Search moodle.org's
Developer Documentation
Developer Documentation
- Bug fixes for general core bugs in 4.3.x will end 7 October 2024 (12 months).
- Bug fixes for security issues in 4.3.x will end 21 April 2025 (18 months).
- PHP version: minimum PHP 8.0.0 Note: minimum PHP version has increased since Moodle 4.1. PHP 8.2.x is supported too.
/lib/webauthn/src/Attestation/Format/ -> U2f.php (source)
1 <?php 2 3 4 namespace lbuchs\WebAuthn\Attestation\Format; 5 use lbuchs\WebAuthn\Attestation\AuthenticatorData; 6 use lbuchs\WebAuthn\WebAuthnException; 7 use lbuchs\WebAuthn\Binary\ByteBuffer; 8 9 class U2f extends FormatBase { 10 private $_alg = -7; 11 private $_signature; 12 private $_x5c; 13 14 public function __construct($AttestionObject, AuthenticatorData $authenticatorData) { 15 parent::__construct($AttestionObject, $authenticatorData); 16 17 // check u2f data 18 $attStmt = $this->_attestationObject['attStmt']; 19 20 if (\array_key_exists('alg', $attStmt) && $attStmt['alg'] !== $this->_alg) { 21 throw new WebAuthnException('u2f only accepts algorithm -7 ("ES256"), but got ' . $attStmt['alg'], WebAuthnException::INVALID_DATA); 22 } 23 24 if (!\array_key_exists('sig', $attStmt) || !\is_object($attStmt['sig']) || !($attStmt['sig'] instanceof ByteBuffer)) { 25 throw new WebAuthnException('no signature found', WebAuthnException::INVALID_DATA); 26 } 27 28 if (!\array_key_exists('x5c', $attStmt) || !\is_array($attStmt['x5c']) || \count($attStmt['x5c']) !== 1) { 29 throw new WebAuthnException('invalid x5c certificate', WebAuthnException::INVALID_DATA); 30 } 31 32 if (!\is_object($attStmt['x5c'][0]) || !($attStmt['x5c'][0] instanceof ByteBuffer)) { 33 throw new WebAuthnException('invalid x5c certificate', WebAuthnException::INVALID_DATA); 34 } 35 36 $this->_signature = $attStmt['sig']->getBinaryString(); 37 $this->_x5c = $attStmt['x5c'][0]->getBinaryString(); 38 } 39 40 41 /* 42 * returns the key certificate in PEM format 43 * @return string 44 */ 45 public function getCertificatePem() { 46 $pem = '-----BEGIN CERTIFICATE-----' . "\n"; 47 $pem .= \chunk_split(\base64_encode($this->_x5c), 64, "\n"); 48 $pem .= '-----END CERTIFICATE-----' . "\n"; 49 return $pem; 50 } 51 52 /** 53 * @param string $clientDataHash 54 */ 55 public function validateAttestation($clientDataHash) { 56 $publicKey = \openssl_pkey_get_public($this->getCertificatePem()); 57 58 if ($publicKey === false) { 59 throw new WebAuthnException('invalid public key: ' . \openssl_error_string(), WebAuthnException::INVALID_PUBLIC_KEY); 60 } 61 62 // Let verificationData be the concatenation of (0x00 || rpIdHash || clientDataHash || credentialId || publicKeyU2F) 63 $dataToVerify = "\x00"; 64 $dataToVerify .= $this->_authenticatorData->getRpIdHash(); 65 $dataToVerify .= $clientDataHash; 66 $dataToVerify .= $this->_authenticatorData->getCredentialId(); 67 $dataToVerify .= $this->_authenticatorData->getPublicKeyU2F(); 68 69 $coseAlgorithm = $this->_getCoseAlgorithm($this->_alg); 70 71 // check certificate 72 return \openssl_verify($dataToVerify, $this->_signature, $publicKey, $coseAlgorithm->openssl) === 1; 73 } 74 75 /** 76 * validates the certificate against root certificates 77 * @param array $rootCas 78 * @return boolean 79 * @throws WebAuthnException 80 */ 81 public function validateRootCertificate($rootCas) { 82 $chainC = $this->_createX5cChainFile(); 83 if ($chainC) { 84 $rootCas[] = $chainC; 85 } 86 87 $v = \openssl_x509_checkpurpose($this->getCertificatePem(), -1, $rootCas); 88 if ($v === -1) { 89 throw new WebAuthnException('error on validating root certificate: ' . \openssl_error_string(), WebAuthnException::CERTIFICATE_NOT_TRUSTED); 90 } 91 return $v; 92 } 93 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
