Gitiles
Code Review Sign In
gerrit.benkard.de / kubeia / 1ba5381a59770700b02f1f1023d2b2dca73c5e8d / . / mailcow / src / mailcow-dockerized / data / web / inc / lib / WebAuthn / Attestation / Format / AndroidKey.php
blob: 4581272ceaa917e666a7e434ac023d9310bd67ed [file] [log] [blame]
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]1<?php
2
Matthias Andreas Benkard1ba53812022-12-27 17:32:58 +0100[diff] [blame^]3namespace lbuchs\WebAuthn\Attestation\Format;
4use lbuchs\WebAuthn\Attestation\AuthenticatorData;
5use lbuchs\WebAuthn\WebAuthnException;
6use lbuchs\WebAuthn\Binary\ByteBuffer;
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]7
8class AndroidKey extends FormatBase {
9 private $_alg;
10 private $_signature;
11 private $_x5c;
12
Matthias Andreas Benkard1ba53812022-12-27 17:32:58 +0100[diff] [blame^]13 public function __construct($AttestionObject, AuthenticatorData $authenticatorData) {
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]14 parent::__construct($AttestionObject, $authenticatorData);
15
16 // check u2f data
17 $attStmt = $this->_attestationObject['attStmt'];
18
19 if (!\array_key_exists('alg', $attStmt) || $this->_getCoseAlgorithm($attStmt['alg']) === null) {
20 throw new WebAuthnException('unsupported alg: ' . $attStmt['alg'], WebAuthnException::INVALID_DATA);
21 }
22
23 if (!\array_key_exists('sig', $attStmt) || !\is_object($attStmt['sig']) || !($attStmt['sig'] instanceof ByteBuffer)) {
24 throw new WebAuthnException('no signature found', WebAuthnException::INVALID_DATA);
25 }
26
27 if (!\array_key_exists('x5c', $attStmt) || !\is_array($attStmt['x5c']) || \count($attStmt['x5c']) < 1) {
28 throw new WebAuthnException('invalid x5c certificate', WebAuthnException::INVALID_DATA);
29 }
30
31 if (!\is_object($attStmt['x5c'][0]) || !($attStmt['x5c'][0] instanceof ByteBuffer)) {
32 throw new WebAuthnException('invalid x5c certificate', WebAuthnException::INVALID_DATA);
33 }
34
35 $this->_alg = $attStmt['alg'];
36 $this->_signature = $attStmt['sig']->getBinaryString();
37 $this->_x5c = $attStmt['x5c'][0]->getBinaryString();
38
39 if (count($attStmt['x5c']) > 1) {
40 for ($i=1; $i<count($attStmt['x5c']); $i++) {
41 $this->_x5c_chain[] = $attStmt['x5c'][$i]->getBinaryString();
42 }
43 unset ($i);
44 }
45 }
46
47
48 /*
49 * returns the key certificate in PEM format
50 * @return string
51 */
52 public function getCertificatePem() {
53 return $this->_createCertificatePem($this->_x5c);
54 }
55
56 /**
57 * @param string $clientDataHash
58 */
59 public function validateAttestation($clientDataHash) {
60 $publicKey = \openssl_pkey_get_public($this->getCertificatePem());
61
62 if ($publicKey === false) {
63 throw new WebAuthnException('invalid public key: ' . \openssl_error_string(), WebAuthnException::INVALID_PUBLIC_KEY);
64 }
65
66 // Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash
67 // using the attestation public key in attestnCert with the algorithm specified in alg.
68 $dataToVerify = $this->_authenticatorData->getBinary();
69 $dataToVerify .= $clientDataHash;
70
71 $coseAlgorithm = $this->_getCoseAlgorithm($this->_alg);
72
73 // check certificate
74 return \openssl_verify($dataToVerify, $this->_signature, $publicKey, $coseAlgorithm->openssl) === 1;
75 }
76
77 /**
78 * validates the certificate against root certificates
79 * @param array $rootCas
80 * @return boolean
81 * @throws WebAuthnException
82 */
83 public function validateRootCertificate($rootCas) {
84 $chainC = $this->_createX5cChainFile();
85 if ($chainC) {
86 $rootCas[] = $chainC;
87 }
88
89 $v = \openssl_x509_checkpurpose($this->getCertificatePem(), -1, $rootCas);
90 if ($v === -1) {
91 throw new WebAuthnException('error on validating root certificate: ' . \openssl_error_string(), WebAuthnException::CERTIFICATE_NOT_TRUSTED);
92 }
93 return $v;
94 }
95}
96