@@ -116,13 +116,13 @@ discard block |
116 | 116 | */ |
117 | 117 | public function __construct($appId, $attestDir = null, $facetIds = null) |
118 | 118 | { |
119 | - if(OPENSSL_VERSION_NUMBER < 0x10000000) { |
|
120 | - throw new Error('OpenSSL has to be at least version 1.0.0, this is ' . OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL); |
|
119 | + if (OPENSSL_VERSION_NUMBER < 0x10000000) { |
|
120 | + throw new Error('OpenSSL has to be at least version 1.0.0, this is '.OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL); |
|
121 | 121 | } |
122 | 122 | $this->appId = $appId; |
123 | 123 | $this->attestDir = $attestDir; |
124 | 124 | |
125 | - if(!is_array($facetIds)) { |
|
125 | + if (!is_array($facetIds)) { |
|
126 | 126 | $facetIds = [$appId]; |
127 | 127 | } |
128 | 128 | $this->facetIds = $facetIds; |
@@ -159,19 +159,19 @@ discard block |
159 | 159 | */ |
160 | 160 | public function doRegister($request, $response, $includeCert = true) |
161 | 161 | { |
162 | - if( !is_object( $request ) ) { |
|
162 | + if (!is_object($request)) { |
|
163 | 163 | throw new \InvalidArgumentException('$request of doRegister() method only accepts object.'); |
164 | 164 | } |
165 | 165 | |
166 | - if( !is_object( $response ) ) { |
|
166 | + if (!is_object($response)) { |
|
167 | 167 | throw new \InvalidArgumentException('$response of doRegister() method only accepts object.'); |
168 | 168 | } |
169 | 169 | |
170 | - if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) { |
|
171 | - throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING ); |
|
170 | + if (property_exists($response, 'errorCode') && $response->errorCode !== 0) { |
|
171 | + throw new Error('User-agent returned error. Error code: '.$response->errorCode, ERR_BAD_UA_RETURNING); |
|
172 | 172 | } |
173 | 173 | |
174 | - if( !is_bool( $includeCert ) ) { |
|
174 | + if (!is_bool($includeCert)) { |
|
175 | 175 | throw new \InvalidArgumentException('$include_cert of doRegister() method only accepts boolean.'); |
176 | 176 | } |
177 | 177 | |
@@ -180,15 +180,15 @@ discard block |
180 | 180 | $clientData = $this->base64u_decode($response->clientData); |
181 | 181 | $cli = json_decode($clientData); |
182 | 182 | |
183 | - if($cli->challenge !== $request->challenge) { |
|
184 | - throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE ); |
|
183 | + if ($cli->challenge !== $request->challenge) { |
|
184 | + throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE); |
|
185 | 185 | } |
186 | 186 | |
187 | - if(isset($cli->typ) && $cli->typ !== REQUEST_TYPE_REGISTER) { |
|
187 | + if (isset($cli->typ) && $cli->typ !== REQUEST_TYPE_REGISTER) { |
|
188 | 188 | throw new Error('ClientData type is invalid', ERR_BAD_TYPE); |
189 | 189 | } |
190 | 190 | |
191 | - if(isset($cli->origin) && !in_array($cli->origin, $this->facetIds, true)) { |
|
191 | + if (isset($cli->origin) && !in_array($cli->origin, $this->facetIds, true)) { |
|
192 | 192 | throw new Error('App ID does not match the origin', ERR_NO_MATCHING_ORIGIN); |
193 | 193 | } |
194 | 194 | |
@@ -198,8 +198,8 @@ discard block |
198 | 198 | $offs += PUBKEY_LEN; |
199 | 199 | // decode the pubKey to make sure it's good |
200 | 200 | $tmpKey = $this->pubkey_to_pem($pubKey); |
201 | - if($tmpKey === null) { |
|
202 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
201 | + if ($tmpKey === null) { |
|
202 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
203 | 203 | } |
204 | 204 | $registration->publicKey = base64_encode($pubKey); |
205 | 205 | $khLen = $regData[$offs++]; |
@@ -217,17 +217,17 @@ discard block |
217 | 217 | $pemCert = "-----BEGIN CERTIFICATE-----\r\n"; |
218 | 218 | $pemCert .= chunk_split(base64_encode($rawCert), 64); |
219 | 219 | $pemCert .= "-----END CERTIFICATE-----"; |
220 | - if($includeCert) { |
|
220 | + if ($includeCert) { |
|
221 | 221 | $registration->certificate = base64_encode($rawCert); |
222 | 222 | } |
223 | - if($this->attestDir) { |
|
224 | - if(openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) { |
|
225 | - throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION ); |
|
223 | + if ($this->attestDir) { |
|
224 | + if (openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) { |
|
225 | + throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION); |
|
226 | 226 | } |
227 | 227 | } |
228 | 228 | |
229 | - if(!openssl_pkey_get_public($pemCert)) { |
|
230 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
229 | + if (!openssl_pkey_get_public($pemCert)) { |
|
230 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
231 | 231 | } |
232 | 232 | $signature = substr($rawReg, $offs); |
233 | 233 | |
@@ -237,10 +237,10 @@ discard block |
237 | 237 | $dataToVerify .= $kh; |
238 | 238 | $dataToVerify .= $pubKey; |
239 | 239 | |
240 | - if(openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) { |
|
240 | + if (openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) { |
|
241 | 241 | return $registration; |
242 | 242 | } else { |
243 | - throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE ); |
|
243 | + throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE); |
|
244 | 244 | } |
245 | 245 | } |
246 | 246 | |
@@ -256,7 +256,7 @@ discard block |
256 | 256 | $sigs = array(); |
257 | 257 | $challenge = $this->createChallenge(); |
258 | 258 | foreach ($registrations as $reg) { |
259 | - if( !is_object( $reg ) ) { |
|
259 | + if (!is_object($reg)) { |
|
260 | 260 | throw new \InvalidArgumentException('$registrations of getAuthenticateData() method only accepts array of object.'); |
261 | 261 | } |
262 | 262 | /** @var Registration $reg */ |
@@ -286,12 +286,12 @@ discard block |
286 | 286 | */ |
287 | 287 | public function doAuthenticate(array $requests, array $registrations, $response) |
288 | 288 | { |
289 | - if( !is_object( $response ) ) { |
|
289 | + if (!is_object($response)) { |
|
290 | 290 | throw new \InvalidArgumentException('$response of doAuthenticate() method only accepts object.'); |
291 | 291 | } |
292 | 292 | |
293 | - if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) { |
|
294 | - throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING ); |
|
293 | + if (property_exists($response, 'errorCode') && $response->errorCode !== 0) { |
|
294 | + throw new Error('User-agent returned error. Error code: '.$response->errorCode, ERR_BAD_UA_RETURNING); |
|
295 | 295 | } |
296 | 296 | |
297 | 297 | /** @var object|null $req */ |
@@ -303,43 +303,43 @@ discard block |
303 | 303 | $clientData = $this->base64u_decode($response->clientData); |
304 | 304 | $decodedClient = json_decode($clientData); |
305 | 305 | |
306 | - if(isset($decodedClient->typ) && $decodedClient->typ !== REQUEST_TYPE_AUTHENTICATE) { |
|
306 | + if (isset($decodedClient->typ) && $decodedClient->typ !== REQUEST_TYPE_AUTHENTICATE) { |
|
307 | 307 | throw new Error('ClientData type is invalid', ERR_BAD_TYPE); |
308 | 308 | } |
309 | 309 | |
310 | 310 | foreach ($requests as $req) { |
311 | - if( !is_object( $req ) ) { |
|
311 | + if (!is_object($req)) { |
|
312 | 312 | throw new \InvalidArgumentException('$requests of doAuthenticate() method only accepts array of object.'); |
313 | 313 | } |
314 | 314 | |
315 | - if($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) { |
|
315 | + if ($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) { |
|
316 | 316 | break; |
317 | 317 | } |
318 | 318 | |
319 | 319 | $req = null; |
320 | 320 | } |
321 | - if($req === null) { |
|
322 | - throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST ); |
|
321 | + if ($req === null) { |
|
322 | + throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST); |
|
323 | 323 | } |
324 | - if(isset($decodedClient->origin) && !in_array($decodedClient->origin, $this->facetIds, true)) { |
|
324 | + if (isset($decodedClient->origin) && !in_array($decodedClient->origin, $this->facetIds, true)) { |
|
325 | 325 | throw new Error('App ID does not match the origin', ERR_NO_MATCHING_ORIGIN); |
326 | 326 | } |
327 | 327 | foreach ($registrations as $reg) { |
328 | - if( !is_object( $reg ) ) { |
|
328 | + if (!is_object($reg)) { |
|
329 | 329 | throw new \InvalidArgumentException('$registrations of doAuthenticate() method only accepts array of object.'); |
330 | 330 | } |
331 | 331 | |
332 | - if($reg->keyHandle === $response->keyHandle) { |
|
332 | + if ($reg->keyHandle === $response->keyHandle) { |
|
333 | 333 | break; |
334 | 334 | } |
335 | 335 | $reg = null; |
336 | 336 | } |
337 | - if($reg === null) { |
|
338 | - throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION ); |
|
337 | + if ($reg === null) { |
|
338 | + throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION); |
|
339 | 339 | } |
340 | 340 | $pemKey = $this->pubkey_to_pem($this->base64u_decode($reg->publicKey)); |
341 | - if($pemKey === null) { |
|
342 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
341 | + if ($pemKey === null) { |
|
342 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
343 | 343 | } |
344 | 344 | |
345 | 345 | $signData = $this->base64u_decode($response->signatureData); |
@@ -348,22 +348,22 @@ discard block |
348 | 348 | $dataToVerify .= hash('sha256', $clientData, true); |
349 | 349 | $signature = substr($signData, 5); |
350 | 350 | |
351 | - if(openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) { |
|
351 | + if (openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) { |
|
352 | 352 | $upb = unpack("Cupb", substr($signData, 0, 1)); |
353 | - if($upb['upb'] !== 1) { |
|
354 | - throw new Error('User presence byte value is invalid', ERR_BAD_USER_PRESENCE ); |
|
353 | + if ($upb['upb'] !== 1) { |
|
354 | + throw new Error('User presence byte value is invalid', ERR_BAD_USER_PRESENCE); |
|
355 | 355 | } |
356 | 356 | $ctr = unpack("Nctr", substr($signData, 1, 4)); |
357 | 357 | $counter = $ctr['ctr']; |
358 | 358 | /* TODO: wrap-around should be handled somehow.. */ |
359 | - if($counter > $reg->counter) { |
|
359 | + if ($counter > $reg->counter) { |
|
360 | 360 | $reg->counter = $counter; |
361 | 361 | return self::castObjectToRegistration($reg); |
362 | 362 | } else { |
363 | - throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW ); |
|
363 | + throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW); |
|
364 | 364 | } |
365 | 365 | } else { |
366 | - throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE ); |
|
366 | + throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE); |
|
367 | 367 | } |
368 | 368 | } |
369 | 369 | |
@@ -396,9 +396,9 @@ discard block |
396 | 396 | { |
397 | 397 | $files = array(); |
398 | 398 | $dir = $this->attestDir; |
399 | - if($dir !== null && is_dir($dir) && $handle = opendir($dir)) { |
|
400 | - while(false !== ($entry = readdir($handle))) { |
|
401 | - if(is_file("$dir/$entry")) { |
|
399 | + if ($dir !== null && is_dir($dir) && $handle = opendir($dir)) { |
|
400 | + while (false !== ($entry = readdir($handle))) { |
|
401 | + if (is_file("$dir/$entry")) { |
|
402 | 402 | $files[] = "$dir/$entry"; |
403 | 403 | } |
404 | 404 | } |
@@ -433,7 +433,7 @@ discard block |
433 | 433 | */ |
434 | 434 | private function pubkey_to_pem($key) |
435 | 435 | { |
436 | - if(strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") { |
|
436 | + if (strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") { |
|
437 | 437 | return null; |
438 | 438 | } |
439 | 439 | |
@@ -465,7 +465,7 @@ discard block |
465 | 465 | private function createChallenge() |
466 | 466 | { |
467 | 467 | $challenge = random_bytes(32); |
468 | - $challenge = $this->base64u_encode( $challenge ); |
|
468 | + $challenge = $this->base64u_encode($challenge); |
|
469 | 469 | |
470 | 470 | return $challenge; |
471 | 471 | } |
@@ -478,7 +478,7 @@ discard block |
478 | 478 | */ |
479 | 479 | private function fixSignatureUnusedBits($cert) |
480 | 480 | { |
481 | - if(in_array(hash('sha256', $cert), $this->FIXCERTS, true)) { |
|
481 | + if (in_array(hash('sha256', $cert), $this->FIXCERTS, true)) { |
|
482 | 482 | $cert[strlen($cert) - 257] = "\0"; |
483 | 483 | } |
484 | 484 | return $cert; |