[CHORE] Remove u2f dependency

- It was only used to parse old U2F data to webauthn credentials. We only used the public key and keyhandle. This functiontionality was reworked to `parseU2FRegistration`. - Tests are already present, `Test_RemigrateU2FCredentials`.
2024-04-05 14:00:36 +02:00 · 2024-04-05 14:00:36 +02:00 · 32134e3a43
commit 32134e3a43
parent 9c82789664
5 changed files with 43 additions and 16 deletions
--- a/models/migrations/v1_16/v210.go
+++ b/models/migrations/v1_16/v210.go
@ -4,18 +4,44 @@
 package v1_16 //nolint

 import (
+	"crypto/ecdh"
 	"encoding/base32"
+	"errors"
 	"fmt"
 	"strings"

 	"code.gitea.io/gitea/models/migrations/base"
 	"code.gitea.io/gitea/modules/timeutil"

-	"github.com/tstranex/u2f"
 	"xorm.io/xorm"
 	"xorm.io/xorm/schemas"
 )

+func parseU2FRegistration(raw []byte) (pubKey *ecdh.PublicKey, keyHandle []byte, err error) {
+	if len(raw) < 69 {
+		return nil, nil, errors.New("data is too short")
+	}
+	if raw[0] != 0x05 {
+		return nil, nil, errors.New("invalid reserved byte")
+	}
+	raw = raw[1:]
+
+	pubKey, err = ecdh.P256().NewPublicKey(raw[:65])
+	if err != nil {
+		return nil, nil, err
+	}
+	raw = raw[65:]
+
+	khLen := int(raw[0])
+	if len(raw) < khLen {
+		return nil, nil, errors.New("invalid key handle")
+	}
+	raw = raw[1:]
+	keyHandle = raw[:khLen]
+
+	return pubKey, keyHandle, nil
+}
+
 // v208 migration was completely broken
 func RemigrateU2FCredentials(x *xorm.Engine) error {
 	// Create webauthnCredential table
@ -117,12 +143,7 @@ func RemigrateU2FCredentials(x *xorm.Engine) error {
 				}
 			}
 			for _, reg := range regs {
-				parsed := new(u2f.Registration)
-				err = parsed.UnmarshalBinary(reg.Raw)
-				if err != nil {
-					continue
-				}
-				pubKey, err := parsed.PubKey.ECDH()
+				pubKey, keyHandle, err := parseU2FRegistration(reg.Raw)
 				if err != nil {
 					continue
 				}
@ -131,7 +152,7 @@ func RemigrateU2FCredentials(x *xorm.Engine) error {
 					Name:            reg.Name,
 					LowerName:       strings.ToLower(reg.Name),
 					UserID:          reg.UserID,
-					CredentialID:    base32.HexEncoding.EncodeToString(parsed.KeyHandle),
+					CredentialID:    base32.HexEncoding.EncodeToString(keyHandle),
 					PublicKey:       pubKey.Bytes(),
 					AttestationType: "fido-u2f",
 					AAGUID:          []byte{},
--- a/models/migrations/v1_16/v210_test.go
+++ b/models/migrations/v1_16/v210_test.go
@ -4,6 +4,7 @@
 package v1_16 //nolint

 import (
+	"encoding/hex"
 	"testing"

 	"code.gitea.io/gitea/models/migrations/base"
@ -13,6 +14,19 @@ import (
 	"xorm.io/xorm/schemas"
 )

+func TestParseU2FRegistration(t *testing.T) {
+	// test vectors from https://github.com/tstranex/u2f/blob/d21a03e0b1d9fc1df59ff54e7a513655c1748b0c/register_test.go#L15
+
+	const testRegRespHex = "0504b174bc49c7ca254b70d2e5c207cee9cf174820ebd77ea3c65508c26da51b657c1cc6b952f8621697936482da0a6d3d3826a59095daf6cd7c03e2e60385d2f6d9402a552dfdb7477ed65fd84133f86196010b2215b57da75d315b7b9e8fe2e3925a6019551bab61d16591659cbaf00b4950f7abfe6660e2e006f76868b772d70c253082013c3081e4a003020102020a47901280001155957352300a06082a8648ce3d0403023017311530130603550403130c476e756262792050696c6f74301e170d3132303831343138323933325a170d3133303831343138323933325a3031312f302d0603550403132650696c6f74476e756262792d302e342e312d34373930313238303030313135353935373335323059301306072a8648ce3d020106082a8648ce3d030107034200048d617e65c9508e64bcc5673ac82a6799da3c1446682c258c463fffdf58dfd2fa3e6c378b53d795c4a4dffb4199edd7862f23abaf0203b4b8911ba0569994e101300a06082a8648ce3d0403020347003044022060cdb6061e9c22262d1aac1d96d8c70829b2366531dda268832cb836bcd30dfa0220631b1459f09e6330055722c8d89b7f48883b9089b88d60d1d9795902b30410df304502201471899bcc3987e62e8202c9b39c33c19033f7340352dba80fcab017db9230e402210082677d673d891933ade6f617e5dbde2e247e70423fd5ad7804a6d3d3961ef871"
+
+	regResp, err := hex.DecodeString(testRegRespHex)
+	assert.NoError(t, err)
+	pubKey, keyHandle, err := parseU2FRegistration(regResp)
+	assert.NoError(t, err)
+	assert.Equal(t, "04b174bc49c7ca254b70d2e5c207cee9cf174820ebd77ea3c65508c26da51b657c1cc6b952f8621697936482da0a6d3d3826a59095daf6cd7c03e2e60385d2f6d9", hex.EncodeToString(pubKey.Bytes()))
+	assert.Equal(t, "2a552dfdb7477ed65fd84133f86196010b2215b57da75d315b7b9e8fe2e3925a6019551bab61d16591659cbaf00b4950f7abfe6660e2e006f76868b772d70c25", hex.EncodeToString(keyHandle))
+}
+
 func Test_RemigrateU2FCredentials(t *testing.T) {
 	// Create webauthnCredential table
 	type WebauthnCredential struct {