simplesamlphp /
simplesamlphp-module-webauthn
@@ -202,7 +202,7 @@ |
||
| 202 | 202 | 'private' => false, |
| 203 | 203 | ]); |
| 204 | 204 | $response->setExpires(new DateTime('Thu, 19 Nov 1981 08:52:00 GMT')); |
| 205 | - */ |
|
| 205 | + */ |
|
| 206 | 206 | |
| 207 | 207 | return $response; |
| 208 | 208 | } |
@@ -202,7 +202,7 @@ |
||
| 202 | 202 | 'private' => false, |
| 203 | 203 | ]); |
| 204 | 204 | $response->setExpires(new DateTime('Thu, 19 Nov 1981 08:52:00 GMT')); |
| 205 | - */ |
|
| 205 | + */ |
|
| 206 | 206 | |
| 207 | 207 | return $response; |
| 208 | 208 | } |
@@ -202,7 +202,7 @@ |
||
| 202 | 202 | 'private' => false, |
| 203 | 203 | ]); |
| 204 | 204 | $response->setExpires(new DateTime('Thu, 19 Nov 1981 08:52:00 GMT')); |
| 205 | - */ |
|
| 205 | + */ |
|
| 206 | 206 | |
| 207 | 207 | return $response; |
| 208 | 208 | } |
@@ -90,8 +90,8 @@ |
||
| 90 | 90 | $this->stateData->scope = $moduleConfig['scope']; |
| 91 | 91 | } |
| 92 | 92 | |
| 93 | - // Set the derived scope so we can compare it to the sent host at a later point |
|
| 94 | - $httpUtils = new Utils\HTTP(); |
|
| 93 | + // Set the derived scope so we can compare it to the sent host at a later point |
|
| 94 | + $httpUtils = new Utils\HTTP(); |
|
| 95 | 95 | $baseurl = $httpUtils->getSelfHost(); |
| 96 | 96 | $hostname = parse_url($baseurl, PHP_URL_HOST); |
| 97 | 97 | if ($hostname !== null) { |
@@ -14,7 +14,7 @@ |
||
| 14 | 14 | public static function saveStateAndRedirect(array &$state): void |
| 15 | 15 | { |
| 16 | 16 | $id = Auth\State::saveState($state, 'webauthn:request'); |
| 17 | - $url = Module::getModuleURL('webauthn/webauthn'); |
|
| 17 | + $url = Module::getModuleURL('webauthn/webauthn'); |
|
| 18 | 18 | $httpUtils = new Utils\HTTP(); |
| 19 | 19 | $httpUtils->redirectTrustedURL($url, ['StateId' => $id]); |
| 20 | 20 | } |
@@ -103,8 +103,8 @@ |
||
| 103 | 103 | $t->data['FIDO2Tokens'] = $state['FIDO2Tokens']; |
| 104 | 104 | |
| 105 | 105 | $challenge = str_split($state['FIDO2SignupChallenge'], 2); |
| 106 | - $entityid = $state['Source']['entityid']; |
|
| 107 | - $configUtils = new Utils\Config(); |
|
| 106 | + $entityid = $state['Source']['entityid']; |
|
| 107 | + $configUtils = new Utils\Config(); |
|
| 108 | 108 | $username = str_split( |
| 109 | 109 | hash('sha512', $state['FIDO2Username'] . '|' . $configUtils->getSecretSalt() . '|' . $entityid), |
| 110 | 110 | 2 |
@@ -118,9 +118,9 @@ discard block |
||
| 118 | 118 | case "android-safetynet": |
| 119 | 119 | $this->validateAttestationFormatAndroidSafetyNet($attestationArray); |
| 120 | 120 | break; |
| 121 | - case "apple": |
|
| 122 | - $this->validateAttestationFormatApple($attestationArray); |
|
| 123 | - break; |
|
| 121 | + case "apple": |
|
| 122 | + $this->validateAttestationFormatApple($attestationArray); |
|
| 123 | + break; |
|
| 124 | 124 | case "tpm": |
| 125 | 125 | case "android-key": |
| 126 | 126 | $this->fail("Attestation format " . $attestationArray['fmt'] . " validation not supported right now."); |
@@ -158,9 +158,9 @@ discard block |
||
| 158 | 158 | private function validateAttestationFormatApple(array $attestationArray): void |
| 159 | 159 | { |
| 160 | 160 | |
| 161 | - // found at: https://www.apple.com/certificateauthority/private/ |
|
| 161 | + // found at: https://www.apple.com/certificateauthority/private/ |
|
| 162 | 162 | |
| 163 | - $APPLE_WEBAUTHN_ROOT_CA = "-----BEGIN CERTIFICATE----- |
|
| 163 | + $APPLE_WEBAUTHN_ROOT_CA = "-----BEGIN CERTIFICATE----- |
|
| 164 | 164 | MIICEjCCAZmgAwIBAgIQaB0BbHo84wIlpQGUKEdXcTAKBggqhkjOPQQDAzBLMR8w |
| 165 | 165 | HQYDVQQDDBZBcHBsZSBXZWJBdXRobiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJ |
| 166 | 166 | bmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMB4XDTIwMDMxODE4MjEzMloXDTQ1MDMx |
@@ -175,67 +175,67 @@ discard block |
||
| 175 | 175 | 1bWeT0vT |
| 176 | 176 | -----END CERTIFICATE-----"; |
| 177 | 177 | // § 8.8 Bullet 1 of the draft spec at https://pr-preview.s3.amazonaws.com/alanwaketan/webauthn/pull/1491.html#sctn-apple-anonymous-attestation |
| 178 | - // draft implemented in state of 11 Feb 2021 |
|
| 178 | + // draft implemented in state of 11 Feb 2021 |
|
| 179 | 179 | |
| 180 | - // I can't help but notice that the verification procedure does NOTHING with CA certs from the chain, nor is there a root to validate to! |
|
| 181 | - // Found the root CA with Google, see above, and will perform chain validation even if the spec doesn't say so. |
|
| 180 | + // I can't help but notice that the verification procedure does NOTHING with CA certs from the chain, nor is there a root to validate to! |
|
| 181 | + // Found the root CA with Google, see above, and will perform chain validation even if the spec doesn't say so. |
|
| 182 | 182 | |
| 183 | - // first, clear the openssl error backlog. We might need error data in case things go sideways. |
|
| 184 | - while(openssl_error_string() !== false); |
|
| 183 | + // first, clear the openssl error backlog. We might need error data in case things go sideways. |
|
| 184 | + while(openssl_error_string() !== false); |
|
| 185 | 185 | |
| 186 | 186 | $stmtDecoded = $attestationArray['attStmt']; |
| 187 | - if (!isset($stmtDecoded['x5c'])) { |
|
| 188 | - $this->fail("Apple attestation statement does not contain an x5c attestation statement!"); |
|
| 189 | - } |
|
| 190 | - // § 8.8 Bullet 2 |
|
| 187 | + if (!isset($stmtDecoded['x5c'])) { |
|
| 188 | + $this->fail("Apple attestation statement does not contain an x5c attestation statement!"); |
|
| 189 | + } |
|
| 190 | + // § 8.8 Bullet 2 |
|
| 191 | 191 | $nonceToHash = $attestationArray['authData'] . $this->clientDataHash; |
| 192 | - // § 8.8 Bullet 3 |
|
| 193 | - $nonce = hash("sha256", $nonceToHash, true); // does raw_output have to be FALSE or TRUE? |
|
| 192 | + // § 8.8 Bullet 3 |
|
| 193 | + $nonce = hash("sha256", $nonceToHash, true); // does raw_output have to be FALSE or TRUE? |
|
| 194 | 194 | $cryptoUtils = new Utils\Crypto(); |
| 195 | 195 | $certProps = openssl_x509_parse($cryptoUtils->der2pem($stmtDecoded['x5c'][0])); |
| 196 | - // § 8.8 Bullet 4 |
|
| 196 | + // § 8.8 Bullet 4 |
|
| 197 | 197 | if ( |
| 198 | - !isset($certProps['extensions']['1.2.840.113635.100.8.2']) |
|
| 198 | + !isset($certProps['extensions']['1.2.840.113635.100.8.2']) |
|
| 199 | 199 | || empty($certProps['extensions']['1.2.840.113635.100.8.2']) |
| 200 | 200 | ) { |
| 201 | 201 | $this->fail( "The required nonce value is not present in the OID." ); |
| 202 | 202 | } |
| 203 | - $toCompare = substr($certProps['extensions']['1.2.840.113635.100.8.2'], 6); |
|
| 204 | - if ($nonce != $toCompare) { |
|
| 205 | - $this->fail("There is a mismatch between the nonce and the OID (XXX $nonce XXX , XXX $toCompare XXX )."); |
|
| 206 | - } |
|
| 207 | - |
|
| 208 | - // chain validation first |
|
| 209 | - foreach ( $stmtDecoded['x5c'] as $runIndex => $runCert ) { |
|
| 210 | - if (isset($stmtDecoded['x5c'][$runIndex + 1])) { // there is a next cert, so follow the chain |
|
| 211 | - $certResource = openssl_x509_read($cryptoUtils->der2pem($runCert)); |
|
| 212 | - $signerPubKey = openssl_pkey_get_public($cryptoUtils->der2pem($stmtDecoded['x5c'][$runIndex + 1])); |
|
| 213 | - if (openssl_x509_verify($certResource, $signerPubKey) != 1) { |
|
| 214 | - $this->fail("Error during chain validation of the attestation certificate (while validating cert #$runIndex, which is " |
|
| 203 | + $toCompare = substr($certProps['extensions']['1.2.840.113635.100.8.2'], 6); |
|
| 204 | + if ($nonce != $toCompare) { |
|
| 205 | + $this->fail("There is a mismatch between the nonce and the OID (XXX $nonce XXX , XXX $toCompare XXX )."); |
|
| 206 | + } |
|
| 207 | + |
|
| 208 | + // chain validation first |
|
| 209 | + foreach ( $stmtDecoded['x5c'] as $runIndex => $runCert ) { |
|
| 210 | + if (isset($stmtDecoded['x5c'][$runIndex + 1])) { // there is a next cert, so follow the chain |
|
| 211 | + $certResource = openssl_x509_read($cryptoUtils->der2pem($runCert)); |
|
| 212 | + $signerPubKey = openssl_pkey_get_public($cryptoUtils->der2pem($stmtDecoded['x5c'][$runIndex + 1])); |
|
| 213 | + if (openssl_x509_verify($certResource, $signerPubKey) != 1) { |
|
| 214 | + $this->fail("Error during chain validation of the attestation certificate (while validating cert #$runIndex, which is " |
|
| 215 | 215 | . $cryptoUtils->der2pem($runCert) |
| 216 | 216 | . "; next cert was " |
| 217 | 217 | . $cryptoUtils->der2pem($stmtDecoded['x5c'][$runIndex + 1])); |
| 218 | - } |
|
| 219 | - } else { // last cert, compare to the root |
|
| 220 | - $certResource = openssl_x509_read($cryptoUtils->der2pem($runCert)); |
|
| 221 | - $signerPubKey = openssl_pkey_get_public($APPLE_WEBAUTHN_ROOT_CA); |
|
| 222 | - if (openssl_x509_verify($certResource, $signerPubKey) != 1) { |
|
| 218 | + } |
|
| 219 | + } else { // last cert, compare to the root |
|
| 220 | + $certResource = openssl_x509_read($cryptoUtils->der2pem($runCert)); |
|
| 221 | + $signerPubKey = openssl_pkey_get_public($APPLE_WEBAUTHN_ROOT_CA); |
|
| 222 | + if (openssl_x509_verify($certResource, $signerPubKey) != 1) { |
|
| 223 | 223 | $this->fail("Error during root CA validation of the attestation chain certificate, which is " . $cryptoUtils->der2pem($runCert)); |
| 224 | 224 | } |
| 225 | - } |
|
| 226 | - } |
|
| 225 | + } |
|
| 226 | + } |
|
| 227 | 227 | |
| 228 | 228 | $keyResource = openssl_pkey_get_public($cryptoUtils->der2pem($stmtDecoded['x5c'][0])); |
| 229 | 229 | if ($keyResource === FALSE) { |
| 230 | - $this->fail("Did not get a parseable X.509 structure out of the Apple attestation statement - x5c nr. 0 statement was: XXX " |
|
| 230 | + $this->fail("Did not get a parseable X.509 structure out of the Apple attestation statement - x5c nr. 0 statement was: XXX " |
|
| 231 | 231 | . $stmtDecoded['x5c'][0] |
| 232 | 232 | . " XXX; PEM equivalent is " |
| 233 | 233 | . $cryptoUtils->der2pem($stmtDecoded['x5c'][0]) |
| 234 | 234 | . ". OpenSSL error: " |
| 235 | 235 | . openssl_error_string() |
| 236 | 236 | ); |
| 237 | - } |
|
| 238 | - // $this->credential is a public key in CBOR, not "PEM". We need to convert it first. |
|
| 237 | + } |
|
| 238 | + // $this->credential is a public key in CBOR, not "PEM". We need to convert it first. |
|
| 239 | 239 | $keyArray = $this->cborDecode(hex2bin($this->credential)); |
| 240 | 240 | $keyObject = new Ec2Key($keyArray); |
| 241 | 241 | $credentialResource = openssl_pkey_get_public($keyObject->asPEM()); |
@@ -249,20 +249,20 @@ discard block |
||
| 249 | 249 | . openssl_error_string() |
| 250 | 250 | ); |
| 251 | 251 | } |
| 252 | - // § 8.8 Bullet 5 |
|
| 253 | - $credentialDetails = openssl_pkey_get_details($credentialResource); |
|
| 254 | - $keyDetails = openssl_pkey_get_details($keyResource); |
|
| 255 | - if ( $credentialDetails['bits'] != $keyDetails['bits'] || |
|
| 252 | + // § 8.8 Bullet 5 |
|
| 253 | + $credentialDetails = openssl_pkey_get_details($credentialResource); |
|
| 254 | + $keyDetails = openssl_pkey_get_details($keyResource); |
|
| 255 | + if ( $credentialDetails['bits'] != $keyDetails['bits'] || |
|
| 256 | 256 | $credentialDetails['key'] != $keyDetails['key'] || |
| 257 | 257 | $credentialDetails['type'] != $keyDetails['type'] ) { |
| 258 | - $this->fail("The credential public key does not match the certificate public key in attestationData. (" |
|
| 259 | - . $credentialDetails['key'] |
|
| 260 | - . " - " |
|
| 261 | - . $keyDetails['key'] |
|
| 262 | - . ")"); |
|
| 263 | - } |
|
| 264 | - $this->pass("Apple attestation format verification passed."); |
|
| 265 | - return; |
|
| 258 | + $this->fail("The credential public key does not match the certificate public key in attestationData. (" |
|
| 259 | + . $credentialDetails['key'] |
|
| 260 | + . " - " |
|
| 261 | + . $keyDetails['key'] |
|
| 262 | + . ")"); |
|
| 263 | + } |
|
| 264 | + $this->pass("Apple attestation format verification passed."); |
|
| 265 | + return; |
|
| 266 | 266 | } |
| 267 | 267 | |
| 268 | 268 | /** |
