|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
/** |
|
4
|
|
|
* Copyright 2015 SURFnet bv |
|
5
|
|
|
* |
|
6
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
|
7
|
|
|
* you may not use this file except in compliance with the License. |
|
8
|
|
|
* You may obtain a copy of the License at |
|
9
|
|
|
* |
|
10
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0 |
|
11
|
|
|
* |
|
12
|
|
|
* Unless required by applicable law or agreed to in writing, software |
|
13
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS, |
|
14
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
15
|
|
|
* See the License for the specific language governing permissions and |
|
16
|
|
|
* limitations under the License. |
|
17
|
|
|
*/ |
|
18
|
|
|
|
|
19
|
|
|
namespace Surfnet\StepupU2fBundle\Validator\Constraints; |
|
20
|
|
|
|
|
21
|
|
|
use Surfnet\StepupU2fBundle\Exception\LogicException; |
|
22
|
|
|
use Symfony\Component\Validator\Constraint; |
|
23
|
|
|
use Symfony\Component\Validator\ConstraintValidator; |
|
24
|
|
|
|
|
25
|
|
|
/** |
|
26
|
|
|
* @see https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-raw-message-formats.html#registration-response-message-success |
|
27
|
|
|
*/ |
|
28
|
|
|
final class RegistrationDataConstraintValidator extends ConstraintValidator |
|
29
|
|
|
{ |
|
30
|
|
|
const RESERVED_BYTE_OFFSET = 1; |
|
31
|
|
|
const STRICT = true; |
|
32
|
|
|
|
|
33
|
|
|
public function validate($value, Constraint $constraint) |
|
34
|
|
|
{ |
|
35
|
|
|
if (!$constraint instanceof RegistrationDataConstraint) { |
|
36
|
|
|
throw new LogicException( |
|
37
|
|
|
'RegistrationDataConstraintValidator can only validate RegistrationDataConstraints' |
|
38
|
|
|
); |
|
39
|
|
|
} |
|
40
|
|
|
|
|
41
|
|
|
if (!is_string($value)) { |
|
42
|
|
|
$this->context->addViolation($constraint->message, ['%reason%' => 'Not a string'], $value); |
|
|
|
|
|
|
43
|
|
|
return; |
|
44
|
|
|
} |
|
45
|
|
|
|
|
46
|
|
|
$decoded = base64_decode(strtr($value, '-_', '+/'), self::STRICT); |
|
47
|
|
|
|
|
48
|
|
View Code Duplication |
if ($decoded === false) { |
|
|
|
|
|
|
49
|
|
|
$this->context->addViolation($constraint->message, ['%reason%' => 'Not base64 decodable'], $value); |
|
|
|
|
|
|
50
|
|
|
return; |
|
51
|
|
|
} |
|
52
|
|
|
|
|
53
|
|
|
// Unpack into an array of unsigned characters (8-bits each, ie. bytes). |
|
54
|
|
|
$bytes = array_values(unpack('C*', $decoded)); |
|
55
|
|
|
|
|
56
|
|
|
// We navigate over the characters using an offset, determining the string length we expect. |
|
57
|
|
|
// The registration data starts with a reserved byte (0x05). |
|
58
|
|
|
$offset = self::RESERVED_BYTE_OFFSET; |
|
59
|
|
|
// We then expect the public key. First, load the PUBKEY_LEN constant by auto-loading \u2flib_serverf\U2F. |
|
60
|
|
|
class_exists('u2flib_server\U2F'); |
|
61
|
|
|
$offset += \u2flib_server\PUBKEY_LEN; |
|
62
|
|
|
|
|
63
|
|
|
if (!isset($bytes[$offset])) { |
|
64
|
|
|
$this->addNotEnoughBytesViolation($constraint, $value); |
|
65
|
|
|
return; |
|
66
|
|
|
} |
|
67
|
|
|
|
|
68
|
|
|
// We then expect the key handle length and key handle itself. |
|
69
|
|
|
$offset += 1 + $bytes[$offset]; |
|
70
|
|
|
|
|
71
|
|
|
if (!isset($bytes[$offset + 3])) { |
|
72
|
|
|
$this->addNotEnoughBytesViolation($constraint, $value); |
|
73
|
|
|
return; |
|
74
|
|
|
} |
|
75
|
|
|
|
|
76
|
|
|
// We then skip two bytes and expect two bytes that form a number that specifies the public key length. |
|
77
|
|
|
$certificateLength = 4 + ($bytes[$offset + 2] << 8) + $bytes[$offset + 3]; |
|
78
|
|
|
$minimumLength = $offset + $certificateLength; |
|
79
|
|
|
|
|
80
|
|
|
// The calculated minimum length excludes the signature, thus if the data length equals the minimum length, the |
|
81
|
|
|
// signature is missing. |
|
82
|
|
|
if (count($bytes) <= $minimumLength) { |
|
83
|
|
|
$this->addNotEnoughBytesViolation($constraint, $value); |
|
84
|
|
|
return; |
|
85
|
|
|
} |
|
86
|
|
|
} |
|
87
|
|
|
|
|
88
|
|
|
/** |
|
89
|
|
|
* @param RegistrationDataConstraint $constraint |
|
90
|
|
|
* @param $value |
|
91
|
|
|
*/ |
|
92
|
|
|
private function addNotEnoughBytesViolation(RegistrationDataConstraint $constraint, $value) |
|
93
|
|
|
{ |
|
94
|
|
|
$this->context->addViolation($constraint->message, ['%reason%' => 'Not enough bytes'], $value); |
|
|
|
|
|
|
95
|
|
|
} |
|
96
|
|
|
} |
|
97
|
|
|
|
OpenConext /
Stepup-u2f-bundle
Loading history...
This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.
If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.
In this case you can add the
@ignorePhpDoc annotation to the duplicate definition and it will be ignored.