webauthn
This commit is contained in:
Roland Gruber
parent
58e15da1a8
commit
4d5d93c62b
|
|
@ -10,6 +10,7 @@ use \htmlJavaScript;
|
||||||
use \htmlStatusMessage;
|
use \htmlStatusMessage;
|
||||||
use \htmlDiv;
|
use \htmlDiv;
|
||||||
use \LAMException;
|
use \LAMException;
|
||||||
|
use function LAM\LOGIN\WEBAUTHN\storeNewRegistration;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||||
|
|
@ -460,7 +461,7 @@ class DuoProvider extends BaseProvider {
|
||||||
* @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::verify2ndFactor()
|
* @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::verify2ndFactor()
|
||||||
*/
|
*/
|
||||||
public function verify2ndFactor($user, $password, $serial, $twoFactorInput) {
|
public function verify2ndFactor($user, $password, $serial, $twoFactorInput) {
|
||||||
logNewMessage(LOG_DEBUG, 'PrivacyIDEAProvider: Checking 2nd factor for ' . $user);
|
logNewMessage(LOG_DEBUG, 'DuoProvider: Checking 2nd factor for ' . $user);
|
||||||
$loginAttribute = $this->getLoginAttributeValue($user);
|
$loginAttribute = $this->getLoginAttributeValue($user);
|
||||||
$response = $_POST['sig_response'];
|
$response = $_POST['sig_response'];
|
||||||
include_once(__DIR__ . "/3rdParty/duo/Web.php");
|
include_once(__DIR__ . "/3rdParty/duo/Web.php");
|
||||||
|
|
@ -540,19 +541,15 @@ class WebauthnProvider extends BaseProvider {
|
||||||
* @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::verify2ndFactor()
|
* @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::verify2ndFactor()
|
||||||
*/
|
*/
|
||||||
public function verify2ndFactor($user, $password, $serial, $twoFactorInput) {
|
public function verify2ndFactor($user, $password, $serial, $twoFactorInput) {
|
||||||
logNewMessage(LOG_DEBUG, 'PrivacyIDEAProvider: Checking 2nd factor for ' . $user);
|
logNewMessage(LOG_DEBUG, 'WebauthnProvider: Checking 2nd factor for ' . $user);
|
||||||
$loginAttribute = $this->getLoginAttributeValue($user);
|
|
||||||
$response = $_POST['sig_response'];
|
$response = $_POST['sig_response'];
|
||||||
include_once(__DIR__ . "/3rdParty/duo/Web.php");
|
include_once __DIR__ . '/3rdParty/composer/autoload.php';
|
||||||
$result = \Duo\Web::verifyResponse(
|
include_once __DIR__ . '/webauthn.inc';
|
||||||
$this->config->twoFactorAuthenticationClientId,
|
$registrationObject = $_SESSION['webauthn_registration'];
|
||||||
$this->config->twoFactorAuthenticationSecretKey,
|
if (storeNewRegistration($registrationObject, $response)) {
|
||||||
$this->getAKey(),
|
|
||||||
$response);
|
|
||||||
if ($result === $loginAttribute) {
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
logNewMessage(LOG_ERR, 'DUO authentication failed');
|
logNewMessage(LOG_ERR, 'Webauthn authentication failed');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -2,13 +2,34 @@
|
||||||
|
|
||||||
namespace LAM\LOGIN\WEBAUTHN;
|
namespace LAM\LOGIN\WEBAUTHN;
|
||||||
|
|
||||||
|
use CBOR\Decoder;
|
||||||
|
use CBOR\OtherObject\OtherObjectManager;
|
||||||
|
use CBOR\Tag\TagObjectManager;
|
||||||
|
use Cose\Algorithm\Manager;
|
||||||
|
use Cose\Algorithm\Signature\ECDSA\ES256;
|
||||||
|
use Cose\Algorithm\Signature\ECDSA\ES384;
|
||||||
|
use Cose\Algorithm\Signature\ECDSA\ES512;
|
||||||
|
use Cose\Algorithm\Signature\EdDSA\EdDSA;
|
||||||
|
use Cose\Algorithm\Signature\RSA\RS1;
|
||||||
|
use Cose\Algorithm\Signature\RSA\RS256;
|
||||||
|
use Cose\Algorithm\Signature\RSA\RS384;
|
||||||
|
use Cose\Algorithm\Signature\RSA\RS512;
|
||||||
use \Cose\Algorithms;
|
use \Cose\Algorithms;
|
||||||
|
use http\Client;
|
||||||
|
use Webauthn\AttestationStatement\AndroidKeyAttestationStatementSupport;
|
||||||
|
use Webauthn\AttestationStatement\AndroidSafetyNetAttestationStatementSupport;
|
||||||
|
use Webauthn\AttestationStatement\AttestationStatementSupportManager;
|
||||||
|
use Webauthn\AttestationStatement\FidoU2FAttestationStatementSupport;
|
||||||
|
use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
|
||||||
|
use Webauthn\AttestationStatement\PackedAttestationStatementSupport;
|
||||||
|
use Webauthn\AttestationStatement\TPMAttestationStatementSupport;
|
||||||
use \Webauthn\PublicKeyCredentialCreationOptions;
|
use \Webauthn\PublicKeyCredentialCreationOptions;
|
||||||
use \Webauthn\PublicKeyCredentialRpEntity;
|
use \Webauthn\PublicKeyCredentialRpEntity;
|
||||||
use \Webauthn\PublicKeyCredentialParameters;
|
use \Webauthn\PublicKeyCredentialParameters;
|
||||||
use \Webauthn\PublicKeyCredentialUserEntity;
|
use \Webauthn\PublicKeyCredentialUserEntity;
|
||||||
use \Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientInputs;
|
use \Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientInputs;
|
||||||
use \Webauthn\AuthenticatorSelectionCriteria;
|
use \Webauthn\AuthenticatorSelectionCriteria;
|
||||||
|
use Webauthn\TokenBinding\IgnoreTokenBindingHandler;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
||||||
|
|
@ -52,7 +73,7 @@ function isRegistered($dn) {
|
||||||
*
|
*
|
||||||
* @param string $dn DN
|
* @param string $dn DN
|
||||||
* @param bool $isSelfService is executed in self service
|
* @param bool $isSelfService is executed in self service
|
||||||
* @return PublicKeyCredentialCreationOptions challenge
|
* @return PublicKeyCredentialCreationOptions registration object
|
||||||
*/
|
*/
|
||||||
function getRegistrationObject($dn, $isSelfService) {
|
function getRegistrationObject($dn, $isSelfService) {
|
||||||
$rpEntity = createRpEntry($isSelfService);
|
$rpEntity = createRpEntry($isSelfService);
|
||||||
|
|
@ -120,3 +141,51 @@ function getCredentialParameters() {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verifies the registration and stores it in the database.
|
||||||
|
*
|
||||||
|
* @param PublicKeyCredentialCreationOptions $registration registration object
|
||||||
|
* @param $clientResponse client response
|
||||||
|
* @return bool true if response is valid and registration succeeded
|
||||||
|
*/
|
||||||
|
function storeNewRegistration($registration, $clientResponse) {
|
||||||
|
$decoder = getCborDecoder();
|
||||||
|
$tokenBindingHandler = new IgnoreTokenBindingHandler();
|
||||||
|
$attestationSupportManager = getAttestationSupportManager($decoder);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns a CBOR decoder.
|
||||||
|
*
|
||||||
|
* @return Decoder decoder
|
||||||
|
*/
|
||||||
|
function getCborDecoder() {
|
||||||
|
return new Decoder(new TagObjectManager(), new OtherObjectManager());
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Creates the attestation support manager.
|
||||||
|
*
|
||||||
|
* @param Decoder $decoder decoder
|
||||||
|
* @return AttestationStatementSupportManager manager
|
||||||
|
*/
|
||||||
|
function getAttestationSupportManager($decoder) {
|
||||||
|
$manager = new AttestationStatementSupportManager();
|
||||||
|
$manager->add(new NoneAttestationStatementSupport());
|
||||||
|
$manager->add(new FidoU2FAttestationStatementSupport());
|
||||||
|
$manager->add(new AndroidSafetyNetAttestationStatementSupport(new Client() /*TODO*/));
|
||||||
|
$manager->add(new AndroidKeyAttestationStatementSupport($decoder));
|
||||||
|
$manager->add(new TPMAttestationStatementSupport());
|
||||||
|
$coseManager = new Manager();
|
||||||
|
$coseManager->add(new ES256());
|
||||||
|
$coseManager->add(new ES384());
|
||||||
|
$coseManager->add(new ES512());
|
||||||
|
$coseManager->add(new EdDSA());
|
||||||
|
$coseManager->add(new RS1());
|
||||||
|
$coseManager->add(new RS256());
|
||||||
|
$coseManager->add(new RS384);
|
||||||
|
$coseManager->add(new RS512());
|
||||||
|
$manager->add(new PackedAttestationStatementSupport($decoder, $coseManager));
|
||||||
|
return $manager;
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -1424,8 +1424,10 @@ window.lam.webauthn.register = function(publicKey) {
|
||||||
attestationObject: window.lam.webauthn.arrayToBase64String(new Uint8Array(data.response.attestationObject))
|
attestationObject: window.lam.webauthn.arrayToBase64String(new Uint8Array(data.response.attestationObject))
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
console.log(publicKeyCredential);
|
let form = jQuery("#2faform");
|
||||||
//window.location = '/request_post?data='+btoa(JSON.stringify(publicKeyCredential));
|
let response = btoa(JSON.stringify(publicKeyCredential));
|
||||||
|
form.append('<input type="hidden" name="sig_response" value="' + response + '"/>');
|
||||||
|
form.submit();
|
||||||
}, function (error) {
|
}, function (error) {
|
||||||
console.log(error);
|
console.log(error);
|
||||||
});
|
});
|
||||||
|
|
|
||||||
|
|
@ -132,7 +132,7 @@ printJsIncludes('..');
|
||||||
|
|
||||||
<br><br>
|
<br><br>
|
||||||
|
|
||||||
<form enctype="multipart/form-data" action="login2Factor.php" method="post" autocomplete="off">
|
<form id="2faform" enctype="multipart/form-data" action="login2Factor.php" method="post" autocomplete="off">
|
||||||
<?php
|
<?php
|
||||||
echo $config->getTwoFactorAuthenticationCaption();
|
echo $config->getTwoFactorAuthenticationCaption();
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -197,6 +197,7 @@ class Ajax {
|
||||||
$isRegistered = isRegistered($userDN);
|
$isRegistered = isRegistered($userDN);
|
||||||
if (!$isRegistered) {
|
if (!$isRegistered) {
|
||||||
$registrationObject = getRegistrationObject($userDN, $isSelfService);
|
$registrationObject = getRegistrationObject($userDN, $isSelfService);
|
||||||
|
$_SESSION['webauthn_registration'] = $registrationObject;
|
||||||
echo json_encode(
|
echo json_encode(
|
||||||
array(
|
array(
|
||||||
'action' => 'register',
|
'action' => 'register',
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue