AutorÃa | Ultima modificación | Ver Log |
<?phpnamespace lbuchs\WebAuthn\Attestation\Format;use lbuchs\WebAuthn\Attestation\AuthenticatorData;use lbuchs\WebAuthn\WebAuthnException;use lbuchs\WebAuthn\Binary\ByteBuffer;class Packed extends FormatBase {private $_alg;private $_signature;private $_x5c;public function __construct($AttestionObject, AuthenticatorData $authenticatorData) {parent::__construct($AttestionObject, $authenticatorData);// check packed data$attStmt = $this->_attestationObject['attStmt'];if (!\array_key_exists('alg', $attStmt) || $this->_getCoseAlgorithm($attStmt['alg']) === null) {throw new WebAuthnException('unsupported alg: ' . $attStmt['alg'], WebAuthnException::INVALID_DATA);}if (!\array_key_exists('sig', $attStmt) || !\is_object($attStmt['sig']) || !($attStmt['sig'] instanceof ByteBuffer)) {throw new WebAuthnException('no signature found', WebAuthnException::INVALID_DATA);}$this->_alg = $attStmt['alg'];$this->_signature = $attStmt['sig']->getBinaryString();// certificate for validationif (\array_key_exists('x5c', $attStmt) && \is_array($attStmt['x5c']) && \count($attStmt['x5c']) > 0) {// The attestation certificate attestnCert MUST be the first element in the array$attestnCert = array_shift($attStmt['x5c']);if (!($attestnCert instanceof ByteBuffer)) {throw new WebAuthnException('invalid x5c certificate', WebAuthnException::INVALID_DATA);}$this->_x5c = $attestnCert->getBinaryString();// certificate chainforeach ($attStmt['x5c'] as $chain) {if ($chain instanceof ByteBuffer) {$this->_x5c_chain[] = $chain->getBinaryString();}}}}/** returns the key certificate in PEM format* @return string|null*/public function getCertificatePem() {if (!$this->_x5c) {return null;}return $this->_createCertificatePem($this->_x5c);}/*** @param string $clientDataHash*/public function validateAttestation($clientDataHash) {if ($this->_x5c) {return $this->_validateOverX5c($clientDataHash);} else {return $this->_validateSelfAttestation($clientDataHash);}}/*** validates the certificate against root certificates* @param array $rootCas* @return boolean* @throws WebAuthnException*/public function validateRootCertificate($rootCas) {if (!$this->_x5c) {return false;}$chainC = $this->_createX5cChainFile();if ($chainC) {$rootCas[] = $chainC;}$v = \openssl_x509_checkpurpose($this->getCertificatePem(), -1, $rootCas);if ($v === -1) {throw new WebAuthnException('error on validating root certificate: ' . \openssl_error_string(), WebAuthnException::CERTIFICATE_NOT_TRUSTED);}return $v;}/*** validate if x5c is present* @param string $clientDataHash* @return bool* @throws WebAuthnException*/protected function _validateOverX5c($clientDataHash) {$publicKey = \openssl_pkey_get_public($this->getCertificatePem());if ($publicKey === false) {throw new WebAuthnException('invalid public key: ' . \openssl_error_string(), WebAuthnException::INVALID_PUBLIC_KEY);}// Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash// using the attestation public key in attestnCert with the algorithm specified in alg.$dataToVerify = $this->_authenticatorData->getBinary();$dataToVerify .= $clientDataHash;$coseAlgorithm = $this->_getCoseAlgorithm($this->_alg);// check certificatereturn \openssl_verify($dataToVerify, $this->_signature, $publicKey, $coseAlgorithm->openssl) === 1;}/*** validate if self attestation is in use* @param string $clientDataHash* @return bool*/protected function _validateSelfAttestation($clientDataHash) {// Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash// using the credential public key with alg.$dataToVerify = $this->_authenticatorData->getBinary();$dataToVerify .= $clientDataHash;$publicKey = $this->_authenticatorData->getPublicKeyPem();// check certificatereturn \openssl_verify($dataToVerify, $this->_signature, $publicKey, OPENSSL_ALGO_SHA256) === 1;}}