<?php
|
|
/*
|
|
require_once 'WebAuthn.php';
|
|
try {
|
|
session_start();
|
|
|
|
// read get argument and post body
|
|
$fn = filter_input(INPUT_GET, 'fn');
|
|
$requireResidentKey = !!filter_input(INPUT_GET, 'requireResidentKey');
|
|
$userVerification = filter_input(INPUT_GET, 'userVerification', FILTER_SANITIZE_SPECIAL_CHARS);
|
|
|
|
$userId = filter_input(INPUT_GET, 'userId', FILTER_SANITIZE_SPECIAL_CHARS);
|
|
$userName = filter_input(INPUT_GET, 'userName', FILTER_SANITIZE_SPECIAL_CHARS);
|
|
$userDisplayName = filter_input(INPUT_GET, 'userDisplayName', FILTER_SANITIZE_SPECIAL_CHARS);
|
|
|
|
$userId = preg_replace('/[^0-9a-f]/i', '', $userId);
|
|
$userName = preg_replace('/[^0-9a-z]/i', '', $userName);
|
|
$userDisplayName = preg_replace('/[^0-9a-z öüäéèàÖÜÄÉÈÀÂÊÎÔÛâêîôû]/i', '', $userDisplayName);
|
|
|
|
$post = trim(file_get_contents('php://input'));
|
|
if ($post) {
|
|
$post = json_decode($post, null, 512, JSON_THROW_ON_ERROR);
|
|
}
|
|
|
|
if ($fn !== 'getStoredDataHtml') {
|
|
|
|
// Formats
|
|
$formats = [];
|
|
//if (filter_input(INPUT_GET, 'fmt_android-key')) {
|
|
$formats[] = 'android-key';
|
|
//}
|
|
///if (filter_input(INPUT_GET, 'fmt_android-safetynet')) {
|
|
$formats[] = 'android-safetynet';
|
|
//}
|
|
//if (filter_input(INPUT_GET, 'fmt_apple')) {
|
|
$formats[] = 'apple';
|
|
//}
|
|
//if (filter_input(INPUT_GET, 'fmt_fido-u2f')) {
|
|
$formats[] = 'fido-u2f';
|
|
//}
|
|
//if (filter_input(INPUT_GET, 'fmt_none')) {
|
|
$formats[] = 'none';
|
|
//}
|
|
//if (filter_input(INPUT_GET, 'fmt_packed')) {
|
|
$formats[] = 'packed';
|
|
//}
|
|
//if (filter_input(INPUT_GET, 'fmt_tpm')) {
|
|
$formats[] = 'tpm';
|
|
//}
|
|
|
|
$rpId=$_SERVER['SERVER_NAME'];
|
|
|
|
$typeUsb = true;
|
|
$typeNfc = true;
|
|
$typeBle = true;
|
|
$typeInt = true;
|
|
$typeHyb = true;
|
|
|
|
// cross-platform: true, if type internal is not allowed
|
|
// false, if only internal is allowed
|
|
// null, if internal and cross-platform is allowed
|
|
$crossPlatformAttachment = null;
|
|
if (($typeUsb || $typeNfc || $typeBle || $typeHyb) && !$typeInt) {
|
|
$crossPlatformAttachment = true;
|
|
|
|
} else if (!$typeUsb && !$typeNfc && !$typeBle && !$typeHyb && $typeInt) {
|
|
$crossPlatformAttachment = false;
|
|
}
|
|
|
|
|
|
// new Instance of the server library.
|
|
// make sure that $rpId is the domain name.
|
|
$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $rpId, $formats);
|
|
|
|
// add root certificates to validate new registrations
|
|
//if (filter_input(INPUT_GET, 'solo')) {
|
|
$WebAuthn->addRootCertificates('rootCertificates/solo.pem');
|
|
//}
|
|
//if (filter_input(INPUT_GET, 'apple')) {
|
|
$WebAuthn->addRootCertificates('rootCertificates/apple.pem');
|
|
//}
|
|
//if (filter_input(INPUT_GET, 'yubico')) {
|
|
$WebAuthn->addRootCertificates('rootCertificates/yubico.pem');
|
|
//}
|
|
//if (filter_input(INPUT_GET, 'hypersecu')) {
|
|
$WebAuthn->addRootCertificates('rootCertificates/hypersecu.pem');
|
|
//}
|
|
//if (filter_input(INPUT_GET, 'google')) {
|
|
$WebAuthn->addRootCertificates('rootCertificates/globalSign.pem');
|
|
$WebAuthn->addRootCertificates('rootCertificates/googleHardware.pem');
|
|
//}
|
|
//if (filter_input(INPUT_GET, 'microsoft')) {
|
|
$WebAuthn->addRootCertificates('rootCertificates/microsoftTpmCollection.pem');
|
|
//}
|
|
//if (filter_input(INPUT_GET, 'mds')) {
|
|
$WebAuthn->addRootCertificates('rootCertificates/mds');
|
|
//}
|
|
|
|
}
|
|
|
|
// ------------------------------------
|
|
// request for create arguments
|
|
// ------------------------------------
|
|
|
|
if ($fn === 'getCreateArgs') {
|
|
$createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification, $crossPlatformAttachment);
|
|
|
|
header('Content-Type: application/json');
|
|
print(json_encode($createArgs));
|
|
|
|
// save challange to session. you have to deliver it to processGet later.
|
|
$_SESSION['challenge'] = $WebAuthn->getChallenge();
|
|
|
|
|
|
|
|
// ------------------------------------
|
|
// request for get arguments
|
|
// ------------------------------------
|
|
|
|
} else if ($fn === 'getGetArgs') {
|
|
$ids = [];
|
|
|
|
if ($requireResidentKey) {
|
|
if (!isset($_SESSION['registrations']) || !is_array($_SESSION['registrations']) || count($_SESSION['registrations']) === 0) {
|
|
throw new Exception('we do not have any registrations in session to check the registration');
|
|
}
|
|
|
|
} else {
|
|
// load registrations from session stored there by processCreate.
|
|
// normaly you have to load the credential Id's for a username
|
|
// from the database.
|
|
if (isset($_SESSION['registrations']) && is_array($_SESSION['registrations'])) {
|
|
foreach ($_SESSION['registrations'] as $reg) {
|
|
if ($reg->userId === $userId) {
|
|
$ids[] = $reg->credentialId;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (count($ids) === 0) {
|
|
throw new Exception('no registrations in session for userId ' . $userId);
|
|
}
|
|
}
|
|
|
|
$getArgs = $WebAuthn->getGetArgs($ids, 60*4, $typeUsb, $typeNfc, $typeBle, $typeHyb, $typeInt, $userVerification);
|
|
|
|
header('Content-Type: application/json');
|
|
print(json_encode($getArgs));
|
|
|
|
// save challange to session. you have to deliver it to processGet later.
|
|
$_SESSION['challenge'] = $WebAuthn->getChallenge();
|
|
|
|
|
|
|
|
// ------------------------------------
|
|
// process create
|
|
// ------------------------------------
|
|
|
|
} else if ($fn === 'processCreate') {
|
|
$clientDataJSON = base64_decode($post->clientDataJSON);
|
|
$attestationObject = base64_decode($post->attestationObject);
|
|
$challenge = $_SESSION['challenge'];
|
|
|
|
// processCreate returns data to be stored for future logins.
|
|
// in this example we store it in the php session.
|
|
// Normaly you have to store the data in a database connected
|
|
// with the user name.
|
|
$data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $userVerification === 'required', true, false);
|
|
|
|
// add user infos
|
|
$data->userId = $userId;
|
|
$data->userName = $userName;
|
|
$data->userDisplayName = $userDisplayName;
|
|
|
|
if (!isset($_SESSION['registrations']) || !array_key_exists('registrations', $_SESSION) || !is_array($_SESSION['registrations'])) {
|
|
$_SESSION['registrations'] = [];
|
|
}
|
|
$_SESSION['registrations'][] = $data;
|
|
|
|
$msg = 'registration success.';
|
|
|
|
$return = new stdClass();
|
|
$return->success = true;
|
|
$return->msg = $msg;
|
|
|
|
header('Content-Type: application/json');
|
|
print(json_encode($return));
|
|
|
|
}
|
|
|
|
} catch (Throwable $ex) {
|
|
$return = new stdClass();
|
|
$return->success = false;
|
|
$return->msg = $ex->getMessage();
|
|
|
|
header('Content-Type: application/json');
|
|
print(json_encode($return));
|
|
}
|
|
*/
|
|
?>
|
|
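<?php

// with db:
//
// WebAuthn relying-party endpoint backed by a MySQL `users` table.
// Dispatches on the `fn` GET parameter:
//   getCreateArgs - build the registration (navigator.credentials.create) options
//   getGetArgs    - build the login (navigator.credentials.get) options
//   processCreate - verify an attestation and persist the new credential
// Every response is JSON; any Throwable raised inside the try block is
// reported as {"success": false, "msg": ...}.

require_once 'WebAuthn.php';

// Assuming you've already established a database connection here
include "../config.php";

$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);

if ($conn->connect_error) {
    // Keep the driver detail (host/user/port) in the server log; the client only
    // needs to know that the request could not be served.
    // NOTE: on PHP >= 8.1 mysqli throws mysqli_sql_exception on connection failure
    // by default, so this branch is only reached when that reporting is turned off.
    error_log('Connection failed: ' . $conn->connect_error);
    die('Connection failed');
}

// Logs the mysqli error server-side and raises a generic error for the client,
// so driver/schema details never end up in the JSON `msg` field.
function dbFail(mysqli $conn, string $what): never
{
    error_log($what . ': ' . $conn->error);
    throw new Exception('database error');
}

try {
    session_start();

    // read get argument and post body
    $fn = filter_input(INPUT_GET, 'fn');
    $requireResidentKey = !!filter_input(INPUT_GET, 'requireResidentKey');
    $userVerification = filter_input(INPUT_GET, 'userVerification', FILTER_SANITIZE_SPECIAL_CHARS);

    $userId = filter_input(INPUT_GET, 'userId', FILTER_SANITIZE_SPECIAL_CHARS);
    $userName = filter_input(INPUT_GET, 'userName', FILTER_SANITIZE_SPECIAL_CHARS);
    $userDisplayName = filter_input(INPUT_GET, 'userDisplayName', FILTER_SANITIZE_SPECIAL_CHARS);

    // Allow-list the characters each field may contain; everything else is dropped.
    // filter_input() yields null/false for missing input, so cast to string first
    // (passing null to preg_replace() is deprecated since PHP 8.1).
    // NOTE(review): the display-name pattern has no `u` modifier, so the accented
    // letters are matched as their individual UTF-8 bytes — confirm whether that is intended.
    $userId = preg_replace('/[^0-9a-f]/i', '', (string) $userId);
    $userName = preg_replace('/[^0-9a-z]/i', '', (string) $userName);
    $userDisplayName = preg_replace('/[^0-9a-z öüäéèàÖÜÄÉÈÀÂÊÎÔÛâêîôû]/i', '', (string) $userDisplayName);

    $post = trim((string) file_get_contents('php://input'));
    if ($post !== '') {
        $post = json_decode($post, null, 512, JSON_THROW_ON_ERROR);
    }

    if ($fn !== 'getStoredDataHtml') {
        // Attestation statement formats the server accepts. The earlier demo
        // toggled each of these with a fmt_* GET flag; here all are enabled.
        $formats = [
            'android-key',
            'android-safetynet',
            'apple',
            'fido-u2f',
            'none',
            'packed',
            'tpm',
        ];

        // Relying-party id: must be the domain the credentials are bound to.
        // NOTE(review): SERVER_NAME may be derived from the request's Host header
        // depending on web-server configuration; a fixed, configured domain is
        // the safer source — confirm for this deployment.
        $rpId = $_SERVER['SERVER_NAME'];

        // Authenticator transports offered to the client.
        $typeUsb = true;
        $typeNfc = true;
        $typeBle = true;
        $typeInt = true;
        $typeHyb = true;

        // cross-platform: true, if type internal is not allowed
        // false, if only internal is allowed
        // null, if internal and cross-platform is allowed
        $crossPlatformAttachment = null;
        if (($typeUsb || $typeNfc || $typeBle || $typeHyb) && !$typeInt) {
            $crossPlatformAttachment = true;
        } elseif (!$typeUsb && !$typeNfc && !$typeBle && !$typeHyb && $typeInt) {
            $crossPlatformAttachment = false;
        }

        // new Instance of the server library.
        // make sure that $rpId is the domain name.
        $WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $rpId, $formats);

        // Root certificates used to validate the attestation chain of new
        // registrations. The earlier demo enabled each vendor via a GET flag;
        // all of them are loaded here.
        $rootCertificates = [
            'rootCertificates/solo.pem',
            'rootCertificates/apple.pem',
            'rootCertificates/yubico.pem',
            'rootCertificates/hypersecu.pem',
            'rootCertificates/globalSign.pem',
            'rootCertificates/googleHardware.pem',
            'rootCertificates/microsoftTpmCollection.pem',
            'rootCertificates/mds',
        ];
        foreach ($rootCertificates as $rootCertificate) {
            $WebAuthn->addRootCertificates($rootCertificate);
        }
    }

    // Handle different functions
    if ($fn === 'getCreateArgs') {
        // hex2bin() warns and returns false on an odd-length or empty string;
        // reject that up front with a clear message instead.
        if ($userId === '' || strlen($userId) % 2 !== 0) {
            throw new Exception('userId must be a non-empty hex string of even length');
        }

        // NOTE(review): userId/userName/userDisplayName are taken from the query
        // string. In a real deployment the registering user should come from the
        // authenticated session rather than from client-supplied parameters.
        $createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification, $crossPlatformAttachment);

        header('Content-Type: application/json');
        print(json_encode($createArgs));

        // save challenge to session. you have to deliver it to processCreate later.
        $_SESSION['challenge'] = $WebAuthn->getChallenge();

    } elseif ($fn === 'getGetArgs') {
        $ids = [];

        if ($requireResidentKey) {
            // Discoverable credentials: no allowCredentials list is sent, but make
            // sure at least one registration exists before starting a login.
            $countStmt = $conn->prepare('SELECT COUNT(*) FROM users');
            if ($countStmt === false) {
                dbFail($conn, 'prepare failed');
            }
            if (!$countStmt->execute()) {
                dbFail($conn, 'execute failed');
            }
            $registrationCount = 0;
            $countStmt->bind_result($registrationCount);
            $countStmt->fetch();
            $countStmt->close();

            if ((int) $registrationCount === 0) {
                throw new Exception('we do not have any registrations to check the registration');
            }

        } else {
            // Load the credential ids registered for this user from the database
            // (processCreate stores them there, so the session no longer holds them).
            // NOTE(review): assumes `credential_id` holds the raw value inserted by
            // processCreate — confirm the column type matches.
            $idStmt = $conn->prepare('SELECT credential_id FROM users WHERE user_hex_id = ?');
            if ($idStmt === false) {
                dbFail($conn, 'prepare failed');
            }
            if (!$idStmt->execute([$userId])) {
                dbFail($conn, 'execute failed');
            }
            $credentialId = null;
            $idStmt->bind_result($credentialId);
            while ($idStmt->fetch()) {
                $ids[] = $credentialId;
            }
            $idStmt->close();

            if (count($ids) === 0) {
                throw new Exception('no registrations found for userId ' . $userId);
            }
        }

        $getArgs = $WebAuthn->getGetArgs($ids, 60*4, $typeUsb, $typeNfc, $typeBle, $typeHyb, $typeInt, $userVerification);

        header('Content-Type: application/json');
        print(json_encode($getArgs));

        // save challenge to session. you have to deliver it to processGet later.
        $_SESSION['challenge'] = $WebAuthn->getChallenge();

    } elseif ($fn === 'processCreate') {
        // Process create
        if (!is_object($post) || !isset($post->clientDataJSON, $post->attestationObject)) {
            throw new Exception('clientDataJSON and attestationObject are required in the request body');
        }
        if (!isset($_SESSION['challenge'])) {
            throw new Exception('no challenge in session; call getCreateArgs first');
        }
        $challenge = $_SESSION['challenge'];
        $clientDataJSON = base64_decode($post->clientDataJSON);
        $attestationObject = base64_decode($post->attestationObject);

        // Verify the attestation against the stored challenge.
        // NOTE(review): in the library's parameter order the trailing flags are
        // requireUserVerification / requireUserPresent / failIfRootMismatch — the
        // final `false` accepts attestations whose chain does not reach a loaded
        // root certificate; confirm that is intended for production.
        $data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $userVerification === 'required', true, false);

        // The challenge is single-use: drop it so the same attestation cannot be
        // submitted again against this session.
        unset($_SESSION['challenge']);

        // add user infos
        $data->userId = $userId;
        $data->userName = $userName;
        $data->userDisplayName = $userDisplayName;

        // Store registration data in the database.
        // (mysqli_stmt::execute() with a parameter array needs PHP >= 8.1.)
        // The former var_dump($data) was removed: it was emitted before the JSON
        // body, corrupting the response and echoing the credential record.
        $stmt = $conn->prepare("INSERT INTO users (user_hex_id, credential_id, public_key, counter) VALUES (?, ?, ?, ?)");
        if ($stmt === false) {
            dbFail($conn, 'prepare failed');
        }
        if (!$stmt->execute([$userId, $data->credentialId, $data->publicKey, $data->counter])) {
            dbFail($conn, 'execute failed');
        }
        $stmt->close();

        $msg = 'registration success.';
        $return = new stdClass();
        $return->success = true;
        $return->msg = $msg;
        header('Content-Type: application/json');
        print(json_encode($return));
    }

} catch (Throwable $ex) {
    $return = new stdClass();
    $return->success = false;
    $return->msg = $ex->getMessage();

    header('Content-Type: application/json');
    print(json_encode($return));
}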
|