update

Peter · Peter · commit 1fa695839c79 · 2025-06-25T15:18:10.000+08:00
diff --git a/src/Attestation/Format/FormatBase.php b/src/Attestation/Format/FormatBase.php
@@ -1,165 +1,63 @@
 <?php
 
-namespace Onetech\WebAuthn\Attestation;
 
-use Onetech\WebAuthn\Attestation\Format\FormatBase;
-use Onetech\WebAuthn\WebAuthnException;
-use Onetech\WebAuthn\CBOR\CborDecoder;
-use Onetech\WebAuthn\Binary\ByteBuffer;
-
-/**
- * @author Lukas Buchs
- * @license https://github.com/lbuchs/WebAuthn/blob/master/LICENSE MIT
- */
-class AttestationObject
-{
-    private AuthenticatorData $_authenticatorData;
-    private FormatBase $_attestationFormat;
-    private string $_attestationFormatName;
-
-    /**
-     * @throws WebAuthnException
-     */
-    public function __construct($binary, $allowedFormats)
-    {
-        $enc = CborDecoder::decode($binary);
-        // validation
-        if (!\is_array($enc) || !\array_key_exists('fmt', $enc) || !is_string($enc['fmt'])) {
-            throw new WebAuthnException('invalid attestation format', WebAuthnException::INVALID_DATA);
-        }
-
-        if (!\array_key_exists('attStmt', $enc) || !\is_array($enc['attStmt'])) {
-            throw new WebAuthnException('invalid attestation format (attStmt not available)', WebAuthnException::INVALID_DATA);
-        }
-
-        if (!\array_key_exists('authData', $enc) || !\is_object($enc['authData']) || !($enc['authData'] instanceof ByteBuffer)) {
-            throw new WebAuthnException('invalid attestation format (authData not available)', WebAuthnException::INVALID_DATA);
-        }
-
-        $this->_authenticatorData = new AuthenticatorData($enc['authData']->getBinaryString());
-        $this->_attestationFormatName = $enc['fmt'];
-
-        // Format ok?
-        if (!in_array($this->_attestationFormatName, $allowedFormats)) {
-            throw new WebAuthnException('invalid attestation format: ' . $this->_attestationFormatName, WebAuthnException::INVALID_DATA);
-        }
+namespace Onetech\WebAuthn\Attestation\Format;
 
+use Onetech\WebAuthn\WebAuthnException;
+use Onetech\WebAuthn\Attestation\AuthenticatorData;
+use stdClass;
+use function count;
 
-        $this->_attestationFormat = match ($this->_attestationFormatName) {
-            'android-key' => new Format\AndroidKey($enc, $this->_authenticatorData),
-            'android-safetynet' => new Format\AndroidSafetyNet($enc, $this->_authenticatorData),
-            'apple' => new Format\Apple($enc, $this->_authenticatorData),
-            'fido-u2f' => new Format\U2f($enc, $this->_authenticatorData),
-            'none' => new Format\None($enc, $this->_authenticatorData),
-            'packed' => new Format\Packed($enc, $this->_authenticatorData),
-            'tpm' => new Format\Tpm($enc, $this->_authenticatorData),
-            default => throw new WebAuthnException('invalid attestation format: ' . $enc['fmt'], WebAuthnException::INVALID_DATA),
-        };
-    }
 
-    /**
-     * returns the attestation format name
-     * @return string
-     */
-    public function getAttestationFormatName(): string
-    {
-        return $this->_attestationFormatName;
-    }
+abstract class FormatBase
+{
+    protected ?array $_attestationObject;
+    protected ?AuthenticatorData $_authenticatorData;
+    protected array $_x5c_chain;
+    protected $_x5c_tempFile = null;
 
     /**
-     * returns the attestation format class
-     * @return FormatBase
+     *
+     * @param array $AttentionObject
+     * @param AuthenticatorData $authenticatorData
      */
-    public function getAttestationFormat(): FormatBase
+    public function __construct(array $AttentionObject, AuthenticatorData $authenticatorData)
     {
-        return $this->_attestationFormat;
+        $this->_attestationObject = $AttentionObject;
+        $this->_authenticatorData = $authenticatorData;
     }
 
     /**
-     * returns the attestation public key in PEM format
-     * @return AuthenticatorData
+     *
      */
-    public function getAuthenticatorData(): AuthenticatorData
+    public function __destruct()
     {
-        return $this->_authenticatorData;
+        // delete X.509 chain certificate file after use
+        if ($this->_x5c_tempFile && \is_file($this->_x5c_tempFile)) {
+            \unlink($this->_x5c_tempFile);
+        }
     }
 
     /**
-     * returns the certificate chain as PEM
+     * returns the certificate chain in PEM format
      * @return string|null
      */
     public function getCertificateChain(): ?string
     {
-        return $this->_attestationFormat->getCertificateChain();
-    }
-
-    /**
-     * return the certificate issuer as string
-     * @return string
-     */
-    public function getCertificateIssuer(): string
-    {
-        $pem = $this->getCertificatePem();
-        $issuer = '';
-        if ($pem) {
-            $certInfo = \openssl_x509_parse($pem);
-            if (\is_array($certInfo) && \array_key_exists('issuer', $certInfo) && \is_array($certInfo['issuer'])) {
-
-                $cn = $certInfo['issuer']['CN'] ?? '';
-                $o = $certInfo['issuer']['O'] ?? '';
-                $ou = $certInfo['issuer']['OU'] ?? '';
-
-                if ($cn) {
-                    $issuer .= $cn;
-                }
-                if ($issuer && ($o || $ou)) {
-                    $issuer .= ' (' . trim($o . ' ' . $ou) . ')';
-                } else {
-                    $issuer .= trim($o . ' ' . $ou);
-                }
-            }
+        if ($this->_x5c_tempFile && \is_file($this->_x5c_tempFile)) {
+            return \file_get_contents($this->_x5c_tempFile);
         }
-
-        return $issuer;
+        return null;
     }
 
     /**
-     * return the certificate subject as string
-     * @return string
-     */
-    public function getCertificateSubject(): string
-    {
-        $pem = $this->getCertificatePem();
-        $subject = '';
-        if ($pem) {
-            $certInfo = \openssl_x509_parse($pem);
-            if (\is_array($certInfo) && \array_key_exists('subject', $certInfo) && \is_array($certInfo['subject'])) {
-
-                $cn = $certInfo['subject']['CN'] ?? '';
-                $o = $certInfo['subject']['O'] ?? '';
-                $ou = $certInfo['subject']['OU'] ?? '';
-
-                if ($cn) {
-                    $subject .= $cn;
-                }
-                if ($subject && ($o || $ou)) {
-                    $subject .= ' (' . trim($o . ' ' . $ou) . ')';
-                } else {
-                    $subject .= trim($o . ' ' . $ou);
-                }
-            }
-        }
-
-        return $subject;
-    }
-
-    /**
-     * returns the key certificate in PEM format
-     * @return null|string
+     * returns the key X.509 certificate in PEM format
+     * @return string|null
      */
     public function getCertificatePem(): ?string
     {
-        return $this->_attestationFormat->getCertificatePem();
+        // need to be overwritten
+        return null;
     }
 
     /**
@@ -170,7 +68,8 @@ public function getCertificatePem(): ?string
      */
     public function validateAttestation(string $clientDataHash): bool
     {
-        return $this->_attestationFormat->validateAttestation($clientDataHash);
+        // need to be overwritten
+        return false;
     }
 
     /**
@@ -181,16 +80,127 @@ public function validateAttestation(string $clientDataHash): bool
      */
     public function validateRootCertificate(array $rootCas): bool
     {
-        return $this->_attestationFormat->validateRootCertificate($rootCas);
+        // need to be overwritten
+        return false;
     }
 
+
     /**
-     * checks if the RpId-Hash is valid
-     * @param string $rpIdHash
-     * @return bool
+     * create a PEM encoded certificate with X.509 binary data
+     * @param string $x5c
+     * @return string
      */
-    public function validateRpIdHash(string $rpIdHash): bool
+    protected function _createCertificatePem(string $x5c): string
     {
-        return $rpIdHash === $this->_authenticatorData->getRpIdHash();
+        $pem = '-----BEGIN CERTIFICATE-----' . "\n";
+        $pem .= \chunk_split(\base64_encode($x5c), 64, "\n");
+        $pem .= '-----END CERTIFICATE-----' . "\n";
+        return $pem;
+    }
+
+    /**
+     * creates a PEM encoded chain file
+     * @return string|null
+     */
+    protected function _createX5cChainFile(): ?string
+    {
+        $content = '';
+        if (count($this->_x5c_chain) > 0) {
+            foreach ($this->_x5c_chain as $x5c) {
+                $certInfo = \openssl_x509_parse($this->_createCertificatePem($x5c));
+
+                // check if certificate is self-signed
+                if (\is_array($certInfo) && \is_array($certInfo['issuer']) && \is_array($certInfo['subject'])) {
+                    $selfSigned = false;
+
+                    $subjectKeyIdentifier = $certInfo['extensions']['subjectKeyIdentifier'] ?? null;
+                    $authorityKeyIdentifier = $certInfo['extensions']['authorityKeyIdentifier'] ?? null;
+
+                    if ($authorityKeyIdentifier && str_starts_with($authorityKeyIdentifier, 'keyid:')) {
+                        $authorityKeyIdentifier = substr($authorityKeyIdentifier, 6);
+                    }
+                    if ($subjectKeyIdentifier && str_starts_with($subjectKeyIdentifier, 'keyid:')) {
+                        $subjectKeyIdentifier = substr($subjectKeyIdentifier, 6);
+                    }
+
+                    if (($subjectKeyIdentifier && !$authorityKeyIdentifier) || ($authorityKeyIdentifier && $authorityKeyIdentifier === $subjectKeyIdentifier)) {
+                        $selfSigned = true;
+                    }
+
+                    if (!$selfSigned) {
+                        $content .= "\n" . $this->_createCertificatePem($x5c) . "\n";
+                    }
+                }
+            }
+        }
+
+        if ($content) {
+            $this->_x5c_tempFile = \tempnam(\sys_get_temp_dir(), 'x5c_');
+            if (\file_put_contents($this->_x5c_tempFile, $content) !== false) {
+                return $this->_x5c_tempFile;
+            }
+        }
+
+        return null;
+    }
+
+
+    /**
+     * returns the name and openssl key for provided cose number.
+     * @param int $coseNumber
+     * @return stdClass|null
+     */
+    protected function _getCoseAlgorithm(int $coseNumber): ?stdClass
+    {
+        // https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+        $coseAlgorithms = array(
+            array(
+                'hash' => 'SHA1',
+                'openssl' => OPENSSL_ALGO_SHA1,
+                'cose' => array(
+                    -65535  // RS1
+                )),
+
+            array(
+                'hash' => 'SHA256',
+                'openssl' => OPENSSL_ALGO_SHA256,
+                'cose' => array(
+                    -257, // RS256
+                    -37,  // PS256
+                    -7,   // ES256
+                    5     // HMAC256
+                )),
+
+            array(
+                'hash' => 'SHA384',
+                'openssl' => OPENSSL_ALGO_SHA384,
+                'cose' => array(
+                    -258, // RS384
+                    -38,  // PS384
+                    -35,  // ES384
+                    6     // HMAC384
+                )),
+
+            array(
+                'hash' => 'SHA512',
+                'openssl' => OPENSSL_ALGO_SHA512,
+                'cose' => array(
+                    -259, // RS512
+                    -39,  // PS512
+                    -36,  // ES512
+                    7     // HMAC512
+                ))
+        );
+
+        foreach ($coseAlgorithms as $coseAlgorithm) {
+            if (\in_array($coseNumber, $coseAlgorithm['cose'], true)) {
+                $return = new stdClass();
+                $return->hash = $coseAlgorithm['hash'];
+                $return->openssl = $coseAlgorithm['openssl'];
+                return $return;
+            }
+        }
+
+        return null;
     }
 }
