数据加密>> u2f_ex>> 返回
项目作者: Ianleeclark

项目描述 :
A server-side U2F (Universal Second Factor) library in Elixir
高级语言: Elixir
项目地址: git://github.com/Ianleeclark/u2f_ex.git
创建时间: 2018-08-08T01:28:54Z
项目社区:https://github.com/Ianleeclark/u2f_ex
开源协议:BSD 3-Clause "New" or "Revised" License
下载


U2fEx

CircleCI
Hex.pm
HexDocs

A Pure Elixir implementation of the U2F Protocol.

Installation

If available in Hex, the package can be installed
by adding u2f_ex to your list of dependencies in mix.exs:

  1. def deps do
  2.   [
  3.     {:u2f_ex, "~> 0.4.2"}
  4.   ]
  5. end

PKIStorage

In order to properly use this library, you’re going to need to store metadata and public
keys for any user registering their U2F Token. However, u2f_ex will need to retrieve that
metadata, so you’re get to write a glorious new module implementing our storage behaviour.

Check out some example docs here: PKIStorage Example

Add A New SQL Table

This section assumes that you’ll be using SQL as the primary storage mechanism for these keys,
but, if you plan on using something else, feel free to do so! Skip to the next section and, should
you have any questions, feel free to ask!
First you’ll want to create a model capable of representing the key metadata (you can steal the
following code):

  1. defmodule Example.Users.U2FKey do
  2.   use Ecto.Schema
  3.   import Ecto.Changeset
  5.   alias Example.Users.User
  7.   schema "u2f_keys" do
  8.     field(:public_key, :string, size: 128, null: false)
  9.     field(:key_handle, :string, size: 128, null: false)
  10.     field(:version, :string, size: 10, null: false, default: "U2F_V2")
  11.     field(:app_id, :string, null: false)
  12.     # NOTE: You'll need to update what table this references or change it to a normal field
  13.     belongs_to(:user, User)
  15.     timestamps()
  16.   end
  18.   @doc false
  19.   def changeset(user, attrs) do
  20.     user
  21.     |> cast(attrs, [:public_key, :key_handle, :version, :app_id, :user_id])
  22.     |> validate_required([:public_key, :key_handle, :version, :app_id, :user_id])
  23.     |> validate_b64_string(:public_key)
  24.     |> validate_b64_string(:key_handle)
  25.   end
  27.   @doc false
  28.   def validate_b64_string(changeset, field, opts \\ []) do
  29.     validate_change(changeset, field, fn _, value ->
  30.       case Base.decode64(value, padding: false) do
  31.         {:ok, _result} ->
  32.           []
  34.         _ ->
  35.           [{field, opts[:message] || "Invalid field #{field}. Expected b64 encoded string."}]
  36.       end
  37.     end)
  38.   end
  39. end

Finally, create and run the following migration:

  1. defmodule Example.Repo.Migrations.AddU2fKey do
  2.   use Ecto.Migration
  4.   def change do
  5.     create table(:u2f_keys) do
  6.       add(:public_key, :string, size: 128)
  7.       add(:key_handle, :string, size: 128)
  8.       add(:version, :string, size: 10, default: "U2F_V2")
  9.       add(:app_id, :string)
  10.       # NOTE: You'll need to update what table this references or change it to a normal field
  11.       add(:user_id, references(:users))
  13.       timestamps()
  14.     end
  15.   end
  16. end

Create a PKIStorage Module

Next you’ll need to provide the library a way of storing and fetching metadata about stored U2F keys,
so you’ll implement the Storage Behaviour

An example, that uses Ecto + SQL, will follow, but know that you can use whatever storage mechanism you
want so long as you adhere to the contract.

  1. defmodule Example.PKIStorage do
  2.   @moduledoc false
  4.   import Ecto.Query
  6.   alias Example.Repo
  7.   alias U2FEx.PKIStorageBehaviour
  8.   alias Example.Users.U2FKey
  10.   @behaviour U2FEx.PKIStorageBehaviour
  12.   @impl PKIStorageBehaviour
  13.   def list_key_handles_for_user(user_id) do
  14.     q =
  15.       from(u in U2FKey,
  16.         where: u.user_id == ^user_id
  17.       )
  19.     x =
  20.       q
  21.       |> Repo.all()
  22.       |> Enum.map(fn %U2FKey{version: version, key_handle: key_handle, app_id: app_id} ->
  23.         %{version: version, key_handle: key_handle, app_id: app_id}
  24.       end)
  26.     {:ok, x}
  27.   end
  29.   @impl PKIStorageBehaviour
  30.   def get_public_key_for_user(user_id, key_handle) do
  31.     q = from(u in U2FKey, where: u.user_id == ^user_id and u.key_handle == ^key_handle)
  33.     q
  34.     |> Repo.one()
  35.     |> case do
  36.       nil -> {:error, :public_key_not_found}
  37.       %U2FKey{public_key: public_key} -> {:ok, public_key}
  38.     end
  39.   end
  40. end

Config Value

Next you’ll need to update your configuration to set the PKIStorage model:

  1. config :u2f_ex,
  2.     pki_storage: PKIStorage,
  3.     app_id: "https://yoursite.com"
NOTE: The should be your site.

Create a Controller

You’ll need a controller capable of handling these interactions:

  1. defmodule ExampleWeb.U2FController do
  2.   use ExampleWeb, :controller
  4.   alias Example.Users
  5.   alias Example.Users.U2FKey
  6.   alias U2FEx.KeyMetadata
  8.   @doc """
  9.   This is the first interaction in the u2f flow. We'll challenge the u2f token to
  10.   provide a public key and sign our challenge (+ other info) proving their ownership
  11.   of the corresponding private key.
  12.   """
  13.   def start_registration(conn, _params) do
  14.     with {:ok, registration_data} <- U2FEx.start_registration(get_user_id(conn)) do
  15.       output = %{
  16.         registerRequests: [
  17.           %{
  18.             appId: registration_data.appId,
  19.             padding: false,
  20.             version: "U2F_V2",
  21.             challenge: registration_data.challenge,
  22.             padding: false
  23.           }
  24.         ],
  25.         registeredKeys: []
  26.       }
  28.       conn
  29.       |> json(output)
  30.     end
  31.   end
  33.   @doc """
  34.   This is the second step of the registration where we'll store their key metadata for
  35.   use later in the authentication portion of the flow.
  36.   """
  37.   def finish_registration(conn, device_response) do
  38.     user_id = get_user_id(conn)
  40.     with {:ok, %KeyMetadata{} = key_metadata} <-
  41.            U2FEx.finish_registration(user_id, device_response),
  42.          :ok <- store_key_data(user_id, key_metadata) do
  43.       conn
  44.       |> json(%{"success" => true})
  45.     else
  46.       _error ->
  47.         conn |> put_status(:bad_request) |> json(%{"success" => false})
  48.     end
  49.   end
  51.   @doc """
  52.   Should the user be logging in, and they have a u2f key registered in our system, we
  53.   should challenge that user to prove their identity and ownership of the u2f device.
  54.   """
  55.   def start_authentication(conn, _params) do
  56.     with {:ok, %{} = sign_request} <- U2FEx.start_authentication(get_user_id(conn)) do
  57.       conn
  58.       |> json(sign_request)
  59.     end
  60.   end
  62.   @doc """
  63.   After the user has attempted to verify their identity, U2FEx will verify they actually who are
  64.   they say they are. Once this step has exited successfully, then we can be reasonably assured the
  65.   user is who they claim to be.
  66.   """
  67.   def finish_authentication(conn, device_response) do
  68.     with :ok <- U2FEx.finish_authentication(get_user_id(conn), device_response |> Jason.encode!()) do
  69.       conn
  70.       |> json(%{"success" => true})
  71.     else
  72.       _ -> json(conn, %{"success" => false})
  73.     end
  74.   end
  76.   @doc """
  77.   Fill in with however you want to persist keys. See U2FEx.KeyMetadata struct for more info
  78.   """
  79.   @spec store_key_data(user_id :: any(), KeyMetadata.t()) :: :ok | {:error, any()}
  80.   def store_key_data(user_id, key_metadata) do
  81.     with {:ok, %U2FKey{}} <- Users.create_u2f_key(user_id, key_metadata) do
  82.       :ok
  83.     end
  84.   end
  86.   @spec get_user_id(Plug.Conn.t()) :: String.t()
  87.   defp get_user_id(_conn) do
  88.     "1"
  89.   end
  90. end

Moreover, you’re going to need to add routes (feel free to change, but you need these four routes specifically).

  1.     post("/u2f/start_registration", U2FController, :start_registration)
  2.     post("/u2f/finish_registration", U2FController, :finish_registration)
  3.     post("/u2f/start_authentication", U2FController, :start_authentication)
  4.     post("/u2f/finish_authentication", U2FController, :finish_authentication)

Finally, finish up with some javascript

Vendor google’s u2f-api-polyfill.js (Can be found here or here).

Finally, you’ll need to handle events for talking to the device. This assumes jquery, but it can be
easily swapped out and work in vanilla Javascript, React, Vue, &c.

  1. import $ from "jquery";
  3. $(document).ready(() => {
  4.   const appId = "https://localhost";
  5.   const u2f = window.u2f;
  6.   const post = (url, csrf, data) => {
  7.     return $.ajax({
  8.       url: url,
  9.       type: "POST",
  10.       dataType: "json",
  11.       contentType: "application/json",
  12.       data: JSON.stringify(data),
  13.       beforeSend: xhr => {
  14.         xhr.setRequestHeader("X-CSRF-TOKEN", csrf);
  15.       }
  16.     });
  17.   };
  19.   $("#register").click(() => {
  20.     const csrf = $("meta[name='csrf-token']").attr("content");
  21.     post("/u2f/start_registration", csrf).then(
  22.       ({ appId, registerRequests, registeredKeys }) => {
  23.         u2f.register(appId, registerRequests, registeredKeys, response => {
  24.           post("/u2f/finish_registration", csrf, response)
  25.             // NOTE: Handle finishing registration here
  26.                 .then(x => console.log("Finished Registration"));
  27.         });
  28.       },
  29.       error => {
  30.         console.error(error);
  31.       }
  32.     );
  33.   });
  35.   $("#sign").click(() => {
  36.     const csrf = $("meta[name='csrf-token']").attr("content");
  37.     post("/u2f/start_authentication", csrf).then(
  38.       ({ challenge, registeredKeys }) => {
  39.         u2f
  40.           .sign(appId, challenge, registeredKeys, response1 => {
  41.             post("/u2f/finish_authentication", csrf, response1).then(
  42.               // NOTE: Handle finishing authentication here
  43.               x => console.log("Finished Authentication")
  44.             );
  45.           });
  46.       },
  47.       error => {
  48.         console.error(error);
  49.       }
  50.     );
  51.   });
  52. });