ClientData class now performs all client data related operations

Author: Henrik Stråth

u2flib-server-core/src/main/java/com/yubico/u2f/ClientDataUtils.java

@@ -10,17 +10,14 @@
 package com.yubico.u2f;
 
 import com.google.common.base.Optional;
+import com.yubico.u2f.data.messages.*;
 import com.yubico.u2f.data.messages.key.RawAuthenticateResponse;
 import com.yubico.u2f.data.messages.key.RawRegisterResponse;
 import com.yubico.u2f.data.Device;
 import com.yubico.u2f.crypto.ChallengeGenerator;
 import com.yubico.u2f.crypto.Crypto;
 import com.yubico.u2f.crypto.BouncyCastleCrypto;
 import com.yubico.u2f.crypto.RandomChallengeGenerator;
-import com.yubico.u2f.data.messages.StartedAuthentication;
-import com.yubico.u2f.data.messages.StartedRegistration;
-import com.yubico.u2f.data.messages.AuthenticateResponse;
-import com.yubico.u2f.data.messages.RegisterResponse;
 import org.apache.commons.codec.binary.Base64;
 
 import java.util.Set;
@@ -31,7 +28,7 @@ public class U2F {
   private static final ChallengeGenerator challengeGenerator = new RandomChallengeGenerator();
   public static final Crypto crypto = new BouncyCastleCrypto();
   public static final String AUTHENTICATE_TYP = "navigator.id.getAssertion";
-  public static final String REGISTER_TYP = "navigator.id.finishEnrollment";
+  public static final String REGISTER_TYPE = "navigator.id.finishEnrollment";
 
   /**
    * Initiates the registration of a device.
@@ -60,14 +57,11 @@ public static Device finishRegistration(StartedRegistration startedRegistration,
   }
 
   public static Device finishRegistration(StartedRegistration startedRegistration, RegisterResponse tokenResponse, Set<String> facets) throws U2fException {
-    byte[] clientData = ClientDataUtils.checkClientData(
-            tokenResponse.getClientData().toString(),
-            REGISTER_TYP,
-            startedRegistration.getChallenge(),
-            Optional.fromNullable(facets)
-    );
+    ClientData clientData = tokenResponse.getClientData();
+    clientData.checkContent(REGISTER_TYPE, startedRegistration.getChallenge(), Optional.fromNullable(facets));
+
     RawRegisterResponse rawRegisterResponse = RawRegisterResponse.fromBase64(tokenResponse.getRegistrationData());
-    rawRegisterResponse.checkSignature(startedRegistration.getAppId(), clientData);
+    rawRegisterResponse.checkSignature(startedRegistration.getAppId(), clientData.getRawClientData());
     return rawRegisterResponse.createDevice();
   }
 
@@ -102,14 +96,16 @@ public static int finishAuthentication(StartedAuthentication startedAuthenticati
   }
 
   public static int finishAuthentication(StartedAuthentication startedAuthentication, AuthenticateResponse response, Device device, Set<String> facets) throws U2fException {
-    byte[] clientData = ClientDataUtils.checkClientData(
-            response.getClientData().toString(),
-            AUTHENTICATE_TYP,
-            startedAuthentication.getChallenge(),
-            Optional.fromNullable(facets)
-    );
+    ClientData clientData = response.getClientData();
+    clientData.checkContent(AUTHENTICATE_TYP, startedAuthentication.getChallenge(), Optional.fromNullable(facets));
+
+
     RawAuthenticateResponse rawAuthenticateResponse = RawAuthenticateResponse.fromBase64(response.getSignatureData());
-    rawAuthenticateResponse.checkSignature(startedAuthentication.getAppId(), clientData, device.getPublicKey());
+    rawAuthenticateResponse.checkSignature(
+            startedAuthentication.getAppId(),
+            clientData.getRawClientData(),
+            device.getPublicKey()
+    );
     rawAuthenticateResponse.checkUserPresence();
     return device.checkAndIncrementCounter(rawAuthenticateResponse.getCounter());
   }

u2flib-server-core/src/main/java/com/yubico/u2f/U2F.java

@@ -11,6 +11,7 @@
 
 import com.google.common.base.Objects;
 import com.google.gson.Gson;
+import com.yubico.u2f.U2fException;
 import com.yubico.u2f.data.DataObject;
 
 import static com.google.common.base.Preconditions.checkNotNull;
@@ -32,7 +33,7 @@ public AuthenticateResponse(String clientData, String signatureData, String chal
     this.challenge = checkNotNull(challenge);
   }
 
-  public ClientData getClientData() {
+  public ClientData getClientData() throws U2fException {
     return new ClientData(clientData);
   }
 

u2flib-server-core/src/main/java/com/yubico/u2f/data/messages/AuthenticateResponse.java

@@ -1,26 +1,99 @@
 package com.yubico.u2f.data.messages;
 
+import com.google.common.base.Optional;
+import com.google.common.collect.ImmutableSet;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
 import com.yubico.u2f.U2fException;
-import com.yubico.u2f.ClientDataUtils;
 import org.apache.commons.codec.binary.Base64;
 
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Set;
+
 import static com.google.common.base.Preconditions.checkNotNull;
 
 public class ClientData {
 
-  private final String clientData;
+  private static final String TYPE_PARAM = "typ";
+  private static final String CHALLENGE_PARAM = "challenge";
+  private static final String ORIGIN_PARAM = "origin";
+
+  private final String type;
+  private final String challenge;
+  private final String origin;
+  private final byte[] rawClientData;
+
+  public byte[] getRawClientData() {
+    return rawClientData;
+  }
+
+  public ClientData(String rawClientData) throws U2fException {
+    this(rawClientData.getBytes());
+  }
+
+  public ClientData(byte[] clientData) throws U2fException {
 
-  public ClientData(String clientData) {
-    this.clientData = checkNotNull(clientData);
+    this.rawClientData = Base64.decodeBase64(clientData);
+    JsonElement clientDataAsElement = new JsonParser().parse(new String(rawClientData));
+    if (!clientDataAsElement.isJsonObject()) {
+      throw new U2fException("ClientData has wrong format");
+    }
+    JsonObject jsonObject = clientDataAsElement.getAsJsonObject();
+    if (!jsonObject.has(TYPE_PARAM)) {
+      throw new U2fException("Bad clientData: missing 'typ' param");
+    }
+    this.type = jsonObject.get(TYPE_PARAM).getAsString();
+    if (!jsonObject.has(CHALLENGE_PARAM)) {
+      throw new U2fException("Bad clientData: missing 'challenge' param");
+    }
+    this.challenge = jsonObject.get(CHALLENGE_PARAM).getAsString();
+    this.origin = checkNotNull(jsonObject.get(ORIGIN_PARAM).getAsString());
   }
 
   @Override
   public String toString() {
-    return clientData;
+    return new String(rawClientData);
+  }
+
+  public String getChallenge() {
+    return challenge;
+  }
+
+  public void checkContent(String type, String challenge, Optional<Set<String>> facets) throws U2fException {
+    if (!type.equals(this.type)) {
+      throw new U2fException("Bad clientData: bad type " + this.type);
+    }
+    if (!challenge.equals(this.challenge)) {
+      throw new U2fException("Wrong challenge signed in clientData");
+    }
+    if(facets.isPresent()) {
+        verifyOrigin(origin, canonicalizeOrigins(facets.get()));
+    }
+  }
+
+  private static void verifyOrigin(String origin, Set<String> allowedOrigins) throws U2fException {
+    if (!allowedOrigins.contains(canonicalizeOrigin(origin))) {
+      throw new U2fException(origin +
+              " is not a recognized home origin for this backend");
+    }
+  }
+
+  public static Set<String> canonicalizeOrigins(Set<String> origins) {
+    ImmutableSet.Builder<String> result = ImmutableSet.builder();
+    for (String origin : origins) {
+      result.add(canonicalizeOrigin(origin));
+    }
+    return result.build();
   }
 
-  public String getChallenge() throws U2fException {
-    return ClientDataUtils.toJsonObject(Base64.decodeBase64(clientData.getBytes()))
-            .get(ClientDataUtils.CHALLENGE_PARAM).getAsString();
+  public static String canonicalizeOrigin(String url) {
+    try {
+      URI uri = new URI(url);
+      return uri.getScheme() + "://" + uri.getAuthority();
+    } catch (URISyntaxException e) {
+      throw new AssertionError("specified bad origin", e);
+    }
   }
 }

u2flib-server-core/src/main/java/com/yubico/u2f/data/messages/ClientData.java

@@ -10,6 +10,7 @@
 package com.yubico.u2f.data.messages;
 
 import com.google.common.base.Objects;
+import com.yubico.u2f.U2fException;
 import com.yubico.u2f.data.DataObject;
 
 import static com.google.common.base.Preconditions.checkNotNull;
@@ -30,7 +31,7 @@ public String getRegistrationData() {
     return registrationData;
   }
 
-  public ClientData getClientData() {
+  public ClientData getClientData() throws U2fException {
     return new ClientData(clientData);
   }
 

u2flib-server-core/src/main/java/com/yubico/u2f/data/messages/RegisterResponse.java

@@ -57,8 +57,7 @@ public void checkSignature(String appId, byte[] clientData, byte[] publicKey) th
     );
   }
 
-  public static byte[] packBytesToSign(byte[] appIdHash, byte userPresence,
-                                       int counter, byte[] challengeHash) {
+  public static byte[] packBytesToSign(byte[] appIdHash, byte userPresence, int counter, byte[] challengeHash) {
     return ByteSink.create()
             .put(appIdHash)
             .put(userPresence)

u2flib-server-core/src/main/java/com/yubico/u2f/data/messages/key/RawAuthenticateResponse.java

@@ -12,13 +12,9 @@
 import com.google.common.collect.ImmutableSet;
 import com.yubico.u2f.TestVectors;
 import com.yubico.u2f.U2fException;
-import com.yubico.u2f.ClientDataUtils;
 import com.yubico.u2f.U2F;
 import com.yubico.u2f.data.Device;
-import com.yubico.u2f.data.messages.StartedAuthentication;
-import com.yubico.u2f.data.messages.StartedRegistration;
-import com.yubico.u2f.data.messages.AuthenticateResponse;
-import com.yubico.u2f.data.messages.RegisterResponse;
+import com.yubico.u2f.data.messages.*;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -44,13 +40,13 @@ public void setup() throws Exception {
 
   @Test
   public void testSanitizeOrigin() {
-    assertEquals("http://example.com", ClientDataUtils.canonicalizeOrigin("http://example.com"));
-    assertEquals("http://example.com", ClientDataUtils.canonicalizeOrigin("http://example.com/"));
-    assertEquals("http://example.com", ClientDataUtils.canonicalizeOrigin("http://example.com/foo"));
-    assertEquals("http://example.com", ClientDataUtils.canonicalizeOrigin("http://example.com/foo?bar=b"));
-    assertEquals("http://example.com", ClientDataUtils.canonicalizeOrigin("http://example.com/foo#fragment"));
-    assertEquals("https://example.com", ClientDataUtils.canonicalizeOrigin("https://example.com"));
-    assertEquals("https://example.com", ClientDataUtils.canonicalizeOrigin("https://example.com/foo"));
+    assertEquals("http://example.com", ClientData.canonicalizeOrigin("http://example.com"));
+    assertEquals("http://example.com", ClientData.canonicalizeOrigin("http://example.com/"));
+    assertEquals("http://example.com", ClientData.canonicalizeOrigin("http://example.com/foo"));
+    assertEquals("http://example.com", ClientData.canonicalizeOrigin("http://example.com/foo?bar=b"));
+    assertEquals("http://example.com", ClientData.canonicalizeOrigin("http://example.com/foo#fragment"));
+    assertEquals("https://example.com", ClientData.canonicalizeOrigin("https://example.com"));
+    assertEquals("https://example.com", ClientData.canonicalizeOrigin("https://example.com/foo"));
   }
 
   @Test