@@ -112,8 +112,8 @@ discard block |
112 | 112 | */ |
113 | 113 | public function __construct($appId, $attestDir = null) |
114 | 114 | { |
115 | - if(OPENSSL_VERSION_NUMBER < 0x10000000) { |
|
116 | - throw new Error('OpenSSL has to be at least version 1.0.0, this is ' . OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL); |
|
115 | + if (OPENSSL_VERSION_NUMBER < 0x10000000) { |
|
116 | + throw new Error('OpenSSL has to be at least version 1.0.0, this is '.OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL); |
|
117 | 117 | } |
118 | 118 | $this->appId = $appId; |
119 | 119 | $this->attestDir = $attestDir; |
@@ -150,19 +150,19 @@ discard block |
150 | 150 | */ |
151 | 151 | public function doRegister($request, $response, $includeCert = true) |
152 | 152 | { |
153 | - if( !is_object( $request ) ) { |
|
153 | + if (!is_object($request)) { |
|
154 | 154 | throw new \InvalidArgumentException('$request of doRegister() method only accepts object.'); |
155 | 155 | } |
156 | 156 | |
157 | - if( !is_object( $response ) ) { |
|
157 | + if (!is_object($response)) { |
|
158 | 158 | throw new \InvalidArgumentException('$response of doRegister() method only accepts object.'); |
159 | 159 | } |
160 | 160 | |
161 | - if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) { |
|
162 | - throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING ); |
|
161 | + if (property_exists($response, 'errorCode') && $response->errorCode !== 0) { |
|
162 | + throw new Error('User-agent returned error. Error code: '.$response->errorCode, ERR_BAD_UA_RETURNING); |
|
163 | 163 | } |
164 | 164 | |
165 | - if( !is_bool( $includeCert ) ) { |
|
165 | + if (!is_bool($includeCert)) { |
|
166 | 166 | throw new \InvalidArgumentException('$include_cert of doRegister() method only accepts boolean.'); |
167 | 167 | } |
168 | 168 | |
@@ -171,15 +171,15 @@ discard block |
171 | 171 | $clientData = $this->base64u_decode($response->clientData); |
172 | 172 | $cli = json_decode($clientData); |
173 | 173 | |
174 | - if($cli->challenge !== $request->challenge) { |
|
175 | - throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE ); |
|
174 | + if ($cli->challenge !== $request->challenge) { |
|
175 | + throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE); |
|
176 | 176 | } |
177 | 177 | |
178 | - if(isset($cli->typ) && $cli->typ !== REQUEST_TYPE_REGISTER) { |
|
178 | + if (isset($cli->typ) && $cli->typ !== REQUEST_TYPE_REGISTER) { |
|
179 | 179 | throw new Error('ClientData type is invalid', ERR_BAD_TYPE); |
180 | 180 | } |
181 | 181 | |
182 | - if(isset($cli->origin) && $cli->origin !== $request->appId) { |
|
182 | + if (isset($cli->origin) && $cli->origin !== $request->appId) { |
|
183 | 183 | throw new Error('App ID does not match the origin', ERR_NO_MATCHING_ORIGIN); |
184 | 184 | } |
185 | 185 | |
@@ -189,8 +189,8 @@ discard block |
189 | 189 | $offs += PUBKEY_LEN; |
190 | 190 | // decode the pubKey to make sure it's good |
191 | 191 | $tmpKey = $this->pubkey_to_pem($pubKey); |
192 | - if($tmpKey === null) { |
|
193 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
192 | + if ($tmpKey === null) { |
|
193 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
194 | 194 | } |
195 | 195 | $registration->publicKey = base64_encode($pubKey); |
196 | 196 | $khLen = $regData[$offs++]; |
@@ -208,17 +208,17 @@ discard block |
208 | 208 | $pemCert = "-----BEGIN CERTIFICATE-----\r\n"; |
209 | 209 | $pemCert .= chunk_split(base64_encode($rawCert), 64); |
210 | 210 | $pemCert .= "-----END CERTIFICATE-----"; |
211 | - if($includeCert) { |
|
211 | + if ($includeCert) { |
|
212 | 212 | $registration->certificate = base64_encode($rawCert); |
213 | 213 | } |
214 | - if($this->attestDir) { |
|
215 | - if(openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) { |
|
216 | - throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION ); |
|
214 | + if ($this->attestDir) { |
|
215 | + if (openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) { |
|
216 | + throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION); |
|
217 | 217 | } |
218 | 218 | } |
219 | 219 | |
220 | - if(!openssl_pkey_get_public($pemCert)) { |
|
221 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
220 | + if (!openssl_pkey_get_public($pemCert)) { |
|
221 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
222 | 222 | } |
223 | 223 | $signature = substr($rawReg, $offs); |
224 | 224 | |
@@ -228,10 +228,10 @@ discard block |
228 | 228 | $dataToVerify .= $kh; |
229 | 229 | $dataToVerify .= $pubKey; |
230 | 230 | |
231 | - if(openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) { |
|
231 | + if (openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) { |
|
232 | 232 | return $registration; |
233 | 233 | } else { |
234 | - throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE ); |
|
234 | + throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE); |
|
235 | 235 | } |
236 | 236 | } |
237 | 237 | |
@@ -247,7 +247,7 @@ discard block |
247 | 247 | $sigs = array(); |
248 | 248 | $challenge = $this->createChallenge(); |
249 | 249 | foreach ($registrations as $reg) { |
250 | - if( !is_object( $reg ) ) { |
|
250 | + if (!is_object($reg)) { |
|
251 | 251 | throw new \InvalidArgumentException('$registrations of getAuthenticateData() method only accepts array of object.'); |
252 | 252 | } |
253 | 253 | |
@@ -276,12 +276,12 @@ discard block |
276 | 276 | */ |
277 | 277 | public function doAuthenticate(array $requests, array $registrations, $response) |
278 | 278 | { |
279 | - if( !is_object( $response ) ) { |
|
279 | + if (!is_object($response)) { |
|
280 | 280 | throw new \InvalidArgumentException('$response of doAuthenticate() method only accepts object.'); |
281 | 281 | } |
282 | 282 | |
283 | - if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) { |
|
284 | - throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING ); |
|
283 | + if (property_exists($response, 'errorCode') && $response->errorCode !== 0) { |
|
284 | + throw new Error('User-agent returned error. Error code: '.$response->errorCode, ERR_BAD_UA_RETURNING); |
|
285 | 285 | } |
286 | 286 | |
287 | 287 | /** @var object|null $req */ |
@@ -293,43 +293,43 @@ discard block |
293 | 293 | $clientData = $this->base64u_decode($response->clientData); |
294 | 294 | $decodedClient = json_decode($clientData); |
295 | 295 | |
296 | - if(isset($decodedClient->typ) && $decodedClient->typ !== REQUEST_TYPE_AUTHENTICATE) { |
|
296 | + if (isset($decodedClient->typ) && $decodedClient->typ !== REQUEST_TYPE_AUTHENTICATE) { |
|
297 | 297 | throw new Error('ClientData type is invalid', ERR_BAD_TYPE); |
298 | 298 | } |
299 | 299 | |
300 | 300 | foreach ($requests as $req) { |
301 | - if( !is_object( $req ) ) { |
|
301 | + if (!is_object($req)) { |
|
302 | 302 | throw new \InvalidArgumentException('$requests of doAuthenticate() method only accepts array of object.'); |
303 | 303 | } |
304 | 304 | |
305 | - if($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) { |
|
305 | + if ($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) { |
|
306 | 306 | break; |
307 | 307 | } |
308 | 308 | |
309 | 309 | $req = null; |
310 | 310 | } |
311 | - if($req === null) { |
|
312 | - throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST ); |
|
311 | + if ($req === null) { |
|
312 | + throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST); |
|
313 | 313 | } |
314 | - if(isset($decodedClient->origin) && $decodedClient->origin !== $req->appId) { |
|
314 | + if (isset($decodedClient->origin) && $decodedClient->origin !== $req->appId) { |
|
315 | 315 | throw new Error('App ID does not match the origin', ERR_NO_MATCHING_ORIGIN); |
316 | 316 | } |
317 | 317 | foreach ($registrations as $reg) { |
318 | - if( !is_object( $reg ) ) { |
|
318 | + if (!is_object($reg)) { |
|
319 | 319 | throw new \InvalidArgumentException('$registrations of doAuthenticate() method only accepts array of object.'); |
320 | 320 | } |
321 | 321 | |
322 | - if($reg->keyHandle === $response->keyHandle) { |
|
322 | + if ($reg->keyHandle === $response->keyHandle) { |
|
323 | 323 | break; |
324 | 324 | } |
325 | 325 | $reg = null; |
326 | 326 | } |
327 | - if($reg === null) { |
|
328 | - throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION ); |
|
327 | + if ($reg === null) { |
|
328 | + throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION); |
|
329 | 329 | } |
330 | 330 | $pemKey = $this->pubkey_to_pem($this->base64u_decode($reg->publicKey)); |
331 | - if($pemKey === null) { |
|
332 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
331 | + if ($pemKey === null) { |
|
332 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
333 | 333 | } |
334 | 334 | |
335 | 335 | $signData = $this->base64u_decode($response->signatureData); |
@@ -338,22 +338,22 @@ discard block |
338 | 338 | $dataToVerify .= hash('sha256', $clientData, true); |
339 | 339 | $signature = substr($signData, 5); |
340 | 340 | |
341 | - if(openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) { |
|
341 | + if (openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) { |
|
342 | 342 | $upb = unpack("Cupb", substr($signData, 0, 1)); |
343 | - if($upb['upb'] !== 1) { |
|
344 | - throw new Error('User presence byte value is invalid', ERR_BAD_USER_PRESENCE ); |
|
343 | + if ($upb['upb'] !== 1) { |
|
344 | + throw new Error('User presence byte value is invalid', ERR_BAD_USER_PRESENCE); |
|
345 | 345 | } |
346 | 346 | $ctr = unpack("Nctr", substr($signData, 1, 4)); |
347 | 347 | $counter = $ctr['ctr']; |
348 | 348 | /* TODO: wrap-around should be handled somehow.. */ |
349 | - if($counter > $reg->counter) { |
|
349 | + if ($counter > $reg->counter) { |
|
350 | 350 | $reg->counter = $counter; |
351 | 351 | return $reg; |
352 | 352 | } else { |
353 | - throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW ); |
|
353 | + throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW); |
|
354 | 354 | } |
355 | 355 | } else { |
356 | - throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE ); |
|
356 | + throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE); |
|
357 | 357 | } |
358 | 358 | } |
359 | 359 | |
@@ -364,9 +364,9 @@ discard block |
364 | 364 | { |
365 | 365 | $files = array(); |
366 | 366 | $dir = $this->attestDir; |
367 | - if($dir && $handle = opendir($dir)) { |
|
368 | - while(false !== ($entry = readdir($handle))) { |
|
369 | - if(is_file("$dir/$entry")) { |
|
367 | + if ($dir && $handle = opendir($dir)) { |
|
368 | + while (false !== ($entry = readdir($handle))) { |
|
369 | + if (is_file("$dir/$entry")) { |
|
370 | 370 | $files[] = "$dir/$entry"; |
371 | 371 | } |
372 | 372 | } |
@@ -399,7 +399,7 @@ discard block |
399 | 399 | */ |
400 | 400 | private function pubkey_to_pem($key) |
401 | 401 | { |
402 | - if(strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") { |
|
402 | + if (strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") { |
|
403 | 403 | return null; |
404 | 404 | } |
405 | 405 | |
@@ -430,12 +430,12 @@ discard block |
430 | 430 | */ |
431 | 431 | private function createChallenge() |
432 | 432 | { |
433 | - $challenge = openssl_random_pseudo_bytes(32, $crypto_strong ); |
|
434 | - if( $crypto_strong !== true ) { |
|
433 | + $challenge = openssl_random_pseudo_bytes(32, $crypto_strong); |
|
434 | + if ($crypto_strong !== true) { |
|
435 | 435 | throw new Error('Unable to obtain a good source of randomness', ERR_BAD_RANDOM); |
436 | 436 | } |
437 | 437 | |
438 | - $challenge = $this->base64u_encode( $challenge ); |
|
438 | + $challenge = $this->base64u_encode($challenge); |
|
439 | 439 | |
440 | 440 | return $challenge; |
441 | 441 | } |
@@ -448,7 +448,7 @@ discard block |
448 | 448 | */ |
449 | 449 | private function fixSignatureUnusedBits($cert) |
450 | 450 | { |
451 | - if(in_array(hash('sha256', $cert), $this->FIXCERTS)) { |
|
451 | + if (in_array(hash('sha256', $cert), $this->FIXCERTS)) { |
|
452 | 452 | $cert[strlen($cert) - 257] = "\0"; |
453 | 453 | } |
454 | 454 | return $cert; |