Update Webauthn and Base64 (kanidm#2734)
Firstyear authored May 1, 2024
1 parent 5916223 commit 1fb8165
Showing 12 changed files with 238 additions and 314 deletions.
373 changes: 157 additions & 216 deletions Cargo.lock


53 changes: 23 additions & 30 deletions Cargo.toml
Expand Up @@ -32,7 +32,7 @@ members = [
]

[workspace.package]
version = "1.2.0-dev"
version = "1.3.0-dev"
authors = [
"William Brown <[email protected]>",
"James Hodgkinson <[email protected]>",
Expand Down Expand Up @@ -61,13 +61,6 @@ repository = "https://github.com/kanidm/kanidm/"
# scim_proto = { path = "../scim/proto" }
# scim_proto = { git = "https://github.com/kanidm/scim.git" }

base64urlsafedata = { git = "https://github.com/kanidm/webauthn-rs.git", rev = "24b6ad8e41e336b4b6554b6e8e171c929952bf73" }
webauthn-authenticator-rs = { git = "https://github.com/kanidm/webauthn-rs.git", rev = "24b6ad8e41e336b4b6554b6e8e171c929952bf73" }
webauthn-rs = { git = "https://github.com/kanidm/webauthn-rs.git", rev = "24b6ad8e41e336b4b6554b6e8e171c929952bf73" }
webauthn-rs-core = { git = "https://github.com/kanidm/webauthn-rs.git", rev = "24b6ad8e41e336b4b6554b6e8e171c929952bf73" }
webauthn-rs-proto = { git = "https://github.com/kanidm/webauthn-rs.git", rev = "24b6ad8e41e336b4b6554b6e8e171c929952bf73" }
sshkey-attest = { git = "https://github.com/kanidm/webauthn-rs.git", rev = "24b6ad8e41e336b4b6554b6e8e171c929952bf73" }

# base64urlsafedata = { path = "../webauthn-rs/base64urlsafedata" }
# webauthn-authenticator-rs = { path = "../webauthn-rs/webauthn-authenticator-rs" }
# webauthn-rs = { path = "../webauthn-rs/webauthn-rs" }
Expand All @@ -78,19 +71,19 @@ sshkey-attest = { git = "https://github.com/kanidm/webauthn-rs.git", rev = "24b6
# kanidm-hsm-crypto = { path = "../hsm-crypto" }

[workspace.dependencies]
kanidmd_core = { path = "./server/core", version = "=1.2.0-dev" }
kanidmd_lib = { path = "./server/lib", version = "=1.2.0-dev" }
kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.2.0-dev" }
kanidmd_testkit = { path = "./server/testkit", version = "=1.2.0-dev" }
kanidm_build_profiles = { path = "./libs/profiles", version = "=1.2.0-dev" }
kanidm_client = { path = "./libs/client", version = "=1.2.0-dev" }
kanidmd_core = { path = "./server/core", version = "=1.3.0-dev" }
kanidmd_lib = { path = "./server/lib", version = "=1.3.0-dev" }
kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.3.0-dev" }
kanidmd_testkit = { path = "./server/testkit", version = "=1.3.0-dev" }
kanidm_build_profiles = { path = "./libs/profiles", version = "=1.3.0-dev" }
kanidm_client = { path = "./libs/client", version = "=1.3.0-dev" }
kanidm-hsm-crypto = "^0.1.6"
kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.2.0-dev" }
kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.2.0-dev" }
kanidm_proto = { path = "./proto", version = "=1.2.0-dev" }
kanidm_unix_int = { path = "./unix_integration", version = "=1.2.0-dev" }
kanidm_utils_users = { path = "./libs/users", version = "=1.2.0-dev" }
sketching = { path = "./libs/sketching", version = "=1.2.0-dev" }
kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.3.0-dev" }
kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.3.0-dev" }
kanidm_proto = { path = "./proto", version = "=1.3.0-dev" }
kanidm_unix_int = { path = "./unix_integration", version = "=1.3.0-dev" }
kanidm_utils_users = { path = "./libs/users", version = "=1.3.0-dev" }
sketching = { path = "./libs/sketching", version = "=1.3.0-dev" }

serde_with = "3.7.0"
argon2 = { version = "0.5.3", features = ["alloc"] }
Expand All @@ -110,14 +103,14 @@ axum = { version = "0.6.20", features = [
axum-csp = { version = "0.0.5" }
base32 = "^0.4.0"
base64 = "^0.21.7"
base64urlsafedata = "0.1.3"
base64urlsafedata = "0.5.0"
bitflags = "^2.4.2"
bytes = "^1.5.0"
clap = { version = "^4.5.3", features = ["derive", "env"] }
clap_complete = "^4.5.1"
# Forced by saffron/cron
chrono = "^0.4.35"
compact_jwt = { version = "^0.4.0-dev", default-features = false }
compact_jwt = { version = "^0.4.1", default-features = false }
concread = "^0.5.0"
cron = "0.12.1"
crossbeam = "0.8.4"
Expand Down Expand Up @@ -151,8 +144,8 @@ js-sys = "^0.3.69"
kanidmd_web_ui_shared = { path = "./server/web_ui/shared" }
# REMOVE this
lazy_static = "^1.4.0"
ldap3_client = "^0.4.4"
ldap3_proto = { version = "^0.4.3", features = ["serde"] }
ldap3_client = "^0.5"
ldap3_proto = { version = "^0.5", features = ["serde"] }

libc = "^0.2.153"
libnss = "^0.4.0"
Expand Down Expand Up @@ -197,7 +190,7 @@ reqwest = { version = "0.11.26", default-features = false, features = [
rpassword = "^7.3.1"
rusqlite = { version = "^0.28.0", features = ["array", "bundled"] }

scim_proto = "^0.2.1"
scim_proto = "^0.2.2"
sd-notify = "^0.4.1"
selinux = "^0.4.3"
serde = "^1.0.197"
Expand All @@ -207,7 +200,7 @@ serde-wasm-bindgen = "0.5"
shellexpand = "^2.1.2"
smartstring = "^1.0.1"
smolset = "^1.3.1"
sshkey-attest = "^0.5.0-dev"
sshkey-attest = "^0.5.0"
svg = "0.13.1"
syn = { version = "2.0.53", features = ["full"] }
tempfile = "3.10.1"
Expand Down Expand Up @@ -239,14 +232,14 @@ wasm-bindgen = "^0.2.92"
wasm-bindgen-futures = "^0.4.42"
wasm-bindgen-test = "0.3.42"

webauthn-authenticator-rs = { version = "0.5.0-dev", features = [
webauthn-authenticator-rs = { version = "0.5.0", features = [
"softpasskey",
"softtoken",
"mozilla",
] }
webauthn-rs = { version = "0.5.0-dev", features = ["preview-features"] }
webauthn-rs-core = "0.5.0-dev"
webauthn-rs-proto = "0.5.0-dev"
webauthn-rs = { version = "0.5.0", features = ["preview-features"] }
webauthn-rs-core = "0.5.0"
webauthn-rs-proto = "0.5.0"

web-sys = "^0.3.69"
whoami = "^1.5.1"
2 changes: 1 addition & 1 deletion Makefile
@@ -1,6 +1,6 @@
IMAGE_BASE ?= kanidm
IMAGE_VERSION ?= devel
IMAGE_EXT_VERSION ?= 1.2.0-dev
IMAGE_EXT_VERSION ?= 1.3.0-dev
CONTAINER_TOOL_ARGS ?=
IMAGE_ARCH ?= "linux/amd64,linux/arm64"
CONTAINER_BUILD_ARGS ?=
28 changes: 14 additions & 14 deletions libs/crypto/src/lib.rs
Expand Up @@ -507,8 +507,8 @@ impl TryFrom<&ReplPasswordV1> for Password {
t_cost: *t_cost,
p_cost: *p_cost,
version: *version,
salt: salt.0.clone(),
key: key.0.clone(),
salt: salt.to_vec(),
key: key.to_vec(),
},
}),
ReplPasswordV1::ARGON2ID {
Expand All @@ -524,39 +524,39 @@ impl TryFrom<&ReplPasswordV1> for Password {
t_cost: *t_cost,
p_cost: *p_cost,
version: *version,
salt: salt.0.clone(),
key: key.0.clone(),
salt: salt.to_vec(),
key: key.to_vec(),
},
}),
ReplPasswordV1::PBKDF2 { cost, salt, hash } => Ok(Password {
material: Kdf::PBKDF2(*cost, salt.0.clone(), hash.0.clone()),
material: Kdf::PBKDF2(*cost, salt.to_vec(), hash.to_vec()),
}),
ReplPasswordV1::PBKDF2_SHA1 { cost, salt, hash } => Ok(Password {
material: Kdf::PBKDF2_SHA1(*cost, salt.0.clone(), hash.0.clone()),
material: Kdf::PBKDF2_SHA1(*cost, salt.to_vec(), hash.to_vec()),
}),
ReplPasswordV1::PBKDF2_SHA512 { cost, salt, hash } => Ok(Password {
material: Kdf::PBKDF2_SHA512(*cost, salt.0.clone(), hash.0.clone()),
material: Kdf::PBKDF2_SHA512(*cost, salt.to_vec(), hash.to_vec()),
}),
ReplPasswordV1::SHA1 { hash } => Ok(Password {
material: Kdf::SHA1(hash.0.clone()),
material: Kdf::SHA1(hash.to_vec()),
}),
ReplPasswordV1::SSHA1 { salt, hash } => Ok(Password {
material: Kdf::SSHA1(salt.0.clone(), hash.0.clone()),
material: Kdf::SSHA1(salt.to_vec(), hash.to_vec()),
}),
ReplPasswordV1::SHA256 { hash } => Ok(Password {
material: Kdf::SHA256(hash.0.clone()),
material: Kdf::SHA256(hash.to_vec()),
}),
ReplPasswordV1::SSHA256 { salt, hash } => Ok(Password {
material: Kdf::SSHA256(salt.0.clone(), hash.0.clone()),
material: Kdf::SSHA256(salt.to_vec(), hash.to_vec()),
}),
ReplPasswordV1::SHA512 { hash } => Ok(Password {
material: Kdf::SHA512(hash.0.clone()),
material: Kdf::SHA512(hash.to_vec()),
}),
ReplPasswordV1::SSHA512 { salt, hash } => Ok(Password {
material: Kdf::SSHA512(salt.0.clone(), hash.0.clone()),
material: Kdf::SSHA512(salt.to_vec(), hash.to_vec()),
}),
ReplPasswordV1::NT_MD4 { hash } => Ok(Password {
material: Kdf::NT_MD4(hash.0.clone()),
material: Kdf::NT_MD4(hash.to_vec()),
}),
}
}
2 changes: 1 addition & 1 deletion server/lib/src/credential/totp.rs
Expand Up @@ -129,7 +129,7 @@ impl TryFrom<&ReplTotpV1> for Totp {
let digits = TotpDigits::try_from(value.digits)?;

Ok(Totp {
secret: value.key.0.clone(),
secret: value.key.to_vec(),
step: value.step,
algo,
digits,
15 changes: 7 additions & 8 deletions server/lib/src/idm/oauth2.rs
Expand Up @@ -1009,7 +1009,7 @@ impl<'a> IdmServerProxyWriteTransaction<'a> {
hasher.update(code_verifier.as_bytes());
let code_verifier_hash: Vec<u8> = hasher.finish().to_vec();

if code_challenge.0 != code_verifier_hash {
if code_challenge != code_verifier_hash {
security_info!(
"PKCE code verification failed - this may indicate malicious activity"
);
Expand Down Expand Up @@ -2607,7 +2607,6 @@ mod tests {
use std::str::FromStr;
use std::time::Duration;

use base64urlsafedata::Base64UrlSafeData;
use compact_jwt::{
compact::JwkUse, crypto::JwsRs256Verifier, dangernoverify::JwsDangerReleaseWithoutVerify,
JwaAlg, Jwk, JwsCompact, JwsEs256Verifier, JwsVerifier, OidcSubject, OidcUnverified,
Expand Down Expand Up @@ -2658,7 +2657,7 @@ mod tests {
client_id: "test_resource_server".to_string(),
state: "123".to_string(),
pkce_request: Some(PkceRequest {
code_challenge: Base64UrlSafeData($code_challenge),
code_challenge: $code_challenge.into(),
code_challenge_method: CodeChallengeMethod::S256,
}),
redirect_uri: Url::parse("https://demo.example.com/oauth2/result").unwrap(),
Expand Down Expand Up @@ -3129,7 +3128,7 @@ mod tests {
let (_code_verifier, code_challenge) = create_code_verifier!("Whar Garble");

let pkce_request = Some(PkceRequest {
code_challenge: Base64UrlSafeData(code_challenge),
code_challenge: code_challenge.into(),
code_challenge_method: CodeChallengeMethod::S256,
});

Expand Down Expand Up @@ -4851,7 +4850,7 @@ mod tests {
client_id: "test_resource_server".to_string(),
state: "123".to_string(),
pkce_request: Some(PkceRequest {
code_challenge: Base64UrlSafeData(code_challenge),
code_challenge: code_challenge.into(),
code_challenge_method: CodeChallengeMethod::S256,
}),
redirect_uri: Url::parse("https://demo.example.com/oauth2/result").unwrap(),
Expand Down Expand Up @@ -4911,7 +4910,7 @@ mod tests {
client_id: "test_resource_server".to_string(),
state: "123".to_string(),
pkce_request: Some(PkceRequest {
code_challenge: Base64UrlSafeData(code_challenge),
code_challenge: code_challenge.into(),
code_challenge_method: CodeChallengeMethod::S256,
}),
redirect_uri: Url::parse("https://demo.example.com/oauth2/result").unwrap(),
Expand Down Expand Up @@ -5132,7 +5131,7 @@ mod tests {
client_id: "test_resource_server".to_string(),
state: "123".to_string(),
pkce_request: Some(PkceRequest {
code_challenge: Base64UrlSafeData(code_challenge.clone()),
code_challenge: code_challenge.clone().into(),
code_challenge_method: CodeChallengeMethod::S256,
}),
redirect_uri: Url::parse("http://demo.example.com/oauth2/result").unwrap(),
Expand Down Expand Up @@ -5914,7 +5913,7 @@ mod tests {
client_id: "test_resource_server".to_string(),
state: "123".to_string(),
pkce_request: Some(PkceRequest {
code_challenge: Base64UrlSafeData(code_challenge),
code_challenge: code_challenge.into(),
code_challenge_method: CodeChallengeMethod::S256,
}),
redirect_uri: Url::parse("http://localhost:8765/oauth2/result").unwrap(),
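Review bot: With the explicit `.0` field access gone, `if code_challenge != code_verifier_hash` in the first hunk now relies on the base64urlsafedata crate's comparison impl (presumably `PartialEq<Vec<u8>>` or a deref to `[u8]`) and nothing at the call site says what is being compared any more. A one-line comment would keep that explicit, e.g. `// S256: the client-supplied challenge (base64url-decoded bytes) must equal SHA-256(code_verifier).` A constant-time comparison is not needed here, since the challenge is a value the client itself submitted at authorization time rather than a secret. The enclosing method starts and ends outside the hunk.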