package bankid
// Package bankid provides structs and methods to access the Swedish BankID service through the v.5.1 appapi.
import (
"bytes"
"crypto/hmac"
"crypto/sha256"
"crypto/tls"
"crypto/x509"
"encoding/hex"
"encoding/json"
"encoding/pem"
"errors"
"fmt"
"io/ioutil"
"log"
"net"
"net/http"
"os"
"strconv"
"sync"
"time"
"github.com/rs/xid"
"github.com/skip2/go-qrcode"
"github.com/hossner/bankid/internal/config"
"golang.org/x/crypto/pkcs12"
)
// version is reported through Connection.Version; internalErrorMsg is the status
// handed to the FOnResponse callback when a failure originates inside this package
// rather than in an answer from the BankID server.
const (
	version          = "0.1"
	internalErrorMsg = "error"
)

// The definition of log levels, in increasing order of severity. The value is used
// as an index into the prefix list read from the configuration (see logprint).
const (
	DEBUG = iota
	INFO
	WARN
	ERROR
	FATAL
	PANIC
)

// Package-level state shared by every Connection.
var (
	logLevel   = 0 // Logging disabled by default; set from the config by setupLoggin
	logFile    *os.File
	logLevels  []string
	connection *Connection
)
// Connection holds the connection with the BankID server. The same connection will be
// reused if multiple calls to 'New' are made.
//
// The four maps are keyed by request ID and hold the per-request state shared by
// SendRequest, CancelRequest, GenerateQRCode and handleAuthSignRequest:
// transQueues carries the cancel signal to the request goroutine, orderRefs the
// server's orderRef, autoStarts the autoStartToken (used for static QR codes) and
// qrQuits the stop channel of the animated QR code goroutine. mu is the lock shared
// by those methods; see each method for what it is held around.
type Connection struct {
	Version        string
	funcOnResponse FOnResponse
	cfg            *config.Config
	httpClient     *http.Client
	transQueues    map[string]chan byte
	orderRefs      map[string]string
	autoStarts     map[string]string
	qrQuits        map[string]chan struct{}
	mu             sync.Mutex
}
// Requirements is used when specific requirements for the sign/auth request are needed.
// Fields tagged json:"-" are not sent inside the "requirement" object: requestToJSON
// lifts PersonalNumber and UserNonVisibleData to the top level of the request instead.
// validateRequirements checks the values before a request is sent.
type Requirements struct {
	PersonalNumber      string   `json:"-"`                             // 12 digits
	UserNonVisibleData  string   `json:"-"`                             // 40.000 bytes/chars -- NOTE(review): validateRequirements accepts up to 200000; confirm which limit applies
	CardReader          string   `json:"cardReader,omitempty"`          //"class1" or "class2"
	CertificatePolicies []string `json:"certificatePolicies,omitempty"` // not validated yet (see validateRequirements)
	IssuerCN            []string `json:"issuerCn,omitempty"`            // not validated yet (see validateRequirements)
	// AutoStartTokenRequired bool `json:"autoStartTokenRequired,omitempty"`
	TokenStartRequired bool `json:"tokenStartRequired,omitempty"`
	AllowFingerprint   bool `json:"allowFingerprint,omitempty"`
}
// FOnResponse is the call back function used to return status updates after a auth/sign request has been made.
// Arguments: requestID, status, message. status is one of "sent", "cancelled", "failed", "complete",
// a BankID hintCode while the order is pending, the errorCode of a non-200 server answer, or
// internalErrorMsg ("error") for failures inside this package. message carries the matching detail:
// the autoStartToken for "sent", the hint code for "failed", name and personal number separated by
// "\n" for "complete", and the error text otherwise.
type FOnResponse func(requestID, status, message string)
// FOnNewQRCode is a call back function, used as an argument to SendRequest, that is called every second after
// the request, providing a new QR code. QRCode is the PNG image produced by generateQRCode and requestID
// identifies the request it belongs to.
type FOnNewQRCode func(QRCode []byte, requestID string)
/*
=========================================================================================
==================================== Connection =========================================
=========================================================================================
*/
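// New returns a server connection. If a connection already exists, it will be reused,
// regardless of the configFileName and responseCallBack passed (no hot reload of a
// changed config in this version).
//
// configFileName is handed to config.New; responseCallBack receives every status update
// for requests made through the returned connection and must not be nil. An error is
// returned when the configuration cannot be loaded or the TLS/HTTP client cannot be set up.
//
// NOTE(review): the package-level cache is written without synchronisation, so
// concurrent first calls may each build their own connection; call New once at start-up.
func New(configFileName string, responseCallBack FOnResponse) (*Connection, error) {
	if connection != nil { // Reuse if multiple calls are made.
		return connection, nil
	}
	if responseCallBack == nil {
		return nil, errors.New("no call back function provided")
	}
	cfg, err := config.New(configFileName)
	if err != nil {
		return nil, fmt.Errorf("could not create configuration: %v", err)
	}
	setupLoggin(cfg)
	cl, err := getHTTPClient(cfg)
	if err != nil {
		logprint(ERROR, "could not create an HTTP client:", err.Error())
		return nil, fmt.Errorf("could not create an HTTP client: %v", err)
	}
	sc := &Connection{
		Version:        version,
		funcOnResponse: responseCallBack,
		cfg:            cfg,
		httpClient:     cl,
		transQueues:    make(map[string]chan byte),
		orderRefs:      make(map[string]string),
		autoStarts:     make(map[string]string),
		qrQuits:        make(map[string]chan struct{}),
	}
	// Remember the connection so that later calls to New reuse it, as documented above;
	// without this assignment the reuse branch can never be taken.
	connection = sc
	return sc, nil
}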
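// SendRequest sends an auth/sign request to the BankID server. If textToBeSigned is provided it is a sign request,
// otherwise it's an authentication request. Returns a request ID; the same as the requestID parameter if provided,
// otherwise a generated one.
//
// The request is handled on its own goroutine; progress and outcome are reported through the
// FOnResponse callback given to New. onQRCodeFunc may be nil; when set, animated QR codes are
// produced for the request and GenerateQRCode refuses to build a static one.
func (sc *Connection) SendRequest(endUserIP, requestID, textToBeSigned string, requirements *Requirements, onQRCodeFunc FOnNewQRCode) string {
	if requestID == "" {
		requestID = xid.New().String()
		logprint(DEBUG, "requestID", requestID, "created")
	}
	logprint(DEBUG, requestID, ": new request to send")
	// One buffered slot so that CancelRequest never has to block on the send.
	ch := make(chan byte, 1)
	// The per-request maps are also touched by CancelRequest, GenerateQRCode and the
	// request goroutine, so the write is serialised with sc.mu.
	sc.mu.Lock()
	if _, dup := sc.transQueues[requestID]; dup {
		logprint(WARN, requestID, ": a request with this ID is already in progress; its cancel queue is replaced")
	}
	sc.transQueues[requestID] = ch
	sc.mu.Unlock()
	go sc.handleAuthSignRequest(endUserIP, textToBeSigned, requestID, requirements, ch, onQRCodeFunc)
	return requestID
}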
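// CancelRequest cancels an ongoing session. The outcome is reported through the FOnResponse
// callback: "cancelled" once the request goroutine has told the server, or internalErrorMsg
// right away when no session with requestID is known.
func (sc *Connection) CancelRequest(requestID string) {
	sc.mu.Lock()
	_, known := sc.orderRefs[requestID]
	if known {
		delete(sc.orderRefs, requestID)
	}
	queue := sc.transQueues[requestID]
	sc.mu.Unlock()
	if !known {
		logprint(WARN, requestID, ": could not cancel requestID", requestID, " - not found")
		sc.funcOnResponse(requestID, internalErrorMsg, "no session with provided ID")
		return
	}
	// Non-blocking send: the queue has a single buffered slot that may already hold a
	// cancel, and the entry may be nil if the request goroutine has finished in the
	// meantime; an unconditional send would block this caller forever in both cases.
	select {
	case queue <- 1:
	default:
		logprint(DEBUG, requestID, ": cancel already pending or request already finished")
	}
}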
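// GenerateQRCode generates a QR code based on the request ID received through the SendRequest function. The result is an PNG file
// returned as a byte slice. Note that if an FOnNewQRCode function was passed as argument to the SendRequest function - meaning that
// animated QR codes are to be used - the GenerateQRCode function will return an empty byte slice and an error.
//
// The image encodes the order's autoStartToken ("bankid:///?autostarttoken=..."), so it is only
// available once the "sent" callback has been delivered and is meant for the end user's screen
// only. size is passed straight to qrcode.Encode.
func (sc *Connection) GenerateQRCode(reqID string, size int) ([]byte, error) {
	// Read both map entries under the lock; they are written by the request goroutine.
	sc.mu.Lock()
	animated := sc.qrQuits[reqID] != nil
	as, ok := sc.autoStarts[reqID]
	sc.mu.Unlock()
	if animated {
		return []byte{}, errors.New("Animated QR codes are used for this request")
	}
	if !ok {
		return []byte{}, errors.New("Provided Request ID not found")
	}
	png, err := qrcode.Encode("bankid:///?autostarttoken="+as, qrcode.Low, size)
	if err != nil {
		logprint(ERROR, reqID, ": failed to generate static QR code", err.Error())
		return []byte{}, errors.New("Failed to generate QR code")
	}
	return png, nil
}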
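// Close closes the Connection's log file, if one was opened by setupLoggin, and routes
// later log output back to stderr. Ongoing requests are not cancelled.
func (sc *Connection) Close() {
	// Todo: Loop through sc.transQueues and cancel any ongoing requests...
	logprint(DEBUG, "log closing")
	if logFile == nil {
		return // logging goes to stderr or is disabled: nothing to close
	}
	err := logFile.Close()
	// Do not leave the logger pointing at a closed file, and make a second Close a no-op.
	log.SetOutput(os.Stderr)
	logFile = nil
	if err != nil {
		logprint(ERROR, "could not close log file:", err.Error())
	}
}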
// validateParameters checks the caller supplied parts of an auth/sign request: endUserIP
// must parse as an IP address, textToBeSigned (when given) must pass validateTTBS and
// requirements (when given) must pass validateRequirements. Returns "" when everything is
// acceptable, otherwise the message of the first problem found; every problem is also
// logged at ERROR level with requestID.
func validateParameters(endUserIP, textToBeSigned, requestID string, requirements *Requirements) string {
	if ip := net.ParseIP(endUserIP); ip == nil {
		logprint(ERROR, requestID, ": could not validate IP address", endUserIP)
		return "invalid IP address: " + endUserIP
	}
	if textToBeSigned != "" {
		if problem := validateTTBS(textToBeSigned); problem != nil {
			logprint(ERROR, requestID, ": could not validate textToBeSigned:", problem.Error())
			return problem.Error()
		}
	}
	if requirements == nil {
		logprint(DEBUG, requestID, ": parameters validated")
		return ""
	}
	logprint(DEBUG, requestID, ": requirements struct provided")
	if problem := validateRequirements(requirements); problem != nil {
		logprint(ERROR, requestID, ": could not validate requirements:", problem.Error())
		return problem.Error()
	}
	logprint(DEBUG, requestID, ": parameters validated")
	return ""
}
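// generateQRCode starts a goroutine that once a second builds a new animated QR code for
// the request and hands the PNG to fOnCode. qr1 is the server's qrStartToken and qr2 its
// qrStartSecret; the secret is the HMAC-SHA256 key of the code and must never be logged or
// shown. The payload is "bankid.<qr1>.<n>.<hex hmac(n)>" where n counts the ticks since
// the goroutine started. The returned channel stops the goroutine when closed (see
// cancelQRCode); nil is returned, and nothing is started, when fOnCode is nil.
func (sc *Connection) generateQRCode(qr1, qr2, requestID string, fOnCode FOnNewQRCode) chan struct{} {
	if fOnCode == nil {
		return nil
	}
	ticker := time.NewTicker(1 * time.Second)
	quit := make(chan struct{})
	go func() {
		defer ticker.Stop()
		for nr := 0; ; nr++ {
			select {
			case <-quit:
				return
			case <-ticker.C:
			}
			mac := hmac.New(sha256.New, []byte(qr2))
			mac.Write([]byte(strconv.Itoa(nr)))
			payload := "bankid." + qr1 + "." + strconv.Itoa(nr) + "." + hex.EncodeToString(mac.Sum(nil))
			png, err := qrcode.Encode(payload, qrcode.Low, -5)
			if err != nil {
				logprint(ERROR, requestID, ": failed to generate QR code", err.Error())
				sc.funcOnResponse(requestID, internalErrorMsg, err.Error())
				continue // do not hand a nil image to the caller
			}
			fOnCode(png, requestID)
		}
	}()
	return quit
}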
// cancelQRCode stops the animated QR code goroutine started by generateQRCode by closing
// its quit channel ch. It is a no-op when no FOnNewQRCode was registered (fnq == nil).
// Closing an already closed channel panics, so call it at most once per channel.
func cancelQRCode(ch chan struct{}, fnq FOnNewQRCode) {
	if fnq == nil {
		return
	}
	close(ch)
}
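// handleAuthSignRequest is called as a go routine. Verifies the request and, if validated,
// transmits it to the server, then polls the "collect" endpoint until the order is complete,
// failed or cancelled (or a transport/server error ends it). Progress and the outcome are
// reported through sc.funcOnResponse for requestID, always from this goroutine and never
// while sc.mu is held (the callback may itself call CancelRequest):
//   - "sent", autoStartToken     once the server accepted the order
//   - hintCode, "pending"        whenever the server's hint code changes
//   - "cancelled", ""            after a CancelRequest reached the server
//   - "failed", hintCode
//   - "complete", name + "\n" + personalNumber
//   - errorCode, details         a non-200 answer, decoded by handleServerError
//   - internalErrorMsg, text     failures inside this package
//
// queue is the per-request channel CancelRequest writes to; onQRCodeFunc may be nil, in
// which case no animated QR codes are produced. All per-request entries in the Connection's
// maps are removed before the final callback, so CancelRequest then reports "not found".
//
// NOTE(review): completionData.signature and ocspResponse are decoded but neither verified
// nor handed to the caller; code that needs the signed evidence must extend the "complete" case.
func (sc *Connection) handleAuthSignRequest(endUserIP, textToBeSigned, requestID string, requirements *Requirements, queue chan byte, onQRCodeFunc FOnNewQRCode) {
	if erMsg := validateParameters(endUserIP, textToBeSigned, requestID, requirements); erMsg != "" {
		sc.finishRequest(requestID, nil, onQRCodeFunc, internalErrorMsg, erMsg)
		return
	}
	// Create and populate the auth/sign request going to the server...
	reqType, jsonStr, err := requestToJSON(endUserIP, textToBeSigned, requestID, requirements)
	if err != nil {
		logprint(ERROR, requestID, ": could not create JSON from request:", err.Error())
		sc.finishRequest(requestID, nil, onQRCodeFunc, internalErrorMsg, err.Error())
		return
	}
	// Handle the initial request/response with the server...
	code, resp, err := sc.transmitRequest(reqType, jsonStr)
	if err != nil {
		logprint(ERROR, requestID, ": failed to transmit request:", err.Error())
		sc.finishRequest(requestID, nil, onQRCodeFunc, internalErrorMsg, err.Error())
		return
	}
	if code != 200 {
		er, msg := handleServerError(code, resp)
		logprint(ERROR, requestID, ": received HTTP error", strconv.Itoa(code), ":", er, msg)
		sc.finishRequest(requestID, nil, onQRCodeFunc, er, msg)
		return
	}
	var sr serverResponse // Should contain orderRef, autoStartToken, qrStartToken and qrStartSecret
	if err = json.Unmarshal(resp, &sr); err != nil {
		logprint(ERROR, requestID, ": failed to JSON decode server response:", err.Error())
		sc.finishRequest(requestID, nil, onQRCodeFunc, internalErrorMsg, err.Error())
		return
	}
	orderRef := sr.OrderRef
	// Start the animated QR stream (nil when onQRCodeFunc is nil) and publish the order
	// under the lock, so that GenerateQRCode and CancelRequest see a consistent picture.
	quit := sc.generateQRCode(sr.QRStartToken, sr.QRStartSecret, requestID, onQRCodeFunc)
	sc.mu.Lock()
	sc.orderRefs[requestID] = orderRef
	sc.autoStarts[requestID] = sr.AutoStartToken
	if quit != nil {
		sc.qrQuits[requestID] = quit
	}
	sc.mu.Unlock()
	sc.funcOnResponse(requestID, "sent", sr.AutoStartToken)

	body := orderRefJSON(orderRef) // shared by every collect and cancel call below
	oldHint := ""                  // last hint code reported to the caller
	for {
		select {
		case <-queue: // Cancel requested through CancelRequest...
			logprint(DEBUG, requestID, ": received cancel command")
			// Stop the QR stream right away; the server round trip may take a while.
			if quit != nil {
				cancelQRCode(quit, onQRCodeFunc)
				quit = nil
			}
			code, resp, err = sc.transmitRequest("cancel", body)
			if err != nil {
				logprint(ERROR, requestID, ": failed to send cancel request to server:", err.Error())
				sc.finishRequest(requestID, quit, onQRCodeFunc, internalErrorMsg, err.Error())
				return
			}
			if code != 200 {
				er, msg := handleServerError(code, resp)
				logprint(ERROR, requestID, ": received HTTP error", strconv.Itoa(code), ":", er, msg)
				sc.finishRequest(requestID, quit, onQRCodeFunc, er, msg)
				return
			}
			logprint(DEBUG, requestID, ": cancelled")
			sc.finishRequest(requestID, quit, onQRCodeFunc, "cancelled", "")
			return
		default:
			code, resp, err = sc.transmitRequest("collect", body)
			if err != nil {
				logprint(ERROR, requestID, ": failed to send collect request to server:", err.Error())
				sc.finishRequest(requestID, quit, onQRCodeFunc, internalErrorMsg, err.Error())
				return
			}
			if code != 200 {
				er, msg := handleServerError(code, resp)
				logprint(ERROR, requestID, ": received HTTP error", strconv.Itoa(code), ":", er, msg)
				sc.finishRequest(requestID, quit, onQRCodeFunc, er, msg)
				return
			}
			// sr is reused on purpose: fields a collect answer omits keep their value.
			if err = json.Unmarshal(resp, &sr); err != nil {
				logprint(ERROR, requestID, ": failed to JSON decode server response:", err.Error())
				sc.finishRequest(requestID, quit, onQRCodeFunc, internalErrorMsg, err.Error())
				return
			}
			switch sr.Status {
			case "pending":
				if sr.HintCode != oldHint {
					logprint(DEBUG, requestID, ": status changed to", sr.HintCode)
					sc.funcOnResponse(requestID, sr.HintCode, sr.Status)
					oldHint = sr.HintCode
				}
				time.Sleep(time.Duration(sc.cfg.PollDelay) * time.Millisecond)
			case "failed":
				logprint(DEBUG, requestID, ": status changed to", sr.HintCode)
				sc.finishRequest(requestID, quit, onQRCodeFunc, sr.Status, sr.HintCode)
				return
			case "complete":
				logprint(DEBUG, requestID, ": status changed to", sr.HintCode)
				sc.finishRequest(requestID, quit, onQRCodeFunc, sr.Status, sr.CompletionData.User.Name+"\n"+sr.CompletionData.User.PersonalNumber)
				return
			default:
				logprint(DEBUG, requestID, ": unknown status", sr.Status, "in response from server")
				sc.finishRequest(requestID, quit, onQRCodeFunc, internalErrorMsg, "unknown status in response from server")
				return
			}
		}
	}
}

// finishRequest ends the life of a request: stops the animated QR goroutine when quit is
// non-nil, forgets the per-request state and, last and outside the lock, reports
// status/message through the FOnResponse callback.
func (sc *Connection) finishRequest(requestID string, quit chan struct{}, onQRCodeFunc FOnNewQRCode, status, message string) {
	if quit != nil {
		cancelQRCode(quit, onQRCodeFunc)
	}
	sc.releaseRequest(requestID)
	sc.funcOnResponse(requestID, status, message)
}

// releaseRequest drops every map entry kept for requestID so that the Connection's maps
// do not grow with each finished order.
func (sc *Connection) releaseRequest(requestID string) {
	sc.mu.Lock()
	defer sc.mu.Unlock()
	delete(sc.transQueues, requestID)
	delete(sc.orderRefs, requestID)
	delete(sc.autoStarts, requestID)
	delete(sc.qrQuits, requestID)
}

// orderRefJSON encodes the body shared by the collect and cancel calls. Going through
// json.Marshal instead of string concatenation keeps a server supplied orderRef from
// breaking the document; marshalling a struct holding one string cannot fail, so the
// error is discarded.
func orderRefJSON(orderRef string) []byte {
	body, _ := json.Marshal(struct {
		OrderRef string `json:"orderRef"`
	}{orderRef})
	return body
}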
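// transmitRequest handles the communication with the server: it POSTs jsonStr to
// <ServiceURL>/<reqType>, where reqType is "auth", "sign", "collect" or "cancel".
// Returns HTTP response code, HTTP body and an error. Code and body are only meaningful
// when the error is nil; a non-200 code is expected to carry a serverError body
// (see handleServerError).
func (sc *Connection) transmitRequest(reqType string, jsonStr []byte) (int, []byte, error) {
	req, err := http.NewRequest("POST", sc.cfg.ServiceURL+"/"+reqType, bytes.NewBuffer(jsonStr))
	if err != nil {
		return 0, nil, err
	}
	// net/http ignores a "Host" entry in req.Header for client requests; the override has
	// to go in req.Host. An empty value falls back to the host of the URL.
	req.Host = sc.cfg.HTTPClientConfig.RequestHeader.Host
	req.Header.Set("Content-Type", sc.cfg.HTTPClientConfig.RequestHeader.ContentType)
	// One round trip at a time; the unlock is deferred before Do so the mutex is released
	// even if the call panics. NOTE(review): http.Client is safe for concurrent use, so this
	// lock only serialises sessions; it is kept to preserve the existing behaviour.
	sc.mu.Lock()
	defer sc.mu.Unlock()
	resp, err := sc.httpClient.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	bd, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		return 0, nil, err
	}
	return resp.StatusCode, bd, nil
}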
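// validateRequirements parses through the caller provided Requirements struct and checks
// that all parameters are correct: PersonalNumber, when set, must be exactly 12 ASCII
// digits; UserNonVisibleData may be at most 200000 bytes; CardReader, when set, must be
// "class1" or "class2". Returns nil when every check passes, otherwise an error naming
// the offending parameter.
func validateRequirements(req *Requirements) error {
	if pn := req.PersonalNumber; pn != "" {
		// Check the bytes directly rather than with strconv.Atoi: Atoi accepts a leading
		// sign and a 12 digit value overflows int on 32-bit platforms.
		if !allDigits(pn) {
			return errors.New("parameter personalNumber malformed")
		}
		if len(pn) != 12 {
			return errors.New("parameter personalNumber must be 12 digits long")
		}
	}
	if len(req.UserNonVisibleData) > 200000 {
		return errors.New("parameter userNonVisibleData data too long")
	}
	if len(req.CardReader) > 0 && req.CardReader != "class1" && req.CardReader != "class2" {
		return errors.New("parameter cardReader set to invalid value")
	}
	// Todo: Validate CertificatePolicies and IssuerCN
	return nil
}

// allDigits reports whether s is non-empty and consists only of the ASCII digits 0-9.
func allDigits(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}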
/*
// ================================================================================================
*/
// authSignRequest is an internal structure to hold the auth/sign request, which is converted
// to a JSON string before sent to the server (see requestToJSON). RequestID is local
// bookkeeping and is never serialised.
type authSignRequest struct {
	RequestID          string        `json:"-"`
	PersonalNumber     string        `json:"personalNumber,omitempty"`     // 12 digits
	EndUserIP          string        `json:"endUserIp"`                    // IPv4 or IPv6 format
	UserVisibleData    string        `json:"userVisibleData,omitempty"`    // 2.000 bytes/chars -- NOTE(review): validateTTBS allows 40000; confirm the limit
	UserNonVisibleData string        `json:"userNonVisibleData,omitempty"` // 40.000 bytes/chars -- NOTE(review): validateRequirements allows 200000; confirm the limit
	Requirement        *Requirements `json:"requirement,omitempty"`
}
// serverResponse holds the fields of interest from the server's auth/sign and collect
// answers. auth/sign return autoStartToken, qrStartToken, qrStartSecret and orderRef;
// collect returns status ("pending", "failed" and "complete" are the values handled by
// handleAuthSignRequest), hintCode and, when complete, completionData. One value is
// reused across collect calls, so fields a later answer omits keep their previous value.
type serverResponse struct {
	AutoStartToken string `json:"autoStartToken,omitempty"` // Format: "131daac9-16c6-4618-beb0-365768f37288"
	QRStartToken   string `json:"qrStartToken,omitempty"`
	QRStartSecret  string `json:"qrStartSecret,omitempty"` // HMAC key for the animated QR codes; never log or display it
	OrderRef       string `json:"orderRef,omitempty"`
	Status         string `json:"status"`
	HintCode       string `json:"hintCode,omitempty"`
	CompletionData struct {
		User struct {
			PersonalNumber string `json:"personalNumber"`
			Name           string `json:"name"`
			GivenName      string `json:"givenName"`
			Surname        string `json:"surname"`
			Device         struct {
				IPAddress string `json:"ipAddress,omitempty"`
			} `json:"device,omitempty"`
			Cert struct {
				NotBefore string `json:"notBefore"`
				NotAfter  string `json:"notAfter"`
			} `json:"cert"`
			Signature    string `json:"signature"`    // not verified or exposed by this package
			OSCPResponse string `json:"ocspResponse"` // field name misspells OCSP; the JSON key is what matters
		} `json:"user,omitempty"`
	} `json:"completionData,omitempty"`
}
// serverError is the body of a non-200 answer from the server; both fields are passed
// on to the FOnResponse callback by handleServerError.
type serverError struct {
	ErrorCode string `json:"errorCode"`
	Details   string `json:"details"`
}
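// requestToJSON builds the authSignRequest for the given parameters and encodes it as JSON.
// Returns the endpoint to post it to ("auth" or "sign"), the JSON body and any encoding
// error. The request is a sign request when textToBeSigned (userVisibleData) is given, as
// documented on SendRequest, or when requirements carry UserNonVisibleData; otherwise it is
// an auth request.
func requestToJSON(endUserIP, textToBeSigned, requestID string, requirements *Requirements) (string, []byte, error) {
	req := authSignRequest{
		RequestID:       requestID,
		EndUserIP:       endUserIP,
		UserVisibleData: textToBeSigned,
		Requirement:     requirements,
	}
	reqType := "auth"
	if textToBeSigned != "" {
		reqType = "sign"
	}
	if requirements != nil {
		if requirements.UserNonVisibleData != "" {
			req.UserNonVisibleData = requirements.UserNonVisibleData
			reqType = "sign"
		}
		// PersonalNumber and UserNonVisibleData are json:"-" on Requirements, so they are
		// lifted to the top level of the request here.
		req.PersonalNumber = requirements.PersonalNumber
	}
	body, err := json.Marshal(req) // named body so the json package is not shadowed
	return reqType, body, err
}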
// handleServerError decodes the serverError body that accompanies a non-200 response.
// Returns the server's errorCode and details, or internalErrorMsg and the decoding error
// text when resp is not a serverError JSON document. code is currently unused.
func handleServerError(code int, resp []byte) (string, string) {
	se := serverError{}
	err := json.Unmarshal(resp, &se)
	if err == nil {
		return se.ErrorCode, se.Details
	}
	return internalErrorMsg, err.Error()
}
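// getHTTPClient initialises the http.Client used for all calls to the BankID server, with
// the mutual-TLS configuration from getTLSConfig and an overall request deadline.
func getHTTPClient(cfg *config.Config) (*http.Client, error) {
	tlsCfg, err := getTLSConfig(cfg)
	if err != nil {
		return nil, err
	}
	// Without a deadline a stalled server would block a request goroutine, and the mutex
	// held across the round trip in transmitRequest, indefinitely. The value is a fixed
	// default for now; make it configurable if the deployment needs another bound.
	const requestTimeout = 30 * time.Second
	tr := &http.Transport{TLSClientConfig: tlsCfg}
	return &http.Client{Transport: tr, Timeout: requestTimeout}, nil
}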
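// getTLSConfig initialises a tls.Config for mutual TLS with the BankID server: the client
// certificate and key come from the user's PKCS#12 file, and the CA certificate file is
// the only trust anchor used to verify the server's certificate chain.
func getTLSConfig(cfg *config.Config) (*tls.Config, error) {
	// Todo: Handle case where P12 is split into cert and key file
	p12, err := ioutil.ReadFile(cfg.GetFilePath("userP12FileName"))
	if err != nil {
		return nil, err
	}
	blocks, err := pkcs12.ToPEM(p12, cfg.CertStore.UserPrivateKeyPassword)
	if err != nil {
		return nil, err
	}
	// All PEM blocks (key and certificate chain) are concatenated; X509KeyPair picks the
	// certificate and the matching key out of the same buffer.
	var pemData []byte
	for _, b := range blocks {
		pemData = append(pemData, pem.EncodeToMemory(b)...)
	}
	cert, err := tls.X509KeyPair(pemData, pemData)
	if err != nil {
		return nil, err
	}
	// Handle the CA certificate
	ca, err := ioutil.ReadFile(cfg.GetFilePath("caCertFileName"))
	if err != nil {
		return nil, err
	}
	certPool := x509.NewCertPool()
	if !certPool.AppendCertsFromPEM(ca) {
		return nil, errors.New("Failed appending certs")
	}
	tlsCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		// RootCAs (not ClientCAs, which only a server uses to check its clients) is the
		// pool a client verifies the server chain against. Pinning it to the BankID CA is
		// what makes the self-signed CA acceptable, so InsecureSkipVerify is not needed
		// and must stay off: with it set any certificate is accepted and the connection
		// could be intercepted.
		RootCAs:    certPool,
		MinVersion: tls.VersionTLS12,
	}
	// When a request Host is configured it is presumably because the host in ServiceURL
	// does not match the server certificate; verify against the configured name instead
	// (without any port suffix). TODO confirm against the deployed configuration.
	if host := cfg.HTTPClientConfig.RequestHeader.Host; host != "" {
		if h, _, splitErr := net.SplitHostPort(host); splitErr == nil {
			host = h
		}
		tlsCfg.ServerName = host
	}
	return tlsCfg, nil
}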
// validateTTBS checks the text to be signed (userVisibleData). Only the length limit of
// 40000 bytes is enforced; nil is returned for anything shorter or equal, including "".
// TODO: Validate that ttbs is valid Base64
func validateTTBS(ttbs string) error {
	const maxLen = 40000
	if len(ttbs) <= maxLen {
		return nil
	}
	return errors.New("parameter userVisibleData data too long")
}
// setupLoggin configures package logging from cfg: the level threshold, the per-level
// prefixes and the destination. Output goes to stderr unless LogFileName is set, in which
// case the file named by GetFilePath("logFile") is opened for append (a failure to open it
// is logged to stderr and logging stays there). Nothing beyond the level and prefixes is
// set up when cfg.LogLevel < 1, which keeps logging disabled.
func setupLoggin(cfg *config.Config) {
	logLevel, logLevels = cfg.LogLevel, cfg.LogPrefixes
	log.SetOutput(os.Stderr)
	switch {
	case cfg.LogLevel < 1, cfg.LogFileName == "":
		return
	}
	path := cfg.GetFilePath("logFile")
	lf, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644)
	if err != nil {
		logprint(ERROR, "could not open log file", path, ":", err.Error())
		return
	}
	logFile = lf
	log.SetOutput(lf)
	logprint(DEBUG, "log started")
}
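// logprint writes a log line at level lvl (DEBUG..PANIC), prefixed with the matching entry
// of logLevels, followed by the a arguments. Nothing is written while logging is disabled
// (logLevel < 1), for a negative lvl, or when lvl is below the configured threshold; note
// that the threshold compares lvl+1 with logLevel, so logLevel 1 shows everything from
// DEBUG up and logLevel 3 starts at WARN.
func logprint(lvl int, a ...string) {
	if logLevel < 1 || lvl < 0 || lvl+1 < logLevel {
		return
	}
	if lvl >= len(logLevels) {
		// The config does not provide a prefix for this level; indexing logLevels would
		// panic, so report the problem and fall back to a fixed prefix.
		log.Println("ERROR: missing log level prefixes in config file!")
		log.Println("ERROR:", a)
		return
	}
	log.Println(logLevels[lvl], a)
}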