[Summary view] [Print] [Text view]

   1  <?php
   2  
   3  declare(strict_types=1);
   4  
   5  /*
   6   * The MIT License (MIT)
   7   *
   8   * Copyright (c) 2014-2019 Spomky-Labs
   9   *
  10   * This software may be modified and distributed under the terms
  11   * of the MIT license.  See the LICENSE file for details.
  12   */
  13  
  14  namespace Webauthn;
  15  
  16  use Assert\Assertion;
  17  use InvalidArgumentException;
  18  use Symfony\Component\Process\Process;
  19  use Webauthn\AttestationStatement\AttestationStatement;
  20  use Webauthn\MetadataService\MetadataStatement;
  21  use Webauthn\MetadataService\MetadataStatementRepository;
  22  
  23  class CertificateToolbox
  24  {
  25      public static function checkChain(array $certificates, array $trustedCertificates = []): void
  26      {
  27          $certificates = array_unique(array_merge($certificates, $trustedCertificates));
  28          if (0 === \count($certificates)) {
  29              return;
  30          }
  31          self::checkCertificatesValidity($certificates);
  32          $filenames = [];
  33  
  34          $leafFilename = tempnam(sys_get_temp_dir(), 'webauthn-leaf-');
  35          Assertion::string($leafFilename, 'Unable to get a temporary filename');
  36  
  37          $leafCertificate = array_shift($certificates);
  38          $result = file_put_contents($leafFilename, $leafCertificate);
  39          Assertion::integer($result, 'Unable to write temporary data');
  40          $filenames[] = $leafFilename;
  41  
  42          $processArguments = [];
  43  
  44          if (0 !== \count($certificates)) {
  45              $caFilename = tempnam(sys_get_temp_dir(), 'webauthn-ca-');
  46              Assertion::string($caFilename, 'Unable to get a temporary filename');
  47  
  48              $caCertificate = array_pop($certificates);
  49              $result = file_put_contents($caFilename, $caCertificate);
  50              Assertion::integer($result, 'Unable to write temporary data');
  51  
  52              $processArguments[] = '-CAfile';
  53              $processArguments[] = $caFilename;
  54              $filenames[] = $caFilename;
  55          }
  56  
  57          if (0 !== \count($certificates)) {
  58              $untrustedFilename = tempnam(sys_get_temp_dir(), 'webauthn-untrusted-');
  59              Assertion::string($untrustedFilename, 'Unable to get a temporary filename');
  60  
  61              foreach ($certificates as $certificate) {
  62                  $result = file_put_contents($untrustedFilename, $certificate, FILE_APPEND);
  63                  Assertion::integer($result, 'Unable to write temporary data');
  64                  $result = file_put_contents($untrustedFilename, PHP_EOL, FILE_APPEND);
  65                  Assertion::integer($result, 'Unable to write temporary data');
  66              }
  67              $processArguments[] = '-untrusted';
  68              $processArguments[] = $untrustedFilename;
  69              $filenames[] = $untrustedFilename;
  70          }
  71  
  72          $processArguments[] = $leafFilename;
  73          array_unshift($processArguments, 'openssl', 'verify');
  74  
  75          $process = new Process($processArguments);
  76          $process->start();
  77          while ($process->isRunning()) {
  78          }
  79          foreach ($filenames as $filename) {
  80              $result = unlink($filename);
  81              Assertion::true($result, 'Unable to delete temporary file');
  82          }
  83  
  84          if (!$process->isSuccessful()) {
  85              throw new InvalidArgumentException('Invalid certificate or certificate chain. Error is: '.$process->getErrorOutput());
  86          }
  87      }
  88  
  89      public static function checkAttestationMedata(AttestationStatement $attestationStatement, string $aaguid, array $certificates, MetadataStatementRepository $metadataStatementRepository): array
  90      {
  91          $metadataStatement = $metadataStatementRepository->findOneByAAGUID($aaguid);
  92          if (null === $metadataStatement) {
  93              //Check certificate CA chain
  94              self::checkChain($certificates);
  95  
  96              return $certificates;
  97          }
  98  
  99          //FIXME: to decide later if relevant
 100          /*Assertion::eq('fido2', $metadataStatement->getProtocolFamily(), sprintf('The protocol family of the authenticator "%s" should be "fido2". Got "%s".', $aaguid, $metadataStatement->getProtocolFamily()));
 101          if (null !== $metadataStatement->getAssertionScheme()) {
 102              Assertion::eq('FIDOV2', $metadataStatement->getAssertionScheme(), sprintf('The assertion scheme of the authenticator "%s" should be "FIDOV2". Got "%s".', $aaguid, $metadataStatement->getAssertionScheme()));
 103          }*/
 104  
 105          // Check Attestation Type is allowed
 106          if (0 !== \count($metadataStatement->getAttestationTypes())) {
 107              $type = self::getAttestationType($attestationStatement);
 108              Assertion::inArray($type, $metadataStatement->getAttestationTypes(), 'Invalid attestation statement. The attestation type is not allowed for this authenticator');
 109          }
 110  
 111          $attestationRootCertificates = $metadataStatement->getAttestationRootCertificates();
 112          if (0 === \count($attestationRootCertificates)) {
 113              self::checkChain($certificates);
 114  
 115              return $certificates;
 116          }
 117  
 118          foreach ($attestationRootCertificates as $key => $attestationRootCertificate) {
 119              $attestationRootCertificates[$key] = self::fixPEMStructure($attestationRootCertificate);
 120          }
 121  
 122          //Check certificate CA chain
 123          self::checkChain($certificates, $attestationRootCertificates);
 124  
 125          return $certificates;
 126      }
 127  
 128      private static function getAttestationType(AttestationStatement $attestationStatement): int
 129      {
 130          switch ($attestationStatement->getType()) {
 131              case AttestationStatement::TYPE_BASIC:
 132                  return MetadataStatement::ATTESTATION_BASIC_FULL;
 133              case AttestationStatement::TYPE_SELF:
 134                  return MetadataStatement::ATTESTATION_BASIC_SURROGATE;
 135              case AttestationStatement::TYPE_ATTCA:
 136                  return MetadataStatement::ATTESTATION_ATTCA;
 137              case AttestationStatement::TYPE_ECDAA:
 138                  return MetadataStatement::ATTESTATION_ECDAA;
 139              default:
 140                  throw new InvalidArgumentException('Invalid attestation type');
 141          }
 142      }
 143  
 144      public static function fixPEMStructure(string $certificate): string
 145      {
 146          $pemCert = '-----BEGIN CERTIFICATE-----'.PHP_EOL;
 147          $pemCert .= chunk_split($certificate, 64, PHP_EOL);
 148          $pemCert .= '-----END CERTIFICATE-----'.PHP_EOL;
 149  
 150          return $pemCert;
 151      }
 152  
 153      public static function convertDERToPEM(string $certificate): string
 154      {
 155          $derCertificate = self::unusedBytesFix($certificate);
 156  
 157          return self::fixPEMStructure(base64_encode($derCertificate));
 158      }
 159  
 160      public static function convertAllDERToPEM(array $certificates): array
 161      {
 162          $certs = [];
 163          foreach ($certificates as $publicKey) {
 164              $certs[] = self::convertDERToPEM($publicKey);
 165          }
 166  
 167          return $certs;
 168      }
 169  
 170      private static function unusedBytesFix(string $certificate): string
 171      {
 172          $certificateHash = hash('sha256', $certificate);
 173          if (\in_array($certificateHash, self::getCertificateHashes(), true)) {
 174              $certificate[mb_strlen($certificate, '8bit') - 257] = "\0";
 175          }
 176  
 177          return $certificate;
 178      }
 179  
 180      /**
 181       * @param string[] $certificates
 182       */
 183      private static function checkCertificatesValidity(array $certificates): void
 184      {
 185          foreach ($certificates as $certificate) {
 186              $parsed = openssl_x509_parse($certificate);
 187              Assertion::isArray($parsed, 'Unable to read the certificate');
 188              Assertion::keyExists($parsed, 'validTo_time_t', 'The certificate has no validity period');
 189              Assertion::keyExists($parsed, 'validFrom_time_t', 'The certificate has no validity period');
 190              Assertion::lessOrEqualThan(time(), $parsed['validTo_time_t'], 'The certificate expired');
 191              Assertion::greaterOrEqualThan(time(), $parsed['validFrom_time_t'], 'The certificate is not usable yet');
 192          }
 193      }
 194  
 195      /**
 196       * @return string[]
 197       */
 198      private static function getCertificateHashes(): array
 199      {
 200          return [
 201              '349bca1031f8c82c4ceca38b9cebf1a69df9fb3b94eed99eb3fb9aa3822d26e8',
 202              'dd574527df608e47ae45fbba75a2afdd5c20fd94a02419381813cd55a2a3398f',
 203              '1d8764f0f7cd1352df6150045c8f638e517270e8b5dda1c63ade9c2280240cae',
 204              'd0edc9a91a1677435a953390865d208c55b3183c6759c9b5a7ff494c322558eb',
 205              '6073c436dcd064a48127ddbf6032ac1a66fd59a0c24434f070d4e564c124c897',
 206              'ca993121846c464d666096d35f13bf44c1b05af205f9b4a1e00cf6cc10c5e511',
 207          ];
 208      }
 209  }