284 lines
10 KiB
PHP
284 lines
10 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
/*
|
|
* The MIT License (MIT)
|
|
*
|
|
* Copyright (c) 2014-2021 Spomky-Labs
|
|
*
|
|
* This software may be modified and distributed under the terms
|
|
* of the MIT license. See the LICENSE file for details.
|
|
*/
|
|
|
|
namespace Webauthn\MetadataService;
|
|
|
|
use Assert\Assertion;
|
|
use Base64Url\Base64Url;
|
|
use function count;
|
|
use InvalidArgumentException;
|
|
use function is_array;
|
|
use Jose\Component\KeyManagement\JWKFactory;
|
|
use Jose\Component\Signature\Algorithm\ES256;
|
|
use Jose\Component\Signature\Serializer\CompactSerializer;
|
|
use League\Uri\UriString;
|
|
use LogicException;
|
|
use Psr\Http\Client\ClientInterface;
|
|
use Psr\Http\Message\RequestFactoryInterface;
|
|
use Psr\Log\LoggerInterface;
|
|
use Psr\Log\NullLogger;
|
|
use function Safe\json_decode;
|
|
use function Safe\sprintf;
|
|
use Throwable;
|
|
use Webauthn\CertificateToolbox;
|
|
|
|
class MetadataService
|
|
{
|
|
/**
|
|
* @var ClientInterface
|
|
*/
|
|
private $httpClient;
|
|
|
|
/**
|
|
* @var RequestFactoryInterface
|
|
*/
|
|
private $requestFactory;
|
|
|
|
/**
|
|
* @var array
|
|
*/
|
|
private $additionalQueryStringValues;
|
|
|
|
/**
|
|
* @var array
|
|
*/
|
|
private $additionalHeaders;
|
|
|
|
/**
|
|
* @var string
|
|
*/
|
|
private $serviceUri;
|
|
|
|
/**
|
|
* @var LoggerInterface
|
|
*/
|
|
private $logger;
|
|
|
|
public function __construct(string $serviceUri, ClientInterface $httpClient, RequestFactoryInterface $requestFactory, array $additionalQueryStringValues = [], array $additionalHeaders = [], ?LoggerInterface $logger = null)
|
|
{
|
|
if (0 !== count($additionalQueryStringValues)) {
|
|
@trigger_error('The argument "additionalQueryStringValues" is deprecated since version 3.3 and will be removed in 4.0. Please set an empty array instead and us the method `addQueryStringValues`.', E_USER_DEPRECATED);
|
|
}
|
|
if (0 !== count($additionalQueryStringValues)) {
|
|
@trigger_error('The argument "additionalHeaders" is deprecated since version 3.3 and will be removed in 4.0. Please set an empty array instead and us the method `addHeaders`.', E_USER_DEPRECATED);
|
|
}
|
|
if (null !== $logger) {
|
|
@trigger_error('The argument "logger" is deprecated since version 3.3 and will be removed in 4.0. Please use the method "setLogger" instead.', E_USER_DEPRECATED);
|
|
}
|
|
$this->serviceUri = $serviceUri;
|
|
$this->httpClient = $httpClient;
|
|
$this->requestFactory = $requestFactory;
|
|
$this->additionalQueryStringValues = $additionalQueryStringValues;
|
|
$this->additionalHeaders = $additionalHeaders;
|
|
$this->logger = $logger ?? new NullLogger();
|
|
}
|
|
|
|
public function addQueryStringValues(array $additionalQueryStringValues): self
|
|
{
|
|
$this->additionalQueryStringValues = $additionalQueryStringValues;
|
|
|
|
return $this;
|
|
}
|
|
|
|
public function addHeaders(array $additionalHeaders): self
|
|
{
|
|
$this->additionalHeaders = $additionalHeaders;
|
|
|
|
return $this;
|
|
}
|
|
|
|
public function setLogger(LoggerInterface $logger): self
|
|
{
|
|
$this->logger = $logger;
|
|
|
|
return $this;
|
|
}
|
|
|
|
public function has(string $aaguid): bool
|
|
{
|
|
try {
|
|
$toc = $this->fetchMetadataTOCPayload();
|
|
} catch (Throwable $e) {
|
|
return false;
|
|
}
|
|
foreach ($toc->getEntries() as $entry) {
|
|
if ($entry->getAaguid() === $aaguid && null !== $entry->getUrl()) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
public function get(string $aaguid): MetadataStatement
|
|
{
|
|
$toc = $this->fetchMetadataTOCPayload();
|
|
foreach ($toc->getEntries() as $entry) {
|
|
if ($entry->getAaguid() === $aaguid && null !== $entry->getUrl()) {
|
|
$mds = $this->fetchMetadataStatementFor($entry);
|
|
$mds
|
|
->setStatusReports($entry->getStatusReports())
|
|
->setRootCertificates($toc->getRootCertificates())
|
|
;
|
|
|
|
return $mds;
|
|
}
|
|
}
|
|
|
|
throw new InvalidArgumentException(sprintf('The Metadata Statement with AAGUID "%s" is missing', $aaguid));
|
|
}
|
|
|
|
/**
|
|
* @deprecated This method is deprecated since v3.3 and will be removed in v4.0
|
|
*/
|
|
public function getMetadataStatementFor(MetadataTOCPayloadEntry $entry, string $hashingFunction = 'sha256'): MetadataStatement
|
|
{
|
|
return $this->fetchMetadataStatementFor($entry, $hashingFunction);
|
|
}
|
|
|
|
public function fetchMetadataStatementFor(MetadataTOCPayloadEntry $entry, string $hashingFunction = 'sha256'): MetadataStatement
|
|
{
|
|
$this->logger->info('Trying to get the metadata statement for a given entry', ['entry' => $entry]);
|
|
try {
|
|
$hash = $entry->getHash();
|
|
$url = $entry->getUrl();
|
|
if (null === $hash || null === $url) {
|
|
throw new LogicException('The Metadata Statement has not been published');
|
|
}
|
|
$uri = $this->buildUri($url);
|
|
$result = $this->fetchMetadataStatement($uri, true, $hash, $hashingFunction);
|
|
$this->logger->info('The metadata statement exists');
|
|
$this->logger->debug('Metadata Statement', ['mds' => $result]);
|
|
|
|
return $result;
|
|
} catch (Throwable $throwable) {
|
|
$this->logger->error('An error occurred', [
|
|
'exception' => $throwable,
|
|
]);
|
|
throw $throwable;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @deprecated This method is deprecated since v3.3 and will be removed in v4.0
|
|
*/
|
|
public function getMetadataTOCPayload(): MetadataTOCPayload
|
|
{
|
|
return $this->fetchMetadataTOCPayload();
|
|
}
|
|
|
|
private function fetchMetadataTOCPayload(): MetadataTOCPayload
|
|
{
|
|
$this->logger->info('Trying to get the metadata service TOC payload');
|
|
try {
|
|
$uri = $this->buildUri($this->serviceUri);
|
|
$toc = $this->fetchTableOfContent($uri);
|
|
$this->logger->info('The TOC payload has been received');
|
|
$this->logger->debug('TOC payload', ['toc' => $toc]);
|
|
|
|
return $toc;
|
|
} catch (Throwable $throwable) {
|
|
$this->logger->error('An error occurred', [
|
|
'exception' => $throwable,
|
|
]);
|
|
throw $throwable;
|
|
}
|
|
}
|
|
|
|
private function buildUri(string $uri): string
|
|
{
|
|
$parsedUri = UriString::parse($uri);
|
|
$queryString = $parsedUri['query'];
|
|
$query = [];
|
|
if (null !== $queryString) {
|
|
parse_str($queryString, $query);
|
|
}
|
|
foreach ($this->additionalQueryStringValues as $k => $v) {
|
|
if (!isset($query[$k])) {
|
|
$query[$k] = $v;
|
|
continue;
|
|
}
|
|
if (!is_array($query[$k])) {
|
|
$query[$k] = [$query[$k], $v];
|
|
continue;
|
|
}
|
|
$query[$k][] = $v;
|
|
}
|
|
$parsedUri['query'] = 0 === count($query) ? null : http_build_query($query, '', '&', PHP_QUERY_RFC3986);
|
|
|
|
return UriString::build($parsedUri);
|
|
}
|
|
|
|
private function fetchTableOfContent(string $uri): MetadataTOCPayload
|
|
{
|
|
$content = $this->fetch($uri);
|
|
$rootCertificates = [];
|
|
$payload = $this->getJwsPayload($content, $rootCertificates);
|
|
$data = json_decode($payload, true);
|
|
|
|
$toc = MetadataTOCPayload::createFromArray($data);
|
|
$toc->setRootCertificates($rootCertificates);
|
|
|
|
return $toc;
|
|
}
|
|
|
|
private function fetchMetadataStatement(string $uri, bool $isBase64UrlEncoded, string $hash = '', string $hashingFunction = 'sha256'): MetadataStatement
|
|
{
|
|
$payload = $this->fetch($uri);
|
|
if ('' !== $hash) {
|
|
Assertion::true(hash_equals($hash, hash($hashingFunction, $payload, true)), 'The hash cannot be verified. The metadata statement shall be rejected');
|
|
}
|
|
$json = $isBase64UrlEncoded ? Base64Url::decode($payload) : $payload;
|
|
$data = json_decode($json, true);
|
|
|
|
return MetadataStatement::createFromArray($data);
|
|
}
|
|
|
|
private function fetch(string $uri): string
|
|
{
|
|
$request = $this->requestFactory->createRequest('GET', $uri);
|
|
foreach ($this->additionalHeaders as $k => $v) {
|
|
$request = $request->withHeader($k, $v);
|
|
}
|
|
$response = $this->httpClient->sendRequest($request);
|
|
Assertion::eq(200, $response->getStatusCode(), sprintf('Unable to contact the server. Response code is %d', $response->getStatusCode()));
|
|
$content = $response->getBody()->getContents();
|
|
Assertion::notEmpty($content, 'Unable to contact the server. The response has no content');
|
|
|
|
return $content;
|
|
}
|
|
|
|
private function getJwsPayload(string $token, array &$rootCertificates): string
|
|
{
|
|
$jws = (new CompactSerializer())->unserialize($token);
|
|
Assertion::eq(1, $jws->countSignatures(), 'Invalid response from the metadata service. Only one signature shall be present.');
|
|
$signature = $jws->getSignature(0);
|
|
$payload = $jws->getPayload();
|
|
Assertion::notEmpty($payload, 'Invalid response from the metadata service. The token payload is empty.');
|
|
$header = $signature->getProtectedHeader();
|
|
Assertion::keyExists($header, 'alg', 'The "alg" parameter is missing.');
|
|
Assertion::eq($header['alg'], 'ES256', 'The expected "alg" parameter value should be "ES256".');
|
|
Assertion::keyExists($header, 'x5c', 'The "x5c" parameter is missing.');
|
|
Assertion::isArray($header['x5c'], 'The "x5c" parameter should be an array.');
|
|
$key = JWKFactory::createFromX5C($header['x5c']);
|
|
$rootCertificates = array_map(static function (string $x509): string {
|
|
return CertificateToolbox::fixPEMStructure($x509);
|
|
}, $header['x5c']);
|
|
$algorithm = new ES256();
|
|
$isValid = $algorithm->verify($key, $signature->getEncodedProtectedHeader().'.'.$jws->getEncodedPayload(), $signature->getSignature());
|
|
Assertion::true($isValid, 'Invalid response from the metadata service. The token signature is invalid.');
|
|
|
|
return $jws->getPayload();
|
|
}
|
|
}
|