[ Index ] |
PHP Cross Reference of Joomla 4.2.2 documentation |
[Summary view] [Print] [Text view]
1 <?php 2 3 declare(strict_types=1); 4 5 /* 6 * The MIT License (MIT) 7 * 8 * Copyright (c) 2014-2019 Spomky-Labs 9 * 10 * This software may be modified and distributed under the terms 11 * of the MIT license. See the LICENSE file for details. 12 */ 13 14 namespace Webauthn; 15 16 use Assert\Assertion; 17 use InvalidArgumentException; 18 use Symfony\Component\Process\Process; 19 use Webauthn\AttestationStatement\AttestationStatement; 20 use Webauthn\MetadataService\MetadataStatement; 21 use Webauthn\MetadataService\MetadataStatementRepository; 22 23 class CertificateToolbox 24 { 25 public static function checkChain(array $certificates, array $trustedCertificates = []): void 26 { 27 $certificates = array_unique(array_merge($certificates, $trustedCertificates)); 28 if (0 === \count($certificates)) { 29 return; 30 } 31 self::checkCertificatesValidity($certificates); 32 $filenames = []; 33 34 $leafFilename = tempnam(sys_get_temp_dir(), 'webauthn-leaf-'); 35 Assertion::string($leafFilename, 'Unable to get a temporary filename'); 36 37 $leafCertificate = array_shift($certificates); 38 $result = file_put_contents($leafFilename, $leafCertificate); 39 Assertion::integer($result, 'Unable to write temporary data'); 40 $filenames[] = $leafFilename; 41 42 $processArguments = []; 43 44 if (0 !== \count($certificates)) { 45 $caFilename = tempnam(sys_get_temp_dir(), 'webauthn-ca-'); 46 Assertion::string($caFilename, 'Unable to get a temporary filename'); 47 48 $caCertificate = array_pop($certificates); 49 $result = file_put_contents($caFilename, $caCertificate); 50 Assertion::integer($result, 'Unable to write temporary data'); 51 52 $processArguments[] = '-CAfile'; 53 $processArguments[] = $caFilename; 54 $filenames[] = $caFilename; 55 } 56 57 if (0 !== \count($certificates)) { 58 $untrustedFilename = tempnam(sys_get_temp_dir(), 'webauthn-untrusted-'); 59 Assertion::string($untrustedFilename, 'Unable to get a temporary filename'); 60 61 foreach ($certificates as $certificate) { 62 $result = file_put_contents($untrustedFilename, $certificate, FILE_APPEND); 63 Assertion::integer($result, 'Unable to write temporary data'); 64 $result = file_put_contents($untrustedFilename, PHP_EOL, FILE_APPEND); 65 Assertion::integer($result, 'Unable to write temporary data'); 66 } 67 $processArguments[] = '-untrusted'; 68 $processArguments[] = $untrustedFilename; 69 $filenames[] = $untrustedFilename; 70 } 71 72 $processArguments[] = $leafFilename; 73 array_unshift($processArguments, 'openssl', 'verify'); 74 75 $process = new Process($processArguments); 76 $process->start(); 77 while ($process->isRunning()) { 78 } 79 foreach ($filenames as $filename) { 80 $result = unlink($filename); 81 Assertion::true($result, 'Unable to delete temporary file'); 82 } 83 84 if (!$process->isSuccessful()) { 85 throw new InvalidArgumentException('Invalid certificate or certificate chain. Error is: '.$process->getErrorOutput()); 86 } 87 } 88 89 public static function checkAttestationMedata(AttestationStatement $attestationStatement, string $aaguid, array $certificates, MetadataStatementRepository $metadataStatementRepository): array 90 { 91 $metadataStatement = $metadataStatementRepository->findOneByAAGUID($aaguid); 92 if (null === $metadataStatement) { 93 //Check certificate CA chain 94 self::checkChain($certificates); 95 96 return $certificates; 97 } 98 99 //FIXME: to decide later if relevant 100 /*Assertion::eq('fido2', $metadataStatement->getProtocolFamily(), sprintf('The protocol family of the authenticator "%s" should be "fido2". Got "%s".', $aaguid, $metadataStatement->getProtocolFamily())); 101 if (null !== $metadataStatement->getAssertionScheme()) { 102 Assertion::eq('FIDOV2', $metadataStatement->getAssertionScheme(), sprintf('The assertion scheme of the authenticator "%s" should be "FIDOV2". Got "%s".', $aaguid, $metadataStatement->getAssertionScheme())); 103 }*/ 104 105 // Check Attestation Type is allowed 106 if (0 !== \count($metadataStatement->getAttestationTypes())) { 107 $type = self::getAttestationType($attestationStatement); 108 Assertion::inArray($type, $metadataStatement->getAttestationTypes(), 'Invalid attestation statement. The attestation type is not allowed for this authenticator'); 109 } 110 111 $attestationRootCertificates = $metadataStatement->getAttestationRootCertificates(); 112 if (0 === \count($attestationRootCertificates)) { 113 self::checkChain($certificates); 114 115 return $certificates; 116 } 117 118 foreach ($attestationRootCertificates as $key => $attestationRootCertificate) { 119 $attestationRootCertificates[$key] = self::fixPEMStructure($attestationRootCertificate); 120 } 121 122 //Check certificate CA chain 123 self::checkChain($certificates, $attestationRootCertificates); 124 125 return $certificates; 126 } 127 128 private static function getAttestationType(AttestationStatement $attestationStatement): int 129 { 130 switch ($attestationStatement->getType()) { 131 case AttestationStatement::TYPE_BASIC: 132 return MetadataStatement::ATTESTATION_BASIC_FULL; 133 case AttestationStatement::TYPE_SELF: 134 return MetadataStatement::ATTESTATION_BASIC_SURROGATE; 135 case AttestationStatement::TYPE_ATTCA: 136 return MetadataStatement::ATTESTATION_ATTCA; 137 case AttestationStatement::TYPE_ECDAA: 138 return MetadataStatement::ATTESTATION_ECDAA; 139 default: 140 throw new InvalidArgumentException('Invalid attestation type'); 141 } 142 } 143 144 public static function fixPEMStructure(string $certificate): string 145 { 146 $pemCert = '-----BEGIN CERTIFICATE-----'.PHP_EOL; 147 $pemCert .= chunk_split($certificate, 64, PHP_EOL); 148 $pemCert .= '-----END CERTIFICATE-----'.PHP_EOL; 149 150 return $pemCert; 151 } 152 153 public static function convertDERToPEM(string $certificate): string 154 { 155 $derCertificate = self::unusedBytesFix($certificate); 156 157 return self::fixPEMStructure(base64_encode($derCertificate)); 158 } 159 160 public static function convertAllDERToPEM(array $certificates): array 161 { 162 $certs = []; 163 foreach ($certificates as $publicKey) { 164 $certs[] = self::convertDERToPEM($publicKey); 165 } 166 167 return $certs; 168 } 169 170 private static function unusedBytesFix(string $certificate): string 171 { 172 $certificateHash = hash('sha256', $certificate); 173 if (\in_array($certificateHash, self::getCertificateHashes(), true)) { 174 $certificate[mb_strlen($certificate, '8bit') - 257] = "\0"; 175 } 176 177 return $certificate; 178 } 179 180 /** 181 * @param string[] $certificates 182 */ 183 private static function checkCertificatesValidity(array $certificates): void 184 { 185 foreach ($certificates as $certificate) { 186 $parsed = openssl_x509_parse($certificate); 187 Assertion::isArray($parsed, 'Unable to read the certificate'); 188 Assertion::keyExists($parsed, 'validTo_time_t', 'The certificate has no validity period'); 189 Assertion::keyExists($parsed, 'validFrom_time_t', 'The certificate has no validity period'); 190 Assertion::lessOrEqualThan(time(), $parsed['validTo_time_t'], 'The certificate expired'); 191 Assertion::greaterOrEqualThan(time(), $parsed['validFrom_time_t'], 'The certificate is not usable yet'); 192 } 193 } 194 195 /** 196 * @return string[] 197 */ 198 private static function getCertificateHashes(): array 199 { 200 return [ 201 '349bca1031f8c82c4ceca38b9cebf1a69df9fb3b94eed99eb3fb9aa3822d26e8', 202 'dd574527df608e47ae45fbba75a2afdd5c20fd94a02419381813cd55a2a3398f', 203 '1d8764f0f7cd1352df6150045c8f638e517270e8b5dda1c63ade9c2280240cae', 204 'd0edc9a91a1677435a953390865d208c55b3183c6759c9b5a7ff494c322558eb', 205 '6073c436dcd064a48127ddbf6032ac1a66fd59a0c24434f070d4e564c124c897', 206 'ca993121846c464d666096d35f13bf44c1b05af205f9b4a1e00cf6cc10c5e511', 207 ]; 208 } 209 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
Generated: Wed Sep 7 05:41:13 2022 | Chilli.vc Blog - For Webmaster,Blog-Writer,System Admin and Domainer |