
Commit

Update AuthenticationResponseProcessing.java
Before this fix, there is a HUGE security bug which successfully (without any checks) authenticates everyone who sets UAF_ALG_SIGN_RSASSA_PSS_SHA256_DER in the assertion.
hackappcom committed Jan 26, 2016
1 parent 9afef2a commit 7bb6926
Showing 1 changed file with 2 additions and 0 deletions.
Expand Up @@ -101,6 +101,8 @@ private AuthenticatorRecord processAssertions(
String pubKey = registrationRecord.PublicKey;
if (algAndEncoding == AlgAndEncodingEnum.UAF_ALG_SIGN_RSASSA_PSS_SHA256_DER) {
// TODO Implement RSA signature check
authRecord.status = "FAILED_ALGORITHM_NOT_IMPLEMENTED";
return authRecord;
} else {
try {
if (!verifySignature(signnedData, signature, pubKey,
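Review bot: the early return under `// TODO Implement RSA signature check` fails closed only for UAF_ALG_SIGN_RSASSA_PSS_SHA256_DER, while the `else` branch still sends every other `algAndEncoding` value to `verifySignature(...)`. Consider inverting the structure so that rejection is the default: verify only the algorithms that are explicitly implemented and return a failed `authRecord` for anything else, so an enum value added later cannot reach a success path unverified. The status is a bare string literal, `"FAILED_ALGORITHM_NOT_IMPLEMENTED"`; a shared constant would keep callers that compare on it from drifting. A regression test that submits an assertion with this algorithm and asserts the failed status would pin the fix, and the `signnedData` spelling in the context line could be corrected in a follow-up.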
