// Modified U2F client API by Google (https://demo.yubico.com/js/u2f-api.js) // Copyright 2014-2015 Google Inc. All rights reserved. // // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file or at // https://developers.google.com/open-source/licenses/bsd 'use strict'; // Namespace for the U2F api. var u2f = u2f || {}; // The U2F extension id u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd'; // Message types for messsages to/from the extension u2f.MessageTypes = { 'U2F_REGISTER_REQUEST': 'u2f_register_request', 'U2F_SIGN_REQUEST': 'u2f_sign_request', 'U2F_REGISTER_RESPONSE': 'u2f_register_response', 'U2F_SIGN_RESPONSE': 'u2f_sign_response' }; // Response status codes u2f.ErrorCodes = { 'OK': 0, 'OTHER_ERROR': 1, 'BAD_REQUEST': 2, 'CONFIGURATION_UNSUPPORTED': 3, 'DEVICE_INELIGIBLE': 4, 'TIMEOUT': 5 }; // A message type for registration requests u2f.Request; // A message for registration responses u2f.Response; // An error object for responses u2f.Error; // Data object for a single sign request. u2f.SignRequest; // Data object for a sign response. u2f.SignResponse; // Data object for a registration request. u2f.RegisterRequest; // Data object for a registration response. u2f.RegisterResponse; // Low level MessagePort API support // Sets up a MessagePort to the U2F extension using the available mechanisms. u2f.getMessagePort = function(callback) { if (typeof chrome != 'undefined' && chrome.runtime) { // The actual message here does not matter, but we need to get a reply // for the callback to run. Thus, send an empty signature request // in order to get a failure response. var msg = { type: u2f.MessageTypes.U2F_SIGN_REQUEST, signRequests: [] }; chrome.runtime.sendMessage(u2f.EXTENSION_ID, msg, function() { if (!chrome.runtime.lastError) { // We are on a whitelisted origin and can talk directly // with the extension. u2f.getChromeRuntimePort_(callback); } else { // chrome.runtime was available, but we couldn't message // the extension directly, use iframe u2f.getIframePort_(callback); } }); } else if (u2f.isAndroidChrome_()) { u2f.getAuthenticatorPort_(callback); } else { // chrome.runtime was not available at all, which is normal // when this origin doesn't have access to any extensions. u2f.getIframePort_(callback); } }; // Detect chrome running on android based on the browser's useragent. u2f.isAndroidChrome_ = function() { var userAgent = navigator.userAgent; return userAgent.indexOf('Chrome') != -1 && userAgent.indexOf('Android') != -1; }; // Connects directly to the extension via chrome.runtime.connect u2f.getChromeRuntimePort_ = function(callback) { var port = chrome.runtime.connect(u2f.EXTENSION_ID, {'includeTlsChannelId': true}); setTimeout(function() { callback(new u2f.WrappedChromeRuntimePort_(port)); }, 0); }; // Return a 'port' abstraction to the Authenticator app. u2f.getAuthenticatorPort_ = function(callback) { setTimeout(function() { callback(new u2f.WrappedAuthenticatorPort_()); }, 0); }; // A wrapper for chrome.runtime.Port that is compatible with MessagePort. u2f.WrappedChromeRuntimePort_ = function(port) { this.port_ = port; }; // Format a return a sign request. u2f.WrappedChromeRuntimePort_.prototype.formatSignRequest_ = function(signRequests, timeoutSeconds, reqId) { return { type: u2f.MessageTypes.U2F_SIGN_REQUEST, signRequests: signRequests, timeoutSeconds: timeoutSeconds, requestId: reqId }; }; // Format a return a register request. u2f.WrappedChromeRuntimePort_.prototype.formatRegisterRequest_ = function(signRequests, registerRequests, timeoutSeconds, reqId) { return { type: u2f.MessageTypes.U2F_REGISTER_REQUEST, signRequests: signRequests, registerRequests: registerRequests, timeoutSeconds: timeoutSeconds, requestId: reqId }; }; // Posts a message on the underlying channel. u2f.WrappedChromeRuntimePort_.prototype.postMessage = function(message) { this.port_.postMessage(message); }; // Emulates the HTML 5 addEventListener interface. Works only for the // onmessage event, which is hooked up to the chrome.runtime.Port.onMessage. u2f.WrappedChromeRuntimePort_.prototype.addEventListener = function(eventName, handler) { var name = eventName.toLowerCase(); if (name == 'message' || name == 'onmessage') { this.port_.onMessage.addListener(function(message) { // Emulate a minimal MessageEvent object handler({'data': message}); }); } else { console.error('WrappedChromeRuntimePort only supports onMessage'); } }; // Wrap the Authenticator app with a MessagePort interface. u2f.WrappedAuthenticatorPort_ = function() { this.requestId_ = -1; this.requestObject_ = null; } // Launch the Authenticator intent. u2f.WrappedAuthenticatorPort_.prototype.postMessage = function(message) { var intentLocation = /** @type {string} */ (message); document.location = intentLocation; }; // Emulates the HTML5 addEventListener interface. u2f.WrappedAuthenticatorPort_.prototype.addEventListener = function(eventName, handler) { var name = eventName.toLowerCase(); if (name == 'message') { var self = this; /* Register a callback to that executes when * chrome injects the response. */ window.addEventListener( 'message', self.onRequestUpdate_.bind(self, handler), false); } else { console.error('WrappedAuthenticatorPort only supports message'); } }; // Callback invoked when a response is received from the Authenticator. u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_ = function(callback, message) { var messageObject = JSON.parse(message.data); var intentUrl = messageObject['intentURL']; var errorCode = messageObject['errorCode']; var responseObject = null; if (messageObject.hasOwnProperty('data')) { responseObject = /** @type {Object} */ ( JSON.parse(messageObject['data'])); responseObject['requestId'] = this.requestId_; } /* Sign responses from the authenticator do not conform to U2F, * convert to U2F here. */ responseObject = this.doResponseFixups_(responseObject); callback({'data': responseObject}); }; // Fixup the response provided by the Authenticator to conform with the U2F spec. u2f.WrappedAuthenticatorPort_.prototype.doResponseFixups_ = function(responseObject) { if (responseObject.hasOwnProperty('responseData')) { return responseObject; } else if (this.requestObject_['type'] != u2f.MessageTypes.U2F_SIGN_REQUEST) { // Only sign responses require fixups. If this is not a response // to a sign request, then an internal error has occurred. return { 'type': u2f.MessageTypes.U2F_REGISTER_RESPONSE, 'responseData': { 'errorCode': u2f.ErrorCodes.OTHER_ERROR, 'errorMessage': 'Internal error: invalid response from Authenticator' } }; } /* Non-conformant sign response, do fixups. */ var encodedChallengeObject = responseObject['challenge']; if (typeof encodedChallengeObject !== 'undefined') { var challengeObject = JSON.parse(atob(encodedChallengeObject)); var serverChallenge = challengeObject['challenge']; var challengesList = this.requestObject_['signData']; var requestChallengeObject = null; for (var i = 0; i < challengesList.length; i++) { var challengeObject = challengesList[i]; if (challengeObject['keyHandle'] == responseObject['keyHandle']) { requestChallengeObject = challengeObject; break; } } } var responseData = { 'errorCode': responseObject['resultCode'], 'keyHandle': responseObject['keyHandle'], 'signatureData': responseObject['signature'], 'clientData': encodedChallengeObject }; return { 'type': u2f.MessageTypes.U2F_SIGN_RESPONSE, 'responseData': responseData, 'requestId': responseObject['requestId'] } }; // Base URL for intents to Authenticator. u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ = 'intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE'; // Format a return a sign request. u2f.WrappedAuthenticatorPort_.prototype.formatSignRequest_ = function(signRequests, timeoutSeconds, reqId) { if (!signRequests || signRequests.length == 0) { return null; } /* TODO(fixme): stash away requestId, as the authenticator app does * not return it for sign responses. */ this.requestId_ = reqId; /* TODO(fixme): stash away the signRequests, to deal with the legacy * response format returned by the Authenticator app. */ this.requestObject_ = { 'type': u2f.MessageTypes.U2F_SIGN_REQUEST, 'signData': signRequests, 'requestId': reqId, 'timeout': timeoutSeconds }; var appId = signRequests[0]['appId']; var intentUrl = u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ + ';S.appId=' + encodeURIComponent(appId) + ';S.eventId=' + reqId + ';S.challenges=' + encodeURIComponent( JSON.stringify(this.getBrowserDataList_(signRequests))) + ';end'; return intentUrl; }; // Get the browser data objects from the challenge list u2f.WrappedAuthenticatorPort_ .prototype.getBrowserDataList_ = function(challenges) { return challenges .map(function(challenge) { var browserData = { 'typ': 'navigator.id.getAssertion', 'challenge': challenge['challenge'] }; var challengeObject = { 'challenge' : browserData, 'keyHandle' : challenge['keyHandle'] }; return challengeObject; }); }; // Format a return a register request. u2f.WrappedAuthenticatorPort_.prototype.formatRegisterRequest_ = function(signRequests, enrollChallenges, timeoutSeconds, reqId) { if (!enrollChallenges || enrollChallenges.length == 0) { return null; } // Assume the appId is the same for all enroll challenges. var appId = enrollChallenges[0]['appId']; var registerRequests = []; for (var i = 0; i < enrollChallenges.length; i++) { var registerRequest = { 'challenge': enrollChallenges[i]['challenge'], 'version': enrollChallenges[i]['version'] }; if (enrollChallenges[i]['appId'] != appId) { // Only include the appId when it differs from the first appId. registerRequest['appId'] = enrollChallenges[i]['appId']; } registerRequests.push(registerRequest); } var registeredKeys = []; if (signRequests) { for (i = 0; i < signRequests.length; i++) { var key = { 'keyHandle': signRequests[i]['keyHandle'], 'version': signRequests[i]['version'] }; // Only include the appId when it differs from the appId that's // being registered now. if (signRequests[i]['appId'] != appId) { key['appId'] = signRequests[i]['appId']; } registeredKeys.push(key); } } var request = { 'type': u2f.MessageTypes.U2F_REGISTER_REQUEST, 'appId': appId, 'registerRequests': registerRequests, 'registeredKeys': registeredKeys, 'requestId': reqId, 'timeoutSeconds': timeoutSeconds }; var intentUrl = u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ + ';S.request=' + encodeURIComponent(JSON.stringify(request)) + ';end'; /* TODO(fixme): stash away requestId, this is is not necessary for * register requests, but here to keep parity with sign. */ this.requestId_ = reqId; return intentUrl; }; // Sets up an embedded trampoline iframe, sourced from the extension. u2f.getIframePort_ = function(callback) { // Create the iframe var iframeOrigin = 'chrome-extension://' + u2f.EXTENSION_ID; var iframe = document.createElement('iframe'); iframe.src = iframeOrigin + '/u2f-comms.html'; iframe.setAttribute('style', 'display:none'); document.body.appendChild(iframe); var channel = new MessageChannel(); var ready = function(message) { if (message.data == 'ready') { channel.port1.removeEventListener('message', ready); callback(channel.port1); } else { console.error('First event on iframe port was not "ready"'); } }; channel.port1.addEventListener('message', ready); channel.port1.start(); iframe.addEventListener('load', function() { // Deliver the port to the iframe and initialize iframe.contentWindow.postMessage('init', iframeOrigin, [channel.port2]); }); }; // High-level JS API // Default extension response timeout in seconds. u2f.EXTENSION_TIMEOUT_SEC = 30; // A singleton instance for a MessagePort to the extension. u2f.port_ = null; // Callbacks waiting for a port u2f.waitingForPort_ = []; // A counter for requestIds. u2f.reqCounter_ = 0; // A map from requestIds to client callbacks u2f.callbackMap_ = {}; // Creates or retrieves the MessagePort singleton to use. u2f.getPortSingleton_ = function(callback) { if (u2f.port_) { callback(u2f.port_); } else { if (u2f.waitingForPort_.length == 0) { u2f.getMessagePort(function(port) { u2f.port_ = port; u2f.port_.addEventListener('message', /** @type {function(Event)} */ (u2f.responseHandler_)); // Careful, here be async callbacks. Maybe. while (u2f.waitingForPort_.length) u2f.waitingForPort_.shift()(u2f.port_); }); } u2f.waitingForPort_.push(callback); } }; // Handles response messages from the extension. u2f.responseHandler_ = function(message) { var response = message.data; var reqId = response['requestId']; if (!reqId || !u2f.callbackMap_[reqId]) { console.error('Unknown or missing requestId in response.'); return; } var cb = u2f.callbackMap_[reqId]; delete u2f.callbackMap_[reqId]; cb(response['responseData']); }; // Dispatches an array of sign requests to available U2F tokens. u2f.sign = function(signRequests, callback, opt_timeoutSeconds) { u2f.getPortSingleton_(function(port) { var reqId = ++u2f.reqCounter_; u2f.callbackMap_[reqId] = callback; var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ? opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC); var req = port.formatSignRequest_(signRequests, timeoutSeconds, reqId); port.postMessage(req); }); }; // Dispatches register requests to available U2F tokens. An array of sign // requests identifies already registered tokens. u2f.register = function(registerRequests, signRequests, callback, opt_timeoutSeconds) { u2f.getPortSingleton_(function(port) { var reqId = ++u2f.reqCounter_; u2f.callbackMap_[reqId] = callback; var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ? opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC); var req = port.formatRegisterRequest_( signRequests, registerRequests, timeoutSeconds, reqId); port.postMessage(req); }); }; // Everything below is Gazelle-specific and not part of the u2f API function initU2F() { if (document.querySelector('#u2f_register_form') && document.querySelector('[name="u2f-request"]')) { var req = JSON.parse($('[name="u2f-request"]').raw().value); var sigs = JSON.parse($('[name="u2f-sigs"]').raw().value); if (req) { u2f.register([req], sigs, function(data) { if (data.errorCode) { console.log('U2F Register Error: ' + Object.keys(u2f.ErrorCodes).find(k => u2f.ErrorCodes[k] == data.errorCode)); return; } $('[name="u2f-response"]').raw().value = JSON.stringify(data); $('[value="U2F-E"]').raw().name = 'type' $('#u2f_register_form').submit(); }, 3600) } } if (document.querySelector('#u2f_sign_form') && document.querySelector('[name="u2f-request"]')) { var req = JSON.parse($('[name="u2f-request"]').raw().value); if (req) { u2f.sign(req, function(data) { if (data.errorCode) { console.log('U2F Sign Error: ' + Object.keys(u2f.ErrorCodes).find(k => u2f.ErrorCodes[k] == data.errorCode)); return; } $('[name="u2f-response"]').raw().value = JSON.stringify(data); $('#u2f_sign_form').submit(); }, 3600) } } } if (document.readyState != 'loading') { initU2F(); } else { document.addEventListener("DOMContentLoaded", initU2F); }