forked from Silverfish/proton-bridge
112 lines
3.4 KiB
Go
112 lines
3.4 KiB
Go
// Copyright (c) 2026 Proton AG
|
|
//
|
|
// This file is part of Proton Mail Bridge.
|
|
//
|
|
// Proton Mail Bridge is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// Proton Mail Bridge is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU General Public License
|
|
// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
package fido
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"fmt"
|
|
|
|
"github.com/ProtonMail/go-proton-api"
|
|
)
|
|
|
|
type authData struct {
|
|
AllowCredentials []interface{}
|
|
ClientDataJSONBytes []byte
|
|
RpID string
|
|
}
|
|
|
|
func extractFidoAuthData(auth proton.Auth) (authData, error) {
|
|
authOptions, ok := auth.TwoFA.FIDO2.AuthenticationOptions.(map[string]interface{})
|
|
if !ok {
|
|
return authData{}, fmt.Errorf("invalid authentication options format")
|
|
}
|
|
|
|
publicKey, ok := authOptions["publicKey"].(map[string]interface{})
|
|
if !ok {
|
|
return authData{}, fmt.Errorf("no publicKey found in authentication options")
|
|
}
|
|
|
|
rpID, ok := publicKey["rpId"].(string)
|
|
if !ok {
|
|
return authData{}, fmt.Errorf("could not find rpId in authentication options")
|
|
}
|
|
|
|
challengeArray, ok := publicKey["challenge"].([]interface{})
|
|
if !ok {
|
|
return authData{}, fmt.Errorf("no challenge found in authentication options")
|
|
}
|
|
challenge := sliceAnyToByteArray(challengeArray)
|
|
|
|
allowCredentials, ok := publicKey["allowCredentials"].([]interface{})
|
|
if !ok || len(allowCredentials) == 0 {
|
|
return authData{}, fmt.Errorf("no allowed credentials found in authentication options")
|
|
}
|
|
|
|
clientDataJSON := map[string]interface{}{
|
|
"type": "webauthn.get",
|
|
"challenge": base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(challenge),
|
|
"origin": "https://" + rpID,
|
|
}
|
|
|
|
clientDataJSONBytes, err := json.Marshal(clientDataJSON)
|
|
if err != nil {
|
|
return authData{}, fmt.Errorf("failed to marshal client data JSON: %w", err)
|
|
}
|
|
|
|
return authData{
|
|
AllowCredentials: allowCredentials,
|
|
ClientDataJSONBytes: clientDataJSONBytes,
|
|
RpID: rpID,
|
|
}, nil
|
|
}
|
|
|
|
func sliceAnyToByteArray(s []any) []byte {
|
|
result := make([]byte, len(s))
|
|
for i, val := range s {
|
|
if intVal, ok := val.(float64); ok {
|
|
result[i] = byte(intVal)
|
|
} else {
|
|
panic("boom")
|
|
}
|
|
}
|
|
return result
|
|
}
|
|
|
|
func authWithFido(client *proton.Client, auth proton.Auth, credentialIDs []byte, clientDataJSON []byte, authDataRaw []byte, signature []byte) error {
|
|
credentialIDInts := make([]int, len(credentialIDs))
|
|
for i, b := range credentialIDs {
|
|
credentialIDInts[i] = int(b)
|
|
}
|
|
|
|
fido2Req := proton.FIDO2Req{
|
|
AuthenticationOptions: auth.TwoFA.FIDO2.AuthenticationOptions,
|
|
ClientData: base64.StdEncoding.EncodeToString(clientDataJSON),
|
|
AuthenticatorData: base64.StdEncoding.EncodeToString(authDataRaw),
|
|
Signature: base64.StdEncoding.EncodeToString(signature),
|
|
CredentialID: credentialIDInts,
|
|
}
|
|
|
|
if err := client.Auth2FA(context.Background(), proton.Auth2FAReq{FIDO2: fido2Req}); err != nil {
|
|
return fmt.Errorf("FIDO2 authentication failed: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|