Gitiles
Code Review Sign In
gerrit.benkard.de / kubeia / e39c4f8729a5a9c5ea98dac8ef04f2f1255656c6 / . / mailcow / src / mailcow-dockerized / data / web / inc / lib / WebAuthn / Attestation / Format / U2f.php
blob: 51c7fc0e5875e89d31f139476ae6b607ff907467 [file] [log] [blame]
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]1<?php
2
3
4namespace WebAuthn\Attestation\Format;
5use WebAuthn\WebAuthnException;
6use WebAuthn\Binary\ByteBuffer;
7
8class U2f extends FormatBase {
Matthias Andreas Benkarde39c4f82021-01-06 17:59:39 +0100[diff] [blame^]9 private $_alg = -7;
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]10 private $_signature;
11 private $_x5c;
12
Matthias Andreas Benkarde39c4f82021-01-06 17:59:39 +0100[diff] [blame^]13 public function __construct($AttestionObject, AuthenticatorData $authenticatorData) {
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]14 parent::__construct($AttestionObject, $authenticatorData);
15
16 // check u2f data
17 $attStmt = $this->_attestationObject['attStmt'];
18
Matthias Andreas Benkarde39c4f82021-01-06 17:59:39 +0100[diff] [blame^]19 if (\array_key_exists('alg', $attStmt) && $attStmt['alg'] !== $this->_alg) {
20 throw new WebAuthnException('u2f only accepts algorithm -7 ("ES256"), but got ' . $attStmt['alg'], WebAuthnException::INVALID_DATA);
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]21 }
22
23 if (!\array_key_exists('sig', $attStmt) || !\is_object($attStmt['sig']) || !($attStmt['sig'] instanceof ByteBuffer)) {
24 throw new WebAuthnException('no signature found', WebAuthnException::INVALID_DATA);
25 }
26
27 if (!\array_key_exists('x5c', $attStmt) || !\is_array($attStmt['x5c']) || \count($attStmt['x5c']) !== 1) {
28 throw new WebAuthnException('invalid x5c certificate', WebAuthnException::INVALID_DATA);
29 }
30
31 if (!\is_object($attStmt['x5c'][0]) || !($attStmt['x5c'][0] instanceof ByteBuffer)) {
32 throw new WebAuthnException('invalid x5c certificate', WebAuthnException::INVALID_DATA);
33 }
34
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100[diff] [blame]35 $this->_signature = $attStmt['sig']->getBinaryString();
36 $this->_x5c = $attStmt['x5c'][0]->getBinaryString();
37 }
38
39
40 /*
41 * returns the key certificate in PEM format
42 * @return string
43 */
44 public function getCertificatePem() {
45 $pem = '-----BEGIN CERTIFICATE-----' . "\n";
46 $pem .= \chunk_split(\base64_encode($this->_x5c), 64, "\n");
47 $pem .= '-----END CERTIFICATE-----' . "\n";
48 return $pem;
49 }
50
51 /**
52 * @param string $clientDataHash
53 */
54 public function validateAttestation($clientDataHash) {
55 $publicKey = \openssl_pkey_get_public($this->getCertificatePem());
56
57 if ($publicKey === false) {
58 throw new WebAuthnException('invalid public key: ' . \openssl_error_string(), WebAuthnException::INVALID_PUBLIC_KEY);
59 }
60
61 // Let verificationData be the concatenation of (0x00 || rpIdHash || clientDataHash || credentialId || publicKeyU2F)
62 $dataToVerify = "\x00";
63 $dataToVerify .= $this->_authenticatorData->getRpIdHash();
64 $dataToVerify .= $clientDataHash;
65 $dataToVerify .= $this->_authenticatorData->getCredentialId();
66 $dataToVerify .= $this->_authenticatorData->getPublicKeyU2F();
67
68 $coseAlgorithm = $this->_getCoseAlgorithm($this->_alg);
69
70 // check certificate
71 return \openssl_verify($dataToVerify, $this->_signature, $publicKey, $coseAlgorithm->openssl) === 1;
72 }
73
74 /**
75 * validates the certificate against root certificates
76 * @param array $rootCas
77 * @return boolean
78 * @throws WebAuthnException
79 */
80 public function validateRootCertificate($rootCas) {
81 $chainC = $this->_createX5cChainFile();
82 if ($chainC) {
83 $rootCas[] = $chainC;
84 }
85
86 $v = \openssl_x509_checkpurpose($this->getCertificatePem(), -1, $rootCas);
87 if ($v === -1) {
88 throw new WebAuthnException('error on validating root certificate: ' . \openssl_error_string(), WebAuthnException::CERTIFICATE_NOT_TRUSTED);
89 }
90 return $v;
91 }
92}