Crypt::U2F::Server::Simple - Register and Authenticate U2F compatible security
devices
use Crypt::U2F::Server:Simple;
my $crypter = Crypt::U2F::Server::Simple->new(
appId => 'Perl',
origin => 'http://search.cpan.org'
);
# Generate a registration request
my $registerRequest = $crypter->registrationChallenge();
# Give $registerRequest to client, receive $registrationData from client
# NB: if Crypt::U2F::Server::Simple has been recreated (web process for example), challenge
# value must be restored (value only, not JSON blob):
#$crypter->setChallenge($challenge)
my ($keyHandle, $userKey) = $crypter->registrationVerify($registrationData)
# Generate an authentication request (using the previously generated key handle and user key)
my $authrequest = $crypter->authenticationChallenge();
# Send $authrequest to client, receive $authSignature
# NB: if Crypt::U2F::Server::Simple has been recreated (web process for example), challenge
# value must be restored (value only, not JSON blob):
#$crypter->setChallenge($challenge)
my $authok = $crypter->authenticationVerify($authSignature);
This module implements the server side of U2F authentication through Yubico's C
library.
Both registration and authentication are two step processes that each must be
run in the same instance of this perl module. To clarify You can run
registration from another instance than authentication, or even in another
program on another server. But, as far as it is currently implemented, you
must run both registration steps in the same instance of this module, the same
goes for authentication. Needs more testing, really.
A successful registration of a key yields to two scalars, a key handle and a
public key. It is
your responsibility to keep them safe somewhere and
reload them into this module whenever you want to do authentication.
This module requires the Yubico u2f-server shared library installed, please see
the official project page at
<
https://developers.yubico.com/libu2f-server/> on how to do that.
The way this is currently implemented, i doubt very much that multithreadingm
will work. Multi-Forking should be OK as long as you only call
new()
after forking, though. Also using more than one instance of this module
in your program. This isn't really tested at the moment, though...
As already stated above, at this time Crypt::U2F::Server and
Crypt::U2F::Server::Simple have seen only very limited testing and the modules
are still subject to change.
That isn't to say that you shouldn't use this at all. Rather, if you are
interested, you should test this a lot and report any bugs you find!
Probably the most important function of all, therefore mention first. If
something goes wrong (but not HorriblyWrong[tm]), you'll get the last error
description of whatever happened.
If something fails during
new(), call it with the full name:
my $oooops = Crypt::U2F::Server::Simple::lastError();
If you already got an instance, you can use that as well:
my $oooops = $auth->lastError();
Errors are global over all instances of this module.
If things go HorriblyWrong[tm], your program might crash. Or get
remote-buffer-overflow-exploited or something. In these case,
lastError() might not work reliably. You know, just the usual crypto
stuff...
This comes in two forms, depending if you do authentication in the same instance
as the registration steps.
The simple form (only registration or registration+authentication) only requires
the arguments appId and origin:
my $auth = Crypt::U2F::Server::Simple->new(
appId => 'Perl',
origin => 'http://search.cpan.org'
);
If you only do authentication, you have to supply the keyHandle and publicKey
data as well:
my $auth = Crypt::U2F::Server::Simple->new(
appId => 'Perl',
origin => 'http://search.cpan.org',
keyHandle => $keyHandleData
publicKey => $publicKeyData
);
For security, i would recommend creating a new instance for each and every
authentication request.
If something goes wrong during initialization, $auth will be
undef.
To enable Yubico library debug, set debug to 1:
my $auth = Crypt::U2F::Server::Simple->new(
appId => 'Perl',
origin => 'http://search.cpan.org',
debug => 1
);
my $challenge = $auth->registrationChallenge();
Gives you a unique registration challenge on every call. This is a JSON string
and should be send to the client (called a "host" for whatever
reason) as is.
If something goes wrong, $challenge will be
undef.
$challenge is a JSON blob that contains a hash. Here are the main keys
- version: the protocol version
- appId: the appId given in new()
- challenge: the challenge value
my ($keyHandle, $publicKey) = $auth->registrationVerify($reply);
If the client (the "host") accepts the challenge, it will send you
another JSON blob ($reply).
If everything goes well and registration succeeds, you will get the key handle
and public key of, well client key. If it fails, you will get
undef.
$keyHandle and $publicKey will get set internally for direct following
authentication in the same instance, you need to store it in some persistent
way yourself for future authentication.
As an added bonus, $publicKey will be a binary blob, so you may have to convert
it to something like Base64 for easier handling. See MIME::Base64 on how to do
that. Make sure you un-encode before loading it into this module!
This function generates an authentication challenge. To do that, it needs
keyHandle and publicKey, since this is key dependent.
my $challenge = $auth->authenticationChallenge();
Otherwise, this works the same as the registration challenge. You get a JSON
blob, send that to the client and get an answer.
The JSON blob structure is described in
registrationChallenge() doc.
After you get the authentication answer, you need to verify it:
my $isValid = $auth->authenticationVerify($reply);
$isValid is true if authentication succeedsr. If something went wrong (library
error, fake user), $isValid is false, in which case you can look into
lastError() to see what went wrong.
If Crypt::U2F::Server::Simple has been recreated since
registrationChallenge() or
authenticationChallenge() usage,
challenge value must be restored:
$auth->setChallenge($challenge)
Note that $challenge must be the string value of challenge, not the JSON blob.
See
registrationChallenge() doc to get challenge description.
See Crypt::U2F::Server for the low level library if you want better headaches.
There are two examples in the tarball for registration and authentication.
Yes, there should be some in there. First of all, this is crypto stuff, so it's
broken by default (it only depends on the time it takes to happen).
Also, at the moment, this module has seen only very limited testing.
- Rene Schickbauer,
<[email protected]>
- Xavier Guimard, <[email protected]>
Adapted as a Perl library by Rene 'cavac' Schickbauer
This roughly based on u2f-server.c from Yubico's C library, see
<
https://developers.yubico.com/libu2f-server/>
In order for this to work, you need to install that library.
This adaption is (C) 2014-2018 Rene 'cavac' Schickbauer and 2018 Xavier Guimard,
but as it is based on Yubico's code, the licence below applies!
We, the community, would hereby thank Yubico for open sourcing their
code!
/*
* Copyright (c) 2014 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/