CustomServer::getCredentialCreationOptions() - Code Metrics - phpmyadmin/phpmyadmin - Measure and Improve Code Quality continuously with Scrutinizer

CustomServer::getCredentialCreationOptions() A
last analyzed 2024-09-19 14:01 UTC

↳ Parent: CustomServer

Complexity

Conditions	1
Paths	1

Size

Total Lines	13
Code Lines	10

Duplication

Lines	0
Ratio	0 %

Code Coverage

Tests	12
CRAP Score	1

Importance

Changes

Metric	Value
eloc	10
dl	0
loc	13
ccs	12
cts	12
cp	1
rs	9.9332
c	0
b	0
f	0
cc	1
nc	1
nop	3
crap	1

<?php

declare(strict_types=1);

namespace PhpMyAdmin\WebAuthn;

use Psr\Http\Message\ServerRequestInterface;
use SodiumException;
use Throwable;
use Webmozart\Assert\Assert;
use Webmozart\Assert\InvalidArgumentException;

use function hash;
use function hash_equals;
use function json_decode;
use function mb_strlen;
use function mb_substr;
use function ord;
use function parse_url;
use function random_bytes;
use function sodium_base642bin;
use function sodium_bin2base64;
use function unpack;

use const PHP_URL_HOST;
use const SODIUM_BASE64_VARIANT_ORIGINAL;
use const SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING;

/**
 * Web Authentication API server.
 *
 * @see https://www.w3.org/TR/webauthn-3/
 * @see https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
 * @see https://webauthn.guide/
 */
final class CustomServer implements Server
{
    /** @inheritDoc */
    public function getCredentialCreationOptions(string $userName, string $userId, string $relyingPartyId): array
    {
        return [
            'challenge' => $this->generateChallenge(),
            'rp' => ['name' => 'phpMyAdmin (' . $relyingPartyId . ')', 'id' => $relyingPartyId],
            'user' => ['id' => $userId, 'name' => $userName, 'displayName' => $userName],
            'pubKeyCredParams' => $this->getCredentialParameters(),
            'authenticatorSelection' => [
                'authenticatorAttachment' => 'cross-platform',
                'userVerification' => 'discouraged',
            ],
            'timeout' => 60000,
            'attestation' => 'none',
        ];
    }

    /** @inheritDoc */
    public function getCredentialRequestOptions(
        string $userName,
        string $userId,
        string $relyingPartyId,
        array $allowedCredentials,
    ): array {
        foreach ($allowedCredentials as $key => $credential) {
            $allowedCredentials[$key]['id'] = sodium_bin2base64(
                sodium_base642bin($credential['id'], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING),
                SODIUM_BASE64_VARIANT_ORIGINAL,
            );
        }

        return [
            'challenge' => $this->generateChallenge(),
            'allowCredentials' => $allowedCredentials,
            'timeout' => 60000,
            'attestation' => 'none',
            'userVerification' => 'discouraged',
        ];
    }

    /** @inheritDoc */
    public function parseAndValidateAssertionResponse(
        string $assertionResponseJson,
        array $allowedCredentials,
        string $challenge,
        ServerRequestInterface $request,
    ): void {
        $assertionCredential = $this->getAssertionCredential($assertionResponseJson);

        if ($allowedCredentials !== []) {
            Assert::true($this->isCredentialIdAllowed($assertionCredential['rawId'], $allowedCredentials));
        }

        $authenticatorData = $this->getAuthenticatorData($assertionCredential['response']['authenticatorData']);

        $clientData = $this->getCollectedClientData($assertionCredential['response']['clientDataJSON']);
        Assert::same($clientData['type'], 'webauthn.get');

        try {
            $knownChallenge = sodium_base642bin($challenge, SODIUM_BASE64_VARIANT_ORIGINAL);
            $cDataChallenge = sodium_base642bin($clientData['challenge'], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        } catch (SodiumException $exception) {
            throw new WebAuthnException((string) $exception);
        }

        Assert::true(hash_equals($knownChallenge, $cDataChallenge));

        $host = $request->getUri()->getHost();
        Assert::same($host, parse_url($clientData['origin'], PHP_URL_HOST));

        $rpIdHash = hash('sha256', $host, true);
        Assert::true(hash_equals($rpIdHash, $authenticatorData['rpIdHash']));

        $isUserPresent = (ord($authenticatorData['flags']) & 1) !== 0;
        Assert::true($isUserPresent);
    }

    /** @inheritDoc */
    public function parseAndValidateAttestationResponse(
        string $attestationResponse,
        string $credentialCreationOptions,
        ServerRequestInterface $request,
    ): array {
        try {
            $attestationCredential = $this->getAttestationCredential($attestationResponse);
        } catch (Throwable $exception) {
            throw new WebAuthnException('Invalid authenticator response.', (int) $exception->getCode(), $exception);
        }

        $creationOptions = json_decode($credentialCreationOptions, true);
        Assert::isArray($creationOptions);
        Assert::keyExists($creationOptions, 'challenge');
        Assert::string($creationOptions['challenge']);
        Assert::keyExists($creationOptions, 'user');
        Assert::isArray($creationOptions['user']);
        Assert::keyExists($creationOptions['user'], 'id');
        Assert::string($creationOptions['user']['id']);

        $clientData = $this->getCollectedClientData($attestationCredential['response']['clientDataJSON']);

        // Verify that the value of C.type is webauthn.create.
        Assert::same($clientData['type'], 'webauthn.create');

        // Verify that the value of C.challenge equals the base64url encoding of options.challenge.
        $optionsChallenge = sodium_base642bin($creationOptions['challenge'], SODIUM_BASE64_VARIANT_ORIGINAL);
        $clientDataChallenge = sodium_base642bin($clientData['challenge'], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        Assert::true(hash_equals($optionsChallenge, $clientDataChallenge));

        // Verify that the value of C.origin matches the Relying Party's origin.
        $host = $request->getUri()->getHost();
        Assert::same($host, parse_url($clientData['origin'], PHP_URL_HOST), 'Invalid origin.');

        // Perform CBOR decoding on the attestationObject field.
        $attestationObject = $this->getAttestationObject($attestationCredential['response']['attestationObject']);

        $authenticatorData = $this->getAuthenticatorData($attestationObject['authData']);
        Assert::notNull($authenticatorData['attestedCredentialData']);

        // Verify that the rpIdHash in authData is the SHA-256 hash of the RP ID expected by the Relying Party.
        $rpIdHash = hash('sha256', $host, true);
        Assert::true(hash_equals($rpIdHash, $authenticatorData['rpIdHash']), 'Invalid rpIdHash.');

        // Verify that the User Present bit of the flags in authData is set.
        $isUserPresent = (ord($authenticatorData['flags']) & 1) !== 0;
        Assert::true($isUserPresent);

        Assert::same($attestationObject['fmt'], 'none');
        Assert::same($attestationObject['attStmt'], []);

        $encodedCredentialId = sodium_bin2base64(
            $authenticatorData['attestedCredentialData']['credentialId'],
            SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING,
        );
        $encodedCredentialPublicKey = sodium_bin2base64(
            $authenticatorData['attestedCredentialData']['credentialPublicKey'],
            SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING,
        );
        $userHandle = sodium_bin2base64(
            sodium_base642bin($creationOptions['user']['id'], SODIUM_BASE64_VARIANT_ORIGINAL),
            SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING,
        );

        return [
            'publicKeyCredentialId' => $encodedCredentialId,
            'type' => 'public-key',
            'transports' => [],
            'attestationType' => $attestationObject['fmt'],
            'aaguid' => $authenticatorData['attestedCredentialData']['aaguid'],
            'credentialPublicKey' => $encodedCredentialPublicKey,
            'userHandle' => $userHandle,
            'counter' => $authenticatorData['signCount'],
        ];
    }

    /**
     * In order to prevent replay attacks, the challenges MUST contain enough entropy to make guessing them infeasible.
     * Challenges SHOULD therefore be at least 16 bytes long.
     *
     * @see https://www.w3.org/TR/webauthn-3/#sctn-cryptographic-challenges
     *
     * @psalm-return non-empty-string
     *
     * @throws WebAuthnException
     */
    private function generateChallenge(): string
    {
        try {
            return sodium_bin2base64(random_bytes(32), SODIUM_BASE64_VARIANT_ORIGINAL);
        } catch (Throwable) { // @codeCoverageIgnore
            throw new WebAuthnException('Error when generating challenge.'); // @codeCoverageIgnore
        }
    }

    /**
     * @see https://www.w3.org/TR/webauthn-3/#sctn-authenticator-data
     *
     * @psalm-return array{
     *   rpIdHash: string,
     *   flags: string,
     *   signCount: int,
     *   attestedCredentialData: array{
     *     aaguid: string,
     *     credentialId: string,
     *     credentialPublicKey: string,
     *     credentialPublicKeyDecoded: mixed[]
     *   }|null,
     *   extensions: string|null
     * }
     *
     * @throws WebAuthnException
     */
    private function getAuthenticatorData(string $authData): array
    {
        $authDataLength = mb_strlen($authData, '8bit');
        Assert::true($authDataLength >= 37);
        $authDataStream = new DataStream($authData);

        $rpIdHash = $authDataStream->take(32);
        $flags = $authDataStream->take(1);

        // 32-bit unsigned big-endian integer
        $unpackedSignCount = unpack('N', $authDataStream->take(4));
        Assert::isArray($unpackedSignCount);
        Assert::keyExists($unpackedSignCount, 1);
        Assert::integer($unpackedSignCount[1]);
        $signCount = $unpackedSignCount[1];

        $attestedCredentialData = null;
        // Bit 6: Attested credential data included (AT).
        if ((ord($flags) & 64) !== 0) {
            /** Authenticator Attestation GUID */
            $aaguid = $authDataStream->take(16);

            // 16-bit unsigned big-endian integer
            $unpackedCredentialIdLength = unpack('n', $authDataStream->take(2));
            Assert::isArray($unpackedCredentialIdLength);
            Assert::keyExists($unpackedCredentialIdLength, 1);
            Assert::integer($unpackedCredentialIdLength[1]);
            $credentialIdLength = $unpackedCredentialIdLength[1];

            $credentialId = $authDataStream->take($credentialIdLength);

            $credentialPublicKeyDecoded = (new CBORDecoder())->decode($authDataStream);
            Assert::isArray($credentialPublicKeyDecoded);
            $credentialPublicKey = mb_substr(
                $authData,
                37 + 18 + $credentialIdLength,
                $authDataStream->getPosition(),
                '8bit',
            );

            $attestedCredentialData = [
                'aaguid' => $aaguid,
                'credentialId' => $credentialId,
                'credentialPublicKey' => $credentialPublicKey,
                'credentialPublicKeyDecoded' => $credentialPublicKeyDecoded,
            ];
        }

        return [
            'rpIdHash' => $rpIdHash,
            'flags' => $flags,
            'signCount' => $signCount,
            'attestedCredentialData' => $attestedCredentialData,
            'extensions' => null,
        ];
    }

    /**
     * @psalm-param non-empty-string $id
     * @psalm-param list<array{id: non-empty-string, type: non-empty-string}> $allowedCredentials
     *
     * @throws WebAuthnException
     */
    private function isCredentialIdAllowed(string $id, array $allowedCredentials): bool
    {
        foreach ($allowedCredentials as $credential) {
            try {
                $credentialId = sodium_base642bin($credential['id'], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
            } catch (SodiumException) {
                throw new WebAuthnException();
            }

            if (hash_equals($credentialId, $id)) {
                return true;
            }
        }

        return false;
    }

    /**
     * @see https://www.iana.org/assignments/cose/cose.xhtml#algorithms
     *
     * @psalm-return list<array{alg: int, type: 'public-key'}>
     */
    private function getCredentialParameters(): array
    {
        return [
            ['alg' => -257, 'type' => 'public-key'], // RS256
            ['alg' => -259, 'type' => 'public-key'], // RS512
            ['alg' => -37, 'type' => 'public-key'], // PS256
            ['alg' => -39, 'type' => 'public-key'], // PS512
            ['alg' => -7, 'type' => 'public-key'], // ES256
            ['alg' => -36, 'type' => 'public-key'], // ES512
            ['alg' => -8, 'type' => 'public-key'], // EdDSA
        ];
    }

    /**
     * @psalm-param non-empty-string $assertionResponseJson
     *
     * @psalm-return array{
     *   id: non-empty-string,
     *   type: 'public-key',
     *   rawId: non-empty-string,
     *   response: array{
     *     clientDataJSON: non-empty-string,
     *     authenticatorData: non-empty-string,
     *     signature: non-empty-string,
     *   }
     * }
     *
     * @throws SodiumException
     * @throws InvalidArgumentException
     */
    private function getAssertionCredential(string $assertionResponseJson): array
    {
        $credential = json_decode($assertionResponseJson, true);
        Assert::isArray($credential);
        Assert::keyExists($credential, 'id');
        Assert::stringNotEmpty($credential['id']);
        Assert::keyExists($credential, 'type');
        Assert::same($credential['type'], 'public-key');
        Assert::keyExists($credential, 'rawId');
        Assert::stringNotEmpty($credential['rawId']);
        Assert::keyExists($credential, 'response');
        Assert::isArray($credential['response']);
        Assert::keyExists($credential['response'], 'clientDataJSON');
        Assert::stringNotEmpty($credential['response']['clientDataJSON']);
        Assert::keyExists($credential['response'], 'authenticatorData');
        Assert::stringNotEmpty($credential['response']['authenticatorData']);
        Assert::keyExists($credential['response'], 'signature');
        Assert::stringNotEmpty($credential['response']['signature']);

        $id = sodium_base642bin($credential['id'], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        $rawId = sodium_base642bin($credential['rawId'], SODIUM_BASE64_VARIANT_ORIGINAL);
        Assert::stringNotEmpty($id);
        Assert::stringNotEmpty($rawId);
        Assert::true(hash_equals($rawId, $id));

        $clientDataJSON = sodium_base642bin($credential['response']['clientDataJSON'], SODIUM_BASE64_VARIANT_ORIGINAL);
        Assert::stringNotEmpty($clientDataJSON);
        $authenticatorData = sodium_base642bin(
            $credential['response']['authenticatorData'],
            SODIUM_BASE64_VARIANT_ORIGINAL,
        );
        Assert::stringNotEmpty($authenticatorData);
        $signature = sodium_base642bin($credential['response']['signature'], SODIUM_BASE64_VARIANT_ORIGINAL);
        Assert::stringNotEmpty($signature);

        return [
            'id' => $credential['id'],
            'type' => 'public-key',
            'rawId' => $rawId,
            'response' => [
                'clientDataJSON' => $clientDataJSON,
                'authenticatorData' => $authenticatorData,
                'signature' => $signature,
            ],
        ];
    }

    /**
     * @see https://www.w3.org/TR/webauthn-3/#iface-authenticatorattestationresponse
     *
     * @psalm-param non-empty-string $attestationResponse
     *
     * @psalm-return array{
     *   id: non-empty-string,
     *   rawId: non-empty-string,
     *   type: 'public-key',
     *   response: array{clientDataJSON: non-empty-string, attestationObject: non-empty-string}
     * }
     *
     * @throws SodiumException
     * @throws InvalidArgumentException
     */
    private function getAttestationCredential(string $attestationResponse): array
    {
        $credential = json_decode($attestationResponse, true);
        Assert::isArray($credential);
        Assert::keyExists($credential, 'id');
        Assert::stringNotEmpty($credential['id']);
        Assert::keyExists($credential, 'rawId');
        Assert::stringNotEmpty($credential['rawId']);
        Assert::keyExists($credential, 'type');
        Assert::string($credential['type']);
        Assert::same($credential['type'], 'public-key');
        Assert::keyExists($credential, 'response');
        Assert::isArray($credential['response']);
        Assert::keyExists($credential['response'], 'clientDataJSON');
        Assert::stringNotEmpty($credential['response']['clientDataJSON']);
        Assert::keyExists($credential['response'], 'attestationObject');
        Assert::stringNotEmpty($credential['response']['attestationObject']);

        $id = sodium_base642bin($credential['id'], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        $rawId = sodium_base642bin($credential['rawId'], SODIUM_BASE64_VARIANT_ORIGINAL);
        Assert::stringNotEmpty($id);
        Assert::stringNotEmpty($rawId);
        Assert::true(hash_equals($rawId, $id));

        $clientDataJSON = sodium_base642bin($credential['response']['clientDataJSON'], SODIUM_BASE64_VARIANT_ORIGINAL);
        Assert::stringNotEmpty($clientDataJSON);
        $attestationObject = sodium_base642bin(
            $credential['response']['attestationObject'],
            SODIUM_BASE64_VARIANT_ORIGINAL,
        );
        Assert::stringNotEmpty($attestationObject);

        return [
            'id' => $credential['id'],
            'rawId' => $rawId,
            'type' => 'public-key',
            'response' => ['clientDataJSON' => $clientDataJSON, 'attestationObject' => $attestationObject],
        ];
    }

    /**
     * @see https://www.w3.org/TR/webauthn-3/#dictionary-client-data
     *
     * @psalm-param non-empty-string $clientDataJSON
     *
     * @return array{

     *   type: 'webauthn.create'|'webauthn.get',
     *   challenge: non-empty-string,
     *   origin: non-empty-string
     * }
     */
    private function getCollectedClientData(string $clientDataJSON): array
    {
        $clientData = json_decode($clientDataJSON, true);

        Assert::isArray($clientData);
        Assert::keyExists($clientData, 'type');
        Assert::stringNotEmpty($clientData['type']);
        Assert::inArray($clientData['type'], ['webauthn.create', 'webauthn.get']);
        Assert::keyExists($clientData, 'challenge');
        Assert::stringNotEmpty($clientData['challenge']);
        Assert::keyExists($clientData, 'origin');
        Assert::stringNotEmpty($clientData['origin']);

        return [
            'type' => $clientData['type'],
            'challenge' => $clientData['challenge'],
            'origin' => $clientData['origin'],
        ];
    }

    /**
     * @psalm-param non-empty-string $attestationObjectEncoded
     *
     * @psalm-return array{fmt: string, attStmt: mixed[], authData: string}
     *
     * @throws WebAuthnException
     */
    private function getAttestationObject(string $attestationObjectEncoded): array
    {
        $decoded = (new CBORDecoder())->decode(new DataStream($attestationObjectEncoded));

        Assert::isArray($decoded);
        Assert::keyExists($decoded, 'fmt');
        Assert::string($decoded['fmt']);
        Assert::keyExists($decoded, 'attStmt');
        Assert::isArray($decoded['attStmt']);
        Assert::keyExists($decoded, 'authData');
        Assert::string($decoded['authData']);

        return $decoded;
    }
}


1		<?php
2
3		declare(strict_types=1);
4
5		namespace PhpMyAdmin\WebAuthn;
6
7		use Psr\Http\Message\ServerRequestInterface;
8		use SodiumException;
9		use Throwable;
10		use Webmozart\Assert\Assert;
11		use Webmozart\Assert\InvalidArgumentException;
12
13		use function hash;
14		use function hash_equals;
15		use function json_decode;
16		use function mb_strlen;
17		use function mb_substr;
18		use function ord;
19		use function parse_url;
20		use function random_bytes;
21		use function sodium_base642bin;
22		use function sodium_bin2base64;
23		use function unpack;
24
25		use const PHP_URL_HOST;
26		use const SODIUM_BASE64_VARIANT_ORIGINAL;
27		use const SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING;
28
29		/**
30		* Web Authentication API server.
31		*
32		* @see https://www.w3.org/TR/webauthn-3/
33		* @see https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
34		* @see https://webauthn.guide/
35		*/
36		final class CustomServer implements Server
37		{
38		/** @inheritDoc */
39	4	public function getCredentialCreationOptions(string $userName, string $userId, string $relyingPartyId): array
40		{
41	4	return [
42	4	'challenge' => $this->generateChallenge(),
43	4	'rp' => ['name' => 'phpMyAdmin (' . $relyingPartyId . ')', 'id' => $relyingPartyId],
44	4	'user' => ['id' => $userId, 'name' => $userName, 'displayName' => $userName],
45	4	'pubKeyCredParams' => $this->getCredentialParameters(),
46	4	'authenticatorSelection' => [
47	4	'authenticatorAttachment' => 'cross-platform',
48	4	'userVerification' => 'discouraged',
49	4	],
50	4	'timeout' => 60000,
51	4	'attestation' => 'none',
52	4	];
53		}
54
55		/** @inheritDoc */
56	4	public function getCredentialRequestOptions(
57		string $userName,
58		string $userId,
59		string $relyingPartyId,
60		array $allowedCredentials,
61		): array {
62	4	foreach ($allowedCredentials as $key => $credential) {
63	4	$allowedCredentials[$key]['id'] = sodium_bin2base64(
64	4	sodium_base642bin($credential['id'], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING),
65	4	SODIUM_BASE64_VARIANT_ORIGINAL,
66	4	);
67		}
68
69	4	return [
70	4	'challenge' => $this->generateChallenge(),
71	4	'allowCredentials' => $allowedCredentials,
72	4	'timeout' => 60000,
73	4	'attestation' => 'none',
74	4	'userVerification' => 'discouraged',
75	4	];
76		}
77
78		/** @inheritDoc */
79	4	public function parseAndValidateAssertionResponse(
80		string $assertionResponseJson,
81		array $allowedCredentials,
82		string $challenge,
83		ServerRequestInterface $request,
84		): void {
85	4	$assertionCredential = $this->getAssertionCredential($assertionResponseJson);
86
87	4	if ($allowedCredentials !== []) {
88	4	Assert::true($this->isCredentialIdAllowed($assertionCredential['rawId'], $allowedCredentials));
89		}
90
91	4	$authenticatorData = $this->getAuthenticatorData($assertionCredential['response']['authenticatorData']);
92
93	4	$clientData = $this->getCollectedClientData($assertionCredential['response']['clientDataJSON']);
94	4	Assert::same($clientData['type'], 'webauthn.get');
95
96		try {
97	4	$knownChallenge = sodium_base642bin($challenge, SODIUM_BASE64_VARIANT_ORIGINAL);
98	4	$cDataChallenge = sodium_base642bin($clientData['challenge'], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
99		} catch (SodiumException $exception) {
100		throw new WebAuthnException((string) $exception);
101		}
102
103	4	Assert::true(hash_equals($knownChallenge, $cDataChallenge));
104
105	4	$host = $request->getUri()->getHost();
106	4	Assert::same($host, parse_url($clientData['origin'], PHP_URL_HOST));
107
108	4	$rpIdHash = hash('sha256', $host, true);
109	4	Assert::true(hash_equals($rpIdHash, $authenticatorData['rpIdHash']));
110
111	4	$isUserPresent = (ord($authenticatorData['flags']) & 1) !== 0;
112	4	Assert::true($isUserPresent);
113		}
114
115		/** @inheritDoc */
116	4	public function parseAndValidateAttestationResponse(
117		string $attestationResponse,
118		string $credentialCreationOptions,
119		ServerRequestInterface $request,
120		): array {
121		try {
122	4	$attestationCredential = $this->getAttestationCredential($attestationResponse);
123		} catch (Throwable $exception) {
124		throw new WebAuthnException('Invalid authenticator response.', (int) $exception->getCode(), $exception);
125		}
126
127	4	$creationOptions = json_decode($credentialCreationOptions, true);
128	4	Assert::isArray($creationOptions);
129	4	Assert::keyExists($creationOptions, 'challenge');
130	4	Assert::string($creationOptions['challenge']);
131	4	Assert::keyExists($creationOptions, 'user');
132	4	Assert::isArray($creationOptions['user']);
133	4	Assert::keyExists($creationOptions['user'], 'id');
134	4	Assert::string($creationOptions['user']['id']);
135
136	4	$clientData = $this->getCollectedClientData($attestationCredential['response']['clientDataJSON']);
137
138		// Verify that the value of C.type is webauthn.create.
139	4	Assert::same($clientData['type'], 'webauthn.create');
140
141		// Verify that the value of C.challenge equals the base64url encoding of options.challenge.
142	4	$optionsChallenge = sodium_base642bin($creationOptions['challenge'], SODIUM_BASE64_VARIANT_ORIGINAL);
143	4	$clientDataChallenge = sodium_base642bin($clientData['challenge'], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
144	4	Assert::true(hash_equals($optionsChallenge, $clientDataChallenge));
145
146		// Verify that the value of C.origin matches the Relying Party's origin.
147	4	$host = $request->getUri()->getHost();
148	4	Assert::same($host, parse_url($clientData['origin'], PHP_URL_HOST), 'Invalid origin.');
149
150		// Perform CBOR decoding on the attestationObject field.
151	4	$attestationObject = $this->getAttestationObject($attestationCredential['response']['attestationObject']);
152
153	4	$authenticatorData = $this->getAuthenticatorData($attestationObject['authData']);
154	4	Assert::notNull($authenticatorData['attestedCredentialData']);
155
156		// Verify that the rpIdHash in authData is the SHA-256 hash of the RP ID expected by the Relying Party.
157	4	$rpIdHash = hash('sha256', $host, true);
158	4	Assert::true(hash_equals($rpIdHash, $authenticatorData['rpIdHash']), 'Invalid rpIdHash.');
159
160		// Verify that the User Present bit of the flags in authData is set.
161	4	$isUserPresent = (ord($authenticatorData['flags']) & 1) !== 0;
162	4	Assert::true($isUserPresent);
163
164	4	Assert::same($attestationObject['fmt'], 'none');
165	4	Assert::same($attestationObject['attStmt'], []);
166
167	4	$encodedCredentialId = sodium_bin2base64(
168	4	$authenticatorData['attestedCredentialData']['credentialId'],
169	4	SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING,
170	4	);
171	4	$encodedCredentialPublicKey = sodium_bin2base64(
172	4	$authenticatorData['attestedCredentialData']['credentialPublicKey'],
173	4	SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING,
174	4	);
175	4	$userHandle = sodium_bin2base64(
176	4	sodium_base642bin($creationOptions['user']['id'], SODIUM_BASE64_VARIANT_ORIGINAL),
177	4	SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING,
178	4	);
179
180	4	return [
181	4	'publicKeyCredentialId' => $encodedCredentialId,
182	4	'type' => 'public-key',
183	4	'transports' => [],
184	4	'attestationType' => $attestationObject['fmt'],
185	4	'aaguid' => $authenticatorData['attestedCredentialData']['aaguid'],
186	4	'credentialPublicKey' => $encodedCredentialPublicKey,
187	4	'userHandle' => $userHandle,
188	4	'counter' => $authenticatorData['signCount'],
189	4	];
190		}
191
192		/**
193		* In order to prevent replay attacks, the challenges MUST contain enough entropy to make guessing them infeasible.
194		* Challenges SHOULD therefore be at least 16 bytes long.
195		*
196		* @see https://www.w3.org/TR/webauthn-3/#sctn-cryptographic-challenges
197		*
198		* @psalm-return non-empty-string
199		*
200		* @throws WebAuthnException
201		*/
202	8	private function generateChallenge(): string
203		{
204		try {
205	8	return sodium_bin2base64(random_bytes(32), SODIUM_BASE64_VARIANT_ORIGINAL);
206		} catch (Throwable) { // @codeCoverageIgnore
207		throw new WebAuthnException('Error when generating challenge.'); // @codeCoverageIgnore
208		}
209		}
210
211		/**
212		* @see https://www.w3.org/TR/webauthn-3/#sctn-authenticator-data
213		*
214		* @psalm-return array{
215		* rpIdHash: string,
216		* flags: string,
217		* signCount: int,
218		* attestedCredentialData: array{
219		* aaguid: string,
220		* credentialId: string,
221		* credentialPublicKey: string,
222		* credentialPublicKeyDecoded: mixed[]
223		* }\|null,
224		* extensions: string\|null
225		* }
226		*
227		* @throws WebAuthnException
228		*/
229	8	private function getAuthenticatorData(string $authData): array
230		{
231	8	$authDataLength = mb_strlen($authData, '8bit');
232	8	Assert::true($authDataLength >= 37);
233	8	$authDataStream = new DataStream($authData);
234
235	8	$rpIdHash = $authDataStream->take(32);
236	8	$flags = $authDataStream->take(1);
237
238		// 32-bit unsigned big-endian integer
239	8	$unpackedSignCount = unpack('N', $authDataStream->take(4));
240	8	Assert::isArray($unpackedSignCount);
241	8	Assert::keyExists($unpackedSignCount, 1);
242	8	Assert::integer($unpackedSignCount[1]);
243	8	$signCount = $unpackedSignCount[1];
244
245	8	$attestedCredentialData = null;
246		// Bit 6: Attested credential data included (AT).
247	8	if ((ord($flags) & 64) !== 0) {
248		/** Authenticator Attestation GUID */
249	4	$aaguid = $authDataStream->take(16);
250
251		// 16-bit unsigned big-endian integer
252	4	$unpackedCredentialIdLength = unpack('n', $authDataStream->take(2));
253	4	Assert::isArray($unpackedCredentialIdLength);
254	4	Assert::keyExists($unpackedCredentialIdLength, 1);
255	4	Assert::integer($unpackedCredentialIdLength[1]);
256	4	$credentialIdLength = $unpackedCredentialIdLength[1];
257
258	4	$credentialId = $authDataStream->take($credentialIdLength);
259
260	4	$credentialPublicKeyDecoded = (new CBORDecoder())->decode($authDataStream);
261	4	Assert::isArray($credentialPublicKeyDecoded);
262	4	$credentialPublicKey = mb_substr(
263	4	$authData,
264	4	37 + 18 + $credentialIdLength,
265	4	$authDataStream->getPosition(),
266	4	'8bit',
267	4	);
268
269	4	$attestedCredentialData = [
270	4	'aaguid' => $aaguid,
271	4	'credentialId' => $credentialId,
272	4	'credentialPublicKey' => $credentialPublicKey,
273	4	'credentialPublicKeyDecoded' => $credentialPublicKeyDecoded,
274	4	];
275		}
276
277	8	return [
278	8	'rpIdHash' => $rpIdHash,
279	8	'flags' => $flags,
280	8	'signCount' => $signCount,
281	8	'attestedCredentialData' => $attestedCredentialData,
282	8	'extensions' => null,
283	8	];
284		}
285
286		/**
287		* @psalm-param non-empty-string $id
288		* @psalm-param list<array{id: non-empty-string, type: non-empty-string}> $allowedCredentials
289		*
290		* @throws WebAuthnException
291		*/
292	4	private function isCredentialIdAllowed(string $id, array $allowedCredentials): bool
293		{
294	4	foreach ($allowedCredentials as $credential) {
295		try {
296	4	$credentialId = sodium_base642bin($credential['id'], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
297		} catch (SodiumException) {
298		throw new WebAuthnException();
299		}
300
301	4	if (hash_equals($credentialId, $id)) {
302	4	return true;
303		}
304		}
305
306		return false;
307		}
308
309		/**
310		* @see https://www.iana.org/assignments/cose/cose.xhtml#algorithms
311		*
312		* @psalm-return list<array{alg: int, type: 'public-key'}>
313		*/
314	4	private function getCredentialParameters(): array
315		{
316	4	return [
317	4	['alg' => -257, 'type' => 'public-key'], // RS256
318	4	['alg' => -259, 'type' => 'public-key'], // RS512
319	4	['alg' => -37, 'type' => 'public-key'], // PS256
320	4	['alg' => -39, 'type' => 'public-key'], // PS512
321	4	['alg' => -7, 'type' => 'public-key'], // ES256
322	4	['alg' => -36, 'type' => 'public-key'], // ES512
323	4	['alg' => -8, 'type' => 'public-key'], // EdDSA
324	4	];
325		}
326
327		/**
328		* @psalm-param non-empty-string $assertionResponseJson
329		*
330		* @psalm-return array{
331		* id: non-empty-string,
332		* type: 'public-key',
333		* rawId: non-empty-string,
334		* response: array{
335		* clientDataJSON: non-empty-string,
336		* authenticatorData: non-empty-string,
337		* signature: non-empty-string,
338		* }
339		* }
340		*
341		* @throws SodiumException
342		* @throws InvalidArgumentException
343		*/
344	4	private function getAssertionCredential(string $assertionResponseJson): array
345		{
346	4	$credential = json_decode($assertionResponseJson, true);
347	4	Assert::isArray($credential);
348	4	Assert::keyExists($credential, 'id');
349	4	Assert::stringNotEmpty($credential['id']);
350	4	Assert::keyExists($credential, 'type');
351	4	Assert::same($credential['type'], 'public-key');
352	4	Assert::keyExists($credential, 'rawId');
353	4	Assert::stringNotEmpty($credential['rawId']);
354	4	Assert::keyExists($credential, 'response');
355	4	Assert::isArray($credential['response']);
356	4	Assert::keyExists($credential['response'], 'clientDataJSON');
357	4	Assert::stringNotEmpty($credential['response']['clientDataJSON']);
358	4	Assert::keyExists($credential['response'], 'authenticatorData');
359	4	Assert::stringNotEmpty($credential['response']['authenticatorData']);
360	4	Assert::keyExists($credential['response'], 'signature');
361	4	Assert::stringNotEmpty($credential['response']['signature']);
362
363	4	$id = sodium_base642bin($credential['id'], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
364	4	$rawId = sodium_base642bin($credential['rawId'], SODIUM_BASE64_VARIANT_ORIGINAL);
365	4	Assert::stringNotEmpty($id);
366	4	Assert::stringNotEmpty($rawId);
367	4	Assert::true(hash_equals($rawId, $id));
368
369	4	$clientDataJSON = sodium_base642bin($credential['response']['clientDataJSON'], SODIUM_BASE64_VARIANT_ORIGINAL);
370	4	Assert::stringNotEmpty($clientDataJSON);
371	4	$authenticatorData = sodium_base642bin(
372	4	$credential['response']['authenticatorData'],
373	4	SODIUM_BASE64_VARIANT_ORIGINAL,
374	4	);
375	4	Assert::stringNotEmpty($authenticatorData);
376	4	$signature = sodium_base642bin($credential['response']['signature'], SODIUM_BASE64_VARIANT_ORIGINAL);
377	4	Assert::stringNotEmpty($signature);
378
379	4	return [
380	4	'id' => $credential['id'],
381	4	'type' => 'public-key',
382	4	'rawId' => $rawId,
383	4	'response' => [
384	4	'clientDataJSON' => $clientDataJSON,
385	4	'authenticatorData' => $authenticatorData,
386	4	'signature' => $signature,
387	4	],
388	4	];
389		}
390
391		/**
392		* @see https://www.w3.org/TR/webauthn-3/#iface-authenticatorattestationresponse
393		*
394		* @psalm-param non-empty-string $attestationResponse
395		*
396		* @psalm-return array{
397		* id: non-empty-string,
398		* rawId: non-empty-string,
399		* type: 'public-key',
400		* response: array{clientDataJSON: non-empty-string, attestationObject: non-empty-string}
401		* }
402		*
403		* @throws SodiumException
404		* @throws InvalidArgumentException
405		*/
406	4	private function getAttestationCredential(string $attestationResponse): array
407		{
408	4	$credential = json_decode($attestationResponse, true);
409	4	Assert::isArray($credential);
410	4	Assert::keyExists($credential, 'id');
411	4	Assert::stringNotEmpty($credential['id']);
412	4	Assert::keyExists($credential, 'rawId');
413	4	Assert::stringNotEmpty($credential['rawId']);
414	4	Assert::keyExists($credential, 'type');
415	4	Assert::string($credential['type']);
416	4	Assert::same($credential['type'], 'public-key');
417	4	Assert::keyExists($credential, 'response');
418	4	Assert::isArray($credential['response']);
419	4	Assert::keyExists($credential['response'], 'clientDataJSON');
420	4	Assert::stringNotEmpty($credential['response']['clientDataJSON']);
421	4	Assert::keyExists($credential['response'], 'attestationObject');
422	4	Assert::stringNotEmpty($credential['response']['attestationObject']);
423
424	4	$id = sodium_base642bin($credential['id'], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
425	4	$rawId = sodium_base642bin($credential['rawId'], SODIUM_BASE64_VARIANT_ORIGINAL);
426	4	Assert::stringNotEmpty($id);
427	4	Assert::stringNotEmpty($rawId);
428	4	Assert::true(hash_equals($rawId, $id));
429
430	4	$clientDataJSON = sodium_base642bin($credential['response']['clientDataJSON'], SODIUM_BASE64_VARIANT_ORIGINAL);
431	4	Assert::stringNotEmpty($clientDataJSON);
432	4	$attestationObject = sodium_base642bin(
433	4	$credential['response']['attestationObject'],
434	4	SODIUM_BASE64_VARIANT_ORIGINAL,
435	4	);
436	4	Assert::stringNotEmpty($attestationObject);
437
438	4	return [
439	4	'id' => $credential['id'],
440	4	'rawId' => $rawId,
441	4	'type' => 'public-key',
442	4	'response' => ['clientDataJSON' => $clientDataJSON, 'attestationObject' => $attestationObject],
443	4	];
444		}
445
446		/**
447		* @see https://www.w3.org/TR/webauthn-3/#dictionary-client-data
448		*
449		* @psalm-param non-empty-string $clientDataJSON
450		*
451		* @return array{
		0 ignored issues – show Documentation Bug introduced 2023-01-17 03:56 UTC by Report Bug Copy Issue Report The doc comment `array{` at position `2` could not be parsed: the token is null at position 2. Loading history...
452		* type: 'webauthn.create'\|'webauthn.get',
453		* challenge: non-empty-string,
454		* origin: non-empty-string
455		* }
456		*/
457	8	private function getCollectedClientData(string $clientDataJSON): array
458		{
459	8	$clientData = json_decode($clientDataJSON, true);
460
461	8	Assert::isArray($clientData);
462	8	Assert::keyExists($clientData, 'type');
463	8	Assert::stringNotEmpty($clientData['type']);
464	8	Assert::inArray($clientData['type'], ['webauthn.create', 'webauthn.get']);
465	8	Assert::keyExists($clientData, 'challenge');
466	8	Assert::stringNotEmpty($clientData['challenge']);
467	8	Assert::keyExists($clientData, 'origin');
468	8	Assert::stringNotEmpty($clientData['origin']);
469
470	8	return [
471	8	'type' => $clientData['type'],
472	8	'challenge' => $clientData['challenge'],
473	8	'origin' => $clientData['origin'],
474	8	];
475		}
476
477		/**
478		* @psalm-param non-empty-string $attestationObjectEncoded
479		*
480		* @psalm-return array{fmt: string, attStmt: mixed[], authData: string}
481		*
482		* @throws WebAuthnException
483		*/
484	4	private function getAttestationObject(string $attestationObjectEncoded): array
485		{
486	4	$decoded = (new CBORDecoder())->decode(new DataStream($attestationObjectEncoded));
487
488	4	Assert::isArray($decoded);
489	4	Assert::keyExists($decoded, 'fmt');
490	4	Assert::string($decoded['fmt']);
491	4	Assert::keyExists($decoded, 'attStmt');
492	4	Assert::isArray($decoded['attStmt']);
493	4	Assert::keyExists($decoded, 'authData');
494	4	Assert::string($decoded['authData']);
495
496	4	return $decoded;
497		}
498		}
499

phpmyadmin / phpmyadmin

CustomServer::getCredentialCreationOptions() A last analyzed 2024-09-19 14:01 UTC

Complexity

Size

Duplication

Code Coverage

Importance

Duplication Side-by-Side

Filter issues like

CustomServer::getCredentialCreationOptions() A
last analyzed 2024-09-19 14:01 UTC