Yubico /
php-u2flib-server
@@ -112,8 +112,8 @@ discard block |
||
| 112 | 112 | */ |
| 113 | 113 | public function __construct($appId, $attestDir = null) |
| 114 | 114 | { |
| 115 | - if(OPENSSL_VERSION_NUMBER < 0x10000000) { |
|
| 116 | - throw new Error('OpenSSL has to be at least version 1.0.0, this is ' . OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL); |
|
| 115 | + if (OPENSSL_VERSION_NUMBER < 0x10000000) { |
|
| 116 | + throw new Error('OpenSSL has to be at least version 1.0.0, this is '.OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL); |
|
| 117 | 117 | } |
| 118 | 118 | $this->appId = $appId; |
| 119 | 119 | $this->attestDir = $attestDir; |
@@ -150,19 +150,19 @@ discard block |
||
| 150 | 150 | */ |
| 151 | 151 | public function doRegister($request, $response, $includeCert = true) |
| 152 | 152 | { |
| 153 | - if( !is_object( $request ) ) { |
|
| 153 | + if (!is_object($request)) { |
|
| 154 | 154 | throw new \InvalidArgumentException('$request of doRegister() method only accepts object.'); |
| 155 | 155 | } |
| 156 | 156 | |
| 157 | - if( !is_object( $response ) ) { |
|
| 157 | + if (!is_object($response)) { |
|
| 158 | 158 | throw new \InvalidArgumentException('$response of doRegister() method only accepts object.'); |
| 159 | 159 | } |
| 160 | 160 | |
| 161 | - if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) { |
|
| 162 | - throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING ); |
|
| 161 | + if (property_exists($response, 'errorCode') && $response->errorCode !== 0) { |
|
| 162 | + throw new Error('User-agent returned error. Error code: '.$response->errorCode, ERR_BAD_UA_RETURNING); |
|
| 163 | 163 | } |
| 164 | 164 | |
| 165 | - if( !is_bool( $includeCert ) ) { |
|
| 165 | + if (!is_bool($includeCert)) { |
|
| 166 | 166 | throw new \InvalidArgumentException('$include_cert of doRegister() method only accepts boolean.'); |
| 167 | 167 | } |
| 168 | 168 | |
@@ -171,15 +171,15 @@ discard block |
||
| 171 | 171 | $clientData = $this->base64u_decode($response->clientData); |
| 172 | 172 | $cli = json_decode($clientData); |
| 173 | 173 | |
| 174 | - if($cli->challenge !== $request->challenge) { |
|
| 175 | - throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE ); |
|
| 174 | + if ($cli->challenge !== $request->challenge) { |
|
| 175 | + throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE); |
|
| 176 | 176 | } |
| 177 | 177 | |
| 178 | - if(isset($cli->typ) && $cli->typ !== REQUEST_TYPE_REGISTER) { |
|
| 178 | + if (isset($cli->typ) && $cli->typ !== REQUEST_TYPE_REGISTER) { |
|
| 179 | 179 | throw new Error('ClientData type is invalid', ERR_BAD_TYPE); |
| 180 | 180 | } |
| 181 | 181 | |
| 182 | - if(isset($cli->origin) && $cli->origin !== $request->appId) { |
|
| 182 | + if (isset($cli->origin) && $cli->origin !== $request->appId) { |
|
| 183 | 183 | throw new Error('App ID does not match the origin', ERR_NO_MATCHING_ORIGIN); |
| 184 | 184 | } |
| 185 | 185 | |
@@ -189,8 +189,8 @@ discard block |
||
| 189 | 189 | $offs += PUBKEY_LEN; |
| 190 | 190 | // decode the pubKey to make sure it's good |
| 191 | 191 | $tmpKey = $this->pubkey_to_pem($pubKey); |
| 192 | - if($tmpKey === null) { |
|
| 193 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
| 192 | + if ($tmpKey === null) { |
|
| 193 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
| 194 | 194 | } |
| 195 | 195 | $registration->publicKey = base64_encode($pubKey); |
| 196 | 196 | $khLen = $regData[$offs++]; |
@@ -208,17 +208,17 @@ discard block |
||
| 208 | 208 | $pemCert = "-----BEGIN CERTIFICATE-----\r\n"; |
| 209 | 209 | $pemCert .= chunk_split(base64_encode($rawCert), 64); |
| 210 | 210 | $pemCert .= "-----END CERTIFICATE-----"; |
| 211 | - if($includeCert) { |
|
| 211 | + if ($includeCert) { |
|
| 212 | 212 | $registration->certificate = base64_encode($rawCert); |
| 213 | 213 | } |
| 214 | - if($this->attestDir) { |
|
| 215 | - if(openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) { |
|
| 216 | - throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION ); |
|
| 214 | + if ($this->attestDir) { |
|
| 215 | + if (openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) { |
|
| 216 | + throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION); |
|
| 217 | 217 | } |
| 218 | 218 | } |
| 219 | 219 | |
| 220 | - if(!openssl_pkey_get_public($pemCert)) { |
|
| 221 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
| 220 | + if (!openssl_pkey_get_public($pemCert)) { |
|
| 221 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
| 222 | 222 | } |
| 223 | 223 | $signature = substr($rawReg, $offs); |
| 224 | 224 | |
@@ -228,10 +228,10 @@ discard block |
||
| 228 | 228 | $dataToVerify .= $kh; |
| 229 | 229 | $dataToVerify .= $pubKey; |
| 230 | 230 | |
| 231 | - if(openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) { |
|
| 231 | + if (openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) { |
|
| 232 | 232 | return $registration; |
| 233 | 233 | } else { |
| 234 | - throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE ); |
|
| 234 | + throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE); |
|
| 235 | 235 | } |
| 236 | 236 | } |
| 237 | 237 | |
@@ -247,7 +247,7 @@ discard block |
||
| 247 | 247 | $sigs = array(); |
| 248 | 248 | $challenge = $this->createChallenge(); |
| 249 | 249 | foreach ($registrations as $reg) { |
| 250 | - if( !is_object( $reg ) ) { |
|
| 250 | + if (!is_object($reg)) { |
|
| 251 | 251 | throw new \InvalidArgumentException('$registrations of getAuthenticateData() method only accepts array of object.'); |
| 252 | 252 | } |
| 253 | 253 | /** @var Registration $reg */ |
@@ -277,12 +277,12 @@ discard block |
||
| 277 | 277 | */ |
| 278 | 278 | public function doAuthenticate(array $requests, array $registrations, $response) |
| 279 | 279 | { |
| 280 | - if( !is_object( $response ) ) { |
|
| 280 | + if (!is_object($response)) { |
|
| 281 | 281 | throw new \InvalidArgumentException('$response of doAuthenticate() method only accepts object.'); |
| 282 | 282 | } |
| 283 | 283 | |
| 284 | - if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) { |
|
| 285 | - throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING ); |
|
| 284 | + if (property_exists($response, 'errorCode') && $response->errorCode !== 0) { |
|
| 285 | + throw new Error('User-agent returned error. Error code: '.$response->errorCode, ERR_BAD_UA_RETURNING); |
|
| 286 | 286 | } |
| 287 | 287 | |
| 288 | 288 | /** @var object|null $req */ |
@@ -294,43 +294,43 @@ discard block |
||
| 294 | 294 | $clientData = $this->base64u_decode($response->clientData); |
| 295 | 295 | $decodedClient = json_decode($clientData); |
| 296 | 296 | |
| 297 | - if(isset($decodedClient->typ) && $decodedClient->typ !== REQUEST_TYPE_AUTHENTICATE) { |
|
| 297 | + if (isset($decodedClient->typ) && $decodedClient->typ !== REQUEST_TYPE_AUTHENTICATE) { |
|
| 298 | 298 | throw new Error('ClientData type is invalid', ERR_BAD_TYPE); |
| 299 | 299 | } |
| 300 | 300 | |
| 301 | 301 | foreach ($requests as $req) { |
| 302 | - if( !is_object( $req ) ) { |
|
| 302 | + if (!is_object($req)) { |
|
| 303 | 303 | throw new \InvalidArgumentException('$requests of doAuthenticate() method only accepts array of object.'); |
| 304 | 304 | } |
| 305 | 305 | |
| 306 | - if($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) { |
|
| 306 | + if ($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) { |
|
| 307 | 307 | break; |
| 308 | 308 | } |
| 309 | 309 | |
| 310 | 310 | $req = null; |
| 311 | 311 | } |
| 312 | - if($req === null) { |
|
| 313 | - throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST ); |
|
| 312 | + if ($req === null) { |
|
| 313 | + throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST); |
|
| 314 | 314 | } |
| 315 | - if(isset($decodedClient->origin) && $decodedClient->origin !== $req->appId) { |
|
| 315 | + if (isset($decodedClient->origin) && $decodedClient->origin !== $req->appId) { |
|
| 316 | 316 | throw new Error('App ID does not match the origin', ERR_NO_MATCHING_ORIGIN); |
| 317 | 317 | } |
| 318 | 318 | foreach ($registrations as $reg) { |
| 319 | - if( !is_object( $reg ) ) { |
|
| 319 | + if (!is_object($reg)) { |
|
| 320 | 320 | throw new \InvalidArgumentException('$registrations of doAuthenticate() method only accepts array of object.'); |
| 321 | 321 | } |
| 322 | 322 | |
| 323 | - if($reg->keyHandle === $response->keyHandle) { |
|
| 323 | + if ($reg->keyHandle === $response->keyHandle) { |
|
| 324 | 324 | break; |
| 325 | 325 | } |
| 326 | 326 | $reg = null; |
| 327 | 327 | } |
| 328 | - if($reg === null) { |
|
| 329 | - throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION ); |
|
| 328 | + if ($reg === null) { |
|
| 329 | + throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION); |
|
| 330 | 330 | } |
| 331 | 331 | $pemKey = $this->pubkey_to_pem($this->base64u_decode($reg->publicKey)); |
| 332 | - if($pemKey === null) { |
|
| 333 | - throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE ); |
|
| 332 | + if ($pemKey === null) { |
|
| 333 | + throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE); |
|
| 334 | 334 | } |
| 335 | 335 | |
| 336 | 336 | $signData = $this->base64u_decode($response->signatureData); |
@@ -339,22 +339,22 @@ discard block |
||
| 339 | 339 | $dataToVerify .= hash('sha256', $clientData, true); |
| 340 | 340 | $signature = substr($signData, 5); |
| 341 | 341 | |
| 342 | - if(openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) { |
|
| 342 | + if (openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) { |
|
| 343 | 343 | $upb = unpack("Cupb", substr($signData, 0, 1)); |
| 344 | - if($upb['upb'] !== 1) { |
|
| 345 | - throw new Error('User presence byte value is invalid', ERR_BAD_USER_PRESENCE ); |
|
| 344 | + if ($upb['upb'] !== 1) { |
|
| 345 | + throw new Error('User presence byte value is invalid', ERR_BAD_USER_PRESENCE); |
|
| 346 | 346 | } |
| 347 | 347 | $ctr = unpack("Nctr", substr($signData, 1, 4)); |
| 348 | 348 | $counter = $ctr['ctr']; |
| 349 | 349 | /* TODO: wrap-around should be handled somehow.. */ |
| 350 | - if($counter > $reg->counter) { |
|
| 350 | + if ($counter > $reg->counter) { |
|
| 351 | 351 | $reg->counter = $counter; |
| 352 | 352 | return self::castObjectToRegistration($reg); |
| 353 | 353 | } else { |
| 354 | - throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW ); |
|
| 354 | + throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW); |
|
| 355 | 355 | } |
| 356 | 356 | } else { |
| 357 | - throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE ); |
|
| 357 | + throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE); |
|
| 358 | 358 | } |
| 359 | 359 | } |
| 360 | 360 | |
@@ -387,9 +387,9 @@ discard block |
||
| 387 | 387 | { |
| 388 | 388 | $files = array(); |
| 389 | 389 | $dir = $this->attestDir; |
| 390 | - if($dir != null && is_dir($dir) && $handle = opendir($dir)) { |
|
| 391 | - while(false !== ($entry = readdir($handle))) { |
|
| 392 | - if(is_file("$dir/$entry")) { |
|
| 390 | + if ($dir != null && is_dir($dir) && $handle = opendir($dir)) { |
|
| 391 | + while (false !== ($entry = readdir($handle))) { |
|
| 392 | + if (is_file("$dir/$entry")) { |
|
| 393 | 393 | $files[] = "$dir/$entry"; |
| 394 | 394 | } |
| 395 | 395 | } |
@@ -424,7 +424,7 @@ discard block |
||
| 424 | 424 | */ |
| 425 | 425 | private function pubkey_to_pem($key) |
| 426 | 426 | { |
| 427 | - if(strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") { |
|
| 427 | + if (strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") { |
|
| 428 | 428 | return null; |
| 429 | 429 | } |
| 430 | 430 | |
@@ -456,7 +456,7 @@ discard block |
||
| 456 | 456 | private function createChallenge() |
| 457 | 457 | { |
| 458 | 458 | $challenge = random_bytes(32); |
| 459 | - $challenge = $this->base64u_encode( $challenge ); |
|
| 459 | + $challenge = $this->base64u_encode($challenge); |
|
| 460 | 460 | |
| 461 | 461 | return $challenge; |
| 462 | 462 | } |
@@ -469,7 +469,7 @@ discard block |
||
| 469 | 469 | */ |
| 470 | 470 | private function fixSignatureUnusedBits($cert) |
| 471 | 471 | { |
| 472 | - if(in_array(hash('sha256', $cert), $this->FIXCERTS, true)) { |
|
| 472 | + if (in_array(hash('sha256', $cert), $this->FIXCERTS, true)) { |
|
| 473 | 473 | $cert[strlen($cert) - 257] = "\0"; |
| 474 | 474 | } |
| 475 | 475 | return $cert; |
