fix(jans-fido2): U2F attestation and corrected auth_cert link #10911 (#…

…10912) * fix(jans-fido2): U2F attestation and corrected auth_cert link #10911 Signed-off-by: Madhumita Subramaniam <[email protected]> * fix(jans-fido2): #10911 fix sonar issues Signed-off-by: Madhumita Subramaniam <[email protected]> * fix(jans-fido2) :#10911 test cases + minor code fixes Signed-off-by: Madhumita Subramaniam <[email protected]> * fix(jans-fido2) : #10911 code smells fixed Signed-off-by: Madhumita Subramaniam <[email protected]> * fix(jans-cli-tui): typo Signed-off-by: Mustafa Baser <[email protected]> * fix(jans-linux-setup): typo Signed-off-by: Mustafa Baser <[email protected]> * fix(jans-linux-setup): remove unused python2 scripts Signed-off-by: Mustafa Baser <[email protected]> * fix(jans-linux-setup): remove unused python2 genSchemaMarkdown.py Signed-off-by: Mustafa Baser <[email protected]> * chore(jans-linux-setup): remove admin_ui_plugin.py, it was flex tool Signed-off-by: Mustafa Baser <[email protected]> * chore(jans-linux-setup): add missing objects in parse_dn.py Signed-off-by: Mustafa Baser <[email protected]> * ci: exclude old py2 scripts Signed-off-by: moabu <[email protected]> --------- Signed-off-by: Madhumita Subramaniam <[email protected]> Signed-off-by: Mustafa Baser <[email protected]> Signed-off-by: moabu <[email protected]> Co-authored-by: Mustafa Baser <[email protected]> Co-authored-by: Mohammad Abudayyeh <[email protected]>
JanssenProject · Feb 26, 2025 · b47ca75 · b47ca75
1 parent 412ef22
commit b47ca75
Show file tree

Hide file tree

Showing 24 changed files with 825 additions and 1,081 deletions.
diff --git a/.github/workflows/lint-flak8.yml b/.github/workflows/lint-flak8.yml
@@ -50,7 +50,7 @@ jobs:
     - name: Lint with flake8
       run: |
         # stop the build if there are Python syntax errors or undefined names
-        flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --exclude=jans-linux-setup/jans_setup/setup_app/pylib,jans-linux-setup/jans_setup/static/extension
+        flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --exclude=jans_setup/setup_app/pylib,jans_setup/static/extension
         # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-        flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics --exclude=jans-linux-setup/jans_setup/setup_app/pylib,jans-linux-setup/jans_setup/static/extension
+        flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics --exclude=jans_setup/setup_app/pylib,jans_setup/static/extension
       working-directory: ${{ matrix.python-projects }}
diff --git a/jans-cli-tui/cli_tui/plugins/120_lock/main.py b/jans-cli-tui/cli_tui/plugins/120_lock/main.py
@@ -13,7 +13,7 @@
 
 from utils.multi_lang import _
 from utils.utils import DialogUtils, common_data
-from utils.static import cli_style
+from utils.static import cli_style, common_strings
 
 
 class Plugin(DialogUtils):

diff --git a/jans-fido2/model/src/main/java/io/jans/fido2/model/attestation/AttestationResult.java b/jans-fido2/model/src/main/java/io/jans/fido2/model/attestation/AttestationResult.java
@@ -1,16 +1,17 @@
 package io.jans.fido2.model.attestation;
 
-import java.util.HashMap;
+import java.util.Map;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
 
 @JsonIgnoreProperties(ignoreUnknown = true)
 public class AttestationResult {
 	private String id;
 	private String type;
 	private String rawId;
 	private Response response;
-	private HashMap<String, String> clientExtensionResults;
+	private Map<String, Object> clientExtensionResults;
 	private String authentictatorAttachment;
 
 	public String getId() {
@@ -37,11 +38,11 @@ public void setResponse(Response response) {
 		this.response = response;
 	}
 
-	public HashMap<String, String> getClientExtensionResults() {
+	public Map<String, Object> getClientExtensionResults() {
 		return clientExtensionResults;
 	}
 
-	public void setClientExtensionResults(HashMap<String, String> clientExtensionResults) {
+	public void setClientExtensionResults(Map<String, Object> clientExtensionResults) {
 		this.clientExtensionResults = clientExtensionResults;
 	}
 
@@ -61,14 +62,39 @@ public void setRawId(String rawId) {
 		this.rawId = rawId;
 	}
 
-
-
 	@Override
 	public String toString() {
 		return "AttestationResult [id=" + id + ", type=" + type + ", rawId=" + rawId + ", response=" + response
 				+ ", clientExtensionResults=" + clientExtensionResults + ", authentictatorAttachment="
 				+ authentictatorAttachment + "]";
 	}
 
+}
+
+class ClientExtensionResults {
+	@JsonProperty("credProps")
+	private CredProps credProps;
+
+	public CredProps getCredProps() {
+		return credProps;
+	}
+
+	public void setCredProps(CredProps credProps) {
+		this.credProps = credProps;
+	}
+
+}
+
+class CredProps {
+	@JsonProperty("rk")
+	private boolean rk;
+
+	public boolean isRk() {
+		return rk;
+	}
+
+	public void setRk(boolean rk) {
+		this.rk = rk;
+	}
 
 }
diff --git a/jans-fido2/server/src/main/java/io/jans/fido2/model/auth/AuthData.java b/jans-fido2/server/src/main/java/io/jans/fido2/model/auth/AuthData.java
@@ -18,6 +18,8 @@
 
 package io.jans.fido2.model.auth;
 
+import java.util.Arrays;
+
 /**
  * authData structure from https://www.w3.org/TR/webauthn/#authenticator-data
  * @author Yuriy Movchan
@@ -124,4 +126,13 @@ public AuthData setExtensions(byte[] extensions) {
         return this;
 	}
 
+	@Override
+	public String toString() {
+		return "AuthData [rpIdHash=" + Arrays.toString(rpIdHash) + ", flags=" + Arrays.toString(flags) + ", counters="
+				+ Arrays.toString(counters) + ", aaguid=" + Arrays.toString(aaguid) + ", credId="
+				+ Arrays.toString(credId) + ", attestationBuffer=" + Arrays.toString(attestationBuffer) + ", keyType="
+				+ keyType + ", cosePublicKey=" + Arrays.toString(cosePublicKey) + ", extensions="
+				+ Arrays.toString(extensions) + ", authDataDecoded=" + Arrays.toString(authDataDecoded) + "]";
+	}
+
 }
diff --git a/jans-fido2/server/src/main/java/io/jans/fido2/service/CertificateService.java b/jans-fido2/server/src/main/java/io/jans/fido2/service/CertificateService.java
@@ -72,6 +72,7 @@ public X509Certificate getCertificate(InputStream is) {
 
         	return certificate;
         } catch (CertificateException e) {
+
             throw errorResponseFactory.badRequestException(AttestationErrorResponseType.INVALID_CERTIFICATE, e.getMessage(), e);
         }
     }

diff --git a/jans-fido2/server/src/main/java/io/jans/fido2/service/mds/AttestationCertificateService.java b/jans-fido2/server/src/main/java/io/jans/fido2/service/mds/AttestationCertificateService.java
@@ -164,13 +164,46 @@ private JsonNode getMetadataForAuthenticator(AuthData authData) {
 		return metadataForAuthenticator;
 	}
 
+
+
+	public JsonNode getMetadataForU2fAuthenticator(String attestationCertificateKeyIdentifiers) {
+
+		Fido2Configuration fido2Configuration = appConfiguration.getFido2Configuration();
+		JsonNode metadataForAuthenticator;
+		if (fido2Configuration.isEnterpriseAttestation()) {
+			metadataForAuthenticator = localMdsService.getAuthenticatorsMetadata(attestationCertificateKeyIdentifiers);
+			if (metadataForAuthenticator == null) {
+				metadataForAuthenticator = dataMapperService.createObjectNode();
+			}
+		} else {
+			try {
+				log.info("No Local metadata for authenticator {}. Checking for metadata MDS3 blob",
+						attestationCertificateKeyIdentifiers);
+				if (!fido2Configuration.isDisableMetadataService() ) {
+					JsonNode metadata = mdsService.fetchMetadata(attestationCertificateKeyIdentifiers.getBytes());
+					commonVerifiers.verifyThatMetadataIsValid(metadata);
+					metadataForAuthenticator = metadata;
+				} else {
+					metadataForAuthenticator = dataMapperService.createObjectNode();
+					log.debug("disableMetadataService has been configured as true");
+				}
+			} catch (Fido2RuntimeException ex) {
+				log.warn("Failed to get metadata from Fido2 meta-data server: {}", ex.getMessage(), ex);
+
+				metadataForAuthenticator = dataMapperService.createObjectNode();
+			}
+		}
+		return metadataForAuthenticator;
+	}
+
+
 	public List<X509Certificate> getAttestationRootCertificates(AuthData authData, List<X509Certificate> attestationCertificates) {
 		JsonNode metadataForAuthenticator = getMetadataForAuthenticator(authData);
 		return getAttestationRootCertificates(metadataForAuthenticator, attestationCertificates);
 	}
 
 	public X509TrustManager populateTrustManager(AuthData authData, List<X509Certificate> attestationCertificates) {
-		String aaguid = Hex.encodeHexString(authData.getAaguid());
+		String aaguid = Hex.encodeHexString(authData. getAaguid());
 		List<X509Certificate> trustedCertificates = getAttestationRootCertificates(authData, attestationCertificates);
 		if ((trustedCertificates == null) || (trustedCertificates.size() == 0)) {
 			log.error("Failed to get trusted certificates");

diff --git a/jans-fido2/server/src/main/java/io/jans/fido2/service/mds/MdsService.java b/jans-fido2/server/src/main/java/io/jans/fido2/service/mds/MdsService.java
@@ -36,10 +36,8 @@
 import io.jans.fido2.model.mds.AuthenticatorCertificationStatus;
 import io.jans.fido2.service.Base64Service;
 import io.jans.fido2.service.DataMapperService;
-import io.jans.fido2.service.client.ResteasyClientFactory;
 import io.jans.fido2.service.verifier.CommonVerifiers;
 import io.jans.service.cdi.event.ApplicationInitialized;
-
 import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.enterprise.event.Observes;
 import jakarta.inject.Inject;
-Original file line number
+Diff line change
@@ Expand Up / @@ -72,6 +72,7 @@ public X509Certificate getCertificate(InputStream is) { @@
             	return certificate;
             } catch (CertificateException e) {
                 throw errorResponseFactory.badRequestException(AttestationErrorResponseType.INVALID_CERTIFICATE, e.getMessage(), e);
             }
         }
@@ Expand Down @@