|
|
|
@ -83,14 +83,14 @@ class Manager {
|
|
|
|
public function startRegistration(IUser $user, string $serverHost): PublicKeyCredentialCreationOptions {
|
|
|
|
public function startRegistration(IUser $user, string $serverHost): PublicKeyCredentialCreationOptions {
|
|
|
|
$rpEntity = new PublicKeyCredentialRpEntity(
|
|
|
|
$rpEntity = new PublicKeyCredentialRpEntity(
|
|
|
|
'Nextcloud', //Name
|
|
|
|
'Nextcloud', //Name
|
|
|
|
$this->stripPort($serverHost), //ID
|
|
|
|
$this->stripPort($serverHost), //ID
|
|
|
|
null //Icon
|
|
|
|
null //Icon
|
|
|
|
);
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
$userEntity = new PublicKeyCredentialUserEntity(
|
|
|
|
$userEntity = new PublicKeyCredentialUserEntity(
|
|
|
|
$user->getUID(), //Name
|
|
|
|
$user->getUID(), // Name
|
|
|
|
$user->getUID(), //ID
|
|
|
|
$user->getUID(), // ID
|
|
|
|
$user->getDisplayName() //Display name
|
|
|
|
$user->getDisplayName() // Display name
|
|
|
|
// 'https://foo.example.co/avatar/123e4567-e89b-12d3-a456-426655440000' //Icon
|
|
|
|
// 'https://foo.example.co/avatar/123e4567-e89b-12d3-a456-426655440000' //Icon
|
|
|
|
);
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
@ -107,9 +107,10 @@ class Manager {
|
|
|
|
];
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
|
|
$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(
|
|
|
|
$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(
|
|
|
|
|
|
|
|
null,
|
|
|
|
|
|
|
|
AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED,
|
|
|
|
null,
|
|
|
|
null,
|
|
|
|
false,
|
|
|
|
false,
|
|
|
|
AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
|
|
|
|
|
|
|
|
);
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
return new PublicKeyCredentialCreationOptions(
|
|
|
|
return new PublicKeyCredentialCreationOptions(
|
|
|
|
@ -117,11 +118,10 @@ class Manager {
|
|
|
|
$userEntity,
|
|
|
|
$userEntity,
|
|
|
|
$challenge,
|
|
|
|
$challenge,
|
|
|
|
$publicKeyCredentialParametersList,
|
|
|
|
$publicKeyCredentialParametersList,
|
|
|
|
$timeout,
|
|
|
|
|
|
|
|
$excludedPublicKeyDescriptors,
|
|
|
|
|
|
|
|
$authenticatorSelectionCriteria,
|
|
|
|
$authenticatorSelectionCriteria,
|
|
|
|
PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE,
|
|
|
|
PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE,
|
|
|
|
null
|
|
|
|
$excludedPublicKeyDescriptors,
|
|
|
|
|
|
|
|
$timeout,
|
|
|
|
);
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@ -149,7 +149,7 @@ class Manager {
|
|
|
|
try {
|
|
|
|
try {
|
|
|
|
// Load the data
|
|
|
|
// Load the data
|
|
|
|
$publicKeyCredential = $publicKeyCredentialLoader->load($data);
|
|
|
|
$publicKeyCredential = $publicKeyCredentialLoader->load($data);
|
|
|
|
$response = $publicKeyCredential->getResponse();
|
|
|
|
$response = $publicKeyCredential->response;
|
|
|
|
|
|
|
|
|
|
|
|
// Check if the response is an Authenticator Attestation Response
|
|
|
|
// Check if the response is an Authenticator Attestation Response
|
|
|
|
if (!$response instanceof AuthenticatorAttestationResponse) {
|
|
|
|
if (!$response instanceof AuthenticatorAttestationResponse) {
|
|
|
|
@ -162,7 +162,9 @@ class Manager {
|
|
|
|
$publicKeyCredentialSource = $authenticatorAttestationResponseValidator->check(
|
|
|
|
$publicKeyCredentialSource = $authenticatorAttestationResponseValidator->check(
|
|
|
|
$response,
|
|
|
|
$response,
|
|
|
|
$publicKeyCredentialCreationOptions,
|
|
|
|
$publicKeyCredentialCreationOptions,
|
|
|
|
$request);
|
|
|
|
$request,
|
|
|
|
|
|
|
|
['localhost'],
|
|
|
|
|
|
|
|
);
|
|
|
|
} catch (\Throwable $exception) {
|
|
|
|
} catch (\Throwable $exception) {
|
|
|
|
throw $exception;
|
|
|
|
throw $exception;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@ -180,18 +182,18 @@ class Manager {
|
|
|
|
$registeredPublicKeyCredentialDescriptors = array_map(function (PublicKeyCredentialEntity $entity) {
|
|
|
|
$registeredPublicKeyCredentialDescriptors = array_map(function (PublicKeyCredentialEntity $entity) {
|
|
|
|
$credential = $entity->toPublicKeyCredentialSource();
|
|
|
|
$credential = $entity->toPublicKeyCredentialSource();
|
|
|
|
return new PublicKeyCredentialDescriptor(
|
|
|
|
return new PublicKeyCredentialDescriptor(
|
|
|
|
$credential->getType(),
|
|
|
|
$credential->type,
|
|
|
|
$credential->getPublicKeyCredentialId()
|
|
|
|
$credential->publicKeyCredentialId,
|
|
|
|
);
|
|
|
|
);
|
|
|
|
}, $this->credentialMapper->findAllForUid($uid));
|
|
|
|
}, $this->credentialMapper->findAllForUid($uid));
|
|
|
|
|
|
|
|
|
|
|
|
// Public Key Credential Request Options
|
|
|
|
// Public Key Credential Request Options
|
|
|
|
return new PublicKeyCredentialRequestOptions(
|
|
|
|
return new PublicKeyCredentialRequestOptions(
|
|
|
|
random_bytes(32), // Challenge
|
|
|
|
random_bytes(32), // Challenge
|
|
|
|
60000, // Timeout
|
|
|
|
$this->stripPort($serverHost), // Relying Party ID
|
|
|
|
$this->stripPort($serverHost), // Relying Party ID
|
|
|
|
$registeredPublicKeyCredentialDescriptors, // Registered PublicKeyCredentialDescriptor classes
|
|
|
|
$registeredPublicKeyCredentialDescriptors, // Registered PublicKeyCredentialDescriptor classes
|
|
|
|
AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED,
|
|
|
|
AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
|
|
|
|
60000, // Timeout
|
|
|
|
);
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@ -213,16 +215,15 @@ class Manager {
|
|
|
|
$tokenBindingHandler,
|
|
|
|
$tokenBindingHandler,
|
|
|
|
$extensionOutputCheckerHandler,
|
|
|
|
$extensionOutputCheckerHandler,
|
|
|
|
$algorithmManager,
|
|
|
|
$algorithmManager,
|
|
|
|
null,
|
|
|
|
|
|
|
|
$this->logger,
|
|
|
|
|
|
|
|
);
|
|
|
|
);
|
|
|
|
|
|
|
|
$authenticatorAssertionResponseValidator->setLogger($this->logger);
|
|
|
|
|
|
|
|
|
|
|
|
try {
|
|
|
|
try {
|
|
|
|
$this->logger->debug('Loading publickey credentials from: ' . $data);
|
|
|
|
$this->logger->debug('Loading publickey credentials from: ' . $data);
|
|
|
|
|
|
|
|
|
|
|
|
// Load the data
|
|
|
|
// Load the data
|
|
|
|
$publicKeyCredential = $publicKeyCredentialLoader->load($data);
|
|
|
|
$publicKeyCredential = $publicKeyCredentialLoader->load($data);
|
|
|
|
$response = $publicKeyCredential->getResponse();
|
|
|
|
$response = $publicKeyCredential->response;
|
|
|
|
|
|
|
|
|
|
|
|
// Check if the response is an Authenticator Attestation Response
|
|
|
|
// Check if the response is an Authenticator Attestation Response
|
|
|
|
if (!$response instanceof AuthenticatorAssertionResponse) {
|
|
|
|
if (!$response instanceof AuthenticatorAssertionResponse) {
|
|
|
|
@ -233,18 +234,17 @@ class Manager {
|
|
|
|
$request = ServerRequest::fromGlobals();
|
|
|
|
$request = ServerRequest::fromGlobals();
|
|
|
|
|
|
|
|
|
|
|
|
$publicKeyCredentialSource = $authenticatorAssertionResponseValidator->check(
|
|
|
|
$publicKeyCredentialSource = $authenticatorAssertionResponseValidator->check(
|
|
|
|
$publicKeyCredential->getRawId(),
|
|
|
|
$publicKeyCredential->rawId,
|
|
|
|
$response,
|
|
|
|
$response,
|
|
|
|
$publicKeyCredentialRequestOptions,
|
|
|
|
$publicKeyCredentialRequestOptions,
|
|
|
|
$request,
|
|
|
|
$request,
|
|
|
|
$uid
|
|
|
|
$uid,
|
|
|
|
|
|
|
|
['localhost'],
|
|
|
|
);
|
|
|
|
);
|
|
|
|
} catch (\Throwable $e) {
|
|
|
|
} catch (\Throwable $e) {
|
|
|
|
throw $e;
|
|
|
|
throw $e;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
Ferdinand Thiessen
2 months ago