Sākums Izpētīt Palīdzība
Pierakstīties
mirrors
/
mailcow-dockerized
spogulis no https://github.com/mailcow/mailcow-dockerized
2
0
Atdalīts 0
Faili Problēmas 0 Vikivietne
Koks: c150ac7b37
Atzari Tagi
mailcow-dockeri...
/
data
/
web
/
inc
/
lib
/
WebAuthn
/
Attestation
/
Format
/
AndroidSafetyNet.php

AndroidSafetyNet.php 5.2 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140 
  1. <?php
    2. 

  2. 

  3. 

  4. namespace WebAuthn\Attestation\Format;
    5. 

  5. use WebAuthn\WebAuthnException;
    6. 

  6. use WebAuthn\Binary\ByteBuffer;
    7. 

  7. 

  8. class AndroidSafetyNet extends FormatBase {
    9. 

  9.     private $_signature;
    10. 

  10.     private $_signedValue;
    11. 

  11.     private $_x5c;
    12. 

  12.     private $_payload;
    13. 

  13. 

  14.     public function __construct($AttestionObject, \WebAuthn\Attestation\AuthenticatorData $authenticatorData) {
    15. 

  15.         parent::__construct($AttestionObject, $authenticatorData);
    16. 

  16. 

  17.         // check data
    18. 

  18.         $attStmt = $this->_attestationObject['attStmt'];
    19. 

  19. 

  20.         if (!\array_key_exists('ver', $attStmt) || !$attStmt['ver']) {
    21. 

  21.             throw new WebAuthnException('invalid Android Safety Net Format', WebAuthnException::INVALID_DATA);
    22. 

  22.         }
    23. 

  23. 

  24.         if (!\array_key_exists('response', $attStmt) || !($attStmt['response'] instanceof ByteBuffer)) {
    25. 

  25.             throw new WebAuthnException('invalid Android Safety Net Format', WebAuthnException::INVALID_DATA);
    26. 

  26.         }
    27. 

  27. 

  28.         $response = $attStmt['response']->getBinaryString();
    29. 

  29. 

  30.         // Response is a JWS [RFC7515] object in Compact Serialization.
    31. 

  31.         // JWSs have three segments separated by two period ('.') characters
    32. 

  32.         $parts = \explode('.', $response);
    33. 

  33.         unset ($response);
    34. 

  34.         if (\count($parts) !== 3) {
    35. 

  35.             throw new WebAuthnException('invalid JWS data', WebAuthnException::INVALID_DATA);
    36. 

  36.         }
    37. 

  37. 

  38.         $header = $this->_base64url_decode($parts[0]);
    39. 

  39.         $payload = $this->_base64url_decode($parts[1]);
    40. 

  40.         $this->_signature = $this->_base64url_decode($parts[2]);
    41. 

  41.         $this->_signedValue = $parts[0] . '.' . $parts[1];
    42. 

  42.         unset ($parts);
    43. 

  43. 

  44.         $header = \json_decode($header);
    45. 

  45.         $payload = \json_decode($payload);
    46. 

  46. 

  47.         if (!($header instanceof \stdClass)) {
    48. 

  48.             throw new WebAuthnException('invalid JWS header', WebAuthnException::INVALID_DATA);
    49. 

  49.         }
    50. 

  50.         if (!($payload instanceof \stdClass)) {
    51. 

  51.             throw new WebAuthnException('invalid JWS payload', WebAuthnException::INVALID_DATA);
    52. 

  52.         }
    53. 

  53. 

  54.         if (!$header->x5c || !is_array($header->x5c) || count($header->x5c) === 0) {
    55. 

  55.             throw new WebAuthnException('No X.509 signature in JWS Header', WebAuthnException::INVALID_DATA);
    56. 

  56.         }
    57. 

  57. 

  58.         // algorithm
    59. 

  59.         if (!\in_array($header->alg, array('RS256', 'ES256'))) {
    60. 

  60.             throw new WebAuthnException('invalid JWS algorithm ' . $header->alg, WebAuthnException::INVALID_DATA);
    61. 

  61.         }
    62. 

  62. 

  63.         $this->_x5c = \base64_decode($header->x5c[0]);
    64. 

  64.         $this->_payload = $payload;
    65. 

  65. 

  66.         if (count($header->x5c) > 1) {
    67. 

  67.             for ($i=1; $i<count($header->x5c); $i++) {
    68. 

  68.                 $this->_x5c_chain[] = \base64_decode($header->x5c[$i]);
    69. 

  69.             }
    70. 

  70.             unset ($i);
    71. 

  71.         }
    72. 

  72.     }
    73. 

  73. 

  74. 

  75.     /*
    76. 

  76.      * returns the key certificate in PEM format
    77. 

  77.      * @return string
    78. 

  78.      */
    79. 

  79.     public function getCertificatePem() {
    80. 

  80.         return $this->_createCertificatePem($this->_x5c);
    81. 

  81.     }
    82. 

  82. 

  83.     /**
    84. 

  84.      * @param string $clientDataHash
    85. 

  85.      */
    86. 

  86.     public function validateAttestation($clientDataHash) {
    87. 

  87.         $publicKey = \openssl_pkey_get_public($this->getCertificatePem());
    88. 

  88. 

  89.         // Verify that the nonce in the response is identical to the Base64 encoding
    90. 

  90.         // of the SHA-256 hash of the concatenation of authenticatorData and clientDataHash.
    91. 

  91.         if (!$this->_payload->nonce || $this->_payload->nonce !== \base64_encode(\hash('SHA256', $this->_authenticatorData->getBinary() . $clientDataHash, true))) {
    92. 

  92.             throw new WebAuthnException('invalid nonce in JWS payload', WebAuthnException::INVALID_DATA);
    93. 

  93.         }
    94. 

  94. 

  95.         // Verify that attestationCert is issued to the hostname "attest.android.com"
    96. 

  96.         $certInfo = \openssl_x509_parse($this->getCertificatePem());
    97. 

  97.         if (!\is_array($certInfo) || !$certInfo['subject'] || $certInfo['subject']['CN'] !== 'attest.android.com') {
    98. 

  98.             throw new WebAuthnException('invalid certificate CN in JWS (' . $certInfo['subject']['CN']. ')', WebAuthnException::INVALID_DATA);
    99. 

  99.         }
    100. 

  100. 

  101.         // Verify that the ctsProfileMatch attribute in the payload of response is true.
    102. 

  102.         if (!$this->_payload->ctsProfileMatch) {
    103. 

  103.             throw new WebAuthnException('invalid ctsProfileMatch in payload', WebAuthnException::INVALID_DATA);
    104. 

  104.         }
    105. 

  105. 

  106.         // check certificate
    107. 

  107.         return \openssl_verify($this->_signedValue, $this->_signature, $publicKey, OPENSSL_ALGO_SHA256) === 1;
    108. 

  108.     }
    109. 

  109. 

  110. 

  111.     /**
    112. 

  112.      * validates the certificate against root certificates
    113. 

  113.      * @param array $rootCas
    114. 

  114.      * @return boolean
    115. 

  115.      * @throws WebAuthnException
    116. 

  116.      */
    117. 

  117.     public function validateRootCertificate($rootCas) {
    118. 

  118.         $chainC = $this->_createX5cChainFile();
    119. 

  119.         if ($chainC) {
    120. 

  120.             $rootCas[] = $chainC;
    121. 

  121.         }
    122. 

  122. 

  123.         $v = \openssl_x509_checkpurpose($this->getCertificatePem(), -1, $rootCas);
    124. 

  124.         if ($v === -1) {
    125. 

  125.             throw new WebAuthnException('error on validating root certificate: ' . \openssl_error_string(), WebAuthnException::CERTIFICATE_NOT_TRUSTED);
    126. 

  126.         }
    127. 

  127.         return $v;
    128. 

  128.     }
    129. 

  129. 

  130. 

  131.     /**
    132. 

  132.      * decode base64 url
    133. 

  133.      * @param string $data
    134. 

  134.      * @return string
    135. 

  135.      */
    136. 

  136.     private function _base64url_decode($data) {
    137. 

  137.         return \base64_decode(\strtr($data, '-_', '+/') . \str_repeat('=', 3 - (3 + \strlen($data)) % 4));
    138. 

  138.     }
    139. 

  139. }
    140. 

  140.