Yubico /
php-u2flib-server
@@ -408,7 +408,7 @@ |
||
| 408 | 408 | * Fixes a certificate where the signature contains unused bits. |
| 409 | 409 | * |
| 410 | 410 | * @param string $cert |
| 411 | - * @return mixed |
|
| 411 | + * @return string |
|
| 412 | 412 | */ |
| 413 | 413 | private function fixSignatureUnusedBits($cert) |
| 414 | 414 | { |
@@ -97,8 +97,8 @@ discard block |
||
| 97 | 97 | */ |
| 98 | 98 | public function __construct($appId, $attestDir = null) |
| 99 | 99 | { |
| 100 | - if(OPENSSL_VERSION_NUMBER < 0x10000000) { |
|
| 101 | - throw new Error('OpenSSL has to be at least version 1.0.0, this is ' . OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL); |
|
| 100 | + if (OPENSSL_VERSION_NUMBER < 0x10000000) { |
|
| 101 | + throw new Error('OpenSSL has to be at least version 1.0.0, this is '.OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL); |
|
| 102 | 102 | } |
| 103 | 103 | $this->appId = $appId; |
| 104 | 104 | $this->attestDir = $attestDir; |
@@ -135,19 +135,19 @@ discard block |
||
| 135 | 135 | */ |
| 136 | 136 | public function doRegister($request, $response, $includeCert = true) |
| 137 | 137 | { |
| 138 | - if( !is_object( $request ) ) { |
|
| 138 | + if (!is_object($request)) { |
|
| 139 | 139 | throw new \InvalidArgumentException('$request of doRegister() method only accepts object.'); |
| 140 | 140 | } |
| 141 | 141 | |
| 142 | - if( !is_object( $response ) ) { |
|
| 142 | + if (!is_object($response)) { |
|
| 143 | 143 | throw new \InvalidArgumentException('$response of doRegister() method only accepts object.'); |
| 144 | 144 | } |
| 145 | 145 | |
| 146 | - if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) { |
|
| 147 | - throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING ); |
|
| 146 | + if (property_exists($response, 'errorCode') && $response->errorCode !== 0) { |
|
| 147 | + throw new Error('User-agent returned error. Error code: '.$response->errorCode, ERR_BAD_UA_RETURNING); |
|
| 148 | 148 | } |
| 149 | 149 | |
| 150 | - if( !is_bool( $includeCert ) ) { |
|
| 150 | + if (!is_bool($includeCert)) { |
|
| 151 | 151 | throw new \InvalidArgumentException('$include_cert of doRegister() method only accepts boolean.'); |
| 152 | 152 | } |
| 153 | 153 | |
@@ -156,8 +156,8 @@ discard block |
||
| 156 | 156 | $clientData = $this->base64u_decode($response->clientData); |
| 157 | 157 | $cli = json_decode($clientData); |
| 158 | 158 | |
| 159 | - if($cli->challenge !== $request->challenge) { |
|
| 160 | - throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE ); |
|
| 159 | + if ($cli->challenge !== $request->challenge) { |
|
| 160 | + throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE); |
|
| 161 | 161 | } |
| 162 | 162 | |
| 163 | 163 | $registration = new Registration(); |
@@ -166,8 +166,8 @@ discard block |
||
| 166 | 166 | $offs += PUBKEY_LEN; |
| 167 | 167 | // decode the pubKey to make sure it's good |
| 168 | 168 | $tmpKey = $this->pubkey_to_pem($pubKey); |
| 169 | - if($tmpKey === null) { |
|
| 170 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
| 169 | + if ($tmpKey === null) { |
|
| 170 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
| 171 | 171 | } |
| 172 | 172 | $registration->publicKey = base64_encode($pubKey); |
| 173 | 173 | $khLen = $regData[$offs++]; |
@@ -185,17 +185,17 @@ discard block |
||
| 185 | 185 | $pemCert = "-----BEGIN CERTIFICATE-----\r\n"; |
| 186 | 186 | $pemCert .= chunk_split(base64_encode($rawCert), 64); |
| 187 | 187 | $pemCert .= "-----END CERTIFICATE-----"; |
| 188 | - if($includeCert) { |
|
| 188 | + if ($includeCert) { |
|
| 189 | 189 | $registration->certificate = base64_encode($rawCert); |
| 190 | 190 | } |
| 191 | - if($this->attestDir) { |
|
| 192 | - if(openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) { |
|
| 193 | - throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION ); |
|
| 191 | + if ($this->attestDir) { |
|
| 192 | + if (openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) { |
|
| 193 | + throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION); |
|
| 194 | 194 | } |
| 195 | 195 | } |
| 196 | 196 | |
| 197 | - if(!openssl_pkey_get_public($pemCert)) { |
|
| 198 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
| 197 | + if (!openssl_pkey_get_public($pemCert)) { |
|
| 198 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
| 199 | 199 | } |
| 200 | 200 | $signature = substr($rawReg, $offs); |
| 201 | 201 | |
@@ -205,10 +205,10 @@ discard block |
||
| 205 | 205 | $dataToVerify .= $kh; |
| 206 | 206 | $dataToVerify .= $pubKey; |
| 207 | 207 | |
| 208 | - if(openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) { |
|
| 208 | + if (openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) { |
|
| 209 | 209 | return $registration; |
| 210 | 210 | } else { |
| 211 | - throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE ); |
|
| 211 | + throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE); |
|
| 212 | 212 | } |
| 213 | 213 | } |
| 214 | 214 | |
@@ -224,7 +224,7 @@ discard block |
||
| 224 | 224 | $sigs = array(); |
| 225 | 225 | $challenge = $this->createChallenge(); |
| 226 | 226 | foreach ($registrations as $reg) { |
| 227 | - if( !is_object( $reg ) ) { |
|
| 227 | + if (!is_object($reg)) { |
|
| 228 | 228 | throw new \InvalidArgumentException('$registrations of getAuthenticateData() method only accepts array of object.'); |
| 229 | 229 | } |
| 230 | 230 | |
@@ -253,12 +253,12 @@ discard block |
||
| 253 | 253 | */ |
| 254 | 254 | public function doAuthenticate(array $requests, array $registrations, $response) |
| 255 | 255 | { |
| 256 | - if( !is_object( $response ) ) { |
|
| 256 | + if (!is_object($response)) { |
|
| 257 | 257 | throw new \InvalidArgumentException('$response of doAuthenticate() method only accepts object.'); |
| 258 | 258 | } |
| 259 | 259 | |
| 260 | - if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) { |
|
| 261 | - throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING ); |
|
| 260 | + if (property_exists($response, 'errorCode') && $response->errorCode !== 0) { |
|
| 261 | + throw new Error('User-agent returned error. Error code: '.$response->errorCode, ERR_BAD_UA_RETURNING); |
|
| 262 | 262 | } |
| 263 | 263 | |
| 264 | 264 | /** @var object|null $req */ |
@@ -270,35 +270,35 @@ discard block |
||
| 270 | 270 | $clientData = $this->base64u_decode($response->clientData); |
| 271 | 271 | $decodedClient = json_decode($clientData); |
| 272 | 272 | foreach ($requests as $req) { |
| 273 | - if( !is_object( $req ) ) { |
|
| 273 | + if (!is_object($req)) { |
|
| 274 | 274 | throw new \InvalidArgumentException('$requests of doAuthenticate() method only accepts array of object.'); |
| 275 | 275 | } |
| 276 | 276 | |
| 277 | - if($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) { |
|
| 277 | + if ($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) { |
|
| 278 | 278 | break; |
| 279 | 279 | } |
| 280 | 280 | |
| 281 | 281 | $req = null; |
| 282 | 282 | } |
| 283 | - if($req === null) { |
|
| 284 | - throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST ); |
|
| 283 | + if ($req === null) { |
|
| 284 | + throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST); |
|
| 285 | 285 | } |
| 286 | 286 | foreach ($registrations as $reg) { |
| 287 | - if( !is_object( $reg ) ) { |
|
| 287 | + if (!is_object($reg)) { |
|
| 288 | 288 | throw new \InvalidArgumentException('$registrations of doAuthenticate() method only accepts array of object.'); |
| 289 | 289 | } |
| 290 | 290 | |
| 291 | - if($reg->keyHandle === $response->keyHandle) { |
|
| 291 | + if ($reg->keyHandle === $response->keyHandle) { |
|
| 292 | 292 | break; |
| 293 | 293 | } |
| 294 | 294 | $reg = null; |
| 295 | 295 | } |
| 296 | - if($reg === null) { |
|
| 297 | - throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION ); |
|
| 296 | + if ($reg === null) { |
|
| 297 | + throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION); |
|
| 298 | 298 | } |
| 299 | 299 | $pemKey = $this->pubkey_to_pem($this->base64u_decode($reg->publicKey)); |
| 300 | - if($pemKey === null) { |
|
| 301 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
| 300 | + if ($pemKey === null) { |
|
| 301 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
| 302 | 302 | } |
| 303 | 303 | |
| 304 | 304 | $signData = $this->base64u_decode($response->signatureData); |
@@ -307,18 +307,18 @@ discard block |
||
| 307 | 307 | $dataToVerify .= hash('sha256', $clientData, true); |
| 308 | 308 | $signature = substr($signData, 5); |
| 309 | 309 | |
| 310 | - if(openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) { |
|
| 310 | + if (openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) { |
|
| 311 | 311 | $ctr = unpack("Nctr", substr($signData, 1, 4)); |
| 312 | 312 | $counter = $ctr['ctr']; |
| 313 | 313 | /* TODO: wrap-around should be handled somehow.. */ |
| 314 | - if($counter > $reg->counter) { |
|
| 314 | + if ($counter > $reg->counter) { |
|
| 315 | 315 | $reg->counter = $counter; |
| 316 | 316 | return $reg; |
| 317 | 317 | } else { |
| 318 | - throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW ); |
|
| 318 | + throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW); |
|
| 319 | 319 | } |
| 320 | 320 | } else { |
| 321 | - throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE ); |
|
| 321 | + throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE); |
|
| 322 | 322 | } |
| 323 | 323 | } |
| 324 | 324 | |
@@ -329,9 +329,9 @@ discard block |
||
| 329 | 329 | { |
| 330 | 330 | $files = array(); |
| 331 | 331 | $dir = $this->attestDir; |
| 332 | - if($dir && $handle = opendir($dir)) { |
|
| 333 | - while(false !== ($entry = readdir($handle))) { |
|
| 334 | - if(is_file("$dir/$entry")) { |
|
| 332 | + if ($dir && $handle = opendir($dir)) { |
|
| 333 | + while (false !== ($entry = readdir($handle))) { |
|
| 334 | + if (is_file("$dir/$entry")) { |
|
| 335 | 335 | $files[] = "$dir/$entry"; |
| 336 | 336 | } |
| 337 | 337 | } |
@@ -364,7 +364,7 @@ discard block |
||
| 364 | 364 | */ |
| 365 | 365 | private function pubkey_to_pem($key) |
| 366 | 366 | { |
| 367 | - if(strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") { |
|
| 367 | + if (strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") { |
|
| 368 | 368 | return null; |
| 369 | 369 | } |
| 370 | 370 | |
@@ -395,12 +395,12 @@ discard block |
||
| 395 | 395 | */ |
| 396 | 396 | private function createChallenge() |
| 397 | 397 | { |
| 398 | - $challenge = openssl_random_pseudo_bytes(32, $crypto_strong ); |
|
| 399 | - if( $crypto_strong !== true ) { |
|
| 398 | + $challenge = openssl_random_pseudo_bytes(32, $crypto_strong); |
|
| 399 | + if ($crypto_strong !== true) { |
|
| 400 | 400 | throw new Error('Unable to obtain a good source of randomness', ERR_BAD_RANDOM); |
| 401 | 401 | } |
| 402 | 402 | |
| 403 | - $challenge = $this->base64u_encode( $challenge ); |
|
| 403 | + $challenge = $this->base64u_encode($challenge); |
|
| 404 | 404 | |
| 405 | 405 | return $challenge; |
| 406 | 406 | } |
@@ -413,7 +413,7 @@ discard block |
||
| 413 | 413 | */ |
| 414 | 414 | private function fixSignatureUnusedBits($cert) |
| 415 | 415 | { |
| 416 | - if(in_array(hash('sha256', $cert), $this->FIXCERTS)) { |
|
| 416 | + if (in_array(hash('sha256', $cert), $this->FIXCERTS)) { |
|
| 417 | 417 | $cert[strlen($cert) - 257] = "\0"; |
| 418 | 418 | } |
| 419 | 419 | return $cert; |
