Yubico /
php-u2flib-server
@@ -116,13 +116,13 @@ discard block |
||
| 116 | 116 | */ |
| 117 | 117 | public function __construct($appId, $attestDir = null, $facetIds = null) |
| 118 | 118 | { |
| 119 | - if(OPENSSL_VERSION_NUMBER < 0x10000000) { |
|
| 120 | - throw new Error('OpenSSL has to be at least version 1.0.0, this is ' . OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL); |
|
| 119 | + if (OPENSSL_VERSION_NUMBER < 0x10000000) { |
|
| 120 | + throw new Error('OpenSSL has to be at least version 1.0.0, this is '.OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL); |
|
| 121 | 121 | } |
| 122 | 122 | $this->appId = $appId; |
| 123 | 123 | $this->attestDir = $attestDir; |
| 124 | 124 | |
| 125 | - if(!is_array($facetIds)) { |
|
| 125 | + if (!is_array($facetIds)) { |
|
| 126 | 126 | $facetIds = [$appId]; |
| 127 | 127 | } |
| 128 | 128 | $this->facetIds = $facetIds; |
@@ -159,19 +159,19 @@ discard block |
||
| 159 | 159 | */ |
| 160 | 160 | public function doRegister($request, $response, $includeCert = true) |
| 161 | 161 | { |
| 162 | - if( !is_object( $request ) ) { |
|
| 162 | + if (!is_object($request)) { |
|
| 163 | 163 | throw new \InvalidArgumentException('$request of doRegister() method only accepts object.'); |
| 164 | 164 | } |
| 165 | 165 | |
| 166 | - if( !is_object( $response ) ) { |
|
| 166 | + if (!is_object($response)) { |
|
| 167 | 167 | throw new \InvalidArgumentException('$response of doRegister() method only accepts object.'); |
| 168 | 168 | } |
| 169 | 169 | |
| 170 | - if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) { |
|
| 171 | - throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING ); |
|
| 170 | + if (property_exists($response, 'errorCode') && $response->errorCode !== 0) { |
|
| 171 | + throw new Error('User-agent returned error. Error code: '.$response->errorCode, ERR_BAD_UA_RETURNING); |
|
| 172 | 172 | } |
| 173 | 173 | |
| 174 | - if( !is_bool( $includeCert ) ) { |
|
| 174 | + if (!is_bool($includeCert)) { |
|
| 175 | 175 | throw new \InvalidArgumentException('$include_cert of doRegister() method only accepts boolean.'); |
| 176 | 176 | } |
| 177 | 177 | |
@@ -180,15 +180,15 @@ discard block |
||
| 180 | 180 | $clientData = $this->base64u_decode($response->clientData); |
| 181 | 181 | $cli = json_decode($clientData); |
| 182 | 182 | |
| 183 | - if($cli->challenge !== $request->challenge) { |
|
| 184 | - throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE ); |
|
| 183 | + if ($cli->challenge !== $request->challenge) { |
|
| 184 | + throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE); |
|
| 185 | 185 | } |
| 186 | 186 | |
| 187 | - if(isset($cli->typ) && $cli->typ !== REQUEST_TYPE_REGISTER) { |
|
| 187 | + if (isset($cli->typ) && $cli->typ !== REQUEST_TYPE_REGISTER) { |
|
| 188 | 188 | throw new Error('ClientData type is invalid', ERR_BAD_TYPE); |
| 189 | 189 | } |
| 190 | 190 | |
| 191 | - if(isset($cli->origin) && !in_array($cli->origin, $this->facetIds, true)) { |
|
| 191 | + if (isset($cli->origin) && !in_array($cli->origin, $this->facetIds, true)) { |
|
| 192 | 192 | throw new Error('App ID does not match the origin', ERR_NO_MATCHING_ORIGIN); |
| 193 | 193 | } |
| 194 | 194 | |
@@ -198,8 +198,8 @@ discard block |
||
| 198 | 198 | $offs += PUBKEY_LEN; |
| 199 | 199 | // decode the pubKey to make sure it's good |
| 200 | 200 | $tmpKey = $this->pubkey_to_pem($pubKey); |
| 201 | - if($tmpKey === null) { |
|
| 202 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
| 201 | + if ($tmpKey === null) { |
|
| 202 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
| 203 | 203 | } |
| 204 | 204 | $registration->publicKey = base64_encode($pubKey); |
| 205 | 205 | $khLen = $regData[$offs++]; |
@@ -217,17 +217,17 @@ discard block |
||
| 217 | 217 | $pemCert = "-----BEGIN CERTIFICATE-----\r\n"; |
| 218 | 218 | $pemCert .= chunk_split(base64_encode($rawCert), 64); |
| 219 | 219 | $pemCert .= "-----END CERTIFICATE-----"; |
| 220 | - if($includeCert) { |
|
| 220 | + if ($includeCert) { |
|
| 221 | 221 | $registration->certificate = base64_encode($rawCert); |
| 222 | 222 | } |
| 223 | - if($this->attestDir) { |
|
| 224 | - if(openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) { |
|
| 225 | - throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION ); |
|
| 223 | + if ($this->attestDir) { |
|
| 224 | + if (openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) { |
|
| 225 | + throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION); |
|
| 226 | 226 | } |
| 227 | 227 | } |
| 228 | 228 | |
| 229 | - if(!openssl_pkey_get_public($pemCert)) { |
|
| 230 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
| 229 | + if (!openssl_pkey_get_public($pemCert)) { |
|
| 230 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
| 231 | 231 | } |
| 232 | 232 | $signature = substr($rawReg, $offs); |
| 233 | 233 | |
@@ -237,10 +237,10 @@ discard block |
||
| 237 | 237 | $dataToVerify .= $kh; |
| 238 | 238 | $dataToVerify .= $pubKey; |
| 239 | 239 | |
| 240 | - if(openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) { |
|
| 240 | + if (openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) { |
|
| 241 | 241 | return $registration; |
| 242 | 242 | } else { |
| 243 | - throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE ); |
|
| 243 | + throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE); |
|
| 244 | 244 | } |
| 245 | 245 | } |
| 246 | 246 | |
@@ -256,7 +256,7 @@ discard block |
||
| 256 | 256 | $sigs = array(); |
| 257 | 257 | $challenge = $this->createChallenge(); |
| 258 | 258 | foreach ($registrations as $reg) { |
| 259 | - if( !is_object( $reg ) ) { |
|
| 259 | + if (!is_object($reg)) { |
|
| 260 | 260 | throw new \InvalidArgumentException('$registrations of getAuthenticateData() method only accepts array of object.'); |
| 261 | 261 | } |
| 262 | 262 | /** @var Registration $reg */ |
@@ -286,12 +286,12 @@ discard block |
||
| 286 | 286 | */ |
| 287 | 287 | public function doAuthenticate(array $requests, array $registrations, $response) |
| 288 | 288 | { |
| 289 | - if( !is_object( $response ) ) { |
|
| 289 | + if (!is_object($response)) { |
|
| 290 | 290 | throw new \InvalidArgumentException('$response of doAuthenticate() method only accepts object.'); |
| 291 | 291 | } |
| 292 | 292 | |
| 293 | - if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) { |
|
| 294 | - throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING ); |
|
| 293 | + if (property_exists($response, 'errorCode') && $response->errorCode !== 0) { |
|
| 294 | + throw new Error('User-agent returned error. Error code: '.$response->errorCode, ERR_BAD_UA_RETURNING); |
|
| 295 | 295 | } |
| 296 | 296 | |
| 297 | 297 | /** @var object|null $req */ |
@@ -303,43 +303,43 @@ discard block |
||
| 303 | 303 | $clientData = $this->base64u_decode($response->clientData); |
| 304 | 304 | $decodedClient = json_decode($clientData); |
| 305 | 305 | |
| 306 | - if(isset($decodedClient->typ) && $decodedClient->typ !== REQUEST_TYPE_AUTHENTICATE) { |
|
| 306 | + if (isset($decodedClient->typ) && $decodedClient->typ !== REQUEST_TYPE_AUTHENTICATE) { |
|
| 307 | 307 | throw new Error('ClientData type is invalid', ERR_BAD_TYPE); |
| 308 | 308 | } |
| 309 | 309 | |
| 310 | 310 | foreach ($requests as $req) { |
| 311 | - if( !is_object( $req ) ) { |
|
| 311 | + if (!is_object($req)) { |
|
| 312 | 312 | throw new \InvalidArgumentException('$requests of doAuthenticate() method only accepts array of object.'); |
| 313 | 313 | } |
| 314 | 314 | |
| 315 | - if($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) { |
|
| 315 | + if ($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) { |
|
| 316 | 316 | break; |
| 317 | 317 | } |
| 318 | 318 | |
| 319 | 319 | $req = null; |
| 320 | 320 | } |
| 321 | - if($req === null) { |
|
| 322 | - throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST ); |
|
| 321 | + if ($req === null) { |
|
| 322 | + throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST); |
|
| 323 | 323 | } |
| 324 | - if(isset($decodedClient->origin) && !in_array($decodedClient->origin, $this->facetIds, true)) { |
|
| 324 | + if (isset($decodedClient->origin) && !in_array($decodedClient->origin, $this->facetIds, true)) { |
|
| 325 | 325 | throw new Error('App ID does not match the origin', ERR_NO_MATCHING_ORIGIN); |
| 326 | 326 | } |
| 327 | 327 | foreach ($registrations as $reg) { |
| 328 | - if( !is_object( $reg ) ) { |
|
| 328 | + if (!is_object($reg)) { |
|
| 329 | 329 | throw new \InvalidArgumentException('$registrations of doAuthenticate() method only accepts array of object.'); |
| 330 | 330 | } |
| 331 | 331 | |
| 332 | - if($reg->keyHandle === $response->keyHandle) { |
|
| 332 | + if ($reg->keyHandle === $response->keyHandle) { |
|
| 333 | 333 | break; |
| 334 | 334 | } |
| 335 | 335 | $reg = null; |
| 336 | 336 | } |
| 337 | - if($reg === null) { |
|
| 338 | - throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION ); |
|
| 337 | + if ($reg === null) { |
|
| 338 | + throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION); |
|
| 339 | 339 | } |
| 340 | 340 | $pemKey = $this->pubkey_to_pem($this->base64u_decode($reg->publicKey)); |
| 341 | - if($pemKey === null) { |
|
| 342 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
| 341 | + if ($pemKey === null) { |
|
| 342 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
| 343 | 343 | } |
| 344 | 344 | |
| 345 | 345 | $signData = $this->base64u_decode($response->signatureData); |
@@ -348,22 +348,22 @@ discard block |
||
| 348 | 348 | $dataToVerify .= hash('sha256', $clientData, true); |
| 349 | 349 | $signature = substr($signData, 5); |
| 350 | 350 | |
| 351 | - if(openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) { |
|
| 351 | + if (openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) { |
|
| 352 | 352 | $upb = unpack("Cupb", substr($signData, 0, 1)); |
| 353 | - if($upb['upb'] !== 1) { |
|
| 354 | - throw new Error('User presence byte value is invalid', ERR_BAD_USER_PRESENCE ); |
|
| 353 | + if ($upb['upb'] !== 1) { |
|
| 354 | + throw new Error('User presence byte value is invalid', ERR_BAD_USER_PRESENCE); |
|
| 355 | 355 | } |
| 356 | 356 | $ctr = unpack("Nctr", substr($signData, 1, 4)); |
| 357 | 357 | $counter = $ctr['ctr']; |
| 358 | 358 | /* TODO: wrap-around should be handled somehow.. */ |
| 359 | - if($counter > $reg->counter) { |
|
| 359 | + if ($counter > $reg->counter) { |
|
| 360 | 360 | $reg->counter = $counter; |
| 361 | 361 | return self::castObjectToRegistration($reg); |
| 362 | 362 | } else { |
| 363 | - throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW ); |
|
| 363 | + throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW); |
|
| 364 | 364 | } |
| 365 | 365 | } else { |
| 366 | - throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE ); |
|
| 366 | + throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE); |
|
| 367 | 367 | } |
| 368 | 368 | } |
| 369 | 369 | |
@@ -396,9 +396,9 @@ discard block |
||
| 396 | 396 | { |
| 397 | 397 | $files = array(); |
| 398 | 398 | $dir = $this->attestDir; |
| 399 | - if($dir !== null && is_dir($dir) && $handle = opendir($dir)) { |
|
| 400 | - while(false !== ($entry = readdir($handle))) { |
|
| 401 | - if(is_file("$dir/$entry")) { |
|
| 399 | + if ($dir !== null && is_dir($dir) && $handle = opendir($dir)) { |
|
| 400 | + while (false !== ($entry = readdir($handle))) { |
|
| 401 | + if (is_file("$dir/$entry")) { |
|
| 402 | 402 | $files[] = "$dir/$entry"; |
| 403 | 403 | } |
| 404 | 404 | } |
@@ -433,7 +433,7 @@ discard block |
||
| 433 | 433 | */ |
| 434 | 434 | private function pubkey_to_pem($key) |
| 435 | 435 | { |
| 436 | - if(strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") { |
|
| 436 | + if (strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") { |
|
| 437 | 437 | return null; |
| 438 | 438 | } |
| 439 | 439 | |
@@ -465,7 +465,7 @@ discard block |
||
| 465 | 465 | private function createChallenge() |
| 466 | 466 | { |
| 467 | 467 | $challenge = random_bytes(32); |
| 468 | - $challenge = $this->base64u_encode( $challenge ); |
|
| 468 | + $challenge = $this->base64u_encode($challenge); |
|
| 469 | 469 | |
| 470 | 470 | return $challenge; |
| 471 | 471 | } |
@@ -478,7 +478,7 @@ discard block |
||
| 478 | 478 | */ |
| 479 | 479 | private function fixSignatureUnusedBits($cert) |
| 480 | 480 | { |
| 481 | - if(in_array(hash('sha256', $cert), $this->FIXCERTS, true)) { |
|
| 481 | + if (in_array(hash('sha256', $cert), $this->FIXCERTS, true)) { |
|
| 482 | 482 | $cert[strlen($cert) - 257] = "\0"; |
| 483 | 483 | } |
| 484 | 484 | return $cert; |
