1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
|
#
# This file is part of Authen-U2F-Tester
#
# This software is copyright (c) 2017 by Michael Schout.
#
# This is free software; you can redistribute it and/or modify it under
# the same terms as the Perl 5 programming language system itself.
#
package Authen::U2F::Tester;
$Authen::U2F::Tester::VERSION = '0.03';
# ABSTRACT: FIDO/U2F Authentication Test Client
use Moose;
use strictures 2;
use Authen::U2F::Tester::Const qw(OK DEVICE_INELIGIBLE);
use Authen::U2F::Tester::Error;
use Authen::U2F::Tester::Keypair;
use Authen::U2F::Tester::RegisterResponse;
use Authen::U2F::Tester::SignResponse;
use Crypt::OpenSSL::X509;
use Crypt::PK::ECC;
use Digest::SHA qw(sha256);
use JSON::MaybeXS qw(encode_json);
use List::Util qw(first);
use MIME::Base64 qw(encode_base64url decode_base64url);
use namespace::autoclean;
my $COUNTER = 0;
has key => (
is => 'ro',
isa => 'Crypt::PK::ECC',
required => 1);
has keystore => (
is => 'ro',
does => 'Authen::U2F::Tester::Role::Keystore',
required => 1);
has certificate => (
is => 'ro',
isa => 'Crypt::OpenSSL::X509',
required => 1);
around BUILDARGS => sub {
my ($orig, $self) = splice @_, 0, 2;
if (@_ > 1) {
my %args = @_;
if (my $keyfile = delete $args{key_file}) {
$args{key} = Crypt::PK::ECC->new($keyfile);
}
if (my $certfile = delete $args{cert_file}) {
$args{certificate} = Crypt::OpenSSL::X509->new_from_file($certfile);
}
# if no keystore was given, use the wrapped keystore
unless (defined $args{keystore}) {
require Authen::U2F::Tester::Keystore::Wrapped;
$args{keystore} = Authen::U2F::Tester::Keystore::Wrapped->new(key => $args{key});
}
return $self->$orig(%args);
}
else {
return $self->$orig(@_);
}
};
sub register {
my ($self, $app_id, $challenge, @registered_handles) = @_;
# check if this device has already been registered
for my $registered (@registered_handles) {
if ($self->keystore->exists($registered)) {
return Authen::U2F::Tester::Error->new(DEVICE_INELIGIBLE);
}
}
# generate a new keypair for this application
my $keypair = Authen::U2F::Tester::Keypair->new;
my $handle = $self->keystore->put($keypair->private_key);
my $cert = $self->certificate->as_string(Crypt::OpenSSL::X509::FORMAT_ASN1);
my %client_data = (
typ => 'navigator.id.finishEnrollment',
challenge => $challenge,
origin => $app_id,
cid_pubkey => 'unused');
my $client_data = encode_json(\%client_data);
my $sign_data = pack 'x a32 a32 a* a65',
sha256($app_id),
sha256($client_data),
$handle,
$keypair->public_key;
my $signature = $self->key->sign_hash(sha256($sign_data));
my $response = pack 'a a65 C/a* a* a*',
chr(0x05), $keypair->public_key, $handle, $cert, $signature;
return Authen::U2F::Tester::RegisterResponse->new(
error_code => OK,
response => $response,
client_data => encode_base64url($client_data));
}
sub sign {
my ($self, $app_id, $challenge, @handles) = @_;
my $handle = first { $self->keystore->exists($_) } @handles;
unless (defined $handle) {
return Authen::U2F::Tester::Error->new(DEVICE_INELIGIBLE);
}
my %client_data = (
typ => 'navigator.id.getAssertion',
challenge => $challenge,
origin => $app_id,
cid_pubkey => 'unused');
my $client_data = encode_json(\%client_data);
my $pkec = $self->keystore->get($handle);
my $counter = ++$COUNTER;
# generate the signature
my $sign_data = pack 'a32 a N a32',
sha256($app_id), # 32 byte SHA256 application parameter
chr(0x01), # 1 byte user presence
$counter, # 4 byte counter
sha256($client_data); # 32 byte SHA256 of client data JSON
my $signature = $pkec->sign_hash(sha256($sign_data));
my $response = pack 'a N a*',
chr(0x01),
$counter,
$signature;
return Authen::U2F::Tester::SignResponse->new(
error_code => OK,
response => $response,
key_handle => $handle,
client_data => encode_base64url($client_data));
}
__PACKAGE__->meta->make_immutable;
__END__
=pod
=head1 NAME
Authen::U2F::Tester - FIDO/U2F Authentication Test Client
=head1 VERSION
version 0.03
=head1 SYNOPSIS
my $tester = Authen::U2F::Tester->new(
cert_file => $certfile,
key_file => $keyfile);
#
# Test a U2F registration
#
my $app_id = 'https://www.example.com';
my $challenge = Authen::U2F->challenge;
my $r = $tester->register($app_id, $challenge);
unless ($r->is_success) {
die $r->error_message;
}
print $res->client_data;
print $res->registration_data;
# the fields in $res can be used to verify the registration using
# Authen::U2F
my ($handle, $key) = Authen::U2F->registration_verify(
challenge => $challenge,
app_id => $app_id,
origin => $origin,
registration_data => $res->registration_data,
client_data => $res->client_data);
#
# Test a U2F Signing request
#
$r = $tester->sign($app_id, $challenge, $handle);
unless ($r->is_success) {
die $r->error_message;
}
print $res->client_data;
print $res->signature_data;
# verify the signing request with Authen::U2F
Authen::U2F->signature_verify(
challenge => $challenge,
app_id => $app_id,
origin => $app_id,
key_handle => $handle,
key => $key,
signature_data => $r->signature_data,
client_data => $r->client_data);
=head1 DESCRIPTION
This module implements a FIDO/U2F tester that can be used for testing web
applications that support FIDO/U2F. Think of this module as a "virtual" U2F
security key.
=head1 METHODS
=head2 new(%args)
Constructor.
The following arguments are required:
=over 4
=item *
key_file
The location of the private key file.
=item *
cert_file
The location of the C<X.509> certificate file.
=back
Alternatively, the key and certificate can be passed in directly as objects:
=over 4
=item *
key
An L<Crypt::PK::ECC> object.
=item *
certificate
An L<Crypt::OpenSSL::X509> object.
=back
In order to create and use the tester, you will need both an Elliptic Curve
key, and a SSL X.509 certificate. The key can be generated using OpenSSL:
% openssl ecparam -name secp256r1 -genkey -noout -out key.pem
Then this key can be used to generate a self signed X.509 certificate:
% openssl req -key key.pem -x509 -days 3560 -sha256 \
-subj '/C=US/ST=Texas/O=Untrusted U2F Org/CN=virtual-u2f' \
-out cert.pem
Note that this key is also used to encrypt key handles that the tester
generates for registration requests.
=head2 key(): Crypt::PK::ECC
Get the key for this tester.
=head2 keystore(): Authen::U2F::Tester::Role::Keystore
This returns the key store instance that the tester uses. The default key
store is a "wrapped" key store as described in the FIDO/U2F specs. What this
means is it does not actually store anything, but instead encrypts the private
key using the tester's private key, and returns that as the key handle. This
key store will accept any encrypted private key as a valid key handle so long
as it can be decrypted by the tester's private key. This is similar to how
many physical U2F devices work in the real world. See
L<Authen::U2F::Tester::Keystore::Wrapped> for more information.
=head2 certificate(): Crypt::OpenSSL::X509
Get the SSL certificate that this tester uses.
=head2 register($app_id, $challenge, @keyhandles): Authen::U2F::Tester::RegisterResponse
Complete a registration request.
Returns a L<Authen::U2F::Tester::RegisterResponse> on success, or an
L<Authen::U2F::Error> object on failure.
Arguments are:
=over 4
=item *
app_id: string
The application id
=item *
challenge: string
The challenge parameter, in Base64 URL encoded format
=item *
keyhandles: list (optional)
List of already registered keyhandles for the current user, in Base64 URL format.
=back
Example:
my $app_id = 'https://www.example.com';
my $challenge = Authen::U2F->challenge;
my $res = $tester->register($app_id, $challenge);
unless ($res->is_success) {
die $res->error_message;
}
=head2 sign($app_id, $challenge, @keyhandles)
Complete a U2F signing request. Returns a L<Authen::U2F::Tester::SignResponse>
object on success, L<Authen::U2F::Error> object otherwise.
Arguments are:
=over 4
=item *
app_id
The appId value
=item *
challenge
The challenge parameter, in Base64 URL encoded format
=item *
keyhandles
List of possible keyhandles, in Base64 URL encoded format
=back
Example:
my $app_id = 'https://www.example.com';
my $challenge = Authen::U2F->challenge;
my $res = $tester->sign($app_id, $challenge, $keyhandle);
unless ($res->is_success) {
die $res->error_message;
}
# signature and client data, which should be sent to relaying party for
# verification.
print $res->signature_data;
print $res->client_data;
=for Pod::Coverage OK DEVICE_INELIGIBLE
=head1 SOURCE
The development version is on github at L<http://https://github.com/mschout/perl-authen-u2f-tester>
and may be cloned from L<git://https://github.com/mschout/perl-authen-u2f-tester.git>
=head1 BUGS
Please report any bugs or feature requests on the bugtracker website
L<https://github.com/mschout/perl-authen-u2f-tester/issues>
When submitting a bug or request, please include a test-file or a
patch to an existing test-file that illustrates the bug or desired
feature.
=head1 AUTHOR
Michael Schout <mschout@cpan.org>
=head1 COPYRIGHT AND LICENSE
This software is copyright (c) 2017 by Michael Schout.
This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.
=cut
|
