mortenVChristiansen
/
k_card
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
k_card/webauthn_local_demo.py

390 lines
14 KiB
Python
Raw Blame History

#!/usr/bin/env python3
"""
Local WebAuthn demo server for USB FIDO2 card testing.
Purpose:
- Validate registration and authentication flows with the connected card.
- Keep setup minimal (Python stdlib only).
Security note:
- This demo does NOT verify attestation or assertion signatures.
- Use only for local bring-up/testing, not production.
"""
from __future__ import annotations
import argparse
import base64
import json
import os
import secrets
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path
from typing import Any
from urllib.parse import urlparse
def b64u_encode(data: bytes) -> str:
return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64u_decode(data: str) -> bytes:
pad = "=" * ((4 - len(data) % 4) % 4)
return base64.urlsafe_b64decode((data + pad).encode("ascii"))
def random_b64u(n: int = 32) -> str:
return b64u_encode(secrets.token_bytes(n))
class DemoState:
def __init__(self, db_path: Path, rp_id: str, rp_name: str, origin: str):
self.db_path = db_path
self.rp_id = rp_id
self.rp_name = rp_name
self.origin = origin
self.pending_register: dict[str, str] = {}
self.pending_auth: dict[str, str] = {}
self.db: dict[str, Any] = self._load_db()
def _load_db(self) -> dict[str, Any]:
if not self.db_path.exists():
return {"users": {}}
with self.db_path.open("r", encoding="utf-8") as f:
return json.load(f)
def save_db(self) -> None:
self.db_path.parent.mkdir(parents=True, exist_ok=True)
with self.db_path.open("w", encoding="utf-8") as f:
json.dump(self.db, f, indent=2)
def get_user(self, username: str) -> dict[str, Any]:
users = self.db.setdefault("users", {})
return users.setdefault(username, {"credentials": []})
def html_page() -> str:
return """<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>ChromeCard WebAuthn Local Demo</title>
<style>
body { font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, sans-serif; max-width: 860px; margin: 2rem auto; padding: 0 1rem; }
h1 { margin-bottom: 0.5rem; }
.row { display: flex; gap: 0.5rem; margin: 0.8rem 0; }
input { flex: 1; padding: 0.55rem; border: 1px solid #c8c8c8; border-radius: 8px; }
button { padding: 0.55rem 0.8rem; border: 1px solid #444; border-radius: 8px; background: #fff; cursor: pointer; }
pre { background: #111; color: #ddd; padding: 1rem; border-radius: 10px; overflow: auto; min-height: 200px; }
.muted { color: #555; }
</style>
</head>
<body>
<h1>ChromeCard WebAuthn Demo</h1>
<p class="muted">Use this page to test local FIDO2 register/login over USB.</p>
<div class="row">
<input id="username" value="alice" />
<button id="registerBtn">Register</button>
<button id="loginBtn">Login</button>
</div>
<pre id="log"></pre>
<script>
const log = (obj) => {
const el = document.getElementById("log");
const text = typeof obj === "string" ? obj : JSON.stringify(obj, null, 2);
el.textContent = text + "\\n" + el.textContent;
};
const toB64u = (bytes) => {
let str = "";
const arr = new Uint8Array(bytes);
for (let i = 0; i < arr.length; i++) str += String.fromCharCode(arr[i]);
return btoa(str).replace(/\\+/g, "-").replace(/\\//g, "_").replace(/=+$/g, "");
};
const fromB64u = (s) => {
const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "===".slice((s.length + 3) % 4);
const bin = atob(b64);
const out = new Uint8Array(bin.length);
for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
return out.buffer;
};
async function postJson(path, body) {
const resp = await fetch(path, {
method: "POST",
headers: {"Content-Type": "application/json"},
body: JSON.stringify(body),
});
const data = await resp.json();
if (!resp.ok) throw new Error(JSON.stringify(data));
return data;
}
async function register() {
const username = document.getElementById("username").value.trim();
const start = await postJson("/register/start", {username});
const pk = start.publicKey;
pk.challenge = fromB64u(pk.challenge);
pk.user.id = fromB64u(pk.user.id);
const cred = await navigator.credentials.create({ publicKey: pk });
const body = {
username,
id: cred.id,
rawId: toB64u(cred.rawId),
type: cred.type,
response: {
clientDataJSON: toB64u(cred.response.clientDataJSON),
attestationObject: toB64u(cred.response.attestationObject),
}
};
const finish = await postJson("/register/finish", body);
log({registerResult: finish});
}
async function login() {
const username = document.getElementById("username").value.trim();
const start = await postJson("/auth/start", {username});
const pk = start.publicKey;
pk.challenge = fromB64u(pk.challenge);
pk.allowCredentials = pk.allowCredentials.map(c => ({...c, id: fromB64u(c.id)}));
const assertion = await navigator.credentials.get({ publicKey: pk });
const body = {
username,
id: assertion.id,
rawId: toB64u(assertion.rawId),
type: assertion.type,
response: {
clientDataJSON: toB64u(assertion.response.clientDataJSON),
authenticatorData: toB64u(assertion.response.authenticatorData),
signature: toB64u(assertion.response.signature),
userHandle: assertion.response.userHandle ? toB64u(assertion.response.userHandle) : null
}
};
const finish = await postJson("/auth/finish", body);
log({authResult: finish});
}
document.getElementById("registerBtn").addEventListener("click", () => {
register().catch((e) => log("register error: " + e.message));
});
document.getElementById("loginBtn").addEventListener("click", () => {
login().catch((e) => log("login error: " + e.message));
});
</script>
</body>
</html>
"""
class Handler(BaseHTTPRequestHandler):
state: DemoState
def _json(self, status: int, data: dict[str, Any]) -> None:
body = json.dumps(data).encode("utf-8")
self.send_response(status)
self.send_header("Content-Type", "application/json")
self.send_header("Content-Length", str(len(body)))
self.end_headers()
self.wfile.write(body)
def _bad(self, message: str, status: int = 400) -> None:
self._json(status, {"ok": False, "error": message})
def _read_json(self) -> dict[str, Any]:
length = int(self.headers.get("Content-Length", "0"))
raw = self.rfile.read(length)
return json.loads(raw.decode("utf-8"))
def do_GET(self) -> None: # noqa: N802
path = urlparse(self.path).path
if path == "/":
body = html_page().encode("utf-8")
self.send_response(200)
self.send_header("Content-Type", "text/html; charset=utf-8")
self.send_header("Content-Length", str(len(body)))
self.end_headers()
self.wfile.write(body)
return
self.send_error(404)
def do_POST(self) -> None: # noqa: N802
path = urlparse(self.path).path
try:
data = self._read_json()
except Exception:
self._bad("Invalid JSON")
return
if path == "/register/start":
self._register_start(data)
return
if path == "/register/finish":
self._register_finish(data)
return
if path == "/auth/start":
self._auth_start(data)
return
if path == "/auth/finish":
self._auth_finish(data)
return
self.send_error(404)
def _register_start(self, data: dict[str, Any]) -> None:
username = str(data.get("username", "")).strip()
if not username:
self._bad("username required")
return
challenge = random_b64u(32)
user_id = random_b64u(32)
self.state.pending_register[username] = challenge
public_key = {
"rp": {"name": self.state.rp_name, "id": self.state.rp_id},
"user": {"id": user_id, "name": username, "displayName": username},
"challenge": challenge,
"pubKeyCredParams": [{"type": "public-key", "alg": -7}, {"type": "public-key", "alg": -257}],
"timeout": 60000,
"attestation": "none",
"authenticatorSelection": {
"residentKey": "discouraged",
"requireResidentKey": False,
"userVerification": "preferred",
},
}
self._json(200, {"ok": True, "publicKey": public_key})
def _register_finish(self, data: dict[str, Any]) -> None:
username = str(data.get("username", "")).strip()
expected = self.state.pending_register.get(username)
if not username or not expected:
self._bad("no pending registration")
return
try:
client_data_raw = b64u_decode(data["response"]["clientDataJSON"])
client_data = json.loads(client_data_raw.decode("utf-8"))
challenge = client_data.get("challenge")
typ = client_data.get("type")
origin = client_data.get("origin")
except Exception:
self._bad("invalid credential response")
return
if typ != "webauthn.create":
self._bad("unexpected clientData type")
return
if challenge != expected:
self._bad("challenge mismatch")
return
if origin != self.state.origin:
self._bad(f"origin mismatch: expected {self.state.origin}, got {origin}")
return
raw_id = str(data.get("rawId", ""))
if not raw_id:
self._bad("rawId missing")
return
user = self.state.get_user(username)
creds = user.setdefault("credentials", [])
if raw_id not in creds:
creds.append(raw_id)
self.state.save_db()
self.state.pending_register.pop(username, None)
self._json(200, {"ok": True, "username": username, "credential_count": len(creds)})
def _auth_start(self, data: dict[str, Any]) -> None:
username = str(data.get("username", "")).strip()
if not username:
self._bad("username required")
return
user = self.state.db.get("users", {}).get(username)
if not user or not user.get("credentials"):
self._bad("no credentials for user", 404)
return
challenge = random_b64u(32)
self.state.pending_auth[username] = challenge
allow_credentials = [{"type": "public-key", "id": cid} for cid in user["credentials"]]
public_key = {
"challenge": challenge,
"rpId": self.state.rp_id,
"timeout": 60000,
"userVerification": "preferred",
"allowCredentials": allow_credentials,
}
self._json(200, {"ok": True, "publicKey": public_key})
def _auth_finish(self, data: dict[str, Any]) -> None:
username = str(data.get("username", "")).strip()
expected = self.state.pending_auth.get(username)
if not username or not expected:
self._bad("no pending authentication")
return
user = self.state.db.get("users", {}).get(username, {})
known = set(user.get("credentials", []))
raw_id = str(data.get("rawId", ""))
if raw_id not in known:
self._bad("unknown credential")
return
try:
client_data_raw = b64u_decode(data["response"]["clientDataJSON"])
client_data = json.loads(client_data_raw.decode("utf-8"))
challenge = client_data.get("challenge")
typ = client_data.get("type")
origin = client_data.get("origin")
except Exception:
self._bad("invalid assertion response")
return
if typ != "webauthn.get":
self._bad("unexpected clientData type")
return
if challenge != expected:
self._bad("challenge mismatch")
return
if origin != self.state.origin:
self._bad(f"origin mismatch: expected {self.state.origin}, got {origin}")
return
self.state.pending_auth.pop(username, None)
self._json(200, {"ok": True, "username": username, "authenticated": True})
def log_message(self, format: str, *args: Any) -> None:
return
def main() -> int:
parser = argparse.ArgumentParser(description="Local WebAuthn demo server")
parser.add_argument("--host", default="localhost")
parser.add_argument("--port", type=int, default=8765)
parser.add_argument("--rp-id", default="localhost")
parser.add_argument("--rp-name", default="ChromeCard Local Demo")
parser.add_argument("--origin", default="http://localhost:8765")
parser.add_argument("--db", default=".webauthn_demo_db.json")
args = parser.parse_args()
db_path = Path(args.db).resolve()
state = DemoState(db_path, rp_id=args.rp_id, rp_name=args.rp_name, origin=args.origin)
Handler.state = state
server = ThreadingHTTPServer((args.host, args.port), Handler)
print(f"WebAuthn demo listening on http://{args.host}:{args.port}")
print(f"RP ID: {args.rp_id}")
print(f"Origin: {args.origin}")
print(f"DB: {db_path}")
try:
server.serve_forever()
except KeyboardInterrupt:
pass
finally:
server.server_close()
return 0
if __name__ == "__main__":
raise SystemExit(main())
Reference in New Issue View Git Blame Copy Permalink