Initial commit

.gitignore

@@ -0,0 +1,28 @@
+.gradle
+/build/
+!gradle/wrapper/gradle-wrapper.jar
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+/out/
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+.swp
+/.nb-gradle/
+**/build/

README.md

@@ -0,0 +1,142 @@
+
+<img src="images/fido2_certificate.jpg" height="500" align="center" alt=""/>
+
+## Overview
+
+FIDO (Fast IDentity Online) is open standard for online authentication. It is designed for solving the password problems which is stems from a lot of security problems as we are suffering today.
+
+Rather than relying on symmetric credentials (like password or pin, typically which is knowledge based factor), FIDO is based on public key cryptography algorithm which is based on asymmetric credentials.
+
+Simply, the device generates the key pair and stores the private key within the secure area and send corresponding public key (as the name implies it is okay to be public) to the server.
+
+Then, if the authentication is needed, the server sends challenges to the device and the device generates the digital signature with the private key and send it to the server.
+
+Finally, the server can validate the signature with the registered public key.
+
+### What is FIDO2
+FIDO2 is an improved standard for use on the web and other platforms as well as mobile. Various web browsers and OS platforms currently support the FIDO2 standard API.
+
+Basically, FIDO2 has following operations - Registration, Authentication.
+
+#### Registration
+- User is prompted to choose an available FIDO authenticator that matches the online service’s acceptance policy.
+- User unlocks the FIDO authenticator using a fingerprint reader, a button on a second–factor device, securely–entered PIN or other method.
+- User’s device creates a new public/private key pair unique for the local device, online service and user’s account.
+- Public key is sent to the online service and associated with the user’s account. The private key and any information about the local authentication method (such as biometric measurements or templates) never leave the local device.
+
+#### Authentication
+- Online service challenges the user to login with a previously registered device that matches the service’s acceptance policy.
+- User unlocks the FIDO authenticator using the same method as at Registration time.
+- Device uses the user’s account identifier provided by the service to select the correct key and sign the service’s challenge.
+- Client device sends the signed challenge back to the service, which verifies it with the stored public key and logs in the user.
+
+  
+## Screenshots
+### Chrome on Mac with TouchId
+<img src="images/chrome_mac_touchid.gif" height="500" align="center" alt="registration_flow"/>
+
+### Chrome on Mac with Secret Key (2FA)
+<img src="images/chrome_mac_secretkey.gif" height="500" align="center" alt="registration_flow"/>
+
+### Chrome on Android with Fingerprint (Reg)
+<img src="images/chrome_android_fingerprint_reg.GIF" height="500" align="center" alt="registration_flow"/>
+
+### Chrome on Android with Fingerprint (Auth)
+<img src="images/chrome_android_fingerprint_auth.GIF" height="500" align="center" alt="registration_flow"/>
+
+## Modules
+- common: fido2 related common models
+- rp-server: simple rp server implementation
+- server: fido2 server
+- spring-boot-stater: Fido2 server wrapped in a spring boot starter
+
+## Features
+- Supported browsers (Supported authenticators and interfaces may be different depending on the current browsers implementations)
+ - Chrome
+ - Opera (inherited from Chrome)
+ - Firefox
+ - MS Edge (Windows 10 /w 2018 October Update)
+ - MS Edge on Chromium
+ - Safari
+- Supported authenticators (Platforms and externals)
+ - Any FIDO2 authenticators and U2F authenticators with None attestation
+- Signature algorithms
+ - RS1 (RSASSA-PKCS1-v1_5 w/ SHA-1)
+ - RS256 (RSASSA-PKCS1-v1_5 w/ SHA-256)
+ - RS384 (RSASSA-PKCS1-v1_5 w/ SHA-384)
+ - RS512 (RSASSA-PKCS1-v1_5 w/ SHA-512)
+ - PS256 (RSASSA-PSS w/ SHA-256)
+ - PS384 (RSASSA-PSS w/ SHA-384)
+ - PS512 (RSASSA-PSS w/ SHA-512)
+ - EDDSA (EdDSA)
+ - ES256 (ECDSA w/ SHA-256)
+ - ES384 (ECDSA w/ SHA-384)
+ - ES512 (ECDSA w/ SHA-512)
+ - ES256K (ECDSA using P-256K and SHA-256)
+- Supported attestation types
+ - Basic
+ - Self
+ - Attestation CA (a.k.a Privacy CA)
+ - None
+ - Anonymization CA
+- Supported attestation formats
+ - Packed (FIDO2)
+ - Tpm (Windows10 devices)
+ - Android key attestation
+ - Android safetynet (Any Android devices running 7+)
+ - FIDO U2F (Legacy U2F authenticators)
+ - Apple Anonymous
+ - None
+- Metadata service integration
+ - FIDO MDSv2
+- Supported extensions
+ - credProps
+ - credProtect
+
+## How to play with
+You need to run FIDO2 server and RP Server first.
+
+If you want to integrate your own RP Server, please implement APIs by referring the sample codes. Regarding client sides, you may implement the web app for communicating with RP server.
+
+## Local DB
+FIDO2 Server running on local environments uses h2 as an embedded DB. For other environments such as stg, beta or real, this need to be replaced with commercial standalone DB.
+
+In case of local environment, you can use h2 console. Add following path /h2-console to the fido server url to access h2 web console.
+
+e.g., http:https://localhost:8081/h2-console
+
+## Spring Boot Starter
+We also provide our server in the form of spring boot starter.
+
+Check out the spring-boot-starter directory.
+
+## How to run
+```bash
+# Start RP Server
+cd rpserver
+./gradlew bootRun
+
+# Start FIDO2 Server or Line-fido2-spring-boot Demo
+cd server
+./gradlew bootRun
+
+cd spring-boot-starter/line-fido2-spring-boot-demo
+./gradlew bootRun
+```
+
+## Issues
+- If data.sql doesn't work well in an IntelliJ environment,
+ try commenting on this part in build.gradle.
+```groovy
+jar {
+ processResources {
+ exclude("**/*.sql")
+ }
+}
+```
+
+## Lombok
+This project utilizes Lombok to reduce implementing getter/setter/constructors. You need lombok plugin to build with IntelliJ and Eclipse.
+See following web pages to get information.
+
+https://projectlombok.org/

build.gradle

@@ -0,0 +1,7 @@
+/*
+ * Copyright (c) 2018 LINE Corporation. All rights reserved.
+ * LINE Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
+ */
+
+group 'com.linecorp.line.auth.fido.fido2'
+version '1.0-SNAPSHOT'

common/build.gradle

@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2018 LINE Corporation. All rights reserved.
+ * LINE Corporation PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
+ */
+
+plugins {
+ id 'java'
+}
+
+apply plugin: 'maven'
+group 'com.linecorp.line.auth.fido.fido2'
+version '1.1.1-SNAPSHOT'
+
+sourceCompatibility = 1.8
+
+repositories {
+ mavenCentral()
+}
+
+
+dependencies {
+ compile('com.fasterxml.jackson.core:jackson-databind:2.9.6')
+ compile('com.fasterxml.jackson.core:jackson-core:2.9.6')
+ compile('com.fasterxml.jackson.core:jackson-annotations:2.9.6')
+ compileOnly 'org.projectlombok:lombok:1.18.18'
+ annotationProcessor 'org.projectlombok:lombok:1.18.18'
+ testCompile group: 'junit', name: 'junit', version: '4.12'
+}

common/src/main/java/com/linecorp/line/auth/fido/fido2/common/AttestationConveyancePreference.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright 2021 LINE Corporation
+ *
+ * LINE Corporation licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.linecorp.line.auth.fido.fido2.common;
+
+public enum AttestationConveyancePreference {
+ none, indirect, direct
+}

common/src/main/java/com/linecorp/line/auth/fido/fido2/common/AuthenticatorAttachment.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2021 LINE Corporation
+ *
+ * LINE Corporation licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.linecorp.line.auth.fido.fido2.common;
+
+import java.util.Arrays;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonValue;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+
+@AllArgsConstructor
+public enum AuthenticatorAttachment {
+ PLATFORM("platform"),
+ CROSS_PLATFORM("cross-platform");
+
+ @JsonValue
+ @Getter private final String value;
+
+ @JsonCreator(mode=JsonCreator.Mode.DELEGATING)
+ public static AuthenticatorAttachment fromValue(String value) {
+ return Arrays.stream(AuthenticatorAttachment.values())
+ .filter(e -> e.value.equals(value))
+ .findFirst()
+ .get();
+ }
+}

common/src/main/java/com/linecorp/line/auth/fido/fido2/common/AuthenticatorSelectionCriteria.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright 2021 LINE Corporation
+ *
+ * LINE Corporation licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.linecorp.line.auth.fido.fido2.common;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonInclude.Include;
+
+import lombok.Data;
+
+@Data
+@JsonInclude(Include.NON_NULL)
+public class AuthenticatorSelectionCriteria {
+ private AuthenticatorAttachment authenticatorAttachment;
+ private boolean requireResidentKey;
+ private UserVerificationRequirement userVerification;
+}

common/src/main/java/com/linecorp/line/auth/fido/fido2/common/AuthenticatorTransport.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2021 LINE Corporation
+ *
+ * LINE Corporation licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.linecorp.line.auth.fido.fido2.common;
+
+import java.util.Arrays;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonValue;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+
+@AllArgsConstructor
+public enum AuthenticatorTransport {
+ USB("usb"),
+ NFC("nfc"),
+ BLE("ble"),
+ INTERNAL("internal");
+
+ @JsonValue
+ @Getter private final String value;
+
+ @JsonCreator(mode=JsonCreator.Mode.DELEGATING)
+ public static AuthenticatorTransport fromValue(String value) {
+ return Arrays.stream(AuthenticatorTransport.values())
+ .filter(e -> e.value.equals(value))
+ .findFirst()
+ .get();
+ }
+}