PackedAttestationStatementSupport::loadFromX5C() - Code Metrics - Inspection of "Better CA cretificate check" - Spomky-Labs/u2f-php - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( cf2c3c...c63c7f )

by Florent

created 2018-11-18 23:44 UTC

PackedAttestationStatementSupport::loadFromX5C() B

↳ Parent: Project

Complexity

Conditions	10
Paths	16

Size

Total Lines	48
Code Lines	36

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	10
eloc	36
nc	16
nop	1
dl	0
loc	48
rs	7.6666
c	0
b	0
f	0

How to fix Complexity

<?php

declare(strict_types=1);

/*
 * The MIT License (MIT)
 *
 * Copyright (c) 2014-2018 Spomky-Labs
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 */

namespace U2FAuthentication\Fido2\AttestationStatement;

use Assert\Assertion;
use U2FAuthentication\Fido2\AuthenticatorData;
use U2FAuthentication\Fido2\CertificateChainChecker;

final class PackedAttestationStatementSupport implements AttestationStatementSupport
{
    public function name(): string
    {
        return 'packed';
    }

    public function isValid(string $clientDataJSONHash, AttestationStatement $attestationStatement, AuthenticatorData $authenticatorData): bool
    {
        Assertion::true($attestationStatement->has('sig'), 'The attestation statement value "sig" is missing.');

        switch (true) {
            case $attestationStatement->has('x5c'):
                return $this->processWithCertificate($clientDataJSONHash, $attestationStatement, $authenticatorData);
            case $attestationStatement->has('ecdaaKeyId'):
                return $this->processWithECDAA();
            default:
                return $this->processWithSelfAttestation();
        }
    }

    private function processWithCertificate(string $clientDataJSONHash, AttestationStatement $attestationStatement, AuthenticatorData $authenticatorData): bool
    {
        $certificates = $attestationStatement->get('x5c');
        Assertion::isArray($certificates, 'The attestation statement value "x5c" must be a list with at least one certificate.');

        //Check certificate CA chain and returns the Attestation Certificate
        $attestnCert = CertificateChainChecker::check($certificates);

        $signedData = $authenticatorData->getAuthData().$clientDataJSONHash;
        $result = openssl_verify($signedData, $attestationStatement->get('sig'), $attestnCert, OPENSSL_ALGO_SHA256);
        if (1 !== $result) {
            return false;
        }

        $this->checkCertificate($attestnCert, $authenticatorData);

        return true;
    }

    private function checkCertificate(string $attestnCert, AuthenticatorData $authenticatorData): void
    {
        $parsed = openssl_x509_parse($attestnCert);

        //Check version
        Assertion::false(!isset($parsed['version']) || 2 !== $parsed['version'], 'Invalid certificate version');

        //Check subject field
        Assertion::false(!isset($parsed['name']) || false === mb_strpos($parsed['name'], '/OU=Authenticator Attestation'), 'Invalid certificate name. The Subject Organization Unit must be "Authenticator Attestation"');

        //Check extensions
        Assertion::false(!isset($parsed['extensions']) || !\is_array($parsed['extensions']), 'Certificate extensions are missing');

        //Check certificate is not a CA cert
        Assertion::false(!isset($parsed['extensions']['basicConstraints']) || 'CA:FALSE' !== $parsed['extensions']['basicConstraints'], 'The Basic Constraints extension must have the CA component set to false');

        // id-fido-gen-ce-aaguid OID check
        Assertion::false(\in_array('1.3.6.1.4.1.45724.1.1.4', $parsed['extensions'], true) && !hash_equals($authenticatorData->getAttestedCredentialData()->getAaguid(), $parsed['extensions']['1.3.6.1.4.1.45724.1.1.4']), 'The value of the "aaguid" does not match with the certificate');
    }

    private function processWithECDAA(): bool
    {
        throw new \RuntimeException('ECDAA not supported');
    }

    private function processWithSelfAttestation(): bool
    {
        throw new \RuntimeException('Self attestation not supported');
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* The MIT License (MIT)
7			*
8			* Copyright (c) 2014-2018 Spomky-Labs
9			*
10			* This software may be modified and distributed under the terms
11			* of the MIT license. See the LICENSE file for details.
12			*/
13
14			namespace U2FAuthentication\Fido2\AttestationStatement;
15
16			use Assert\Assertion;
17			use U2FAuthentication\Fido2\AuthenticatorData;
18			use U2FAuthentication\Fido2\CertificateChainChecker;
19
20			final class PackedAttestationStatementSupport implements AttestationStatementSupport
21			{
22			public function name(): string
23			{
24			return 'packed';
25			}
26
27			public function isValid(string $clientDataJSONHash, AttestationStatement $attestationStatement, AuthenticatorData $authenticatorData): bool
28			{
29			Assertion::true($attestationStatement->has('sig'), 'The attestation statement value "sig" is missing.');
30
31			switch (true) {
32			case $attestationStatement->has('x5c'):
33			return $this->processWithCertificate($clientDataJSONHash, $attestationStatement, $authenticatorData);
34			case $attestationStatement->has('ecdaaKeyId'):
35			return $this->processWithECDAA();
36			default:
37			return $this->processWithSelfAttestation();
38			}
39			}
40
41			private function processWithCertificate(string $clientDataJSONHash, AttestationStatement $attestationStatement, AuthenticatorData $authenticatorData): bool
42			{
43			$certificates = $attestationStatement->get('x5c');
44			Assertion::isArray($certificates, 'The attestation statement value "x5c" must be a list with at least one certificate.');
45
46			//Check certificate CA chain and returns the Attestation Certificate
47			$attestnCert = CertificateChainChecker::check($certificates);
48
49			$signedData = $authenticatorData->getAuthData().$clientDataJSONHash;
50			$result = openssl_verify($signedData, $attestationStatement->get('sig'), $attestnCert, OPENSSL_ALGO_SHA256);
51			if (1 !== $result) {
52			return false;
53			}
54
55			$this->checkCertificate($attestnCert, $authenticatorData);
56
57			return true;
58			}
59
60			private function checkCertificate(string $attestnCert, AuthenticatorData $authenticatorData): void
61			{
62			$parsed = openssl_x509_parse($attestnCert);
63
64			//Check version
65			Assertion::false(!isset($parsed['version']) \|\| 2 !== $parsed['version'], 'Invalid certificate version');
66
67			//Check subject field
68			Assertion::false(!isset($parsed['name']) \|\| false === mb_strpos($parsed['name'], '/OU=Authenticator Attestation'), 'Invalid certificate name. The Subject Organization Unit must be "Authenticator Attestation"');
69
70			//Check extensions
71			Assertion::false(!isset($parsed['extensions']) \|\| !\is_array($parsed['extensions']), 'Certificate extensions are missing');
72
73			//Check certificate is not a CA cert
74			Assertion::false(!isset($parsed['extensions']['basicConstraints']) \|\| 'CA:FALSE' !== $parsed['extensions']['basicConstraints'], 'The Basic Constraints extension must have the CA component set to false');
75
76			// id-fido-gen-ce-aaguid OID check
77			Assertion::false(\in_array('1.3.6.1.4.1.45724.1.1.4', $parsed['extensions'], true) && !hash_equals($authenticatorData->getAttestedCredentialData()->getAaguid(), $parsed['extensions']['1.3.6.1.4.1.45724.1.1.4']), 'The value of the "aaguid" does not match with the certificate');
78			}
79
80			private function processWithECDAA(): bool
81			{
82			throw new \RuntimeException('ECDAA not supported');
83			}
84
85			private function processWithSelfAttestation(): bool
86			{
87			throw new \RuntimeException('Self attestation not supported');
88			}
89			}
90

Spomky-Labs / u2f-php

Push — master ( cf2c3c...c63c7f )

PackedAttestationStatementSupport::loadFromX5C() B

Complexity

Size

Duplication

Importance

How to fix Complexity

Long Method

Duplication Side-by-Side

Filter issues like