blob: 2b51ba8b7505dc808862eaef27d6fa76ddd8c9fb [file] [log] [blame]
Copybara botbe50d492023-11-30 00:16:42 +01001<?php
2
3
4namespace lbuchs\WebAuthn\Attestation\Format;
5use lbuchs\WebAuthn\Attestation\AuthenticatorData;
6use lbuchs\WebAuthn\WebAuthnException;
7use lbuchs\WebAuthn\Binary\ByteBuffer;
8
9class U2f extends FormatBase {
10 private $_alg = -7;
11 private $_signature;
12 private $_x5c;
13
14 public function __construct($AttestionObject, AuthenticatorData $authenticatorData) {
15 parent::__construct($AttestionObject, $authenticatorData);
16
17 // check u2f data
18 $attStmt = $this->_attestationObject['attStmt'];
19
20 if (\array_key_exists('alg', $attStmt) && $attStmt['alg'] !== $this->_alg) {
21 throw new WebAuthnException('u2f only accepts algorithm -7 ("ES256"), but got ' . $attStmt['alg'], WebAuthnException::INVALID_DATA);
22 }
23
24 if (!\array_key_exists('sig', $attStmt) || !\is_object($attStmt['sig']) || !($attStmt['sig'] instanceof ByteBuffer)) {
25 throw new WebAuthnException('no signature found', WebAuthnException::INVALID_DATA);
26 }
27
28 if (!\array_key_exists('x5c', $attStmt) || !\is_array($attStmt['x5c']) || \count($attStmt['x5c']) !== 1) {
29 throw new WebAuthnException('invalid x5c certificate', WebAuthnException::INVALID_DATA);
30 }
31
32 if (!\is_object($attStmt['x5c'][0]) || !($attStmt['x5c'][0] instanceof ByteBuffer)) {
33 throw new WebAuthnException('invalid x5c certificate', WebAuthnException::INVALID_DATA);
34 }
35
36 $this->_signature = $attStmt['sig']->getBinaryString();
37 $this->_x5c = $attStmt['x5c'][0]->getBinaryString();
38 }
39
40
41 /*
42 * returns the key certificate in PEM format
43 * @return string
44 */
45 public function getCertificatePem() {
46 $pem = '-----BEGIN CERTIFICATE-----' . "\n";
47 $pem .= \chunk_split(\base64_encode($this->_x5c), 64, "\n");
48 $pem .= '-----END CERTIFICATE-----' . "\n";
49 return $pem;
50 }
51
52 /**
53 * @param string $clientDataHash
54 */
55 public function validateAttestation($clientDataHash) {
56 $publicKey = \openssl_pkey_get_public($this->getCertificatePem());
57
58 if ($publicKey === false) {
59 throw new WebAuthnException('invalid public key: ' . \openssl_error_string(), WebAuthnException::INVALID_PUBLIC_KEY);
60 }
61
62 // Let verificationData be the concatenation of (0x00 || rpIdHash || clientDataHash || credentialId || publicKeyU2F)
63 $dataToVerify = "\x00";
64 $dataToVerify .= $this->_authenticatorData->getRpIdHash();
65 $dataToVerify .= $clientDataHash;
66 $dataToVerify .= $this->_authenticatorData->getCredentialId();
67 $dataToVerify .= $this->_authenticatorData->getPublicKeyU2F();
68
69 $coseAlgorithm = $this->_getCoseAlgorithm($this->_alg);
70
71 // check certificate
72 return \openssl_verify($dataToVerify, $this->_signature, $publicKey, $coseAlgorithm->openssl) === 1;
73 }
74
75 /**
76 * validates the certificate against root certificates
77 * @param array $rootCas
78 * @return boolean
79 * @throws WebAuthnException
80 */
81 public function validateRootCertificate($rootCas) {
82 $chainC = $this->_createX5cChainFile();
83 if ($chainC) {
84 $rootCas[] = $chainC;
85 }
86
87 $v = \openssl_x509_checkpurpose($this->getCertificatePem(), -1, $rootCas);
88 if ($v === -1) {
89 throw new WebAuthnException('error on validating root certificate: ' . \openssl_error_string(), WebAuthnException::CERTIFICATE_NOT_TRUSTED);
90 }
91 return $v;
92 }
93}