
[WebAuthn] disable rootCA default

FreddleSpl0it 3 years ago
parent
commit
7df2bb28f8
4 changed files with 13 additions and 50 deletions
  1. 1 14
      data/web/inc/prerequisites.inc.php
  2. 1 1
      docker-compose.yml
  3. 4 16
      generate_config.sh
  4. 7 19
      update.sh

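--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -63,20 +63,7 @@ $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider);
 $formats = $GLOBALS['FIDO2_FORMATS'];
 $WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats);
 // only include root ca's when needed
-$WEBAUTHN_DISABLE_ROOTCA = (getenv('WEBAUTHN_DISABLE_ROOTCA') == 'y');
-if (!$WEBAUTHN_DISABLE_ROOTCA){
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/solo.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/apple.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/nitro.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/yubico.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/hypersecu.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/globalSign.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/googleHardware.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/microsoftTpmCollection.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/huawei.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/trustkey.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/bsi.pem');
-}
+if (getenv('WEBAUTHN_RESPECT_ROOTCA') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');
 
 // Redis
 $redis = new Redis();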
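Review bot: The new guard on the `+` line compares the `getenv()` result (which is `false` when the variable is unset) with loose `==` and drops the braces; `if (getenv('WEBAUTHN_RESPECT_ROOTCA') === 'y') { ... }` keeps the comparison strict and the block explicit. The retained comment `// only include root ca's when needed` no longer describes the behaviour: with the shipped default no attestation roots are loaded at all, and with `y` every certificate in the rootCertificates directory becomes a trusted root (assuming the library accepts a directory path here, as the change implies). Suggest replacing it with `// attestation root CAs are opt-in (WEBAUTHN_RESPECT_ROOTCA=y): by default manufacturer attestation is not checked; with y every file in rootCertificates/ is trusted`. Whether lbuchs\WebAuthn silently skips attestation chain validation when no roots are configured, rather than rejecting registrations, should be confirmed before relying on the new default.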

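--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -157,7 +157,7 @@ services:
         - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
         - MASTER=${MASTER:-y}
         - DEV_MODE=${DEV_MODE:-n}
-        - WEBAUTHN_DISABLE_ROOTCA=${WEBAUTHN_DISABLE_ROOTCA:-n}
+        - WEBAUTHN_RESPECT_ROOTCA=${WEBAUTHN_RESPECT_ROOTCA:-n}
       restart: always
       networks:
         mailcow-network: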

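--- a/generate_config.sh
+++ b/generate_config.sh
@@ -344,22 +344,10 @@ DOVECOT_MASTER_PASS=
 # https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_tls/
 ACME_CONTACT=
 
-# Disable including device root ca's for WebAuthn
-# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers
-# It will solve "Error: invalid root certificate" at TFA device registration
-# Suported devices are 
-#   solo certified
-#   apple certified
-#   nitro certified
-#   yubico certified
-#   hypersecu certified
-#   globalSign certified
-#   googleHardware certified
-#   microsoftTpmCollection certified
-#   huawei certified
-#   trustkey certified
-#   bsi certified
-WEBAUTHN_DISABLE_ROOTCA=n
+# Enable webauthn device manufacturer verification
+# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed
+# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
+WEBAUTHN_RESPECT_ROOTCA=n
 
 EOF
 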
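Review bot: The new comment block in the heredoc explains what `y` does but not what the shipped default `n` means, which is now the security-relevant case: with `n` no attestation roots are loaded, so registration does not verify which manufacturer issued the authenticator. Suggest adding `# With WEBAUTHN_RESPECT_ROOTCA=n (default) the attestation certificate chain is not verified` before the assignment, and capitalising the first line as `# Enable WebAuthn device manufacturer verification`. The same three echo lines are written by update.sh (hunk at -515,24) and should carry the same sentence so fresh and updated configs read alike.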

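--- a/update.sh
+++ b/update.sh
@@ -307,7 +307,7 @@ CONFIG_ARRAY=(
   "ADDITIONAL_SERVER_NAMES"
   "ACME_CONTACT"
   "WATCHDOG_VERBOSE"
-  "WEBAUTHN_DISABLE_ROOTCA"
+  "WEBAUTHN_RESPECT_ROOTCA"
 )
 
 sed -i --follow-symlinks '$a\' mailcow.conf
@@ -515,24 +515,12 @@ for option in ${CONFIG_ARRAY[@]}; do
       echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf
       echo 'ACME_CONTACT=' >> mailcow.conf
   fi
-  elif [[ ${option} == "WEBAUTHN_DISABLE_ROOTCA" ]]; then
-    if ! grep -q ${option} mailcow.conf; then
-      echo "# Disable including device root ca's for WebAuthn" >> mailcow.conf
-      echo '# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers' >> mailcow.conf
-      echo '# It will solve "Error: invalid root certificate" at TFA device registration' >> mailcow.conf
-      echo '# Suported devices are' >> mailcow.conf
-      echo '#   solo certified' >> mailcow.conf
-      echo '#   apple certified' >> mailcow.conf
-      echo '#   nitro certified' >> mailcow.conf
-      echo '#   yubico certified' >> mailcow.conf
-      echo '#   hypersecu certified' >> mailcow.conf
-      echo '#   globalSign certified' >> mailcow.conf
-      echo '#   googleHardware certified' >> mailcow.conf
-      echo '#   microsoftTpmCollection certified' >> mailcow.conf
-      echo '#   huawei certified' >> mailcow.conf
-      echo '#   trustkey certified' >> mailcow.conf
-      echo '#   bsi certified' >> mailcow.conf
-      echo 'WEBAUTHN_DISABLE_ROOTCA=n' >> mailcow.conf
+  elif [[ ${option} == "WEBAUTHN_RESPECT_ROOTCA" ]]; then
+    if ! grep -q ${option} mailcow.conf; then
+      echo "# Enable webauthn device manufacturer verification" >> mailcow.conf
+      echo '# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed' >> mailcow.conf
+      echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf
+      echo 'WEBAUTHN_RESPECT_ROOTCA=n' >> mailcow.conf
     fi
 elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then
     if ! grep -q ${option} mailcow.conf; then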
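Review bot: The new `WEBAUTHN_RESPECT_ROOTCA` branch only appends the key when it is missing and never looks at an existing `WEBAUTHN_DISABLE_ROOTCA` entry, so an installation that previously had attestation roots checked (old default `n`) comes out of the update with the check switched off and nothing telling the operator; the obsolete key and its comment block also stay in mailcow.conf where they will mislead. At minimum the branch should drop the stale line, `sed -i --follow-symlinks '/^WEBAUTHN_DISABLE_ROOTCA=/d' mailcow.conf`, and print a notice such as `echo "WebAuthn root CA validation is now opt-in: set WEBAUTHN_RESPECT_ROOTCA=y in mailcow.conf to keep verifying authenticator manufacturers"` so the posture change is visible in the update log. The `for option` loop this branch belongs to starts outside the hunk.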