-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
/
FidoU2FAttestationStatementSupport.php
220 lines (195 loc) · 8.73 KB
/
FidoU2FAttestationStatementSupport.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
<?php
/**
* @package Joomla.Plugin
* @subpackage Multifactorauth.webauthn
*
* @copyright (C) 2022 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
* @copyright (C) 2014-2019 Spomky-Labs
* @license This software may be modified and distributed under the terms
* of the MIT license.
* See libraries/vendor/web-auth/webauthn-lib/LICENSE
*/
namespace Joomla\Plugin\Multifactorauth\Webauthn\Hotfix;
use Assert\Assertion;
use CBOR\Decoder;
use CBOR\MapObject;
use CBOR\OtherObject\OtherObjectManager;
use CBOR\Tag\TagObjectManager;
use Cose\Key\Ec2Key;
use Webauthn\AttestationStatement\AttestationStatement;
use Webauthn\AttestationStatement\AttestationStatementSupport;
use Webauthn\AuthenticatorData;
use Webauthn\CertificateToolbox;
use Webauthn\MetadataService\MetadataStatementRepository;
use Webauthn\StringStream;
use Webauthn\TrustPath\CertificateTrustPath;
/**
* We had to fork the key attestation support object from the WebAuthn server package to address an
* issue with PHP 8.
*
* We are currently using an older version of the WebAuthn library (2.x) which was written before
* PHP 8 was developed. We cannot upgrade the WebAuthn library to a newer major version because of
* Joomla's Semantic Versioning promise.
*
* The FidoU2FAttestationStatementSupport class forces an assertion on the result of the
* openssl_pkey_get_public() function, assuming it will return a resource. However, starting with
* PHP 8.0 this function returns an OpenSSLAsymmetricKey object and the assertion fails. As a
* result, you cannot use Android or FIDO U2F keys with WebAuthn.
*
* The assertion check is in a private method, therefore we have to fork both attestation support
* class to change the assertion. The assertion takes place through a third party library we cannot
* (and should not!) modify.
*
* @since 4.2.0
*
* @deprecated 5.0 We will upgrade the WebAuthn library to version 3 or later and this will go away.
*/
final class FidoU2FAttestationStatementSupport implements AttestationStatementSupport
{
/**
* @var Decoder
* @since 4.2.0
*/
private $decoder;
/**
* @var MetadataStatementRepository|null
* @since 4.2.0
*/
private $metadataStatementRepository;
/**
* @param Decoder|null $decoder Obvious
* @param MetadataStatementRepository|null $metadataStatementRepository Obvious
*
* @since 4.2.0
*/
public function __construct(
?Decoder $decoder = null,
?MetadataStatementRepository $metadataStatementRepository = null
) {
if ($decoder !== null) {
@trigger_error('The argument "$decoder" is deprecated since 2.1 and will be removed in v3.0. Set null instead', E_USER_DEPRECATED);
}
if ($metadataStatementRepository === null) {
@trigger_error(
'Setting "null" for argument "$metadataStatementRepository" is deprecated since 2.1 and will be mandatory in v3.0.',
E_USER_DEPRECATED
);
}
$this->decoder = $decoder ?? new Decoder(new TagObjectManager(), new OtherObjectManager());
$this->metadataStatementRepository = $metadataStatementRepository;
}
/**
* @return string
* @since 4.2.0
*/
public function name(): string
{
return 'fido-u2f';
}
/**
* @param array $attestation Obvious
*
* @return AttestationStatement
* @throws \Assert\AssertionFailedException
*
* @since 4.2.0
*/
public function load(array $attestation): AttestationStatement
{
Assertion::keyExists($attestation, 'attStmt', 'Invalid attestation object');
foreach (['sig', 'x5c'] as $key) {
Assertion::keyExists($attestation['attStmt'], $key, sprintf('The attestation statement value "%s" is missing.', $key));
}
$certificates = $attestation['attStmt']['x5c'];
Assertion::isArray($certificates, 'The attestation statement value "x5c" must be a list with one certificate.');
Assertion::count($certificates, 1, 'The attestation statement value "x5c" must be a list with one certificate.');
Assertion::allString($certificates, 'The attestation statement value "x5c" must be a list with one certificate.');
reset($certificates);
$certificates = CertificateToolbox::convertAllDERToPEM($certificates);
$this->checkCertificate($certificates[0]);
return AttestationStatement::createBasic($attestation['fmt'], $attestation['attStmt'], new CertificateTrustPath($certificates));
}
/**
* @param string $clientDataJSONHash Obvious
* @param AttestationStatement $attestationStatement Obvious
* @param AuthenticatorData $authenticatorData Obvious
*
* @return boolean
* @throws \Assert\AssertionFailedException
* @since 4.2.0
*/
public function isValid(
string $clientDataJSONHash,
AttestationStatement $attestationStatement,
AuthenticatorData $authenticatorData
): bool {
Assertion::eq(
$authenticatorData->getAttestedCredentialData()->getAaguid()->toString(),
'00000000-0000-0000-0000-000000000000',
'Invalid AAGUID for fido-u2f attestation statement. Shall be "00000000-0000-0000-0000-000000000000"'
);
if ($this->metadataStatementRepository !== null) {
CertificateToolbox::checkAttestationMedata(
$attestationStatement,
$authenticatorData->getAttestedCredentialData()->getAaguid()->toString(),
[],
$this->metadataStatementRepository
);
}
$trustPath = $attestationStatement->getTrustPath();
Assertion::isInstanceOf($trustPath, CertificateTrustPath::class, 'Invalid trust path');
$dataToVerify = "\0";
$dataToVerify .= $authenticatorData->getRpIdHash();
$dataToVerify .= $clientDataJSONHash;
$dataToVerify .= $authenticatorData->getAttestedCredentialData()->getCredentialId();
$dataToVerify .= $this->extractPublicKey($authenticatorData->getAttestedCredentialData()->getCredentialPublicKey());
return openssl_verify($dataToVerify, $attestationStatement->get('sig'), $trustPath->getCertificates()[0], OPENSSL_ALGO_SHA256) === 1;
}
/**
* @param string|null $publicKey Obvious
*
* @return string
* @throws \Assert\AssertionFailedException
* @since 4.2.0
*/
private function extractPublicKey(?string $publicKey): string
{
Assertion::notNull($publicKey, 'The attested credential data does not contain a valid public key.');
$publicKeyStream = new StringStream($publicKey);
$coseKey = $this->decoder->decode($publicKeyStream);
Assertion::true($publicKeyStream->isEOF(), 'Invalid public key. Presence of extra bytes.');
$publicKeyStream->close();
Assertion::isInstanceOf($coseKey, MapObject::class, 'The attested credential data does not contain a valid public key.');
$coseKey = $coseKey->getNormalizedData();
$ec2Key = new Ec2Key($coseKey + [Ec2Key::TYPE => 2, Ec2Key::DATA_CURVE => Ec2Key::CURVE_P256]);
return "\x04" . $ec2Key->x() . $ec2Key->y();
}
/**
* @param string $publicKey Obvious
*
* @return void
* @throws \Assert\AssertionFailedException
* @since 4.2.0
*/
private function checkCertificate(string $publicKey): void
{
try {
$resource = openssl_pkey_get_public($publicKey);
if (version_compare(PHP_VERSION, '8.0', 'lt')) {
Assertion::isResource($resource, 'Unable to read the certificate');
} else {
/** @noinspection PhpElementIsNotAvailableInCurrentPhpVersionInspection */
Assertion::isInstanceOf($resource, \OpenSSLAsymmetricKey::class, 'Unable to read the certificate');
}
} catch (\Throwable $throwable) {
throw new \InvalidArgumentException('Invalid certificate or certificate chain', 0, $throwable);
}
$details = openssl_pkey_get_details($resource);
Assertion::keyExists($details, 'ec', 'Invalid certificate or certificate chain');
Assertion::keyExists($details['ec'], 'curve_name', 'Invalid certificate or certificate chain');
Assertion::eq($details['ec']['curve_name'], 'prime256v1', 'Invalid certificate or certificate chain');
Assertion::keyExists($details['ec'], 'curve_oid', 'Invalid certificate or certificate chain');
Assertion::eq($details['ec']['curve_oid'], '1.2.840.10045.3.1.7', 'Invalid certificate or certificate chain');
}
}