AuthenticatorAssertionResponseValidator - Code Metrics - Inspection of "Project updated" - Spomky-Labs/u2f-php - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( d96c64...807a21 )

by Florent

created 2018-09-03 20:48 UTC

AuthenticatorAssertionResponseValidator A

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	129
Duplicated Lines	0 %

Importance

Changes

Metric	Value
eloc	55
dl	0
loc	129
rs	10
c	0
b	0
f	0
wmc	23

4 Methods

Rating	Name	Size	Complexity
A	__construct()	3	1
A	getPublicKeyAsPem()	11	1
A	isCredentialIdAllowed()	9	3
D	check()	90	18

<?php

declare(strict_types=1);

/*
 * The MIT License (MIT)
 *
 * Copyright (c) 2014-2018 Spomky-Labs
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 */

namespace U2FAuthentication\Fido2;

class AuthenticatorAssertionResponseValidator
{
    private $credentialRepository;

    public function __construct(CredentialRepository $credentialRepository)
    {
        $this->credentialRepository = $credentialRepository;
    }

    /**
     * @see https://www.w3.org/TR/webauthn/#registering-a-new-credential
     */
    public function check(string $credentialId, AuthenticatorAssertionResponse $authenticatorAssertionResponse, PublicKeyCredentialRequestOptions $publicKeyCredentialRequestOptions, ?string $rpId = null): void
    {
        /* @see 7.2.1 */
        if (!$this->isCredentialIdAllowed($credentialId, $publicKeyCredentialRequestOptions->getAllowCredentials())) {
            throw new \InvalidArgumentException('The credential ID is not allowed.');
        }
        /* @see 7.2.2 */
        if (null !== $authenticatorAssertionResponse->getUserHandle()) {
            throw new \RuntimeException('Not supported.'); //TODO: implementation shall be done.
        }

        /* @see 7.2.3 */
        if (!$this->credentialRepository->hasCredential($credentialId)) {
            throw new \InvalidArgumentException('No credential public key available for the given credential ID.');
        }
        $credentialPublicKey = $this->credentialRepository->getCredentialPublicKey($credentialId);

        /** @see 7.2.4 */
        /** @see 7.2.5 */
        //Nothing to do. Use of objets directly

        /** @see 7.2.6 */
        $C = $authenticatorAssertionResponse->getClientDataJSON();

        /* @see 7.2.7 */
        if ('webauthn.get' !== $C->getType()) {
            throw new \InvalidArgumentException('The client data type is not "webauthn.get".');
        }

        /* @see 7.2.8 */
        if (hash_equals($publicKeyCredentialRequestOptions->getChallenge(), $C->getChallenge())) {
            throw new \InvalidArgumentException('Invalid challenge.');
        }

        /** @see 7.2.9 */
        $rpId = $rpId ?? $publicKeyCredentialRequestOptions->getRpId();
        if (null === $rpId) {
            throw new \InvalidArgumentException('No rpId.');
        }
        $parsedRelyingPartyId = parse_url($C->getOrigin());
        if (!array_key_exists('host', $parsedRelyingPartyId) || !\is_string($parsedRelyingPartyId['host'])) {
            throw new \InvalidArgumentException('Invalid origin rpId.');
        }
        if ($parsedRelyingPartyId['host'] !== $rpId) {
            throw new \InvalidArgumentException('rpId mismatch.');
        }

        /* @see 7.2.10 */
        if ($C->getTokenBinding()) {
            throw new \InvalidArgumentException('Token binding not supported.');
        }

        /** @see 7.2.11 */
        $rpIdHash = hash('sha256', $rpId, true);
        if (!hash_equals($rpIdHash, $authenticatorAssertionResponse->getAuthenticatorData()->getRpIdHash())) {
            throw new \InvalidArgumentException('rpId hash mismatch.');
        }

        /* @see 7.2.12 */
        if (!$authenticatorAssertionResponse->getAuthenticatorData()->isUserPresent()) {
            throw new \InvalidArgumentException('User was not present');
        }

        /* @see 7.2.13 */
        if (AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED === $publicKeyCredentialRequestOptions->getUserVerification() && !$authenticatorAssertionResponse->getAuthenticatorData()->isUserVerified()) {
            throw new \InvalidArgumentException('User authentication required.');
        }

        /* @see 7.2.14 */
        if (0 !== $publicKeyCredentialRequestOptions->getExtensions()->count()) {
            throw new \InvalidArgumentException('Extensions not supported.');
        }

        /** @see 7.2.15 */
        $getClientDataJSONHash = hash('sha256', $authenticatorAssertionResponse->getClientDataJSON()->getRawData(), true);

        /* @see 7.2.16 */
        $coseKey = $credentialPublicKey->getNormalizedData();
        $key = "\04".$coseKey[-2].$coseKey[-3];
        if (1 !== openssl_verify($authenticatorAssertionResponse->getAuthenticatorData()->getAuthData().$getClientDataJSONHash, $authenticatorAssertionResponse->getSignature(), $this->getPublicKeyAsPem($key), OPENSSL_ALGO_SHA256)) {
            throw new \InvalidArgumentException('Invalid signature.');
        }

        /* @see 7.2.17 */
        $storedCounter = $this->credentialRepository->getCredentialCounter($credentialId);
        $currentCounter = $authenticatorAssertionResponse->getAuthenticatorData()->getSignCount();
        if ($storedCounter >= $currentCounter) {
            throw new \InvalidArgumentException('Invalid counter.');
        }
        $this->credentialRepository->updateCredentialCounter($credentialId, $currentCounter);

        /* @see 7.2.18 */
        //Great!
    }

    private function getPublicKeyAsPem(string $key): string
    {
        $der = "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01";
        $der .= "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42";
        $der .= "\0".$key;

        $pem = '-----BEGIN PUBLIC KEY-----'.PHP_EOL;
        $pem .= chunk_split(base64_encode($der), 64, PHP_EOL);
        $pem .= '-----END PUBLIC KEY-----'.PHP_EOL;

        return $pem;
    }

    private function isCredentialIdAllowed(string $credentialId, array $allowedCredentials): bool
    {
        foreach ($allowedCredentials as $allowedCredential) {
            if (hash_equals($allowedCredential->getId(), $credentialId)) {
                return true;
            }
        }

        return false;
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* The MIT License (MIT)
7			*
8			* Copyright (c) 2014-2018 Spomky-Labs
9			*
10			* This software may be modified and distributed under the terms
11			* of the MIT license. See the LICENSE file for details.
12			*/
13
14			namespace U2FAuthentication\Fido2;
15
16			class AuthenticatorAssertionResponseValidator
17			{
18			private $credentialRepository;
19
20			public function __construct(CredentialRepository $credentialRepository)
21			{
22			$this->credentialRepository = $credentialRepository;
23			}
24
25			/**
26			* @see https://www.w3.org/TR/webauthn/#registering-a-new-credential
27			*/
28			public function check(string $credentialId, AuthenticatorAssertionResponse $authenticatorAssertionResponse, PublicKeyCredentialRequestOptions $publicKeyCredentialRequestOptions, ?string $rpId = null): void
29			{
30			/* @see 7.2.1 */
31			if (!$this->isCredentialIdAllowed($credentialId, $publicKeyCredentialRequestOptions->getAllowCredentials())) {
32			throw new \InvalidArgumentException('The credential ID is not allowed.');
33			}
34			/* @see 7.2.2 */
35			if (null !== $authenticatorAssertionResponse->getUserHandle()) {
36			throw new \RuntimeException('Not supported.'); //TODO: implementation shall be done.
37			}
38
39			/* @see 7.2.3 */
40			if (!$this->credentialRepository->hasCredential($credentialId)) {
41			throw new \InvalidArgumentException('No credential public key available for the given credential ID.');
42			}
43			$credentialPublicKey = $this->credentialRepository->getCredentialPublicKey($credentialId);
44
45			/** @see 7.2.4 */
46			/** @see 7.2.5 */
47			//Nothing to do. Use of objets directly
48
49			/** @see 7.2.6 */
50			$C = $authenticatorAssertionResponse->getClientDataJSON();
51
52			/* @see 7.2.7 */
53			if ('webauthn.get' !== $C->getType()) {
54			throw new \InvalidArgumentException('The client data type is not "webauthn.get".');
55			}
56
57			/* @see 7.2.8 */
58			if (hash_equals($publicKeyCredentialRequestOptions->getChallenge(), $C->getChallenge())) {
59			throw new \InvalidArgumentException('Invalid challenge.');
60			}
61
62			/** @see 7.2.9 */
63			$rpId = $rpId ?? $publicKeyCredentialRequestOptions->getRpId();
64			if (null === $rpId) {
65			throw new \InvalidArgumentException('No rpId.');
66			}
67			$parsedRelyingPartyId = parse_url($C->getOrigin());
68			if (!array_key_exists('host', $parsedRelyingPartyId) \|\| !\is_string($parsedRelyingPartyId['host'])) {
69			throw new \InvalidArgumentException('Invalid origin rpId.');
70			}
71			if ($parsedRelyingPartyId['host'] !== $rpId) {
72			throw new \InvalidArgumentException('rpId mismatch.');
73			}
74
75			/* @see 7.2.10 */
76			if ($C->getTokenBinding()) {
77			throw new \InvalidArgumentException('Token binding not supported.');
78			}
79
80			/** @see 7.2.11 */
81			$rpIdHash = hash('sha256', $rpId, true);
82			if (!hash_equals($rpIdHash, $authenticatorAssertionResponse->getAuthenticatorData()->getRpIdHash())) {
83			throw new \InvalidArgumentException('rpId hash mismatch.');
84			}
85
86			/* @see 7.2.12 */
87			if (!$authenticatorAssertionResponse->getAuthenticatorData()->isUserPresent()) {
88			throw new \InvalidArgumentException('User was not present');
89			}
90
91			/* @see 7.2.13 */
92			if (AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED === $publicKeyCredentialRequestOptions->getUserVerification() && !$authenticatorAssertionResponse->getAuthenticatorData()->isUserVerified()) {
93			throw new \InvalidArgumentException('User authentication required.');
94			}
95
96			/* @see 7.2.14 */
97			if (0 !== $publicKeyCredentialRequestOptions->getExtensions()->count()) {
98			throw new \InvalidArgumentException('Extensions not supported.');
99			}
100
101			/** @see 7.2.15 */
102			$getClientDataJSONHash = hash('sha256', $authenticatorAssertionResponse->getClientDataJSON()->getRawData(), true);
103
104			/* @see 7.2.16 */
105			$coseKey = $credentialPublicKey->getNormalizedData();
106			$key = "\04".$coseKey[-2].$coseKey[-3];
107			if (1 !== openssl_verify($authenticatorAssertionResponse->getAuthenticatorData()->getAuthData().$getClientDataJSONHash, $authenticatorAssertionResponse->getSignature(), $this->getPublicKeyAsPem($key), OPENSSL_ALGO_SHA256)) {
108			throw new \InvalidArgumentException('Invalid signature.');
109			}
110
111			/* @see 7.2.17 */
112			$storedCounter = $this->credentialRepository->getCredentialCounter($credentialId);
113			$currentCounter = $authenticatorAssertionResponse->getAuthenticatorData()->getSignCount();
114			if ($storedCounter >= $currentCounter) {
115			throw new \InvalidArgumentException('Invalid counter.');
116			}
117			$this->credentialRepository->updateCredentialCounter($credentialId, $currentCounter);
118
119			/* @see 7.2.18 */
120			//Great!
121			}
122
123			private function getPublicKeyAsPem(string $key): string
124			{
125			$der = "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01";
126			$der .= "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42";
127			$der .= "\0".$key;
128
129			$pem = '-----BEGIN PUBLIC KEY-----'.PHP_EOL;
130			$pem .= chunk_split(base64_encode($der), 64, PHP_EOL);
131			$pem .= '-----END PUBLIC KEY-----'.PHP_EOL;
132
133			return $pem;
134			}
135
136			private function isCredentialIdAllowed(string $credentialId, array $allowedCredentials): bool
137			{
138			foreach ($allowedCredentials as $allowedCredential) {
139			if (hash_equals($allowedCredential->getId(), $credentialId)) {
140			return true;
141			}
142			}
143
144			return false;
145			}
146			}
147

Spomky-Labs / u2f-php

Push — master ( d96c64...807a21 )

AuthenticatorAssertionResponseValidator A

Complexity

Size/Duplication

Importance

4 Methods

Duplication Side-by-Side

Filter issues like