open Lwt.Infix
let users : (string, (Mirage_crypto_ec.P256.Dsa.pub * string * X509.Certificate.t option) list) Hashtbl.t = Hashtbl.create 7
module KhPubHashtbl = Hashtbl.Make(struct
type t = Webauthn.key_handle * Mirage_crypto_ec.P256.Dsa.pub
let cs_of_pub = Mirage_crypto_ec.P256.Dsa.pub_to_cstruct
let equal (kh, pub) (kh', pub') =
String.equal kh kh' && Cstruct.equal (cs_of_pub pub) (cs_of_pub pub')
let hash (kh, pub) = Hashtbl.hash (kh, Cstruct.to_string (cs_of_pub pub ))
end)
let counters = KhPubHashtbl.create 7
let check_counter kh_pub counter =
let r =
match KhPubHashtbl.find_opt counters kh_pub with
| Some counter' -> Int32.unsigned_compare counter counter' > 0
| None -> true
in
if r
then KhPubHashtbl.replace counters kh_pub counter;
r
let challenges : (string, string) Hashtbl.t = Hashtbl.create 7
let to_string err = Format.asprintf "%a" Webauthn.pp_error err
let gen_data ?(pad = false) ?alphabet length =
Base64.encode_string ~pad ?alphabet
(Cstruct.to_string (Mirage_crypto_rng.generate length))
let add_routes t =
let main req =
let authenticated_as = Dream.session "authenticated_as" req in
let flash = Flash_message.get_flash req |> List.map snd in
Dream.html (Template.overview flash authenticated_as users)
in
let register req =
let user =
(* match Dream.session "authenticated_as" req with
| None -> *) gen_data ~alphabet:Base64.uri_safe_alphabet 8
(* | Some username -> username *)
in
let _key_handles = match Hashtbl.find_opt users user with
| None -> []
| Some keys -> List.map (fun (_, kh, _) -> kh) keys
in
let challenge = Cstruct.to_string (Mirage_crypto_rng.generate 16)
and userid = Base64.encode_string user
in
Hashtbl.replace challenges challenge user;
Dream.put_session "challenge" challenge req >>= fun () ->
Dream.html (Template.register_view (Webauthn.rpid t) user (Base64.encode_string challenge) userid)
in
let register_finish req =
Dream.body req >>= fun body ->
Logs.info (fun m -> m "received body: %s" body);
match Dream.session "challenge" req with
| None ->
Logs.warn (fun m -> m "no challenge found");
Dream.respond ~status:`Bad_Request "Bad request."
| Some challenge ->
match Webauthn.register_response t challenge body with
| Error e ->
Logs.warn (fun m -> m "error %a" Webauthn.pp_error e);
let err = to_string e in
Flash_message.put_flash "" ("Registration failed " ^ err) req;
Dream.redirect req "/"
| Ok (_aaguid, credential_id, pubkey, _client_extensions, user_present,
user_verified, sig_count, _authenticator_extensions, attestation_cert) ->
ignore (check_counter (credential_id, pubkey) sig_count);
Logs.info (fun m -> m "user present %B user verified %B" user_present user_verified);
match Hashtbl.find_opt challenges challenge with
| None ->
Logs.warn (fun m -> m "challenge not registered");
Dream.respond ~status:`Internal_Server_Error
"Internal server error: couldn't find user for challenge"
| Some user ->
Hashtbl.remove challenges challenge;
match Dream.session "authenticated_as" req, Hashtbl.find_opt users user with
| _, None ->
Logs.app (fun m -> m "registered %s" user);
Hashtbl.replace users user [ (pubkey, credential_id, attestation_cert) ];
Dream.invalidate_session req >>= fun () ->
Flash_message.put_flash ""
(Printf.sprintf "Successfully registered as %s! [authenticate]" user user)
req;
Dream.redirect req "/"
| Some session_user, Some keys ->
if String.equal user session_user then begin
Logs.app (fun m -> m "registered %s" user);
Hashtbl.replace users user ((pubkey, credential_id, attestation_cert) :: keys) ;
Dream.invalidate_session req >>= fun () ->
Flash_message.put_flash ""
(Printf.sprintf "Successfully registered as %s! [authenticate]" user user)
req;
Dream.redirect req "/"
end else
Dream.respond ~status:`Forbidden "Forbidden."
| None, Some _keys ->
Dream.respond ~status:`Forbidden "Forbidden."
in
let authenticate req =
let user = Dream.param "user" req in
match Hashtbl.find_opt users user with
| None ->
Logs.warn (fun m -> m "no user found");
Dream.respond ~status:`Bad_Request "Bad request."
| Some keys ->
let credentials = List.map (fun (_, c, _) -> Base64.encode_string c) keys in
let challenge = Cstruct.to_string (Mirage_crypto_rng.generate 16) in
Dream.put_session "challenge" challenge req >>= fun () ->
Dream.put_session "challenge_user" user req >>= fun () ->
Dream.html (Template.authenticate_view (Base64.encode_string challenge) credentials user)
in
let authenticate_finish req =
Dream.body req >>= fun body ->
Logs.info (fun m -> m "received body: %s" body);
match Dream.session "challenge_user" req with
| None -> Dream.respond ~status:`Internal_Server_Error "Internal server error."
| Some user ->
match Dream.session "challenge" req with
| None ->
Logs.warn (fun m -> m "no challenge found");
Dream.respond ~status:`Bad_Request "Bad request."
| Some challenge ->
match Hashtbl.find_opt users user with
| None ->
Logs.warn (fun m -> m "no user found, using empty");
Dream.respond ~status:`Bad_Request "Bad request."
| Some keys ->
let cid_keys = List.map (fun (key, credential_id, _) -> credential_id, key) keys in
match Webauthn.authentication_response t cid_keys challenge body with
| Ok (credential, _client_extensions, _user_present, _user_verified, counter, _authenticator_extensions) ->
if check_counter credential counter
then begin
Flash_message.put_flash "" "Successfully authenticated" req;
Dream.put_session "user" user req >>= fun () ->
Dream.put_session "authenticated_as" user req >>= fun () ->
Dream.redirect req "/"
end else begin
Logs.warn (fun m -> m "credential %S for user %S: counter not strictly increasing! \
Got %ld, expected >%ld. webauthn device compromised?"
(fst credential) user counter (KhPubHashtbl.find counters credential));
Flash_message.put_flash "" "Authentication failure: key compromised?" req;
Dream.redirect req "/"
end
| Error e ->
Logs.warn (fun m -> m "error %a" Webauthn.pp_error e);
let err = to_string e in
Flash_message.put_flash "" ("Authentication failure: " ^ err) req;
Dream.redirect req "/"
in
let logout req =
Dream.invalidate_session req >>= fun () ->
Dream.redirect req "/"
in
let base64 _req =
Dream.respond ~headers:[("Content-type", "application/javascript")]
[%blob "base64.js"]
in
Dream.router [
Dream.get "/" main;
Dream.get "/register" register;
Dream.post "/register_finish" register_finish;
Dream.get "/authenticate/:user" authenticate;
Dream.post "/authenticate_finish" authenticate_finish;
Dream.post "/logout" logout;
Dream.get "/static/base64.js" base64;
]
let setup_app level port host origin https =
let webauthn = Webauthn.create origin in
let level = match level with None -> None | Some Logs.Debug -> Some `Debug | Some Info -> Some `Info | Some Warning -> Some `Warning | Some Error -> Some `Error | Some App -> None in
Dream.initialize_log ?level ();
Dream.run ~port ~interface:host ~https
@@ Dream.logger
@@ Dream.memory_sessions
@@ Flash_message.flash_messages
@@ add_routes webauthn
@@ Dream.not_found
open Cmdliner
let port =
let doc = "port" in
Arg.(value & opt int 5000 & info [ "p"; "port" ] ~doc)
let host =
let doc = "host" in
Arg.(value & opt string "0.0.0.0" & info [ "h"; "host" ] ~doc)
let origin =
let doc = "the webauthn relying party origin - usually protocol://host" in
Arg.(value & opt string "https://webauthn-demo.robur.coop" & info [ "origin" ] ~doc)
let tls =
let doc = "tls" in
Arg.(value & flag & info [ "tls" ] ~doc)
let () =
let term = Term.(pure setup_app $ Logs_cli.level () $ port $ host $ origin $ tls) in
let info = Term.info "Webauthn app" ~doc:"Webauthn app" ~man:[] in
match Term.eval (term, info) with
| `Ok () -> exit 0
| `Error _ -> exit 1
| _ -> exit 0