg("BeginLogin started")
// The user must have been registered previously, so we check in our user database
user, err := s.vault.GetUserById(username)
// It is an error if the user doesn't exist
if err != nil {
zlog.Error().Err(err).Msg("Error in userDB.GetUser")
return fiber.NewError(fiber.StatusNotFound, "user not found")
}
// Now we create the assertion request.
// Generate PublicKeyCredentialRequestOptions, session data
options, sessionData, err := s.webAuthn.BeginLogin(user)
if err != nil {
zlog.Error().Err(err).Msg("Error in webAuthn.BeginLogin")
return err
}
// Patch the options and sessionData so we control the challenge sent to the client
challenge := []byte("hola que tal")
options.Response.Challenge = challenge
sessionData.Challenge = base64.RawURLEncoding.EncodeToString(challenge)
s.cache.Set(username, sessionData, 0)
zlog.Info().Str("username", username).Msg("BeginLogin finished")
return c.JSON(http.StatusOK, Map{
"options": options,
"session": username,
})
}
func (s *WalletServer) FinishLoginPB(c echo.Context) error {
// Get username from the path of the HTTP request
username := c.PathParam("username")
if username == "" {
err := fmt.Errorf("must supply a valid username i.e. foo@bar.com")
zlog.Error().Err(err).Send()
return err
}
zlog.Info().Str("username", username).Msg("FinishLogin started")
// Get user from Storage
user, err := s.vault.GetUserById(username)
// It is an error if the user doesn't exist
if err != nil {
zlog.Error().Err(err).Msg("Error in userDB.GetUser")
return err
}
p := new(LoginResponse)
if err := c.Bind(p); err != nil {
return err
}
parsedResponse, err := ParseCredentialRequestResponse(p.Response)
if err != nil {
return err
}
// Retrieve the session that was created in BeginLogin
v, found := s.cache.Get(username)
if !found {
return echo.NewHTTPError(http.StatusInternalServerError, "session expired")
}
if v == nil {
return echo.NewHTTPError(http.StatusInternalServerError, "session object is nil")
}
wasession, ok := v.(webauthn.SessionData)
if !ok {
return echo.NewHTTPError(http.StatusInternalServerError, "web authn session not found")
}
// in an actual implementation we should perform additional
// checks on the returned credential
credential, err := s.webAuthn.ValidateLogin(user, wasession, parsedResponse)
if err != nil {
zlog.Error().Err(err).Msg("Error calling webAuthn.FinishLogin")
return err
}
printJSON(credential)
if credential.Authenticator.CloneWarning {
zlog.Warn().Msg("The authenticator may be cloned")
}
zlog.Info().Str("username", username).Msg("FinishLogin finished")
// handle successful login
return c.JSON(http.StatusOK, "Login Success")
}
// User is built to interface with the Relying Party's User entry and
// elaborate the fields and methods needed for WebAuthn
type User interface {
// User ID according to the Relying Party
WebAuthnID() []byte
// User Name according to the Relying Party
WebAuthnName() string
// Display Name of the user
WebAuthnDisplayName() string
// User's icon url
WebAuthnIcon() string
// Credentials owned by the user
WebAuthnCredentials() []webauthn.Credential
}
type defaultUser struct {
id []byte
}
var _ User = (*defaultUser)(nil)
func (user *defaultUser) WebAuthnID() []byte {
return user.id
}
func (user *defaultUser) WebAuthnName() string {
return "newUser"
}
func (user *defaultUser) WebAuthnDisplayName() string {
return "New User"
}
func (user *defaultUser) WebAuthnIcon() string {
return "https://pics.com/avatar.png"
}
func (user *defaultUser) WebAuthnCredentials() []webauthn.Credential {
return []webauthn.Credential{}
}