Adding WebAuthn authentication to EJBCA #815
Stueypoo started this conversation in Show and tell
Introduction
EJBCA primarily uses TLS client authentication to identify Operators, but trusted OAuth services could be provisioned to cater for other authentication methods. However, OAuth services are probably not that practical in PKI environments (especially for offline Root CAs). An alternative could be to integrate WebAuthn authentication within EJBCA itself. This provides the following benefits:
EJBCA Login with WebAuthn
In this section, I will demonstrate how WebAuthn login could work via a prototype.
The Operator navigates to the OAuth Provider's login page (usually port 8442). Here there is a link for "EJBCA WebAuthn Login".

After clicking the link, the Operator is prompted to enter their Username.

The Username reference is used to retrieve previously registered WebAuthn information for this User, and then the WebAuthn authentication protocol is initiated. In this example, Windows Hello is prompting for the User's PIN to complete the authentication.

EJBCA then validates the WebAuthn authentication response, and if successful, allows access to EJBCA's admin page. The access privileges would be no different from those which the Operator is already provisioned with.

Note: The Web RA would also authenticate in a similar fashion.
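The validation step described above, as an added example (not code from this prototype or from EJBCA): the server-side checks a relying party must apply to a WebAuthn assertion before granting the session. The RP ID, the origin, the `ClientData` record (clientDataJSON already parsed by whatever JSON library the server uses) and storing the registered ES256 key in SPKI form are assumptions of this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

/** Verifies one WebAuthn assertion against a credential stored at registration. */
public final class WebAuthnAssertionVerifier {
    private static final String RP_ID = "ca.example.com";               // assumed RP ID
    private static final String ORIGIN = "https://ca.example.com:8443"; // assumed origin

    /** What the server persists per token: SPKI-encoded ES256 public key and last counter. */
    public static final class StoredCredential {
        final byte[] spkiPublicKey; long signCount;
        StoredCredential(byte[] spki, long count) { spkiPublicKey = spki; signCount = count; }
    }

    /** clientDataJSON fields after JSON parsing (parser omitted; Java 16+ record). */
    public record ClientData(String type, String challengeB64Url, String origin) {}

    public static boolean verify(StoredCredential cred, byte[] expectedChallenge,
                                 ClientData cd, byte[] clientDataJson,
                                 byte[] authData, byte[] signature, boolean requireUv)
            throws GeneralSecurityException {
        if (!"webauthn.get".equals(cd.type())) return false;
        byte[] challenge = Base64.getUrlDecoder().decode(cd.challengeB64Url());
        if (!MessageDigest.isEqual(challenge, expectedChallenge)) return false; // replay
        if (!ORIGIN.equals(cd.origin())) return false;                         // wrong site
        if (authData.length < 37) return false;
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] rpIdHash = sha256.digest(RP_ID.getBytes(StandardCharsets.UTF_8));
        if (!Arrays.equals(Arrays.copyOfRange(authData, 0, 32), rpIdHash)) return false;
        int flags = authData[32] & 0xFF;
        if ((flags & 0x01) == 0) return false;                 // UP: user present
        if (requireUv && (flags & 0x04) == 0) return false;    // UV: PIN/biometric done
        long counter = ByteBuffer.wrap(authData, 33, 4).getInt() & 0xFFFFFFFFL;
        if ((counter != 0 || cred.signCount != 0) && counter <= cred.signCount)
            return false;                                      // possible cloned token
        // The signature covers authenticatorData || SHA-256(clientDataJSON)
        byte[] clientDataHash = sha256.digest(clientDataJson);
        PublicKey key = KeyFactory.getInstance("EC")
                .generatePublic(new X509EncodedKeySpec(cred.spkiPublicKey));
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(key);
        verifier.update(authData);
        verifier.update(clientDataHash);
        if (!verifier.verify(signature)) return false;
        cred.signCount = counter;   // persist the new counter only on success
        return true;
    }
}
```

The expected challenge must be the one the server generated for this login attempt and discarded after one use, otherwise the replay check above is meaningless.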
WebAuthn Registration Page
In this section, I will demonstrate the WebAuthn Registration page that would allow an Operator to self-manage their own tokens. The WebAuthn Registration page could be launched from, say, the "My Preferences" page:

On this page, some information about existing tokens is displayed. This could include the time when the token was registered and the time when it was last used. A link to the issued certificate could be handy, as well as the remaining number of days before expiry. There would also be an option to "Delete" a token (if that token is not currently in use). Additional tokens could be added by clicking the "New" button, and then stepping through the WebAuthn registration process.
As mentioned in the Introduction, the access rules can be automatically set for that User upon registration.

Wrap-Up
The prototype has demonstrated well that EJBCA could be integrated with WebAuthn. By doing so, a better authentication mechanism would be provided which would offer the same capabilities as TLS client authentication, but better!