Project-Pro/idpan.poznan.pl
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
Jacek Pyziak
2026-02-08 21:16:11 +01:00
commit e17b7026fd
8881 changed files with 1160453 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

256
plugins/multifactorauth/webauthn/src/CredentialRepository.php Normal file
View File

@@ -0,0 +1,256 @@
<?php
/**
* @package Joomla.Plugin
* @subpackage Multifactorauth.webauthn
*
* @copyright (C) 2022 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
namespace Joomla\Plugin\Multifactorauth\Webauthn;
use Joomla\CMS\Factory;
use Joomla\CMS\MVC\Factory\MVCFactoryInterface;
use Joomla\CMS\User\UserFactoryInterface;
use Joomla\Component\Users\Administrator\Helper\Mfa as MfaHelper;
use Joomla\Component\Users\Administrator\Table\MfaTable;
use Webauthn\AttestationStatement\AttestationStatement;
use Webauthn\AttestedCredentialData;
use Webauthn\PublicKeyCredentialDescriptor;
use Webauthn\PublicKeyCredentialSource;
use Webauthn\PublicKeyCredentialSourceRepository;
use Webauthn\PublicKeyCredentialUserEntity;
use Webauthn\TrustPath\EmptyTrustPath;
// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects
/**
* Implementation of the credentials repository for the WebAuthn library.
*
* Important assumption: interaction with Webauthn through the library is only performed for the currently logged in
* user. Therefore all Methods which take a credential ID work by checking the Joomla MFA records of the current
* user only. This is a necessity. The records are stored encrypted, therefore we cannot do a partial search in the
* table. We have to load the records, decrypt them and inspect them. We cannot do that for thousands of records but
* we CAN do that for the few records each user has under their account.
*
* This behavior can be changed by passing a user ID in the constructor of the class.
*
* @since 4.2.0
*/
class CredentialRepository implements PublicKeyCredentialSourceRepository
{
/**
* The user ID we will operate with
*
* @var integer
* @since 4.2.0
*/
private $userId = 0;
/**
* CredentialRepository constructor.
*
* @param int $userId The user ID this repository will be working with.
*
* @throws \Exception
* @since 4.2.0
*/
public function __construct(int $userId = 0)
{
if (empty($userId)) {
$user = Factory::getApplication()->getIdentity()
?: Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById(0);
$userId = $user->id;
}
$this->userId = $userId;
}
/**
* Finds a WebAuthn record given a credential ID
*
* @param string $publicKeyCredentialId The public credential ID to look for
*
* @return PublicKeyCredentialSource|null
* @since 4.2.0
*/
public function findOneByCredentialId(string $publicKeyCredentialId): ?PublicKeyCredentialSource
{
$publicKeyCredentialUserEntity = new PublicKeyCredentialUserEntity('', $this->userId, '', '');
$credentials = $this->findAllForUserEntity($publicKeyCredentialUserEntity);
foreach ($credentials as $record) {
if ($record->getAttestedCredentialData()->getCredentialId() != $publicKeyCredentialId) {
continue;
}
return $record;
}
return null;
}
/**
* Find all WebAuthn entries given a user entity
*
* @param PublicKeyCredentialUserEntity $publicKeyCredentialUserEntity The user entity to search by
*
* @return array|PublicKeyCredentialSource[]
* @throws \Exception
* @since 4.2.0
*/
public function findAllForUserEntity(PublicKeyCredentialUserEntity $publicKeyCredentialUserEntity): array
{
if (empty($publicKeyCredentialUserEntity)) {
$userId = $this->userId;
} else {
$userId = $publicKeyCredentialUserEntity->getId();
}
$return = [];
$results = MfaHelper::getUserMfaRecords($userId);
if (count($results) < 1) {
return $return;
}
/** @var MfaTable $result */
foreach ($results as $result) {
$options = $result->options;
if (!is_array($options) || empty($options)) {
continue;
}
if (!isset($options['attested']) && !isset($options['pubkeysource'])) {
continue;
}
if (isset($options['attested']) && is_string($options['attested'])) {
$options['attested'] = json_decode($options['attested'], true);
$return[$result->id] = $this->attestedCredentialToPublicKeyCredentialSource(
AttestedCredentialData::createFromArray($options['attested']),
$userId
);
} elseif (isset($options['pubkeysource']) && is_string($options['pubkeysource'])) {
$options['pubkeysource'] = json_decode($options['pubkeysource'], true);
$return[$result->id] = PublicKeyCredentialSource::createFromArray($options['pubkeysource']);
} elseif (isset($options['pubkeysource']) && is_array($options['pubkeysource'])) {
$return[$result->id] = PublicKeyCredentialSource::createFromArray($options['pubkeysource']);
}
}
return $return;
}
/**
* Converts a legacy AttestedCredentialData object stored in the database into a PublicKeyCredentialSource object.
*
* This makes several assumptions which can be problematic and the reason why the WebAuthn library version 2 moved
* away from attested credentials to public key credential sources:
*
* - The credential is always of the public key type (that's safe as the only option supported)
* - You can access it with any kind of authenticator transport: USB, NFC, Internal or Bluetooth LE (possibly
* dangerous)
* - There is no attestations (generally safe since browsers don't seem to support attestation yet)
* - There is no trust path (generally safe since browsers don't seem to provide one)
* - No counter was stored (dangerous since it can lead to replay attacks).
*
* @param AttestedCredentialData $record Legacy attested credential data object
* @param int $userId User ID we are getting the credential source for
*
* @return PublicKeyCredentialSource
* @since 4.2.0
*/
private function attestedCredentialToPublicKeyCredentialSource(AttestedCredentialData $record, int $userId): PublicKeyCredentialSource
{
return new PublicKeyCredentialSource(
$record->getCredentialId(),
PublicKeyCredentialDescriptor::CREDENTIAL_TYPE_PUBLIC_KEY,
[
PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_USB,
PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_NFC,
PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_INTERNAL,
PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_BLE,
],
AttestationStatement::TYPE_NONE,
new EmptyTrustPath(),
$record->getAaguid(),
$record->getCredentialPublicKey(),
$userId,
0
);
}
/**
* Save a WebAuthn record
*
* @param PublicKeyCredentialSource $publicKeyCredentialSource The record to save
*
* @return void
* @throws \Exception
* @since 4.2.0
*/
public function saveCredentialSource(PublicKeyCredentialSource $publicKeyCredentialSource): void
{
// I can only create or update credentials for the user this class was created for
if ($publicKeyCredentialSource->getUserHandle() != $this->userId) {
throw new \RuntimeException('Cannot create or update WebAuthn credentials for a different user.', 403);
}
// Do I have an existing record for this credential?
$recordId = null;
$publicKeyCredentialUserEntity = new PublicKeyCredentialUserEntity('', $this->userId, '', '');
$credentials = $this->findAllForUserEntity($publicKeyCredentialUserEntity);
foreach ($credentials as $id => $record) {
if ($record->getAttestedCredentialData()->getCredentialId() != $publicKeyCredentialSource->getAttestedCredentialData()->getCredentialId()) {
continue;
}
$recordId = $id;
break;
}
// Create or update a record
/** @var MVCFactoryInterface $factory */
$factory = Factory::getApplication()->bootComponent('com_users')->getMVCFactory();
/** @var MfaTable $mfaTable */
$mfaTable = $factory->createTable('Mfa', 'Administrator');
if ($recordId) {
$mfaTable->load($recordId);
$options = $mfaTable->options;
if (isset($options['attested'])) {
unset($options['attested']);
}
$options['pubkeysource'] = $publicKeyCredentialSource;
$mfaTable->save(
[
'options' => $options,
]
);
} else {
$mfaTable->reset();
$mfaTable->save(
[
'user_id' => $this->userId,
'title' => 'WebAuthn auto-save',
'method' => 'webauthn',
'default' => 0,
'options' => ['pubkeysource' => $publicKeyCredentialSource],
]
);
}
}
}

437
plugins/multifactorauth/webauthn/src/Extension/Webauthn.php Normal file
View File

@@ -0,0 +1,437 @@
<?php
/**
* @package Joomla.Plugin
* @subpackage Multifactorauth.webauthn
*
* @copyright (C) 2022 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
namespace Joomla\Plugin\Multifactorauth\Webauthn\Extension;
use Exception;
use Joomla\CMS\Event\MultiFactor\Captive;
use Joomla\CMS\Event\MultiFactor\GetMethod;
use Joomla\CMS\Event\MultiFactor\GetSetup;
use Joomla\CMS\Event\MultiFactor\SaveSetup;
use Joomla\CMS\Event\MultiFactor\Validate;
use Joomla\CMS\Language\Text;
use Joomla\CMS\Plugin\CMSPlugin;
use Joomla\CMS\Plugin\PluginHelper;
use Joomla\CMS\Uri\Uri;
use Joomla\CMS\User\User;
use Joomla\CMS\User\UserFactoryAwareTrait;
use Joomla\Component\Users\Administrator\DataShape\CaptiveRenderOptions;
use Joomla\Component\Users\Administrator\DataShape\MethodDescriptor;
use Joomla\Component\Users\Administrator\DataShape\SetupRenderOptions;
use Joomla\Component\Users\Administrator\Table\MfaTable;
use Joomla\Event\SubscriberInterface;
use Joomla\Input\Input;
use Joomla\Plugin\Multifactorauth\Webauthn\Helper\Credentials;
use RuntimeException;
use Webauthn\PublicKeyCredentialRequestOptions;
// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects
/**
* Joomla Multi-factor Authentication plugin for WebAuthn
*
* @since 4.2.0
*/
class Webauthn extends CMSPlugin implements SubscriberInterface
{
use UserFactoryAwareTrait;
/**
* Auto-load the plugin's language files
*
* @var boolean
* @since 4.2.0
*/
protected $autoloadLanguage = true;
/**
* The MFA Method name handled by this plugin
*
* @var string
* @since 4.2.0
*/
private $mfaMethodName = 'webauthn';
/**
* Returns an array of events this subscriber will listen to.
*
* @return array
*
* @since 4.2.0
*/
public static function getSubscribedEvents(): array
{
return [
'onUserMultifactorGetMethod' => 'onUserMultifactorGetMethod',
'onUserMultifactorCaptive' => 'onUserMultifactorCaptive',
'onUserMultifactorGetSetup' => 'onUserMultifactorGetSetup',
'onUserMultifactorSaveSetup' => 'onUserMultifactorSaveSetup',
'onUserMultifactorValidate' => 'onUserMultifactorValidate',
];
}
/**
* Gets the identity of this MFA Method
*
* @param GetMethod $event The event we are handling
*
* @return void
* @since 4.2.0
*/
public function onUserMultifactorGetMethod(GetMethod $event): void
{
$event->addResult(
new MethodDescriptor(
[
'name' => $this->mfaMethodName,
'display' => Text::_('PLG_MULTIFACTORAUTH_WEBAUTHN_LBL_DISPLAYEDAS'),
'shortinfo' => Text::_('PLG_MULTIFACTORAUTH_WEBAUTHN_LBL_SHORTINFO'),
'image' => 'media/plg_multifactorauth_webauthn/images/webauthn.svg',
'allowMultiple' => true,
'allowEntryBatching' => true,
]
)
);
}
/**
* Returns the information which allows Joomla to render the MFA setup page. This is the page
* which allows the user to add or modify a MFA Method for their user account. If the record
* does not correspond to your plugin return an empty array.
*
* @param GetSetup $event The event we are handling
*
* @return void
* @throws \Exception
* @since 4.2.0
*/
public function onUserMultifactorGetSetup(GetSetup $event): void
{
/**
* @var MfaTable $record The record currently selected by the user.
*/
$record = $event['record'];
// Make sure we are actually meant to handle this Method
if ($record->method != $this->mfaMethodName) {
return;
}
// Get some values assuming that we are NOT setting up U2F (the key is already registered)
$submitClass = '';
$submitIcon = 'icon icon-ok';
$submitText = 'JSAVE';
$preMessage = Text::_('PLG_MULTIFACTORAUTH_WEBAUTHN_LBL_CONFIGURED');
$type = 'input';
$html = '';
$hiddenData = [];
/**
* If there are no authenticators set up yet I need to show a different message and take a different action when
* my user clicks the submit button.
*/
if (!is_array($record->options) || empty($record->options['credentialId'] ?? '')) {
$document = $this->getApplication()->getDocument();
$wam = $document->getWebAssetManager();
$wam->getRegistry()->addExtensionRegistryFile('plg_multifactorauth_webauthn');
$layoutPath = PluginHelper::getLayoutPath('multifactorauth', 'webauthn');
ob_start();
include $layoutPath;
$html = ob_get_clean();
$type = 'custom';
// Load JS translations
Text::script('PLG_MULTIFACTORAUTH_WEBAUTHN_ERR_NOTAVAILABLE_HEAD');
$document->addScriptOptions('com_users.pagetype', 'setup', false);
// Save the WebAuthn request to the session
$user = $this->getApplication()->getIdentity() ?: $this->getUserFactory()->loadUserById(0);
$hiddenData['pkRequest'] = base64_encode(Credentials::requestAttestation($user));
// Special button handling
$submitClass = "multifactorauth_webauthn_setup";
$submitIcon = 'icon icon-lock';
$submitText = 'PLG_MULTIFACTORAUTH_WEBAUTHN_LBL_REGISTERKEY';
// Message to display
$preMessage = Text::sprintf(
'PLG_MULTIFACTORAUTH_WEBAUTHN_LBL_INSTRUCTIONS',
Text::_($submitText)
);
}
$event->addResult(
new SetupRenderOptions(
[
'default_title' => Text::_('PLG_MULTIFACTORAUTH_WEBAUTHN_LBL_DISPLAYEDAS'),
'pre_message' => $preMessage,
'hidden_data' => $hiddenData,
'field_type' => $type,
'input_type' => 'hidden',
'html' => $html,
'show_submit' => true,
'submit_class' => $submitClass,
'submit_icon' => $submitIcon,
'submit_text' => $submitText,
]
)
);
}
/**
* Parse the input from the MFA setup page and return the configuration information to be saved to the database. If
* the information is invalid throw a RuntimeException to signal the need to display the editor page again. The
* message of the exception will be displayed to the user. If the record does not correspond to your plugin return
* an empty array.
*
* @param SaveSetup $event The event we are handling
*
* @return void The configuration data to save to the database
* @since 4.2.0
*/
public function onUserMultifactorSaveSetup(SaveSetup $event): void
{
/**
* @var MfaTable $record The record currently selected by the user.
* @var Input $input The user input you are going to take into account.
*/
$record = $event['record'];
$input = $event['input'];
// Make sure we are actually meant to handle this Method
if ($record->method != $this->mfaMethodName) {
return;
}
// Editing an existing authenticator: only the title is saved
if (is_array($record->options) && !empty($record->options['credentialId'] ?? '')) {
$event->addResult($record->options);
return;
}
$code = $input->get('code', null, 'base64');
$session = $this->getApplication()->getSession();
$registrationRequest = $session->get('plg_multifactorauth_webauthn.publicKeyCredentialCreationOptions', null);
// If there was no registration request BUT there is a registration response throw an error
if (empty($registrationRequest) && !empty($code)) {
throw new \RuntimeException(Text::_('JERROR_ALERTNOAUTHOR'), 403);
}
// If there is no registration request (and there isn't a registration response) we are just saving the title.
if (empty($registrationRequest)) {
$event->addResult($record->options);
return;
}
// In any other case try to authorize the registration
try {
$publicKeyCredentialSource = Credentials::verifyAttestation($code);
} catch (\Exception $err) {
throw new \RuntimeException($err->getMessage(), 403);
} finally {
// Unset the request data from the session.
$session->set('plg_multifactorauth_webauthn.publicKeyCredentialCreationOptions', null);
$session->set('plg_multifactorauth_webauthn.registration_user_id', null);
}
// Return the configuration to be serialized
$event->addResult(
[
'credentialId' => base64_encode($publicKeyCredentialSource->getAttestedCredentialData()->getCredentialId()),
'pubkeysource' => json_encode($publicKeyCredentialSource),
'counter' => 0,
]
);
}
/**
* Returns the information which allows Joomla to render the Captive MFA page. This is the page
* which appears right after you log in and asks you to validate your login with MFA.
*
* @param Captive $event The event we are handling
*
* @return void
* @throws \Exception
* @since 4.2.0
*/
public function onUserMultifactorCaptive(Captive $event): void
{
/**
* @var MfaTable $record The record currently selected by the user.
*/
$record = $event['record'];
// Make sure we are actually meant to handle this Method
if ($record->method != $this->mfaMethodName) {
return;
}
/**
* The following code looks stupid. An explanation is in order.
*
* What we normally want to do is save the authentication data returned by getAuthenticateData into the session.
* This is what is sent to the authenticator through the Javascript API and signed. The signature is posted back
* to the form as the "code" which is read by onUserMultifactorauthValidate. That Method will read the authentication
* data from the session and pass it along with the key registration data (from the database) and the
* authentication response (the "code" submitted in the form) to the WebAuthn library for validation.
*
* Validation will work as long as the challenge recorded in the encrypted AUTHENTICATION RESPONSE matches, upon
* decryption, the challenge recorded in the AUTHENTICATION DATA.
*
* I observed that for whatever stupid reason the browser was sometimes sending TWO requests to the server's
* Captive login page but only rendered the FIRST. This meant that the authentication data sent to the key had
* already been overwritten in the session by the "invisible" second request. As a result the challenge would
* not match and we'd get a validation error.
*
* The code below will attempt to read the authentication data from the session first. If it exists it will NOT
* try to replace it (technically it replaces it with a copy of the same data - same difference!). If nothing
* exists in the session, however, it WILL store the (random seeded) result of the getAuthenticateData Method.
* Therefore the first request to the Captive login page will store a new set of authentication data whereas the
* second, "invisible", request will just reuse the same data as the first request, fixing the observed issue in
* a way that doesn't compromise security.
*
* In case you are wondering, yes, the data is removed from the session in the onUserMultifactorauthValidate Method.
* In fact it's the first thing we do after reading it, preventing constant reuse of the same set of challenges.
*
* That was fun to debug - for "poke your eyes with a rusty fork" values of fun.
*/
$session = $this->getApplication()->getSession();
$pkOptionsEncoded = $session->get('plg_multifactorauth_webauthn.publicKeyCredentialRequestOptions', null);
$force = $this->getApplication()->getInput()->getInt('force', 0);
try {
if ($force) {
throw new \RuntimeException('Expected exception (good): force a new key request');
}
if (empty($pkOptionsEncoded)) {
throw new \RuntimeException('Expected exception (good): we do not have a pending key request');
}
$serializedOptions = base64_decode($pkOptionsEncoded);
$pkOptions = unserialize($serializedOptions);
if (!is_object($pkOptions) || empty($pkOptions) || !($pkOptions instanceof PublicKeyCredentialRequestOptions)) {
throw new \RuntimeException('The pending key request is corrupt; a new one will be created');
}
$pkRequest = json_encode($pkOptions, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
} catch (\Exception $e) {
$pkRequest = Credentials::requestAssertion($record->user_id);
}
$document = $this->getApplication()->getDocument();
$wam = $document->getWebAssetManager();
$wam->getRegistry()->addExtensionRegistryFile('plg_multifactorauth_webauthn');
try {
$document->addScriptOptions('com_users.authData', base64_encode($pkRequest), false);
$layoutPath = PluginHelper::getLayoutPath('multifactorauth', 'webauthn');
ob_start();
include $layoutPath;
$html = ob_get_clean();
} catch (\Exception $e) {
return;
}
// Load JS translations
Text::script('PLG_MULTIFACTORAUTH_WEBAUTHN_ERR_NOTAVAILABLE_HEAD');
Text::script('PLG_MULTIFACTORAUTH_WEBAUTHN_ERR_NO_STORED_CREDENTIAL');
$document->addScriptOptions('com_users.pagetype', 'validate', false);
$event->addResult(
new CaptiveRenderOptions(
[
'pre_message' => Text::sprintf(
'PLG_MULTIFACTORAUTH_WEBAUTHN_LBL_INSTRUCTIONS',
Text::_('PLG_MULTIFACTORAUTH_WEBAUTHN_LBL_VALIDATEKEY')
),
'field_type' => 'custom',
'input_type' => 'hidden',
'placeholder' => '',
'label' => '',
'html' => $html,
'post_message' => '',
'hide_submit' => false,
'submit_icon' => 'icon icon-lock',
'submit_text' => 'PLG_MULTIFACTORAUTH_WEBAUTHN_LBL_VALIDATEKEY',
'allowEntryBatching' => true,
]
)
);
}
/**
* Validates the Multi-factor Authentication code submitted by the user in the Multi-Factor
* Authentication page. If the record does not correspond to your plugin return FALSE.
*
* @param Validate $event The event we are handling
*
* @return void
* @since 4.2.0
*/
public function onUserMultifactorValidate(Validate $event): void
{
// This method is only available on HTTPS
if (Uri::getInstance()->getScheme() !== 'https') {
$event->addResult(false);
return;
}
/**
* @var MfaTable $record The MFA Method's record you're validating against
* @var User $user The user record
* @var string $code The submitted code
*/
$record = $event['record'];
$user = $event['user'];
$code = $event['code'];
// Make sure we are actually meant to handle this Method
if ($record->method != $this->mfaMethodName) {
$event->addResult(false);
return;
}
// Double check the MFA Method is for the correct user
if ($user->id != $record->user_id) {
$event->addResult(false);
return;
}
try {
Credentials::verifyAssertion($code);
} catch (\Exception $e) {
try {
$this->getApplication()->enqueueMessage($e->getMessage(), 'error');
} catch (\Exception $e) {
}
$event->addResult(false);
return;
}
$event->addResult(true);
}
}

334
plugins/multifactorauth/webauthn/src/Helper/Credentials.php Normal file
View File

@@ -0,0 +1,334 @@
<?php
/**
* @package Joomla.Plugin
* @subpackage Multifactorauth.webauthn
*
* @copyright (C) 2022 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
namespace Joomla\Plugin\Multifactorauth\Webauthn\Helper;
use Exception;
use Joomla\CMS\Application\CMSApplication;
use Joomla\CMS\Factory;
use Joomla\CMS\Language\Text;
use Joomla\CMS\Uri\Uri;
use Joomla\CMS\User\User;
use Joomla\CMS\User\UserFactoryInterface;
use Joomla\Plugin\Multifactorauth\Webauthn\CredentialRepository;
use Joomla\Plugin\Multifactorauth\Webauthn\Hotfix\Server;
use Joomla\Session\SessionInterface;
use Laminas\Diactoros\ServerRequestFactory;
use Webauthn\AttestedCredentialData;
use Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientInputs;
use Webauthn\AuthenticatorSelectionCriteria;
use Webauthn\PublicKeyCredentialCreationOptions;
use Webauthn\PublicKeyCredentialDescriptor;
use Webauthn\PublicKeyCredentialRequestOptions;
use Webauthn\PublicKeyCredentialRpEntity;
use Webauthn\PublicKeyCredentialSource;
use Webauthn\PublicKeyCredentialUserEntity;
// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects
/**
* Helper class to aid in credentials creation (link an authenticator to a user account)
*
* @since 4.2.0
*/
abstract class Credentials
{
/**
* Authenticator registration step 1: create a public key for credentials attestation.
*
* The result is a JSON string which can be used in Javascript code with navigator.credentials.create().
*
* @param User $user The Joomla user to create the public key for
*
* @return string
* @throws \Exception On error
* @since 4.2.0
*/
public static function requestAttestation(User $user): string
{
$publicKeyCredentialCreationOptions = self::getWebauthnServer($user->id)
->generatePublicKeyCredentialCreationOptions(
self::getUserEntity($user),
PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE,
self::getPubKeyDescriptorsForUser($user),
new AuthenticatorSelectionCriteria(
AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE,
false,
AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED
),
new AuthenticationExtensionsClientInputs()
);
// Save data in the session
$session = Factory::getApplication()->getSession();
$session->set(
'plg_multifactorauth_webauthn.publicKeyCredentialCreationOptions',
base64_encode(serialize($publicKeyCredentialCreationOptions))
);
$session->set('plg_multifactorauth_webauthn.registration_user_id', $user->id);
return json_encode($publicKeyCredentialCreationOptions, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
}
/**
* Authenticator registration step 2: verify the credentials attestation by the authenticator
*
* This returns the attested credential data on success.
*
* An exception will be returned on error. Also, under very rare conditions, you may receive NULL instead of
* attested credential data which means that something was off in the returned data from the browser.
*
* @param string $data The JSON-encoded data returned by the browser during the authentication flow
*
* @return AttestedCredentialData|null
* @throws \Exception When something does not check out
* @since 4.2.0
*/
public static function verifyAttestation(string $data): ?PublicKeyCredentialSource
{
$session = Factory::getApplication()->getSession();
// Retrieve the PublicKeyCredentialCreationOptions object created earlier and perform sanity checks
$encodedOptions = $session->get('plg_multifactorauth_webauthn.publicKeyCredentialCreationOptions', null);
if (empty($encodedOptions)) {
throw new \RuntimeException(Text::_('PLG_MULTIFACTORAUTH_WEBAUTHN_ERR_CREATE_NO_PK'));
}
try {
$publicKeyCredentialCreationOptions = unserialize(base64_decode($encodedOptions));
} catch (\Exception $e) {
$publicKeyCredentialCreationOptions = null;
}
if (!is_object($publicKeyCredentialCreationOptions) || !($publicKeyCredentialCreationOptions instanceof PublicKeyCredentialCreationOptions)) {
throw new \RuntimeException(Text::_('PLG_MULTIFACTORAUTH_WEBAUTHN_ERR_CREATE_NO_PK'));
}
// Retrieve the stored user ID and make sure it's the same one in the request.
$storedUserId = $session->get('plg_multifactorauth_webauthn.registration_user_id', 0);
$myUser = Factory::getApplication()->getIdentity()
?: Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById(0);
$myUserId = $myUser->id;
if (($myUser->guest) || ($myUserId != $storedUserId)) {
throw new \RuntimeException(Text::_('PLG_MULTIFACTORAUTH_WEBAUTHN_ERR_CREATE_INVALID_USER'));
}
return self::getWebauthnServer($myUser->id)->loadAndCheckAttestationResponse(
base64_decode($data),
$publicKeyCredentialCreationOptions,
ServerRequestFactory::fromGlobals()
);
}
/**
* Authentication step 1: create a challenge for key verification
*
* @param int $userId The user ID to create a WebAuthn PK for
*
* @return string
* @throws \Exception On error
* @since 4.2.0
*/
public static function requestAssertion(int $userId): string
{
$user = Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($userId);
$publicKeyCredentialRequestOptions = self::getWebauthnServer($userId)
->generatePublicKeyCredentialRequestOptions(
PublicKeyCredentialRequestOptions::USER_VERIFICATION_REQUIREMENT_PREFERRED,
self::getPubKeyDescriptorsForUser($user)
);
// Save in session. This is used during the verification stage to prevent replay attacks.
/** @var SessionInterface $session */
$session = Factory::getApplication()->getSession();
$session->set('plg_multifactorauth_webauthn.publicKeyCredentialRequestOptions', base64_encode(serialize($publicKeyCredentialRequestOptions)));
$session->set('plg_multifactorauth_webauthn.userHandle', $userId);
$session->set('plg_multifactorauth_webauthn.userId', $userId);
// Return the JSON encoded data to the caller
return json_encode($publicKeyCredentialRequestOptions, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
}
/**
* Authentication step 2: Checks if the browser's response to our challenge is valid.
*
* @param string $response Base64-encoded response
*
* @return void
* @throws \Exception When something does not check out.
* @since 4.2.0
*/
public static function verifyAssertion(string $response): void
{
/** @var SessionInterface $session */
$session = Factory::getApplication()->getSession();
$encodedPkOptions = $session->get('plg_multifactorauth_webauthn.publicKeyCredentialRequestOptions', null);
$userHandle = $session->get('plg_multifactorauth_webauthn.userHandle', null);
$userId = $session->get('plg_multifactorauth_webauthn.userId', null);
$session->set('plg_multifactorauth_webauthn.publicKeyCredentialRequestOptions', null);
$session->set('plg_multifactorauth_webauthn.userHandle', null);
$session->set('plg_multifactorauth_webauthn.userId', null);
if (empty($userId)) {
throw new \RuntimeException(Text::_('PLG_MULTIFACTORAUTH_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
}
// Make sure the user exists
$user = Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($userId);
if ($user->id != $userId) {
throw new \RuntimeException(Text::_('PLG_MULTIFACTORAUTH_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
}
// Make sure the user is ourselves (we cannot perform MFA on behalf of another user!)
$currentUser = Factory::getApplication()->getIdentity()
?: Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById(0);
if ($currentUser->id != $userId) {
throw new \RuntimeException(Text::_('PLG_MULTIFACTORAUTH_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
}
// Make sure the public key credential request options in the session are valid
$serializedOptions = base64_decode($encodedPkOptions);
$publicKeyCredentialRequestOptions = unserialize($serializedOptions);
if (
!is_object($publicKeyCredentialRequestOptions)
|| empty($publicKeyCredentialRequestOptions)
|| !($publicKeyCredentialRequestOptions instanceof PublicKeyCredentialRequestOptions)
) {
throw new \RuntimeException(Text::_('PLG_MULTIFACTORAUTH_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
}
// Unserialize the browser response data
$data = base64_decode($response);
self::getWebauthnServer($user->id)->loadAndCheckAssertionResponse(
$data,
$publicKeyCredentialRequestOptions,
self::getUserEntity($user),
ServerRequestFactory::fromGlobals()
);
}
/**
* Get the user's avatar (through Gravatar)
*
* @param User $user The Joomla user object
* @param int $size The dimensions of the image to fetch (default: 64 pixels)
*
* @return string The URL to the user's avatar
*
* @since 4.2.0
*/
private static function getAvatar(User $user, int $size = 64)
{
$scheme = Uri::getInstance()->getScheme();
$subdomain = ($scheme == 'https') ? 'secure' : 'www';
return sprintf('%s://%s.gravatar.com/avatar/%s.jpg?s=%u&d=mm', $scheme, $subdomain, md5($user->email), $size);
}
/**
* Get a WebAuthn user entity for a Joomla user
*
* @param User $user The user to get an entity for
*
* @return PublicKeyCredentialUserEntity
* @since 4.2.0
*/
private static function getUserEntity(User $user): PublicKeyCredentialUserEntity
{
return new PublicKeyCredentialUserEntity(
$user->username,
$user->id,
$user->name,
self::getAvatar($user, 64)
);
}
/**
* Get the WebAuthn library server object
*
* @param int|null $userId The user ID holding the list of valid authenticators
*
* @return Server
* @since 4.2.0
*/
private static function getWebauthnServer(?int $userId): Server
{
/** @var CMSApplication $app */
try {
$app = Factory::getApplication();
$siteName = $app->get('sitename');
} catch (\Exception $e) {
$siteName = 'Joomla! Site';
}
// Credentials repository
$repository = new CredentialRepository($userId);
// Relaying Party -- Our site
$rpEntity = new PublicKeyCredentialRpEntity(
$siteName ?? 'Joomla! Site',
Uri::getInstance()->toString(['host']),
''
);
$refClass = new \ReflectionClass(Server::class);
$refConstructor = $refClass->getConstructor();
$params = $refConstructor->getParameters();
if (count($params) === 3) {
// WebAuthn library 2, 3
$server = new Server($rpEntity, $repository, null);
} else {
// WebAuthn library 4 (based on the deprecated comments in library version 3)
$server = new Server($rpEntity, $repository);
}
// Ed25519 is only available with libsodium
if (!function_exists('sodium_crypto_sign_seed_keypair')) {
$server->setSelectedAlgorithms(['RS256', 'RS512', 'PS256', 'PS512', 'ES256', 'ES512']);
}
return $server;
}
/**
* Returns an array of the PK credential descriptors (registered authenticators) for the given user.
*
* @param User $user The user to get the descriptors for
*
* @return PublicKeyCredentialDescriptor[]
* @since 4.2.0
*/
private static function getPubKeyDescriptorsForUser(User $user): array
{
$userEntity = self::getUserEntity($user);
$repository = new CredentialRepository($user->id);
$descriptors = [];
$records = $repository->findAllForUserEntity($userEntity);
foreach ($records as $record) {
$descriptors[] = $record->getPublicKeyCredentialDescriptor();
}
return $descriptors;
}
}

267
plugins/multifactorauth/webauthn/src/Hotfix/AndroidKeyAttestationStatementSupport.php Normal file
View File

@@ -0,0 +1,267 @@
<?php
/**
* @package Joomla.Plugin
* @subpackage Multifactorauth.webauthn
*
* @copyright (C) 2022 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
* @copyright (C) 2014-2019 Spomky-Labs
* @license This software may be modified and distributed under the terms
* of the MIT license.
* See libraries/vendor/web-auth/webauthn-lib/LICENSE
*/
namespace Joomla\Plugin\Multifactorauth\Webauthn\Hotfix;
use Assert\Assertion;
use CBOR\Decoder;
use CBOR\OtherObject\OtherObjectManager;
use CBOR\Tag\TagObjectManager;
use Cose\Algorithms;
use Cose\Key\Ec2Key;
use Cose\Key\Key;
use Cose\Key\RsaKey;
use FG\ASN1\ASNObject;
use FG\ASN1\ExplicitlyTaggedObject;
use FG\ASN1\Universal\OctetString;
use FG\ASN1\Universal\Sequence;
use Webauthn\AttestationStatement\AttestationStatement;
use Webauthn\AttestationStatement\AttestationStatementSupport;
use Webauthn\AuthenticatorData;
use Webauthn\CertificateToolbox;
use Webauthn\MetadataService\MetadataStatementRepository;
use Webauthn\StringStream;
use Webauthn\TrustPath\CertificateTrustPath;
// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects
/**
* We had to fork the key attestation support object from the WebAuthn server package to address an
* issue with PHP 8.
*
* We are currently using an older version of the WebAuthn library (2.x) which was written before
* PHP 8 was developed. We cannot upgrade the WebAuthn library to a newer major version because of
* Joomla's Semantic Versioning promise.
*
* The AndroidKeyAttestationStatementSupport class forces an assertion on the result of the
* openssl_pkey_get_public() function, assuming it will return a resource. However, starting with
* PHP 8.0 this function returns an OpenSSLAsymmetricKey object and the assertion fails. As a
* result, you cannot use Android or FIDO U2F keys with WebAuthn.
*
* The assertion check is in a private method, therefore we have to fork both attestation support
* class to change the assertion. The assertion takes place through a third party library we cannot
* (and should not!) modify.
*
* @since 4.2.0
*
* @deprecated 4.2 will be removed in 6.0
* Will be removed without replacement
* We will upgrade the WebAuthn library to version 3 or later and this will go away.
*/
final class AndroidKeyAttestationStatementSupport implements AttestationStatementSupport
{
/**
* @var Decoder
* @since 4.2.0
*/
private $decoder;
/**
* @var MetadataStatementRepository|null
* @since 4.2.0
*/
private $metadataStatementRepository;
/**
* @param Decoder|null $decoder Obvious
* @param MetadataStatementRepository|null $metadataStatementRepository Obvious
*
* @since 4.2.0
*/
public function __construct(
?Decoder $decoder = null,
?MetadataStatementRepository $metadataStatementRepository = null
) {
if ($decoder !== null) {
@trigger_error('The argument "$decoder" is deprecated since 2.1 and will be removed in v3.0. Set null instead', E_USER_DEPRECATED);
}
if ($metadataStatementRepository === null) {
@trigger_error(
'Setting "null" for argument "$metadataStatementRepository" is deprecated since 2.1 and will be mandatory in v3.0.',
E_USER_DEPRECATED
);
}
$this->decoder = $decoder ?? new Decoder(new TagObjectManager(), new OtherObjectManager());
$this->metadataStatementRepository = $metadataStatementRepository;
}
/**
* @return string
* @since 4.2.0
*/
public function name(): string
{
return 'android-key';
}
/**
* @param array $attestation Obvious
*
* @return AttestationStatement
* @throws \Assert\AssertionFailedException
* @since 4.2.0
*/
public function load(array $attestation): AttestationStatement
{
Assertion::keyExists($attestation, 'attStmt', 'Invalid attestation object');
foreach (['sig', 'x5c', 'alg'] as $key) {
Assertion::keyExists($attestation['attStmt'], $key, sprintf('The attestation statement value "%s" is missing.', $key));
}
$certificates = $attestation['attStmt']['x5c'];
Assertion::isArray($certificates, 'The attestation statement value "x5c" must be a list with at least one certificate.');
Assertion::greaterThan(\count($certificates), 0, 'The attestation statement value "x5c" must be a list with at least one certificate.');
Assertion::allString($certificates, 'The attestation statement value "x5c" must be a list with at least one certificate.');
$certificates = CertificateToolbox::convertAllDERToPEM($certificates);
return AttestationStatement::createBasic($attestation['fmt'], $attestation['attStmt'], new CertificateTrustPath($certificates));
}
/**
* @param string $clientDataJSONHash Obvious
* @param AttestationStatement $attestationStatement Obvious
* @param AuthenticatorData $authenticatorData Obvious
*
* @return boolean
* @throws \Assert\AssertionFailedException
* @since 4.2.0
*/
public function isValid(
string $clientDataJSONHash,
AttestationStatement $attestationStatement,
AuthenticatorData $authenticatorData
): bool {
$trustPath = $attestationStatement->getTrustPath();
Assertion::isInstanceOf($trustPath, CertificateTrustPath::class, 'Invalid trust path');
$certificates = $trustPath->getCertificates();
if ($this->metadataStatementRepository !== null) {
$certificates = CertificateToolbox::checkAttestationMedata(
$attestationStatement,
$authenticatorData->getAttestedCredentialData()->getAaguid()->toString(),
$certificates,
$this->metadataStatementRepository
);
}
// Decode leaf attestation certificate
$leaf = $certificates[0];
$this->checkCertificateAndGetPublicKey($leaf, $clientDataJSONHash, $authenticatorData);
$signedData = $authenticatorData->getAuthData() . $clientDataJSONHash;
$alg = $attestationStatement->get('alg');
return openssl_verify($signedData, $attestationStatement->get('sig'), $leaf, Algorithms::getOpensslAlgorithmFor((int) $alg)) === 1;
}
/**
* @param string $certificate Obvious
* @param string $clientDataHash Obvious
* @param AuthenticatorData $authenticatorData Obvious
*
* @return void
* @throws \Assert\AssertionFailedException
* @throws \FG\ASN1\Exception\ParserException
* @since 4.2.0
*/
private function checkCertificateAndGetPublicKey(
string $certificate,
string $clientDataHash,
AuthenticatorData $authenticatorData
): void {
$resource = openssl_pkey_get_public($certificate);
if (version_compare(PHP_VERSION, '8.0', 'lt')) {
Assertion::isResource($resource, 'Unable to read the certificate');
} else {
/** @noinspection PhpElementIsNotAvailableInCurrentPhpVersionInspection */
Assertion::isInstanceOf($resource, \OpenSSLAsymmetricKey::class, 'Unable to read the certificate');
}
$details = openssl_pkey_get_details($resource);
Assertion::isArray($details, 'Unable to read the certificate');
// Check that authData publicKey matches the public key in the attestation certificate
$attestedCredentialData = $authenticatorData->getAttestedCredentialData();
Assertion::notNull($attestedCredentialData, 'No attested credential data found');
$publicKeyData = $attestedCredentialData->getCredentialPublicKey();
Assertion::notNull($publicKeyData, 'No attested public key found');
$publicDataStream = new StringStream($publicKeyData);
$coseKey = $this->decoder->decode($publicDataStream)->getNormalizedData(false);
Assertion::true($publicDataStream->isEOF(), 'Invalid public key data. Presence of extra bytes.');
$publicDataStream->close();
$publicKey = Key::createFromData($coseKey);
Assertion::true(($publicKey instanceof Ec2Key) || ($publicKey instanceof RsaKey), 'Unsupported key type');
Assertion::eq($publicKey->asPEM(), $details['key'], 'Invalid key');
$certDetails = openssl_x509_parse($certificate);
// Find Android KeyStore Extension with OID “1.3.6.1.4.1.11129.2.1.17” in certificate extensions
Assertion::keyExists($certDetails, 'extensions', 'The certificate has no extension');
Assertion::isArray($certDetails['extensions'], 'The certificate has no extension');
Assertion::keyExists(
$certDetails['extensions'],
'1.3.6.1.4.1.11129.2.1.17',
'The certificate extension "1.3.6.1.4.1.11129.2.1.17" is missing'
);
$extension = $certDetails['extensions']['1.3.6.1.4.1.11129.2.1.17'];
$extensionAsAsn1 = ASNObject::fromBinary($extension);
Assertion::isInstanceOf($extensionAsAsn1, Sequence::class, 'The certificate extension "1.3.6.1.4.1.11129.2.1.17" is invalid');
$objects = $extensionAsAsn1->getChildren();
// Check that attestationChallenge is set to the clientDataHash.
Assertion::keyExists($objects, 4, 'The certificate extension "1.3.6.1.4.1.11129.2.1.17" is invalid');
Assertion::isInstanceOf($objects[4], OctetString::class, 'The certificate extension "1.3.6.1.4.1.11129.2.1.17" is invalid');
Assertion::eq($clientDataHash, hex2bin(($objects[4])->getContent()), 'The client data hash is not valid');
// Check that both teeEnforced and softwareEnforced structures dont contain allApplications(600) tag.
Assertion::keyExists($objects, 6, 'The certificate extension "1.3.6.1.4.1.11129.2.1.17" is invalid');
$softwareEnforcedFlags = $objects[6];
Assertion::isInstanceOf($softwareEnforcedFlags, Sequence::class, 'The certificate extension "1.3.6.1.4.1.11129.2.1.17" is invalid');
$this->checkAbsenceOfAllApplicationsTag($softwareEnforcedFlags);
Assertion::keyExists($objects, 7, 'The certificate extension "1.3.6.1.4.1.11129.2.1.17" is invalid');
$teeEnforcedFlags = $objects[6];
Assertion::isInstanceOf($teeEnforcedFlags, Sequence::class, 'The certificate extension "1.3.6.1.4.1.11129.2.1.17" is invalid');
$this->checkAbsenceOfAllApplicationsTag($teeEnforcedFlags);
}
/**
* @param Sequence $sequence Obvious
*
* @return void
* @throws \Assert\AssertionFailedException
* @since 4.2.0
*/
private function checkAbsenceOfAllApplicationsTag(Sequence $sequence): void
{
foreach ($sequence->getChildren() as $tag) {
Assertion::isInstanceOf($tag, ExplicitlyTaggedObject::class, 'Invalid tag');
/**
* @var ExplicitlyTaggedObject $tag It is silly that I have to do that for PHPCS to be happy.
*/
Assertion::notEq(600, (int) $tag->getTag(), 'Forbidden tag 600 found');
}
}
}

226
plugins/multifactorauth/webauthn/src/Hotfix/FidoU2FAttestationStatementSupport.php Normal file
View File

@@ -0,0 +1,226 @@
<?php
/**
* @package Joomla.Plugin
* @subpackage Multifactorauth.webauthn
*
* @copyright (C) 2022 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
* @copyright (C) 2014-2019 Spomky-Labs
* @license This software may be modified and distributed under the terms
* of the MIT license.
* See libraries/vendor/web-auth/webauthn-lib/LICENSE
*/
namespace Joomla\Plugin\Multifactorauth\Webauthn\Hotfix;
use Assert\Assertion;
use CBOR\Decoder;
use CBOR\MapObject;
use CBOR\OtherObject\OtherObjectManager;
use CBOR\Tag\TagObjectManager;
use Cose\Key\Ec2Key;
use Webauthn\AttestationStatement\AttestationStatement;
use Webauthn\AttestationStatement\AttestationStatementSupport;
use Webauthn\AuthenticatorData;
use Webauthn\CertificateToolbox;
use Webauthn\MetadataService\MetadataStatementRepository;
use Webauthn\StringStream;
use Webauthn\TrustPath\CertificateTrustPath;
// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects
/**
* We had to fork the key attestation support object from the WebAuthn server package to address an
* issue with PHP 8.
*
* We are currently using an older version of the WebAuthn library (2.x) which was written before
* PHP 8 was developed. We cannot upgrade the WebAuthn library to a newer major version because of
* Joomla's Semantic Versioning promise.
*
* The FidoU2FAttestationStatementSupport class forces an assertion on the result of the
* openssl_pkey_get_public() function, assuming it will return a resource. However, starting with
* PHP 8.0 this function returns an OpenSSLAsymmetricKey object and the assertion fails. As a
* result, you cannot use Android or FIDO U2F keys with WebAuthn.
*
* The assertion check is in a private method, therefore we have to fork both attestation support
* class to change the assertion. The assertion takes place through a third party library we cannot
* (and should not!) modify.
*
* @since 4.2.0
*
* @deprecated 4.2 will be removed in 6.0
* Will be removed without replacement
* We will upgrade the WebAuthn library to version 3 or later and this will go away.
*/
final class FidoU2FAttestationStatementSupport implements AttestationStatementSupport
{
/**
* @var Decoder
* @since 4.2.0
*/
private $decoder;
/**
* @var MetadataStatementRepository|null
* @since 4.2.0
*/
private $metadataStatementRepository;
/**
* @param Decoder|null $decoder Obvious
* @param MetadataStatementRepository|null $metadataStatementRepository Obvious
*
* @since 4.2.0
*/
public function __construct(
?Decoder $decoder = null,
?MetadataStatementRepository $metadataStatementRepository = null
) {
if ($decoder !== null) {
@trigger_error('The argument "$decoder" is deprecated since 2.1 and will be removed in v3.0. Set null instead', E_USER_DEPRECATED);
}
if ($metadataStatementRepository === null) {
@trigger_error(
'Setting "null" for argument "$metadataStatementRepository" is deprecated since 2.1 and will be mandatory in v3.0.',
E_USER_DEPRECATED
);
}
$this->decoder = $decoder ?? new Decoder(new TagObjectManager(), new OtherObjectManager());
$this->metadataStatementRepository = $metadataStatementRepository;
}
/**
* @return string
* @since 4.2.0
*/
public function name(): string
{
return 'fido-u2f';
}
/**
* @param array $attestation Obvious
*
* @return AttestationStatement
* @throws \Assert\AssertionFailedException
*
* @since 4.2.0
*/
public function load(array $attestation): AttestationStatement
{
Assertion::keyExists($attestation, 'attStmt', 'Invalid attestation object');
foreach (['sig', 'x5c'] as $key) {
Assertion::keyExists($attestation['attStmt'], $key, sprintf('The attestation statement value "%s" is missing.', $key));
}
$certificates = $attestation['attStmt']['x5c'];
Assertion::isArray($certificates, 'The attestation statement value "x5c" must be a list with one certificate.');
Assertion::count($certificates, 1, 'The attestation statement value "x5c" must be a list with one certificate.');
Assertion::allString($certificates, 'The attestation statement value "x5c" must be a list with one certificate.');
reset($certificates);
$certificates = CertificateToolbox::convertAllDERToPEM($certificates);
$this->checkCertificate($certificates[0]);
return AttestationStatement::createBasic($attestation['fmt'], $attestation['attStmt'], new CertificateTrustPath($certificates));
}
/**
* @param string $clientDataJSONHash Obvious
* @param AttestationStatement $attestationStatement Obvious
* @param AuthenticatorData $authenticatorData Obvious
*
* @return boolean
* @throws \Assert\AssertionFailedException
* @since 4.2.0
*/
public function isValid(
string $clientDataJSONHash,
AttestationStatement $attestationStatement,
AuthenticatorData $authenticatorData
): bool {
Assertion::eq(
$authenticatorData->getAttestedCredentialData()->getAaguid()->toString(),
'00000000-0000-0000-0000-000000000000',
'Invalid AAGUID for fido-u2f attestation statement. Shall be "00000000-0000-0000-0000-000000000000"'
);
if ($this->metadataStatementRepository !== null) {
CertificateToolbox::checkAttestationMedata(
$attestationStatement,
$authenticatorData->getAttestedCredentialData()->getAaguid()->toString(),
[],
$this->metadataStatementRepository
);
}
$trustPath = $attestationStatement->getTrustPath();
Assertion::isInstanceOf($trustPath, CertificateTrustPath::class, 'Invalid trust path');
$dataToVerify = "\0";
$dataToVerify .= $authenticatorData->getRpIdHash();
$dataToVerify .= $clientDataJSONHash;
$dataToVerify .= $authenticatorData->getAttestedCredentialData()->getCredentialId();
$dataToVerify .= $this->extractPublicKey($authenticatorData->getAttestedCredentialData()->getCredentialPublicKey());
return openssl_verify($dataToVerify, $attestationStatement->get('sig'), $trustPath->getCertificates()[0], OPENSSL_ALGO_SHA256) === 1;
}
/**
* @param string|null $publicKey Obvious
*
* @return string
* @throws \Assert\AssertionFailedException
* @since 4.2.0
*/
private function extractPublicKey(?string $publicKey): string
{
Assertion::notNull($publicKey, 'The attested credential data does not contain a valid public key.');
$publicKeyStream = new StringStream($publicKey);
$coseKey = $this->decoder->decode($publicKeyStream);
Assertion::true($publicKeyStream->isEOF(), 'Invalid public key. Presence of extra bytes.');
$publicKeyStream->close();
Assertion::isInstanceOf($coseKey, MapObject::class, 'The attested credential data does not contain a valid public key.');
$coseKey = $coseKey->getNormalizedData();
$ec2Key = new Ec2Key($coseKey + [Ec2Key::TYPE => 2, Ec2Key::DATA_CURVE => Ec2Key::CURVE_P256]);
return "\x04" . $ec2Key->x() . $ec2Key->y();
}
/**
* @param string $publicKey Obvious
*
* @return void
* @throws \Assert\AssertionFailedException
* @since 4.2.0
*/
private function checkCertificate(string $publicKey): void
{
try {
$resource = openssl_pkey_get_public($publicKey);
if (version_compare(PHP_VERSION, '8.0', 'lt')) {
Assertion::isResource($resource, 'Unable to read the certificate');
} else {
/** @noinspection PhpElementIsNotAvailableInCurrentPhpVersionInspection */
Assertion::isInstanceOf($resource, \OpenSSLAsymmetricKey::class, 'Unable to read the certificate');
}
} catch (\Throwable $throwable) {
throw new \InvalidArgumentException('Invalid certificate or certificate chain', 0, $throwable);
}
$details = openssl_pkey_get_details($resource);
Assertion::keyExists($details, 'ec', 'Invalid certificate or certificate chain');
Assertion::keyExists($details['ec'], 'curve_name', 'Invalid certificate or certificate chain');
Assertion::eq($details['ec']['curve_name'], 'prime256v1', 'Invalid certificate or certificate chain');
Assertion::keyExists($details['ec'], 'curve_oid', 'Invalid certificate or certificate chain');
Assertion::eq($details['ec']['curve_oid'], '1.2.840.10045.3.1.7', 'Invalid certificate or certificate chain');
}
}

451
plugins/multifactorauth/webauthn/src/Hotfix/Server.php Normal file
View File

@@ -0,0 +1,451 @@
<?php
/**
* @package Joomla.Plugin
* @subpackage Multifactorauth.webauthn
*
* @copyright (C) 2022 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
* @copyright (C) 2014-2019 Spomky-Labs
* @license This software may be modified and distributed under the terms
* of the MIT license.
* See libraries/vendor/web-auth/webauthn-lib/LICENSE
*/
namespace Joomla\Plugin\Multifactorauth\Webauthn\Hotfix;
use Assert\Assertion;
use Cose\Algorithm\Algorithm;
use Cose\Algorithm\ManagerFactory;
use Cose\Algorithm\Signature\ECDSA;
use Cose\Algorithm\Signature\EdDSA;
use Cose\Algorithm\Signature\RSA;
use Psr\Http\Client\ClientInterface;
use Psr\Http\Message\RequestFactoryInterface;
use Psr\Http\Message\ServerRequestInterface;
use Webauthn\AttestationStatement\AndroidSafetyNetAttestationStatementSupport;
use Webauthn\AttestationStatement\AttestationObjectLoader;
use Webauthn\AttestationStatement\AttestationStatementSupportManager;
use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
use Webauthn\AttestationStatement\PackedAttestationStatementSupport;
use Webauthn\AttestationStatement\TPMAttestationStatementSupport;
use Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientInputs;
use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;
use Webauthn\AuthenticatorAssertionResponse;
use Webauthn\AuthenticatorAssertionResponseValidator;
use Webauthn\AuthenticatorAttestationResponse;
use Webauthn\AuthenticatorAttestationResponseValidator;
use Webauthn\AuthenticatorSelectionCriteria;
use Webauthn\MetadataService\MetadataStatementRepository;
use Webauthn\PublicKeyCredentialCreationOptions;
use Webauthn\PublicKeyCredentialDescriptor;
use Webauthn\PublicKeyCredentialLoader;
use Webauthn\PublicKeyCredentialParameters;
use Webauthn\PublicKeyCredentialRequestOptions;
use Webauthn\PublicKeyCredentialRpEntity;
use Webauthn\PublicKeyCredentialSource;
use Webauthn\PublicKeyCredentialSourceRepository;
use Webauthn\PublicKeyCredentialUserEntity;
use Webauthn\TokenBinding\TokenBindingNotSupportedHandler;
// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects
/**
* Customised WebAuthn server object.
*
* We had to fork the server object from the WebAuthn server package to address an issue with PHP 8.
*
* We are currently using an older version of the WebAuthn library (2.x) which was written before
* PHP 8 was developed. We cannot upgrade the WebAuthn library to a newer major version because of
* Joomla's Semantic Versioning promise.
*
* The FidoU2FAttestationStatementSupport and AndroidKeyAttestationStatementSupport classes force
* an assertion on the result of the openssl_pkey_get_public() function, assuming it will return a
* resource. However, starting with PHP 8.0 this function returns an OpenSSLAsymmetricKey object
* and the assertion fails. As a result, you cannot use Android or FIDO U2F keys with WebAuthn.
*
* The assertion check is in a private method, therefore we have to fork both attestation support
* classes to change the assertion. The assertion takes place through a third party library we
* cannot (and should not!) modify.
*
* The assertions objects, however, are injected to the attestation support manager in a private
* method of the Server object. Because literally everything in this class is private we have no
* option than to fork the entire class to apply our two forked attestation support classes.
*
* This is marked as deprecated because we'll be able to upgrade the WebAuthn library on Joomla 5.
*
* @since 4.2.0
*
* @deprecated 4.2 will be removed in 6.0
* Will be removed without replacement
* We will upgrade the WebAuthn library to version 3 or later and this will go away.
*/
class Server extends \Webauthn\Server
{
/**
* @var integer
* @since 4.2.0
*/
public $timeout = 60000;
/**
* @var integer
* @since 4.2.0
*/
public $challengeSize = 32;
/**
* @var PublicKeyCredentialRpEntity
* @since 4.2.0
*/
private $rpEntity;
/**
* @var ManagerFactory
* @since 4.2.0
*/
private $coseAlgorithmManagerFactory;
/**
* @var PublicKeyCredentialSourceRepository
* @since 4.2.0
*/
private $publicKeyCredentialSourceRepository;
/**
* @var TokenBindingNotSupportedHandler
* @since 4.2.0
*/
private $tokenBindingHandler;
/**
* @var ExtensionOutputCheckerHandler
* @since 4.2.0
*/
private $extensionOutputCheckerHandler;
/**
* @var string[]
* @since 4.2.0
*/
private $selectedAlgorithms;
/**
* @var MetadataStatementRepository|null
* @since 4.2.0
*/
private $metadataStatementRepository;
/**
* @var ClientInterface
* @since 4.2.0
*/
private $httpClient;
/**
* @var string
* @since 4.2.0
*/
private $googleApiKey;
/**
* @var RequestFactoryInterface
* @since 4.2.0
*/
private $requestFactory;
/**
* Overridden constructor.
*
* @param PublicKeyCredentialRpEntity $relayingParty Obvious
* @param PublicKeyCredentialSourceRepository $publicKeyCredentialSourceRepository Obvious
* @param MetadataStatementRepository|null $metadataStatementRepository Obvious
*
* @since 4.2.0
*/
public function __construct(
PublicKeyCredentialRpEntity $relayingParty,
PublicKeyCredentialSourceRepository $publicKeyCredentialSourceRepository,
?MetadataStatementRepository $metadataStatementRepository
) {
$this->rpEntity = $relayingParty;
$this->coseAlgorithmManagerFactory = new ManagerFactory();
$this->coseAlgorithmManagerFactory->add('RS1', new RSA\RS1());
$this->coseAlgorithmManagerFactory->add('RS256', new RSA\RS256());
$this->coseAlgorithmManagerFactory->add('RS384', new RSA\RS384());
$this->coseAlgorithmManagerFactory->add('RS512', new RSA\RS512());
$this->coseAlgorithmManagerFactory->add('PS256', new RSA\PS256());
$this->coseAlgorithmManagerFactory->add('PS384', new RSA\PS384());
$this->coseAlgorithmManagerFactory->add('PS512', new RSA\PS512());
$this->coseAlgorithmManagerFactory->add('ES256', new ECDSA\ES256());
$this->coseAlgorithmManagerFactory->add('ES256K', new ECDSA\ES256K());
$this->coseAlgorithmManagerFactory->add('ES384', new ECDSA\ES384());
$this->coseAlgorithmManagerFactory->add('ES512', new ECDSA\ES512());
$this->coseAlgorithmManagerFactory->add('Ed25519', new EdDSA\Ed25519());
$this->selectedAlgorithms = ['RS256', 'RS512', 'PS256', 'PS512', 'ES256', 'ES512', 'Ed25519'];
$this->publicKeyCredentialSourceRepository = $publicKeyCredentialSourceRepository;
$this->tokenBindingHandler = new TokenBindingNotSupportedHandler();
$this->extensionOutputCheckerHandler = new ExtensionOutputCheckerHandler();
$this->metadataStatementRepository = $metadataStatementRepository;
}
/**
* @param string[] $selectedAlgorithms Obvious
*
* @return void
* @since 4.2.0
*/
public function setSelectedAlgorithms(array $selectedAlgorithms): void
{
$this->selectedAlgorithms = $selectedAlgorithms;
}
/**
* @param TokenBindingNotSupportedHandler $tokenBindingHandler Obvious
*
* @return void
* @since 4.2.0
*/
public function setTokenBindingHandler(TokenBindingNotSupportedHandler $tokenBindingHandler): void
{
$this->tokenBindingHandler = $tokenBindingHandler;
}
/**
* @param string $alias Obvious
* @param Algorithm $algorithm Obvious
*
* @return void
* @since 4.2.0
*/
public function addAlgorithm(string $alias, Algorithm $algorithm): void
{
$this->coseAlgorithmManagerFactory->add($alias, $algorithm);
$this->selectedAlgorithms[] = $alias;
$this->selectedAlgorithms = array_unique($this->selectedAlgorithms);
}
/**
* @param ExtensionOutputCheckerHandler $extensionOutputCheckerHandler Obvious
*
* @return void
* @since 4.2.0
*/
public function setExtensionOutputCheckerHandler(ExtensionOutputCheckerHandler $extensionOutputCheckerHandler): void
{
$this->extensionOutputCheckerHandler = $extensionOutputCheckerHandler;
}
/**
* @param string|null $userVerification Obvious
* @param PublicKeyCredentialDescriptor[] $allowedPublicKeyDescriptors Obvious
* @param AuthenticationExtensionsClientInputs|null $extensions Obvious
*
* @return PublicKeyCredentialRequestOptions
* @throws \Exception
* @since 4.2.0
*/
public function generatePublicKeyCredentialRequestOptions(
?string $userVerification = PublicKeyCredentialRequestOptions::USER_VERIFICATION_REQUIREMENT_PREFERRED,
array $allowedPublicKeyDescriptors = [],
?AuthenticationExtensionsClientInputs $extensions = null
): PublicKeyCredentialRequestOptions {
return new PublicKeyCredentialRequestOptions(
random_bytes($this->challengeSize),
$this->timeout,
$this->rpEntity->getId(),
$allowedPublicKeyDescriptors,
$userVerification,
$extensions ?? new AuthenticationExtensionsClientInputs()
);
}
/**
* @param PublicKeyCredentialUserEntity $userEntity Obvious
* @param string|null $attestationMode Obvious
* @param PublicKeyCredentialDescriptor[] $excludedPublicKeyDescriptors Obvious
* @param AuthenticatorSelectionCriteria|null $criteria Obvious
* @param AuthenticationExtensionsClientInputs|null $extensions Obvious
*
* @return PublicKeyCredentialCreationOptions
* @throws \Exception
* @since 4.2.0
*/
public function generatePublicKeyCredentialCreationOptions(
PublicKeyCredentialUserEntity $userEntity,
?string $attestationMode = PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE,
array $excludedPublicKeyDescriptors = [],
?AuthenticatorSelectionCriteria $criteria = null,
?AuthenticationExtensionsClientInputs $extensions = null
): PublicKeyCredentialCreationOptions {
$coseAlgorithmManager = $this->coseAlgorithmManagerFactory->create($this->selectedAlgorithms);
$publicKeyCredentialParametersList = [];
foreach ($coseAlgorithmManager->all() as $algorithm) {
$publicKeyCredentialParametersList[] = new PublicKeyCredentialParameters(
PublicKeyCredentialDescriptor::CREDENTIAL_TYPE_PUBLIC_KEY,
$algorithm::identifier()
);
}
$criteria = $criteria ?? new AuthenticatorSelectionCriteria();
$extensions = $extensions ?? new AuthenticationExtensionsClientInputs();
$challenge = random_bytes($this->challengeSize);
return new PublicKeyCredentialCreationOptions(
$this->rpEntity,
$userEntity,
$challenge,
$publicKeyCredentialParametersList,
$this->timeout,
$excludedPublicKeyDescriptors,
$criteria,
$attestationMode,
$extensions
);
}
/**
* @param string $data Obvious
* @param PublicKeyCredentialCreationOptions $publicKeyCredentialCreationOptions Obvious
* @param ServerRequestInterface $serverRequest Obvious
*
* @return PublicKeyCredentialSource
* @throws \Assert\AssertionFailedException
* @since 4.2.0
*/
public function loadAndCheckAttestationResponse(
string $data,
PublicKeyCredentialCreationOptions $publicKeyCredentialCreationOptions,
ServerRequestInterface $serverRequest
): PublicKeyCredentialSource {
$attestationStatementSupportManager = $this->getAttestationStatementSupportManager();
$attestationObjectLoader = new AttestationObjectLoader($attestationStatementSupportManager);
$publicKeyCredentialLoader = new PublicKeyCredentialLoader($attestationObjectLoader);
$publicKeyCredential = $publicKeyCredentialLoader->load($data);
$authenticatorResponse = $publicKeyCredential->getResponse();
Assertion::isInstanceOf($authenticatorResponse, AuthenticatorAttestationResponse::class, 'Not an authenticator attestation response');
$authenticatorAttestationResponseValidator = new AuthenticatorAttestationResponseValidator(
$attestationStatementSupportManager,
$this->publicKeyCredentialSourceRepository,
$this->tokenBindingHandler,
$this->extensionOutputCheckerHandler
);
return $authenticatorAttestationResponseValidator->check($authenticatorResponse, $publicKeyCredentialCreationOptions, $serverRequest);
}
/**
* @param string $data Obvious
* @param PublicKeyCredentialRequestOptions $publicKeyCredentialRequestOptions Obvious
* @param PublicKeyCredentialUserEntity|null $userEntity Obvious
* @param ServerRequestInterface $serverRequest Obvious
*
* @return PublicKeyCredentialSource
* @throws \Assert\AssertionFailedException
* @since 4.2.0
*/
public function loadAndCheckAssertionResponse(
string $data,
PublicKeyCredentialRequestOptions $publicKeyCredentialRequestOptions,
?PublicKeyCredentialUserEntity $userEntity,
ServerRequestInterface $serverRequest
): PublicKeyCredentialSource {
$attestationStatementSupportManager = $this->getAttestationStatementSupportManager();
$attestationObjectLoader = new AttestationObjectLoader($attestationStatementSupportManager);
$publicKeyCredentialLoader = new PublicKeyCredentialLoader($attestationObjectLoader);
$publicKeyCredential = $publicKeyCredentialLoader->load($data);
$authenticatorResponse = $publicKeyCredential->getResponse();
Assertion::isInstanceOf($authenticatorResponse, AuthenticatorAssertionResponse::class, 'Not an authenticator assertion response');
$authenticatorAssertionResponseValidator = new AuthenticatorAssertionResponseValidator(
$this->publicKeyCredentialSourceRepository,
null,
$this->tokenBindingHandler,
$this->extensionOutputCheckerHandler,
$this->coseAlgorithmManagerFactory->create($this->selectedAlgorithms)
);
return $authenticatorAssertionResponseValidator->check(
$publicKeyCredential->getRawId(),
$authenticatorResponse,
$publicKeyCredentialRequestOptions,
$serverRequest,
null !== $userEntity ? $userEntity->getId() : null
);
}
/**
* @param ClientInterface $client Obvious
* @param string $apiKey Obvious
* @param RequestFactoryInterface $requestFactory Obvious
*
* @return void
* @since 4.2.0
*/
public function enforceAndroidSafetyNetVerification(
ClientInterface $client,
string $apiKey,
RequestFactoryInterface $requestFactory
): void {
$this->httpClient = $client;
$this->googleApiKey = $apiKey;
$this->requestFactory = $requestFactory;
}
/**
* @return AttestationStatementSupportManager
* @since 4.2.0
*/
private function getAttestationStatementSupportManager(): AttestationStatementSupportManager
{
$attestationStatementSupportManager = new AttestationStatementSupportManager();
$attestationStatementSupportManager->add(new NoneAttestationStatementSupport());
if ($this->metadataStatementRepository !== null) {
$coseAlgorithmManager = $this->coseAlgorithmManagerFactory->create($this->selectedAlgorithms);
$attestationStatementSupportManager->add(new FidoU2FAttestationStatementSupport(null, $this->metadataStatementRepository));
/**
* Work around a third party library (web-token/jwt-signature-algorithm-eddsa) bug.
*
* On PHP 8 libsodium is compiled into PHP, it is not an extension. However, the third party library does
* not check if the libsodium function are available; it checks if the "sodium" extension is loaded. This of
* course causes an immediate failure with a Runtime exception EVEN IF the attested data isn't attested by
* Android Safety Net. Therefore we have to not even load the AndroidSafetyNetAttestationStatementSupport
* class in this case...
*/
if (function_exists('sodium_crypto_sign_seed_keypair') && function_exists('extension_loaded') && extension_loaded('sodium')) {
$attestationStatementSupportManager->add(
new AndroidSafetyNetAttestationStatementSupport(
$this->httpClient,
$this->googleApiKey,
$this->requestFactory,
2000,
60000,
$this->metadataStatementRepository
)
);
}
$attestationStatementSupportManager->add(new AndroidKeyAttestationStatementSupport(null, $this->metadataStatementRepository));
$attestationStatementSupportManager->add(new TPMAttestationStatementSupport($this->metadataStatementRepository));
$attestationStatementSupportManager->add(
new PackedAttestationStatementSupport(
null,
$coseAlgorithmManager,
$this->metadataStatementRepository
)
);
}
return $attestationStatementSupportManager;
}
}