[pull] master from lbuchs:master

.gitignore

@@ -1,7 +1,13 @@
-# Netbeans project
-nbproject/
-/index.php
+# ide folders
+nbproject
+.idea
 
+# redirect page
+index.php
+
+# composer things
+composer.lock
+vendor
 
 # .pem files from FIDO Alliance Metadata Service (MDS)
 _test/rootCertificates/mds/*.pem

_test/client.html

@@ -279,8 +279,8 @@
          * @returns {undefined}
          */
         window.onload = function() {
-            if (location.protocol !== 'https:' && location.host !== 'localhost') {
-                location.href = location.href.replace('http', 'https');
+            if (!window.isSecureContext && location.protocol !== 'https:') {                
+                location.href = location.href.replace('http://', 'https://');
             }
             if (!document.getElementById('rpId').value) {
                 document.getElementById('rpId').value = location.hostname;

_test/rootCertificates/solokey_f1.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID6TCCAdGgAwIBAgIUUAjLh3ownidqbj5fboDmufVXiecwDQYJKoZIhvcNAQEL
+BQAwMjERMA8GA1UECgwIU29sb0tleXMxCzAJBgNVBAYTAkNIMRAwDgYDVQQDDAdS
+b290IFIxMCAXDTIxMDUyODA4MjQxMloYDzIwNzEwNTE2MDgyNDEyWjAtMREwDwYD
+VQQKDAhTb2xvS2V5czELMAkGA1UEBhMCQ0gxCzAJBgNVBAMMAkYxMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEPCcSladE9kbZ0XI7jmtceNSHVrC1Rx0d3U8aMvKS
+CJimYSe7c0Jy7CZpw7TU6N6chNx6Q1jaZ/B3ZjPLGZBOMqOBxDCBwTAdBgNVHQ4E
+FgQUQWu2S++iGQ3kYl/9KQSWuYIptPgwHwYDVR0jBBgwFoAUVOPVaecSkRBulbOE
+QMfZOr8x1dcwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwMgYI
+KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAChhZodHRwOi8vaS5zMnBraS5uZXQvcjEv
+MCcGA1UdHwQgMB4wHKAaoBiGFmh0dHA6Ly9jLnMycGtpLm5ldC9yMS8wDQYJKoZI
+hvcNAQELBQADggIBACVIymBmQwWwIUKnffptCJPeAn4m+Vy7ntr6KeS6aM7NI3cb
+xzRq5tHOugtjFJsBSGynbF0/Kc+VnGR2lCFuVKeuusFsAhk4F13jaOTPSTWTXK6k
+2TdoqZ6wIqmQ7bAZVYqcE21ZkM/Bo5Ej+PZacGjlGaEHwjL5CU2scnZeqS8d1ago
+MCIfvRlYd2vkbPjqQx0t5jzEKZ7hF4y77kh0JArYpgpp0Sq4P96pPDwIZCvVGmGi
+jhNOie0UnF6trfTD1AAXtlPqYPK9gNpXlN2IhsIpNMf7YA9R1zjVvnfYnFS6Tr73
+0UzBct6jC9JompqvAo9NIe6cu/Qkc/KUL4JDt9iJWB8RN2aAnVCYQ+xT4evVFQCV
+F/1pbeSvFfPqCfazkSPIiff7n9Tmk1Wwe3VmkuU7HUmAkYaLazs7DLY/Cp0/1V1K
+pURMyawlUtv2J4PQqvOnMGUYupxp2l3DjdzHMx8RE+caCM2PxzPsUucLVHdOkBW2
+h6U5PIWJuZtbiabwFmQXahqSNkRO6kXRvedowqaHNZiIFi4VKqPHrJrEhNhncfJ/
+jwAAThoo5yyEgh3a+THoZKOFfZhzFJA9MVMwqQB00iSsF5HKC+MFUkHpKaV2DVjS
+mPXOYy4biL8XkOqQeJUuB5sQ/2LYxaaXj1dBrnR3cklHp2KKacWYdnLdEe8I
+-----END CERTIFICATE-----

_test/rootCertificates/solokey_r1.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFVzCCAz+gAwIBAgIUR9xt5vBCCwFTaFGS3VFH0v49lmUwDQYJKoZIhvcNAQEL
+BQAwMjERMA8GA1UECgwIU29sb0tleXMxCzAJBgNVBAYTAkNIMRAwDgYDVQQDDAdS
+b290IFIxMCAXDTIxMDUyMTIyMTA1M1oYDzIwNzEwNTA5MjIxMDUzWjAyMREwDwYD
+VQQKDAhTb2xvS2V5czELMAkGA1UEBhMCQ0gxEDAOBgNVBAMMB1Jvb3QgUjEwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCBybLOEMbhPyBEaHeqXJQUfRgd
+xZHFtum2oXknCineXh8NXBL8PJLJEYi4Clv/QQGj+VPGPOcF1nwMX5BsmTYsLPMo
+Rt7npI/xaPYdW/ByIvQQNqH3NTQjt8j4Wz0XWHL/VuqNFGZAdI4GN00NifKH1FCy
+wOgwyKHl74XmMJLzzigFoo8m5ZPD+uw7ZRt1Q28jFTJiB2qyMX1rn2wHZLnHHhgs
+wp0uApnQw5CGmhK3pkW8U9Gr3JH6K0q6NwZ4Pp1DPJFbl4J9cPFP2o25sOsf+jjX
+4Ko2J97qndoRxHFWjh6HLvbq6/RyySbVGBsBeep92QXidf/3Vgc+6xkgTmlWL+5W
+6mj7F8zhPAz8l8m3HEv/pVdsJikwrR2FAllw4T2nBYXhdJ4lPdH9HYZrbmyGVOcD
+1M/hQ2d/7X0H1K40KV1li1nYJHxkfcDKHeI5RcAaLE+n6ctLS5KqyJ0MXmmga6I7
+rd5cTfQqjYQm/YbfShK6ZsmsGC/KJGmFbx9kqsMbcg7a2qF1RT0WPFJd2F1glaon
+tsqPwFDi5mR7M46tjLAWJx2Wu5mbACedRoxKPMe8l+b1CQ7k+temvxNK0IvM38St
+z9UiVpl0VwACNpJ2MobM+XJNQNCbMbBt0n6wPmftqI5taoFxPTNM6t1F2utsjbdn
+M1/WUKOh5lhheBMDWQIDAQABo2MwYTAdBgNVHQ4EFgQUVOPVaecSkRBulbOEQMfZ
+Or8x1dcwHwYDVR0jBBgwFoAUVOPVaecSkRBulbOEQMfZOr8x1dcwDwYDVR0TAQH/
+BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAEh5VMjC
+YnWzJK8Rolmsbmpa7LQiS+WKk2ihYZRLUYlzET5+MDmue+n4sBuuuXPLaQsdnTSO
+xqmVts8bneacEckr0y8j5/2o5/5UPjAchXXK6PwHqnajk2kzCIH2tWTyhpKcxF1i
+fQo9RGA6igOjes8vMmKCFQg3A88wiAtrafgf/I3fVSHJOSeU29nqmVNHGU4tQFu0
+Frx/d3y5elo5rZpld71DwRA83qLUgJ3liancoSb/icR8igGyLxCcxmKU5fFItiG9
+4x+egnblyYfuhLbXU0k8LXJVMdDImZHEyI80EHOSpV3wZR5LyfiXu3fygxtOm6tL
+fi1khkJIfIPMyV1Y4B7y6zOlHbneF1F8P4pTjHTYFHKhNm1wWffrqgLDYdtLAXSV
+tyDM0zjtoRSHRYWsuwbeWdwoWHQeLkPzMtmFkHrPi0i3iv4GaianTnE1k1lX8Xf4
+HbWBHXoVJCoAwycJJqX2SPZwFlWGp8IMGLUNzjFtLP+D7pdUSBgkDqz6FumZQGx/
+KLHugnolEb8ZiOZKbaPOjc9EmXFjA42y4vXAip6ZZ2FfuWDqkPaU1WfM95cE0hf5
+BSbfxSSQ2V3z4sywzkfQxr7q2mYzJ9C2NhLYXMrc98L9uEd0O7dO0eEF+44gc5O7
+Bc7NuTA9//IG8nJb0MvD76TxHPlZuVnMdMb6
+-----END CERTIFICATE-----

_test/server.php

@@ -116,6 +116,8 @@
         // add root certificates to validate new registrations
         if (filter_input(INPUT_GET, 'solo')) {
             $WebAuthn->addRootCertificates('rootCertificates/solo.pem');
+            $WebAuthn->addRootCertificates('rootCertificates/solokey_f1.pem');
+            $WebAuthn->addRootCertificates('rootCertificates/solokey_r1.pem');
         }
         if (filter_input(INPUT_GET, 'apple')) {
             $WebAuthn->addRootCertificates('rootCertificates/apple.pem');
@@ -198,14 +200,14 @@
     // ------------------------------------
 
     } else if ($fn === 'processCreate') {
-        $clientDataJSON = base64_decode($post->clientDataJSON);
-        $attestationObject = base64_decode($post->attestationObject);
-        $challenge = $_SESSION['challenge'];
+        $clientDataJSON = !empty($post->clientDataJSON) ? base64_decode($post->clientDataJSON) : null;
+        $attestationObject = !empty($post->attestationObject) ? base64_decode($post->attestationObject) : null;
+        $challenge = $_SESSION['challenge'] ?? null;
 
         // processCreate returns data to be stored for future logins.
         // in this example we store it in the php session.
-        // Normaly you have to store the data in a database connected
-        // with the user name.
+        // Normally you have to store the data in a database connected
+        // with the username.
         $data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $userVerification === 'required', true, false);
 
         // add user infos
@@ -237,11 +239,11 @@
     // ------------------------------------
 
     } else if ($fn === 'processGet') {
-        $clientDataJSON = base64_decode($post->clientDataJSON);
-        $authenticatorData = base64_decode($post->authenticatorData);
-        $signature = base64_decode($post->signature);
-        $userHandle = base64_decode($post->userHandle);
-        $id = base64_decode($post->id);
+        $clientDataJSON = !empty($post->clientDataJSON) ? base64_decode($post->clientDataJSON) : null;
+        $authenticatorData = !empty($post->authenticatorData) ? base64_decode($post->authenticatorData) : null;
+        $signature = !empty($post->signature) ? base64_decode($post->signature) : null;
+        $userHandle = !empty($post->userHandle) ? base64_decode($post->userHandle) : null;
+        $id = !empty($post->id) ? base64_decode($post->id) : null;
         $challenge = $_SESSION['challenge'] ?? '';
         $credentialPublicKey = null;
 

composer.json

@@ -2,7 +2,7 @@
     "name": "lbuchs/webauthn",
     "description": "A simple PHP WebAuthn (FIDO2) server library",
     "keywords": [
-        "webauthn", "authentication"
+        "webauthn", "authentication", "passkey"
     ],
     "homepage": "https://github.com/lbuchs/webauthn",
     "license": "MIT",
@@ -13,7 +13,9 @@
         }
     ],
     "require": {
-        "php" : ">=8.0.0"
+        "php" : ">=8.0.0",
+        "ext-openssl": "*",
+        "ext-mbstring": "*"
     },
     "autoload": {
         "psr-4": {

src/Attestation/Format/FormatBase.php

@@ -89,7 +89,7 @@ protected function _createCertificatePem($x5c) {
 
     /**
      * creates a PEM encoded chain file
-     * @return type
+     * @return string|null
      */
     protected function _createX5cChainFile() {
         $content = '';

src/WebAuthn.php

@@ -30,6 +30,7 @@ class WebAuthn {
     private $_signatureCounter;
     private $_caFiles;
     private $_formats;
+    private $_androidKeyHashes;
 
     /**
      * Initialize a new WebAuthn server
@@ -90,6 +91,23 @@ public function addRootCertificates($path, $certFileExtensions=null) {
         }
     }
 
+    /**
+     * add key hashes for android verification
+     * @param array<string> $hashes
+     * @return void
+     */
+    public function addAndroidKeyHashes($hashes) {
+        if (!\is_array($this->_androidKeyHashes)) {
+            $this->_androidKeyHashes = [];
+        }
+
+        foreach ($hashes as $hash) {
+            if (is_string($hash)) {
+                $this->_androidKeyHashes[] = $hash;
+            }
+        }
+    }
+
     /**
      * Returns the generated challenge to save for later validation
      * @return ByteBuffer
@@ -154,7 +172,7 @@ public function getCreateArgs($userId, $userName, $userDisplayName, $timeout=20,
             $args->publicKey->authenticatorSelection->requireResidentKey = $requireResidentKey === 'required';
         }
 
-        // filte authenticators attached with the specified authenticator attachment modality
+        // filter authenticators attached with the specified authenticator attachment modality
         if (\is_bool($crossPlatformAttachment)) {
             $args->publicKey->authenticatorSelection->authenticatorAttachment = $crossPlatformAttachment ? 'cross-platform' : 'platform';
         }
@@ -603,6 +621,10 @@ public function queryFidoMetaDataService($certFolder, $deleteCerts=true) {
      * @throws WebAuthnException
      */
     private function _checkOrigin($origin) {
+        if (str_starts_with($origin, 'android:apk-key-hash:')) {
+            return $this->_checkAndroidKeyHashes($origin);
+        }
+
         // https://www.w3.org/TR/webauthn/#rp-id
 
         // The origin's scheme must be https
@@ -619,6 +641,19 @@ private function _checkOrigin($origin) {
         return \preg_match('/' . \preg_quote($this->_rpId) . '$/i', $host) === 1;
     }
 
+    /**
+     * checks if the origin value contains a known android key hash
+     * @param string $origin
+     * @return boolean
+     */
+    private function _checkAndroidKeyHashes($origin) {
+        $parts = explode('android:apk-key-hash:', $origin);
+        if (count($parts) !== 2) {
+            return false;
+        }
+        return in_array($parts[1], $this->_androidKeyHashes, true);
+    }
+
     /**
      * generates a new challange
      * @param int $length