org.xdi.oxauth.service.fido.u2f.AuthenticationService クラス

org.xdi.oxauth.service.fido.u2f.AuthenticationService の継承関係図

org.xdi.oxauth.service.fido.u2f.AuthenticationService 連携図

公開メンバ関数
AuthenticateRequestMessage	buildAuthenticateRequestMessage (String appId, String userInum) throws BadInputException, NoEligableDevicesException
AuthenticateRequest	startAuthentication (String appId, DeviceRegistration device) throws DeviceCompromisedException
AuthenticateRequest	startAuthentication (String appId, DeviceRegistration device, byte[] challenge) throws DeviceCompromisedException
DeviceRegistrationResult	finishAuthentication (AuthenticateRequestMessage requestMessage, AuthenticateResponse response, String userInum) throws BadInputException, DeviceCompromisedException
DeviceRegistrationResult	finishAuthentication (AuthenticateRequestMessage requestMessage, AuthenticateResponse response, String userInum, Set< String > facets) throws BadInputException, DeviceCompromisedException
AuthenticateRequest	getAuthenticateRequest (AuthenticateRequestMessage requestMessage, AuthenticateResponse response) throws BadInputException
void	storeAuthenticationRequestMessage (AuthenticateRequestMessage requestMessage, String userInum, String sessionId)
AuthenticateRequestMessage	getAuthenticationRequestMessage (String oxId)
AuthenticateRequestMessageLdap	getAuthenticationRequestMessageByRequestId (String requestId)
void	removeAuthenticationRequestMessage (AuthenticateRequestMessageLdap authenticateRequestMessageLdap)
String	getUserInumByKeyHandle (String appId, String keyHandle) throws InvalidKeyHandleDeviceException
String	getDnForAuthenticateRequestMessage (String oxId)
List< RequestMessageLdap >	getExpiredRequestMessages (BatchOperation< RequestMessageLdap > batchOperation, Date expirationDate, String[] returnAttributes, int sizeLimit, int chunkSize)
void	removeRequestMessage (RequestMessageLdap requestMessageLdap)

非公開変数類
Logger	log
PersistenceEntryManager	ldapEntryManager
ApplicationService	applicationService
RawAuthenticationService	rawAuthenticationService
ClientDataValidationService	clientDataValidationService
DeviceRegistrationService	deviceRegistrationService
UserService	userService
ChallengeGenerator	challengeGenerator
StaticConfiguration	staticConfiguration

詳解

Provides operations with U2F authentication request

著者

Yuriy Movchan

バージョン

August 9, 2017

関数詳解

buildAuthenticateRequestMessage()

AuthenticateRequestMessage org.xdi.oxauth.service.fido.u2f.AuthenticationService.buildAuthenticateRequestMessage ( String  appId, String  userInum  ) throws BadInputException, NoEligableDevicesException

inline

                                                                                                                                                          {
        if (applicationService.isValidateApplication()) {
            applicationService.checkIsValid(appId);
        }

        List<AuthenticateRequest> authenticateRequests = new ArrayList<AuthenticateRequest>();
        byte[] challenge = challengeGenerator.generateChallenge();

        List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, appId);
        for (DeviceRegistration deviceRegistration : deviceRegistrations) {
            if (!deviceRegistration.isCompromised()) {
                AuthenticateRequest request;
                try {
                    request = startAuthentication(appId, deviceRegistration, challenge);
                    authenticateRequests.add(request);
                } catch (DeviceCompromisedException ex) {
                    log.error("Faield to authenticate device", ex);
                }
            }
        }

        if (authenticateRequests.isEmpty()) {
            if (deviceRegistrations.isEmpty()) {
                throw new NoEligableDevicesException(deviceRegistrations, "No devices registrered");
            } else {
                throw new NoEligableDevicesException(deviceRegistrations, "All devices compromised");
            }
        }

        return new AuthenticateRequestMessage(authenticateRequests);
    }

finishAuthentication() [1/2]

DeviceRegistrationResult org.xdi.oxauth.service.fido.u2f.AuthenticationService.finishAuthentication ( AuthenticateRequestMessage  requestMessage, AuthenticateResponse  response, String  userInum  ) throws BadInputException, DeviceCompromisedException

inline

                                                                 {
        return finishAuthentication(requestMessage, response, userInum, null);
    }

finishAuthentication() [2/2]

DeviceRegistrationResult org.xdi.oxauth.service.fido.u2f.AuthenticationService.finishAuthentication ( AuthenticateRequestMessage  requestMessage, AuthenticateResponse  response, String  userInum, Set< String >  facets  ) throws BadInputException, DeviceCompromisedException

inline

                                                                 {
        List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, requestMessage.getAppId());

        final AuthenticateRequest request = getAuthenticateRequest(requestMessage, response);

        DeviceRegistration usedDeviceRegistration = null;
        for (DeviceRegistration deviceRegistration : deviceRegistrations) {
            if (StringHelper.equals(request.getKeyHandle(), deviceRegistration.getKeyHandle())) {
                usedDeviceRegistration = deviceRegistration;
                break;
            }
        }

        if (usedDeviceRegistration == null) {
            throw new BadInputException("Failed to find DeviceRegistration for the given AuthenticateRequest");
        }

        if (usedDeviceRegistration.isCompromised()) {
            throw new DeviceCompromisedException(usedDeviceRegistration, "The device is marked as possibly compromised, and cannot be authenticated");
        }

        ClientData clientData = response.getClientData();
        clientDataValidationService.checkContent(clientData, RawAuthenticationService.SUPPORTED_AUTHENTICATE_TYPES, request.getChallenge(), facets);

        RawAuthenticateResponse rawAuthenticateResponse = rawAuthenticationService.parseRawAuthenticateResponse(response.getSignatureData());
        rawAuthenticationService.checkSignature(request.getAppId(), clientData, rawAuthenticateResponse,
                Base64Util.base64urldecode(usedDeviceRegistration.getDeviceRegistrationConfiguration().getPublicKey()));
        rawAuthenticateResponse.checkUserPresence();
        usedDeviceRegistration.checkAndUpdateCounter(rawAuthenticateResponse.getCounter());

        usedDeviceRegistration.setLastAccessTime(new Date());

        deviceRegistrationService.updateDeviceRegistration(userInum, usedDeviceRegistration);

        DeviceRegistrationResult.Status status = DeviceRegistrationResult.Status.APPROVED;

        boolean approved = StringHelper.equals(RawAuthenticationService.AUTHENTICATE_GET_TYPE, clientData.getTyp());
        if (!approved) {
            status = DeviceRegistrationResult.Status.CANCELED;
            log.debug("Authentication request with keyHandle '{}' was canceled", response.getKeyHandle());
        }

        return new DeviceRegistrationResult(usedDeviceRegistration, status);
    }

getAuthenticateRequest()

AuthenticateRequest org.xdi.oxauth.service.fido.u2f.AuthenticationService.getAuthenticateRequest ( AuthenticateRequestMessage  requestMessage, AuthenticateResponse  response  ) throws BadInputException

inline

                                                                                                                                                         {
        if (!StringHelper.equals(requestMessage.getRequestId(), response.getRequestId())) {
            throw new BadInputException("Wrong request for response data");
        }

        for (AuthenticateRequest request : requestMessage.getAuthenticateRequests()) {
            if (StringHelper.equals(request.getKeyHandle(), response.getKeyHandle())) {
                return request;
            }
        }

        throw new BadInputException("Responses keyHandle does not match any contained request");
    }

getAuthenticationRequestMessage()

AuthenticateRequestMessage org.xdi.oxauth.service.fido.u2f.AuthenticationService.getAuthenticationRequestMessage ( String  oxId )

inline

                                                                                   {
        String requestDn = getDnForAuthenticateRequestMessage(oxId);

        AuthenticateRequestMessageLdap authenticateRequestMessageLdap = ldapEntryManager.find(AuthenticateRequestMessageLdap.class, requestDn);
        if (authenticateRequestMessageLdap == null) {
            return null;
        }

        return authenticateRequestMessageLdap.getAuthenticateRequestMessage();
    }

getAuthenticationRequestMessageByRequestId()

AuthenticateRequestMessageLdap org.xdi.oxauth.service.fido.u2f.AuthenticationService.getAuthenticationRequestMessageByRequestId ( String  requestId )

inline

                                                                                                       {
        String baseDn = getDnForAuthenticateRequestMessage(null);
        Filter requestIdFilter = Filter.createEqualityFilter("oxRequestId", requestId);

        List<AuthenticateRequestMessageLdap> authenticateRequestMessagesLdap = ldapEntryManager.findEntries(baseDn, AuthenticateRequestMessageLdap.class,
                requestIdFilter);
        if ((authenticateRequestMessagesLdap == null) || authenticateRequestMessagesLdap.isEmpty()) {
            return null;
        }

        return authenticateRequestMessagesLdap.get(0);
    }

getDnForAuthenticateRequestMessage()

String org.xdi.oxauth.service.fido.u2f.AuthenticationService.getDnForAuthenticateRequestMessage ( String  oxId )

inline

Build DN string for U2F authentication request

                                                                  {
        final String u2fBaseDn = staticConfiguration.getBaseDn().getU2fBase(); // ou=authentication_requests,ou=u2f,o=@!1111,o=gluu
        if (StringHelper.isEmpty(oxId)) {
            return String.format("ou=authentication_requests,%s", u2fBaseDn);
        }

        return String.format("oxid=%s,ou=authentication_requests,%s", oxId, u2fBaseDn);
    }

getExpiredRequestMessages()

List<RequestMessageLdap> org.xdi.oxauth.service.fido.u2f.RequestService.getExpiredRequestMessages ( BatchOperation< RequestMessageLdap >  batchOperation, Date  expirationDate, String []  returnAttributes, int  sizeLimit, int  chunkSize  )

inlineinherited

                                                                                                                                                                                                   {
                final String u2fBaseDn = staticConfiguration.getBaseDn().getU2fBase(); // ou=u2f,o=@!1111,o=gluu
                Filter expirationFilter = Filter.createLessOrEqualFilter("creationDate", ldapEntryManager.encodeTime(expirationDate));

                List<RequestMessageLdap> requestMessageLdap = ldapEntryManager.findEntries(u2fBaseDn, RequestMessageLdap.class, expirationFilter, SearchScope.SUB, returnAttributes, batchOperation, 0, sizeLimit, chunkSize);

                return requestMessageLdap;
        }

getUserInumByKeyHandle()

String org.xdi.oxauth.service.fido.u2f.AuthenticationService.getUserInumByKeyHandle ( String  appId, String  keyHandle  ) throws InvalidKeyHandleDeviceException

inline

                                                                                                                {
        if (org.xdi.util.StringHelper.isEmpty(appId) || StringHelper.isEmpty(keyHandle)) {
            return null;
        }

        List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findDeviceRegistrationsByKeyHandle(appId, keyHandle, "oxId");
        if (deviceRegistrations.isEmpty()) {
            throw new InvalidKeyHandleDeviceException(String.format("Failed to find device by keyHandle '%s' in LDAP", keyHandle));
        }

        if (deviceRegistrations.size() != 1) {
            throw new BadInputException(String.format("There are '%d' devices with keyHandle '%s' in LDAP", deviceRegistrations.size(), keyHandle));
        }

        DeviceRegistration deviceRegistration = deviceRegistrations.get(0);

        return userService.getUserInumByDn(deviceRegistration.getDn());
    }

removeAuthenticationRequestMessage()

void org.xdi.oxauth.service.fido.u2f.AuthenticationService.removeAuthenticationRequestMessage ( AuthenticateRequestMessageLdap  authenticateRequestMessageLdap )

inline

                                                                                                                  {
        removeRequestMessage(authenticateRequestMessageLdap);
    }

removeRequestMessage()

void org.xdi.oxauth.service.fido.u2f.RequestService.removeRequestMessage ( RequestMessageLdap  requestMessageLdap )

inlineinherited

                                                                                {
                ldapEntryManager.remove(requestMessageLdap);
        }

startAuthentication() [1/2]

AuthenticateRequest org.xdi.oxauth.service.fido.u2f.AuthenticationService.startAuthentication ( String  appId, DeviceRegistration  device  ) throws DeviceCompromisedException

inline

                                                                                                                              {
        return startAuthentication(appId, device, challengeGenerator.generateChallenge());
    }

startAuthentication() [2/2]

AuthenticateRequest org.xdi.oxauth.service.fido.u2f.AuthenticationService.startAuthentication ( String  appId, DeviceRegistration  device, byte []  challenge  ) throws DeviceCompromisedException

inline

                                                                                                                                                {
        if (device.isCompromised()) {
            throw new DeviceCompromisedException(device, "Device has been marked as compromised, cannot authenticate");
        }

        return new AuthenticateRequest(Base64Util.base64urlencode(challenge), appId, device.getKeyHandle());
    }

storeAuthenticationRequestMessage()

void org.xdi.oxauth.service.fido.u2f.AuthenticationService.storeAuthenticationRequestMessage ( AuthenticateRequestMessage  requestMessage, String  userInum, String  sessionId  )

inline

                                                                                                                                {
        Date now = new GregorianCalendar(TimeZone.getTimeZone("UTC")).getTime();
        final String authenticateRequestMessageId = UUID.randomUUID().toString();

        AuthenticateRequestMessageLdap authenticateRequestMessageLdap = new AuthenticateRequestMessageLdap(getDnForAuthenticateRequestMessage(authenticateRequestMessageId),
                authenticateRequestMessageId, now, sessionId, userInum, requestMessage);

        ldapEntryManager.persist(authenticateRequestMessageLdap);
    }

メンバ詳解

applicationService

ApplicationService org.xdi.oxauth.service.fido.u2f.AuthenticationService.applicationService

private

challengeGenerator

ChallengeGenerator org.xdi.oxauth.service.fido.u2f.AuthenticationService.challengeGenerator

private

clientDataValidationService

ClientDataValidationService org.xdi.oxauth.service.fido.u2f.AuthenticationService.clientDataValidationService

private

deviceRegistrationService

DeviceRegistrationService org.xdi.oxauth.service.fido.u2f.AuthenticationService.deviceRegistrationService

private

ldapEntryManager

PersistenceEntryManager org.xdi.oxauth.service.fido.u2f.AuthenticationService.ldapEntryManager

private

log

Logger org.xdi.oxauth.service.fido.u2f.AuthenticationService.log

private

rawAuthenticationService

RawAuthenticationService org.xdi.oxauth.service.fido.u2f.AuthenticationService.rawAuthenticationService

private

staticConfiguration

StaticConfiguration org.xdi.oxauth.service.fido.u2f.AuthenticationService.staticConfiguration

private

userService

UserService org.xdi.oxauth.service.fido.u2f.AuthenticationService.userService

private

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/OpenId/gluu/src/oxAuth/Server/src/main/java/org/xdi/oxauth/service/fido/u2f/AuthenticationService.java