Resident Key is done

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Change Log
-## 2.6.0 (dev)
+## 2.6.1
+* Fix: CVE-2022-42731: related to the possibility of registration replay attack.
+  Thanks to 'SSE (Secure Systems Engineering)'
+
+## 2.5.1
+* Fix: CVE-2022-42731: related to the possibility of registration replay attack.
+  Thanks to 'SSE (Secure Systems Engineering)' 
+
+## 2.6.0
    * Adding Backup Recovery Codes (Recovery) as a method.
      Thanks to @Spitfireap for work, and  @peterthomassen for guidance.
    * Added: `RECOVERY_ITERATION` to set the number of iteration when hashing recovery token

README.md

@@ -1,6 +1,7 @@
 # django-mfa2
 A Django app that handles MFA, it supports TOTP, U2F, FIDO2 U2F (Web Authn), Email Tokens , Trusted  Devices and backup codes.
 
+[![Works with PassKeys](https://github.com/mkalioby/django-mfa2/raw/master/img/Works%20with%20PassKeys-black.png)](https://fidoalliance.org/passkeys/)
 ### Pip Stats
 [![PyPI version](https://badge.fury.io/py/django-mfa2.svg)](https://badge.fury.io/py/django-mfa2)
 [![Downloads Count](https://static.pepy.tech/personalized-badge/django-mfa2?period=total&units=international_system&left_color=black&right_color=green&left_text=Downloads)](https://pepy.tech/project/django-mfa2)
@@ -89,6 +90,10 @@ Depends on
    U2F_APPID="https://localhost"    #URL For U2F
    FIDO_SERVER_ID=u"localehost"      # Server rp id for FIDO2, it is the full domain of your project
    FIDO_SERVER_NAME=u"PROJECT_NAME"
+   MFA_FIDO2_RESIDENT_KEY = mfa.ResidentKey.DISCOURAGED  # Resident Key allows a special User Handle
+   MFA_FIDO2_AUTHENTICATOR_ATTACHMENT = None  # Let the user choose
+   MFA_FIDO2_USER_VERIFICATION = None         # Verify User Presence
+   MFA_FIDO2_ATTESTATION_PREFERENCE = mfa.AttestationPreference.NONE
    ```
    **Method Names**
    * U2F
@@ -103,8 +108,10 @@ Depends on
     * Starting version 1.7.0, Key owners can be specified.
     * Starting version 2.2.0
         * Added: `MFA_SUCCESS_REGISTRATION_MSG` & `MFA_REDIRECT_AFTER_REGISTRATION`
-    Start version 2.6.0
+    * Starting version 2.6.0
         * Added: `MFA_ALWAYS_GO_TO_LAST_METHOD`, `MFA_RENAME_METHODS`, `MFA_ENFORCE_RECOVERY_METHOD` & `RECOVERY_ITERATION`
+    * Starting version 2.7.0
+        * Added: `MFA_FIDO2_RESIDENT_KEY`, `MFA_FIDO2_AUTHENTICATOR_ATTACHMENT`, `MFA_FIDO2_USER_VERIFICATION`, `MFA_FIDO2_ATTESTATION_PREFERENCE`
 4. Break your login function
 
    Usually your login function will check for username and password, log the user in if the username and password are correct and create the user session, to support mfa, this has to change
@@ -196,6 +203,8 @@ function some_func() {
 * [AndreasDickow](https://github.com/AndreasDickow)
 * [mnelson4](https://github.com/mnelson4)
 * [ezrajrice](https://github.com/ezrajrice)
+* [Spitfireap](https://github.com/Spitfireap)
+* [peterthomassen](https://github.com/peterthomassen)
 
 
  # Security contact information

example/example/settings.py

@@ -13,6 +13,8 @@ https://docs.djangoproject.com/en/2.0/ref/settings/
 import os
 from django.conf.global_settings import PASSWORD_HASHERS as DEFAULT_PASSWORD_HASHERS
 
+import mfa
+
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
@@ -145,6 +147,10 @@ MFA_REDIRECT_AFTER_REGISTRATION="registered"
 MFA_SUCCESS_REGISTRATION_MSG="Go to Home"
 MFA_ALWAYS_GO_TO_LAST_METHOD = True
 MFA_ENFORCE_RECOVERY_METHOD = True
+MFA_FIDO2_RESIDENT_KEY = mfa.ResidentKey.REQUIRED  # Resident Key allows a special User Handle
+MFA_FIDO2_AUTHENTICATOR_ATTACHMENT = None  # Let the user choose
+MFA_FIDO2_USER_VERIFICATION = None         # Verify User Presence
+MFA_FIDO2_ATTESTATION_PREFERENCE = mfa.AttestationPreference.NONE
 MFA_RENAME_METHODS = {"RECOVERY":"Backup Codes","FIDO2":"Biometric Authentication"}
 PASSWORD_HASHERS = DEFAULT_PASSWORD_HASHERS #Comment if PASSWORD_HASHER already set
 PASSWORD_HASHERS += ['mfa.recovery.Hash']

example/example/templates/login.html

@@ -44,7 +44,9 @@
             </div>
           </div>
 
-          <button class="btn btn-primary btn-block" type="submit">Login</button>
+          <button class="btn btn-primary btn-block" type="submit">Login</button><br/>
+
+            <button class="btn btn-primary btn-block" type="button" onclick="authen()">Login By Security Key</button>
         </form>
       </div>
     </div>
@@ -56,7 +58,7 @@
 
   <!-- Core plugin JavaScript-->
   <script src="{% static 'vendor/jquery-easing/jquery.easing.min.js'%}"></script>
-
+    {% include 'FIDO2/Auth_JS.html'%}
 </body>
 
 </html>

mfa/FIDO2.py

@@ -16,7 +16,7 @@ from .views import login, reset_cookie
 import datetime
 from .Common import get_redirect_url
 from django.utils import timezone
-
+from django.http import JsonResponse
 
 def recheck(request):
     """Starts FIDO2 recheck"""
@@ -28,18 +28,25 @@ def recheck(request):
 
 def getServer():
     """Get Server Info from settings and returns a Fido2Server"""
+    from mfa import AttestationPreference
     rp = PublicKeyCredentialRpEntity(id=settings.FIDO_SERVER_ID, name=settings.FIDO_SERVER_NAME)
-    return Fido2Server(rp)
+    attestation= getattr(settings,'MFA_FIDO2_ATTESTATION_PREFERENCE', AttestationPreference.NONE )
+    return Fido2Server(rp,attestation=attestation)
 
 
 def begin_registeration(request):
     """Starts registering a new FIDO Device, called from API"""
     server = getServer()
+    from mfa import ResidentKey
+    resident_key = getattr(settings,'MFA_FIDO2_RESIDENT_KEY', ResidentKey.DISCOURAGED)
+    auth_attachment = getattr(settings,'MFA_FIDO2_AUTHENTICATOR_ATTACHMENT', None)
+    user_verification = getattr(settings,'MFA_FIDO2_USER_VERIFICATION', None)
     registration_data, state = server.register_begin({
         u'id': request.user.username.encode("utf8"),
         u'name': (request.user.first_name + " " + request.user.last_name),
         u'displayName': request.user.username,
-    }, getUserCredentials(request.user.username))
+    }, getUserCredentials(request.user.username),user_verification = user_verification,
+        resident_key_requirement = resident_key, authenticator_attachment = auth_attachment)
     request.session['fido_state'] = state
 
     return HttpResponse(cbor.encode(registration_data), content_type = 'application/octet-stream')
@@ -49,13 +56,15 @@ def begin_registeration(request):
 def complete_reg(request):
     """Completes the registeration, called by API"""
     try:
+        if not "fido_state" in request.session:
+            return JsonResponse({'status': 'ERR', "message": "FIDO Status can't be found, please try again"})
         data = cbor.decode(request.body)
 
         client_data = CollectedClientData(data['clientDataJSON'])
         att_obj = AttestationObject((data['attestationObject']))
         server = getServer()
         auth_data = server.register_complete(
-            request.session['fido_state'],
+            request.session.pop('fido_state'),
             client_data,
             att_obj
         )
@@ -65,6 +74,8 @@ def complete_reg(request):
         uk.properties = {"device": encoded, "type": att_obj.fmt, }
         uk.owned_by_enterprise = getattr(settings, "MFA_OWNED_BY_ENTERPRISE", False)
         uk.key_type = "FIDO2"
+        if auth_data.credential_data.credential_id:
+            uk.user_handle = auth_data.credential_data.credential_id
         uk.save()
         if getattr(settings, 'MFA_ENFORCE_RECOVERY_METHOD', False) and not User_Keys.objects.filter(key_type = "RECOVERY", username=request.user.username).exists():
             request.session["mfa_reg"] = {"method":"FIDO2","name": getattr(settings, "MFA_RENAME_METHODS", {}).get("FIDO2", "FIDO2")}
@@ -79,7 +90,7 @@ def complete_reg(request):
             client.captureException()
         except:
             pass
-        return HttpResponse(simplejson.dumps({'status': 'ERR', "message": "Error on server, please try again later"}))
+        return JsonResponse({'status': 'ERR', "message": "Error on server, please try again later"})
 
 
 def start(request):
@@ -105,6 +116,13 @@ def auth(request):
 
 def authenticate_begin(request):
     server = getServer()
+    credentials=[]
+    username = None
+    if "base_username" in request.session:
+        username = request.session["base_username"]
+    if request.user.is_authenticated:
+        username = request.user.username
+    if username:
         credentials = getUserCredentials(request.session.get("base_username", request.user.username))
     auth_data, state = server.authenticate_begin(credentials)
     request.session['fido_state'] = state
@@ -115,11 +133,22 @@ def authenticate_begin(request):
 def authenticate_complete(request):
     try:
         credentials = []
-        username = request.session.get("base_username", request.user.username)
+        username = None
+        keys = None
+        if "base_username" in request.session:
+            username = request.session["base_username"]
+        if request.user.is_authenticated:
+            username = request.user.username
         server = getServer()
-        credentials = getUserCredentials(username)
         data = cbor.decode(request.body)
         credential_id = data['credentialId']
+        if credential_id and username is None:
+            keys = User_Keys.objects.filter(user_handle = credential_id)
+            if keys.exists():
+                credentials=[AttestedCredentialData(websafe_decode(keys[0].properties["device"]))]
+        else:
+            credentials = getUserCredentials(username)
+
         client_data = CollectedClientData(data['clientDataJSON'])
         auth_data = AuthenticatorData(data['authenticatorData'])
         signature = data['signature']
@@ -153,6 +182,7 @@ def authenticate_complete(request):
                                 content_type = "application/json")
         else:
             import random
+            if keys is None:
                 keys = User_Keys.objects.filter(username = username, key_type = "FIDO2", enabled = 1)
             for k in keys:
                 if AttestedCredentialData(websafe_decode(k.properties["device"])).credential_id == cred.credential_id:
@@ -168,7 +198,7 @@ def authenticate_complete(request):
                     except:
                         authenticated = request.user.is_authenticated()
                     if not authenticated:
-                        res = login(request)
+                        res = login(request,k.username)
                         if not "location" in res: return reset_cookie(request)
                         return HttpResponse(simplejson.dumps({'status': "OK", "redirect": res["location"]}),
                                             content_type = "application/json")

mfa/__init__.py

@@ -1 +1,5 @@
-__version__="2.2.0"
+__version__="2.7.1"
+from fido2.webauthn import ResidentKeyRequirement as ResidentKey
+from fido2.webauthn import AuthenticatorAttachment as Attachment
+from fido2.webauthn import UserVerificationRequirement as UserVerification
+from fido2.webauthn import AttestationConveyancePreference as AttestationPreference

mfa/migrations/0012_user_keys_userhandle.py

@@ -0,0 +1,17 @@
+# Generated by Django 2.2 on 2022-10-16 14:15
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('mfa', '0011_auto_20210530_0622'),
+    ]
+    operations = [
+        migrations.AddField(
+            model_name='user_keys',
+            name='user_handle',
+            field=models.CharField(blank=True, default=None, max_length=255, null=True),
+        ),
+    ]

mfa/models.py

@@ -16,6 +16,7 @@ class User_Keys(models.Model):
     expires=models.DateTimeField(null=True,default=None,blank=True)
     last_used=models.DateTimeField(null=True,default=None,blank=True)
     owned_by_enterprise=models.BooleanField(default=None,null=True,blank=True)
+    user_handle = models.CharField(default = None, null = True, blank = True, max_length = 255)
 
     def save(self, force_insert=False, force_update=False, using=None, update_fields=None):
         if self.key_type == "Trusted Device" and self.properties.get("signature","") == "":

mfa/templates/FIDO2/Add.html

@@ -12,7 +12,7 @@
       }
       throw new Error('Error getting registration data!');
     }).then(CBOR.decode).then(function(options) {
-        options.publicKey.attestation="direct"
+        //options.publicKey.attestation="direct"
         console.log(options)
 
       return navigator.credentials.create(options);

mfa/templates/FIDO2/Auth_JS.html

@@ -0,0 +1,71 @@
+{% load static %}
+<script type="application/javascript" src="{% static 'mfa/js/cbor.js' %}"></script>
+<script type="application/javascript" src="{% static 'mfa/js/ua-parser.min.js' %}"></script>
+<script type="text/javascript">
+        function authen()
+        {
+                         fetch('{% url 'fido2_begin_auth' %}', {
+      method: 'GET',
+    }).then(function(response) {
+      if(response.ok) return response.arrayBuffer();
+      throw new Error('No credential available to authenticate!');
+    }).then(CBOR.decode).then(function(options) {
+        console.log(options)
+      return navigator.credentials.get(options);
+    }).then(function(assertion) {
+        res=CBOR.encode({
+          "credentialId": new Uint8Array(assertion.rawId),
+          "authenticatorData": new Uint8Array(assertion.response.authenticatorData),
+          "clientDataJSON": new Uint8Array(assertion.response.clientDataJSON),
+          "signature": new Uint8Array(assertion.response.signature)
+        });
+
+      return fetch('{% url 'fido2_complete_auth' %}', {
+
+        method: 'POST',
+        headers: {'Content-Type': 'application/cbor'},
+        body:res,
+
+      }).then(function (response) {if (response.ok) return res = response.json()}).then(function (res) {
+          if (res.status=="OK")
+          {
+              $("#msgdiv").addClass("alert alert-success").removeClass("alert-danger")
+             $("#msgdiv").html("Verified....please wait")
+          {%  if mode == "auth" or mode == None %}
+          window.location.href=res.redirect;
+          {% elif mode == "recheck" %}
+              mfa_success_function();
+          {% endif %}
+          }
+          else {
+              $("#msgdiv").addClass("alert alert-danger").removeClass("alert-success")
+                $("#msgdiv").html("Verification Failed as " + res.message + ", <a href='javascript:void(0)' onclick='authen())'> try again</a> or <a href='javascript:void(0)' onclick='history.back()'> Go Back</a>")
+
+              {%  if mode == "auth" %}
+
+              {% elif mode == "recheck" %}
+
+                mfa_failed_function();
+              {% endif %}
+          }
+      })
+
+                 })
+
+        }
+    $(document).ready(function () {
+        if (location.protocol != 'https:') {
+            $("#main_paragraph").addClass("alert alert-danger")
+            $("#main_paragraph").html("FIDO2 must work under secure context")
+        } else {
+            ua=new UAParser().getResult()
+            if (ua.browser.name == "Safari" || ua.browser.name == "Mobile Safari" || ua.os.name == "iOS" || ua.os.name == "iPadOS")
+                $("#res").html("<button class='btn btn-success' onclick='authen()'>Authenticate...</button>")
+            else
+                authen()
+        }
+    });
+
+
+
+    </script>

mfa/templates/FIDO2/recheck.html

@@ -1,6 +1,4 @@
 {%  load static %}
-<script type="application/javascript" src="{% static 'mfa/js/cbor.js' %}"></script>
-<script type="application/javascript" src="{% static 'mfa/js/ua-parser.min.js' %}"></script>
 <div class="row">
 
 <div class="col-sm-10 col-sm-offset-1 col-xs-12 col-md-10 col-md-offset-1 col-lg-8 col-lg-offset-2 offset-2 col-8">
@@ -47,71 +45,4 @@
 </div>
 </div>
 
-    <script type="text/javascript">
+    {% include 'FIDO2/Auth_JS.html' %}
-        function authen()
-        {
-                         fetch('{% url 'fido2_begin_auth' %}', {
-      method: 'GET',
-    }).then(function(response) {
-      if(response.ok) return response.arrayBuffer();
-      throw new Error('No credential available to authenticate!');
-    }).then(CBOR.decode).then(function(options) {
-        console.log(options)
-      return navigator.credentials.get(options);
-    }).then(function(assertion) {
-        res=CBOR.encode({
-          "credentialId": new Uint8Array(assertion.rawId),
-          "authenticatorData": new Uint8Array(assertion.response.authenticatorData),
-          "clientDataJSON": new Uint8Array(assertion.response.clientDataJSON),
-          "signature": new Uint8Array(assertion.response.signature)
-        });
-
-      return fetch('{% url 'fido2_complete_auth' %}', {
-
-        method: 'POST',
-        headers: {'Content-Type': 'application/cbor'},
-        body:res,
-
-      }).then(function (response) {if (response.ok) return res = response.json()}).then(function (res) {
-          if (res.status=="OK")
-          {
-              $("#msgdiv").addClass("alert alert-success").removeClass("alert-danger")
-             $("#msgdiv").html("Verified....please wait")
-          {%  if mode == "auth" %}
-          window.location.href=res.redirect;
-          {% elif mode == "recheck" %}
-              mfa_success_function();
-          {% endif %}
-          }
-          else {
-              $("#msgdiv").addClass("alert alert-danger").removeClass("alert-success")
-                $("#msgdiv").html("Verification Failed as " + res.message + ", <a href='javascript:void(0)' onclick='authen())'> try again</a> or <a href='javascript:void(0)' onclick='history.back()'> Go Back</a>")
-
-              {%  if mode == "auth" %}
-
-              {% elif mode == "recheck" %}
-
-                mfa_failed_function();
-              {% endif %}
-          }
-      })
-
-                 })
-
-        }
-    $(document).ready(function () {
-        if (location.protocol != 'https:') {
-            $("#main_paragraph").addClass("alert alert-danger")
-            $("#main_paragraph").html("FIDO2 must work under secure context")
-        } else {
-            ua=new UAParser().getResult()
-            if (ua.browser.name == "Safari" || ua.browser.name == "Mobile Safari" || ua.os.name == "iOS" || ua.os.name == "iPadOS")
-                $("#res").html("<button class='btn btn-success' onclick='authen()'>Authenticate...</button>")
-            else
-                authen()
-        }
-    });
-
-
-
-    </script>

mfa/views.py

@@ -60,11 +60,13 @@ def reset_cookie(request):
     response.delete_cookie("base_username")
     return response
 
-def login(request):
+def login(request,username = None):
     from django.contrib import auth
     from django.conf import settings
     callable_func = __get_callable_function__(settings.MFA_LOGIN_CALLBACK)
-    return callable_func(request,username=request.session["base_username"])
+    if not username:
+        username = request.session["base_username"]
+    return callable_func(request,username=username)
 
 
 @login_required

setup.py

@@ -4,7 +4,7 @@ from setuptools import find_packages, setup
 
 setup(
     name='django-mfa2',
-    version='2.5.0',
+    version='2.6.1',
     description='Allows user to add 2FA to their accounts',
     long_description=open("README.md").read(),
     long_description_content_type="text/markdown",