├── src ├── Signal │ ├── Signal.php │ ├── CurrentUserDetails.php │ ├── UnknownCredential.php │ └── AllAcceptedCredentials.php ├── Event │ ├── WebauthnEvent.php │ ├── CanDispatchEvents.php │ ├── NullEventDispatcher.php │ ├── AttestationObjectLoaded.php │ ├── MetadataStatementFound.php │ ├── AttestationStatementLoaded.php │ ├── AuthenticatorAttestationResponseValidationFailedEvent.php │ ├── BeforeCertificateChainValidation.php │ ├── CertificateChainValidationFailed.php │ ├── CertificateChainValidationSucceeded.php │ ├── BackupEligibilityChangedEvent.php │ ├── AuthenticatorAttestationResponseValidationSucceededEvent.php │ ├── BackupStatusChangedEvent.php │ ├── AuthenticatorAssertionResponseValidationSucceededEvent.php │ └── AuthenticatorAssertionResponseValidationFailedEvent.php ├── TrustPath │ ├── TrustPath.php │ ├── EmptyTrustPath.php │ └── CertificateTrustPath.php ├── Exception │ ├── AttestationStatementException.php │ ├── MetadataStatementException.php │ ├── RevokedCertificateException.php │ ├── WebauthnException.php │ ├── InvalidTrustPathException.php │ ├── MetadataServiceException.php │ ├── UnsupportedFeatureException.php │ ├── AuthenticationExtensionException.php │ ├── AuthenticatorResponseVerificationException.php │ ├── InvalidUserHandleException.php │ ├── CertificateException.php │ ├── AttestationStatementVerificationException.php │ ├── MetadataStatementLoadingException.php │ ├── ExpiredCertificateException.php │ ├── InvalidDataException.php │ ├── InvalidCertificateException.php │ ├── CertificateRevocationListException.php │ ├── MissingMetadataStatementException.php │ ├── CounterException.php │ ├── InvalidAttestationStatementException.php │ ├── AttestationStatementLoadingException.php │ └── CertificateChainException.php ├── CeremonyStep │ ├── TopOriginValidator.php │ ├── HostTopOriginValidator.php │ ├── CeremonyStep.php │ ├── CheckCredentialId.php │ ├── CeremonyStepManager.php │ ├── CheckChallenge.php │ ├── CheckBackupBitsAreConsistent.php │ ├── CheckCounter.php │ ├── CheckHasAttestedCredentialData.php │ ├── CheckAllowedCredentialList.php │ ├── CheckExtensions.php │ ├── CheckClientDataCollectorType.php │ ├── CheckTopOrigin.php │ ├── CheckUserVerification.php │ ├── CheckUserHandle.php │ ├── CheckUserWasPresent.php │ ├── CheckAttestationFormatIsKnownAndValid.php │ └── CheckRelyingPartyIdIdHash.php ├── AuthenticationExtensions │ ├── PseudoRandomFunctionInputExtension.php │ ├── ExtensionOutputChecker.php │ ├── AppIdExcludeInputExtension.php │ ├── AuthenticationExtension.php │ ├── UvmInputExtension.php │ ├── AppIdInputExtension.php │ ├── CredentialPropertiesInputExtension.php │ ├── ExtensionOutputError.php │ ├── ExtensionOutputCheckerHandler.php │ ├── AuthenticationExtensionLoader.php │ ├── LargeBlobInputExtension.php │ ├── PseudoRandomFunctionInputExtensionBuilder.php │ └── AuthenticationExtensions.php ├── MetadataService │ ├── CanLogData.php │ ├── MetadataStatementRepository.php │ ├── StatusReportRepository.php │ ├── CertificateChain │ │ ├── CertificateChainValidator.php │ │ └── CertificateToolbox.php │ ├── Statement │ │ ├── RogueListEntry.php │ │ ├── AuthenticatorGetInfo.php │ │ ├── AlternativeDescriptions.php │ │ ├── VerificationMethodANDCombinations.php │ │ ├── AbstractDescriptor.php │ │ ├── RgbPaletteEntry.php │ │ ├── Version.php │ │ ├── PatternAccuracyDescriptor.php │ │ ├── BiometricAccuracyDescriptor.php │ │ ├── ExtensionDescriptor.php │ │ ├── CodeAccuracyDescriptor.php │ │ ├── BiometricStatusReport.php │ │ ├── StatusReport.php │ │ ├── DisplayPNGCharacteristicsDescriptor.php │ │ └── AuthenticatorStatus.php │ └── Service │ │ ├── MetadataBLOBPayload.php │ │ ├── MetadataService.php │ │ ├── ChainedMetadataServices.php │ │ ├── InMemoryMetadataService.php │ │ ├── MetadataBLOBPayloadEntry.php │ │ ├── JsonMetadataService.php │ │ ├── FolderResourceMetadataService.php │ │ └── LocalResourceMetadataService.php ├── AttestationStatement │ ├── AttestationStatementSupportManagerAwareInterface.php │ ├── AttestationStatementSupportManagerAwareTrait.php │ ├── AttestationStatementSupport.php │ ├── AttestationObject.php │ ├── AttestationStatementSupportManager.php │ ├── NoneAttestationStatementSupport.php │ └── AttestationStatement.php ├── Counter │ ├── CounterChecker.php │ └── ThrowExceptionIfInvalid.php ├── AuthenticatorResponse.php ├── FakeCredentialGenerator.php ├── Credential.php ├── PublicKeyCredentialRpEntity.php ├── PublicKeyCredentialParameters.php ├── Util │ ├── Base64.php │ └── CoseSignatureFixer.php ├── ClientDataCollector │ ├── ClientDataCollector.php │ ├── WebauthnAuthenticationCollector.php │ └── ClientDataCollectorManager.php ├── AttestedCredentialData.php ├── PublicKeyCredentialUserEntity.php ├── Url.php ├── PublicKeyCredential.php ├── AuthenticatorAttestationResponse.php ├── Denormalizer │ ├── AuthenticationExtensionNormalizer.php │ ├── ExtensionDescriptorDenormalizer.php │ ├── CollectedClientDataDenormalizer.php │ ├── PublicKeyCredentialParametersDenormalizer.php │ ├── AttestationStatementDenormalizer.php │ ├── PublicKeyCredentialRpEntityDenormalizer.php │ ├── AttestedCredentialDataNormalizer.php │ ├── PublicKeyCredentialDescriptorNormalizer.php │ ├── SignalUnknownCredentialDenormalizer.php │ ├── VerificationMethodANDCombinationsDenormalizer.php │ ├── SignalCurrentUserDetailsDenormalizer.php │ ├── AuthenticatorResponseDenormalizer.php │ ├── PublicKeyCredentialDenormalizer.php │ ├── UrlNormalizer.php │ ├── SignalAllAcceptedCredentialsDenormalizer.php │ ├── PublicKeyCredentialUserEntityDenormalizer.php │ ├── AuthenticatorAttestationResponseDenormalizer.php │ ├── TrustPathDenormalizer.php │ ├── AuthenticationExtensionsDenormalizer.php │ ├── AttestationObjectDenormalizer.php │ └── AuthenticatorAssertionResponseDenormalizer.php ├── AuthenticatorAssertionResponse.php ├── PublicKeyCredentialEntity.php ├── PasskeyEndpointsResponse.php ├── StringStream.php ├── PublicKeyCredentialDescriptor.php ├── U2FPublicKey.php ├── PublicKeyCredentialOptions.php ├── SimpleFakeCredentialGenerator.php ├── PublicKeyCredentialSource.php ├── CredentialRecord.php ├── PublicKeyCredentialRequestOptions.php ├── AuthenticatorData.php └── AuthenticatorSelectionCriteria.php ├── LICENSE └── composer.json /src/Signal/Signal.php: -------------------------------------------------------------------------------- 1 | attestationStatementSupportManager = $manager; 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /src/Event/AttestationObjectLoaded.php: -------------------------------------------------------------------------------- 1 | $info 11 | */ 12 | public function __construct( 13 | public array $info = [] 14 | ) { 15 | } 16 | 17 | /** 18 | * @param array $info 19 | */ 20 | public static function create(array $info = []): self 21 | { 22 | return new self($info); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /src/TrustPath/CertificateTrustPath.php: -------------------------------------------------------------------------------- 1 | $descriptions 11 | */ 12 | public function __construct( 13 | public array $descriptions = [] 14 | ) { 15 | } 16 | 17 | /** 18 | * @param array $descriptions 19 | */ 20 | public static function create(array $descriptions = []): self 21 | { 22 | return new self($descriptions); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /src/PublicKeyCredentialParameters.php: -------------------------------------------------------------------------------- 1 | $attestation 15 | */ 16 | public function load(array $attestation): AttestationStatement; 17 | 18 | public function isValid( 19 | string $clientDataJSONHash, 20 | AttestationStatement $attestationStatement, 21 | AuthenticatorData $authenticatorData 22 | ): bool; 23 | } 24 | -------------------------------------------------------------------------------- /src/CeremonyStep/HostTopOriginValidator.php: -------------------------------------------------------------------------------- 1 | host || throw AuthenticatorResponseVerificationException::create( 19 | 'The top origin does not correspond to the host.' 20 | ); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /src/Signal/AllAcceptedCredentials.php: -------------------------------------------------------------------------------- 1 | = 0 || throw MetadataStatementLoadingException::create( 16 | 'Invalid data. The value of "maxRetries" must be a positive integer' 17 | ); 18 | $blockSlowdown >= 0 || throw MetadataStatementLoadingException::create( 19 | 'Invalid data. The value of "blockSlowdown" must be a positive integer' 20 | ); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /src/AuthenticationExtensions/ExtensionOutputCheckerHandler.php: -------------------------------------------------------------------------------- 1 | checkers[] = $checker; 22 | } 23 | 24 | public function check(AuthenticationExtensions $inputs, AuthenticationExtensions $outputs): void 25 | { 26 | foreach ($this->checkers as $checker) { 27 | $checker->check($inputs, $outputs); 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/CeremonyStep/CeremonyStep.php: -------------------------------------------------------------------------------- 1 | = 0 && $r <= 255) || throw MetadataStatementLoadingException::create('The key "r" is invalid'); 17 | ($g >= 0 && $g <= 255) || throw MetadataStatementLoadingException::create('The key "g" is invalid'); 18 | ($b >= 0 && $b <= 255) || throw MetadataStatementLoadingException::create('The key "b" is invalid'); 19 | } 20 | 21 | public static function create(int $r, int $g, int $b): self 22 | { 23 | return new self($r, $g, $b); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /src/AuthenticationExtensions/AuthenticationExtensionLoader.php: -------------------------------------------------------------------------------- 1 | normalize(); 17 | return AuthenticationExtensions::create( 18 | array_map( 19 | fn (mixed $value, string $key) => AuthenticationExtension::create($key, $value), 20 | $data, 21 | array_keys($data) 22 | ) 23 | ); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /src/Exception/InvalidAttestationStatementException.php: -------------------------------------------------------------------------------- 1 | = 0 || throw MetadataStatementLoadingException::create('Invalid argument "major"'); 19 | $minor >= 0 || throw MetadataStatementLoadingException::create('Invalid argument "minor"'); 20 | } 21 | 22 | public static function create(?int $major, ?int $minor): self 23 | { 24 | return new self($major, $minor); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/Exception/AttestationStatementLoadingException.php: -------------------------------------------------------------------------------- 1 | $attestation 13 | */ 14 | public function __construct( 15 | public readonly array $attestation, 16 | string $message, 17 | ?Throwable $previous = null 18 | ) { 19 | parent::__construct($message, $previous); 20 | } 21 | 22 | /** 23 | * @param array $attestation 24 | */ 25 | public static function create( 26 | array $attestation, 27 | string $message = 'Invalid attestation object', 28 | ?Throwable $previous = null 29 | ): self { 30 | return new self($attestation, $message, $previous); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/PublicKeyCredentialUserEntity.php: -------------------------------------------------------------------------------- 1 | id = $id; 23 | $this->name = $name; 24 | } 25 | 26 | public static function create(string $name, string $id, string $displayName, ?string $icon = null): self 27 | { 28 | return new self($name, $id, $displayName, $icon); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/MetadataService/Statement/PatternAccuracyDescriptor.php: -------------------------------------------------------------------------------- 1 | = 0 || throw MetadataStatementLoadingException::create( 17 | 'Invalid data. The value of "minComplexity" must be a positive integer' 18 | ); 19 | parent::__construct($maxRetries, $blockSlowdown); 20 | } 21 | 22 | public static function create(int $minComplexity, ?int $maxRetries = null, ?int $blockSlowdown = null): self 23 | { 24 | return new self($minComplexity, $maxRetries, $blockSlowdown); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/Url.php: -------------------------------------------------------------------------------- 1 | $params Route parameters (only used when path is a route name) 18 | */ 19 | public function __construct( 20 | public string $path, 21 | public array $params = [], 22 | ) { 23 | } 24 | 25 | /** 26 | * @param array $params Route parameters 27 | */ 28 | public static function create(string $path, array $params = []): self 29 | { 30 | return new self($path, $params); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/MetadataService/Statement/BiometricAccuracyDescriptor.php: -------------------------------------------------------------------------------- 1 | response instanceof AuthenticatorAttestationResponse ? $this->response->transports : []; 28 | 29 | return PublicKeyCredentialDescriptor::create($this->type, $this->rawId, $transport); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /src/AuthenticatorAttestationResponse.php: -------------------------------------------------------------------------------- 1 | = 0 || throw MetadataStatementLoadingException::create( 21 | 'Invalid data. The parameter "tag" shall be a positive integer' 22 | ); 23 | } 24 | } 25 | 26 | public static function create( 27 | string $id, 28 | ?int $tag = null, 29 | ?string $data = null, 30 | bool $failIfUnknown = false 31 | ): self { 32 | return new self($id, $tag, $data, $failIfUnknown); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /src/AuthenticationExtensions/LargeBlobInputExtension.php: -------------------------------------------------------------------------------- 1 | $support, 22 | ]); 23 | } 24 | 25 | public static function read(): AuthenticationExtension 26 | { 27 | return self::create('largeBlob', [ 28 | 'read' => true, 29 | ]); 30 | } 31 | 32 | public static function write(string $value): AuthenticationExtension 33 | { 34 | return self::create('largeBlob', [ 35 | 'write' => $value, 36 | ]); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /src/Denormalizer/AuthenticationExtensionNormalizer.php: -------------------------------------------------------------------------------- 1 | 15 | */ 16 | public function getSupportedTypes(?string $format): array 17 | { 18 | return [ 19 | AuthenticationExtension::class => true, 20 | ]; 21 | } 22 | 23 | /** 24 | * @return array 25 | */ 26 | public function normalize(mixed $object, ?string $format = null, array $context = []): array 27 | { 28 | assert($object instanceof AuthenticationExtension); 29 | 30 | return $object->value; 31 | } 32 | 33 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 34 | { 35 | return $data instanceof AuthenticationExtension; 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018-2022 Spomky-Labs 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /src/MetadataService/Statement/CodeAccuracyDescriptor.php: -------------------------------------------------------------------------------- 1 | = 0 || throw MetadataStatementLoadingException::create( 18 | 'Invalid data. The value of "base" must be a positive integer' 19 | ); 20 | $minLength >= 0 || throw MetadataStatementLoadingException::create( 21 | 'Invalid data. The value of "minLength" must be a positive integer' 22 | ); 23 | parent::__construct($maxRetries, $blockSlowdown); 24 | } 25 | 26 | public static function create(int $base, int $minLength, ?int $maxRetries = null, ?int $blockSlowdown = null): self 27 | { 28 | return new self($base, $minLength, $maxRetries, $blockSlowdown); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/Exception/CertificateChainException.php: -------------------------------------------------------------------------------- 1 | $untrustedCertificates 13 | * @param array $trustedCertificates 14 | */ 15 | public function __construct( 16 | public readonly array $untrustedCertificates, 17 | public readonly array $trustedCertificates, 18 | string $message, 19 | ?Throwable $previous = null 20 | ) { 21 | parent::__construct($message, $previous); 22 | } 23 | 24 | /** 25 | * @param array $untrustedCertificates 26 | * @param array $trustedCertificates 27 | */ 28 | public static function create( 29 | array $untrustedCertificates, 30 | array $trustedCertificates, 31 | string $message = 'Unable to validate the certificate chain.', 32 | ?Throwable $previous = null 33 | ): self { 34 | return new self($untrustedCertificates, $trustedCertificates, $message, $previous); 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/AuthenticatorAssertionResponse.php: -------------------------------------------------------------------------------- 1 | type, 29 | $this->supportedTypes(), 30 | true 31 | ) || throw AuthenticatorResponseVerificationException::create( 32 | sprintf('The client data type is not "%s" supported.', implode('", "', $this->supportedTypes())) 33 | ); 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /src/MetadataService/Statement/BiometricStatusReport.php: -------------------------------------------------------------------------------- 1 | 34 | */ 35 | public function getSupportedTypes(?string $format): array 36 | { 37 | return [ 38 | ExtensionDescriptor::class => true, 39 | ]; 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/PublicKeyCredentialEntity.php: -------------------------------------------------------------------------------- 1 | name = $name; 29 | 30 | if ($icon !== null) { 31 | trigger_deprecation( 32 | 'web-auth/webauthn-lib', 33 | '5.1.0', 34 | 'The parameter "$icon" is deprecated since 5.1.0 and will be removed in 6.0.0. This value has no effect. Please set "null" instead.' 35 | ); 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /src/Denormalizer/CollectedClientDataDenormalizer.php: -------------------------------------------------------------------------------- 1 | 33 | */ 34 | public function getSupportedTypes(?string $format): array 35 | { 36 | return [ 37 | CollectedClientData::class => true, 38 | ]; 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /src/Denormalizer/PublicKeyCredentialParametersDenormalizer.php: -------------------------------------------------------------------------------- 1 | 34 | */ 35 | public function getSupportedTypes(?string $format): array 36 | { 37 | return [ 38 | PublicKeyCredentialParameters::class => true, 39 | ]; 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/Denormalizer/AttestationStatementDenormalizer.php: -------------------------------------------------------------------------------- 1 | attestationStatementSupportManager->get($data['fmt']); 21 | 22 | return $attestationStatementSupport->load($data); 23 | } 24 | 25 | public function supportsDenormalization( 26 | mixed $data, 27 | string $type, 28 | ?string $format = null, 29 | array $context = [] 30 | ): bool { 31 | return $type === AttestationStatement::class; 32 | } 33 | 34 | /** 35 | * @return array 36 | */ 37 | public function getSupportedTypes(?string $format): array 38 | { 39 | return [ 40 | AttestationStatement::class => true, 41 | ]; 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /src/Denormalizer/PublicKeyCredentialRpEntityDenormalizer.php: -------------------------------------------------------------------------------- 1 | 15 | */ 16 | public function getSupportedTypes(?string $format): array 17 | { 18 | return [ 19 | PublicKeyCredentialRpEntity::class => true, 20 | ]; 21 | } 22 | 23 | /** 24 | * @return array 25 | */ 26 | public function normalize(mixed $object, ?string $format = null, array $context = []): ?array 27 | { 28 | assert($object instanceof PublicKeyCredentialRpEntity); 29 | $data = array_filter( 30 | [ 31 | 'id' => $object->id, 32 | 'name' => $object->name, 33 | 'icon' => $object->icon, 34 | ], 35 | static fn (?string $value): bool => ($value !== null && $value !== ''), 36 | ); 37 | 38 | return $data === [] ? null : $data; 39 | } 40 | 41 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 42 | { 43 | return $data instanceof PublicKeyCredentialRpEntity; 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /src/ClientDataCollector/ClientDataCollectorManager.php: -------------------------------------------------------------------------------- 1 | clientDataCollectors as $clientDataCollector) { 30 | if (in_array($collectedClientData->type, $clientDataCollector->supportedTypes(), true)) { 31 | $clientDataCollector->verifyCollectedClientData( 32 | $collectedClientData, 33 | $publicKeyCredentialOptions, 34 | $authenticatorResponse, 35 | $host 36 | ); 37 | return; 38 | } 39 | } 40 | 41 | throw AuthenticatorResponseVerificationException::create('No client data collector found.'); 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /src/Denormalizer/AttestedCredentialDataNormalizer.php: -------------------------------------------------------------------------------- 1 | 19 | */ 20 | public function normalize(mixed $data, ?string $format = null, array $context = []): array 21 | { 22 | assert($data instanceof AttestedCredentialData); 23 | $result = [ 24 | 'aaguid' => $this->normalizer->normalize($data->aaguid, $format, $context), 25 | 'credentialId' => base64_encode($data->credentialId), 26 | ]; 27 | if ($data->credentialPublicKey !== null) { 28 | $result['credentialPublicKey'] = base64_encode($data->credentialPublicKey); 29 | } 30 | 31 | return $result; 32 | } 33 | 34 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 35 | { 36 | return $data instanceof AttestedCredentialData; 37 | } 38 | 39 | public function getSupportedTypes(?string $format): array 40 | { 41 | return [ 42 | AttestedCredentialData::class => true, 43 | ]; 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /src/CeremonyStep/CheckCredentialId.php: -------------------------------------------------------------------------------- 1 | publicKeyCredentialId; 35 | strlen($credentialId) <= 1023 || throw new AuthenticatorResponseVerificationException( 36 | 'Credential ID too long.' 37 | ); 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /src/Denormalizer/PublicKeyCredentialDescriptorNormalizer.php: -------------------------------------------------------------------------------- 1 | 21 | */ 22 | public function normalize(mixed $data, ?string $format = null, array $context = []): array 23 | { 24 | assert($data instanceof PublicKeyCredentialDescriptor); 25 | $result = [ 26 | 'type' => $data->type, 27 | 'id' => Base64UrlSafe::encodeUnpadded($data->id), 28 | ]; 29 | if (count($data->transports) !== 0) { 30 | $result['transports'] = $data->transports; 31 | } 32 | 33 | return $result; 34 | } 35 | 36 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 37 | { 38 | return $data instanceof PublicKeyCredentialDescriptor; 39 | } 40 | 41 | public function getSupportedTypes(?string $format): array 42 | { 43 | return [ 44 | PublicKeyCredentialDescriptor::class => true, 45 | ]; 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /src/Denormalizer/SignalUnknownCredentialDenormalizer.php: -------------------------------------------------------------------------------- 1 | 19 | */ 20 | public function getSupportedTypes(?string $format): array 21 | { 22 | return [ 23 | UnknownCredential::class => true, 24 | ]; 25 | } 26 | 27 | /** 28 | * @return array 29 | */ 30 | public function normalize(mixed $data, ?string $format = null, array $context = []): array 31 | { 32 | assert($data instanceof UnknownCredential); 33 | 34 | $normalized_rp = $this->normalizer->normalize($data->rp, $format, $context); 35 | 36 | $normalized_credential = $this->normalizer->normalize($data->credential, $format, $context); 37 | 38 | return [ 39 | 'rpId' => $normalized_rp['id'], 40 | 'credentialId' => $normalized_credential['id'], 41 | ]; 42 | } 43 | 44 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 45 | { 46 | return $data instanceof UnknownCredential; 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /src/PasskeyEndpointsResponse.php: -------------------------------------------------------------------------------- 1 | 20 | */ 21 | public function getSupportedTypes(?string $format): array 22 | { 23 | return [ 24 | VerificationMethodANDCombinations::class => true, 25 | ]; 26 | } 27 | 28 | /** 29 | * @return array 30 | */ 31 | public function normalize(mixed $data, ?string $format = null, array $context = []): array 32 | { 33 | assert($data instanceof VerificationMethodANDCombinations); 34 | 35 | return array_map( 36 | fn ($verificationMethod) => $this->normalizer->normalize($verificationMethod, $format, $context), 37 | $data->verificationMethods 38 | ); 39 | } 40 | 41 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 42 | { 43 | return $data instanceof VerificationMethodANDCombinations; 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /src/Denormalizer/SignalCurrentUserDetailsDenormalizer.php: -------------------------------------------------------------------------------- 1 | 19 | */ 20 | public function getSupportedTypes(?string $format): array 21 | { 22 | return [ 23 | CurrentUserDetails::class => true, 24 | ]; 25 | } 26 | 27 | /** 28 | * @return array 29 | */ 30 | public function normalize(mixed $data, ?string $format = null, array $context = []): array 31 | { 32 | assert($data instanceof CurrentUserDetails); 33 | 34 | $normalized_rp = $this->normalizer->normalize($data->rp, $format, $context); 35 | 36 | $normalized_user = $this->normalizer->normalize($data->user, $format, $context); 37 | 38 | return [ 39 | 'rpId' => $normalized_rp['id'], 40 | 'userId' => $normalized_user['id'], 41 | 'name' => $normalized_user['name'], 42 | 'displayName' => $normalized_user['displayName'], 43 | ]; 44 | } 45 | 46 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 47 | { 48 | return $data instanceof CurrentUserDetails; 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /src/MetadataService/CertificateChain/CertificateToolbox.php: -------------------------------------------------------------------------------- 1 | self::fixPEMStructure($d, $type), $data); 23 | } 24 | 25 | public static function fixPEMStructure(string $data, string $type = 'CERTIFICATE'): string 26 | { 27 | if (str_contains($data, self::PEM_HEADER)) { 28 | return trim($data); 29 | } 30 | $pem = self::PEM_HEADER . $type . '-----' . PHP_EOL; 31 | $pem .= chunk_split($data, 64, PHP_EOL); 32 | 33 | return $pem . (self::PEM_FOOTER . $type . '-----' . PHP_EOL); 34 | } 35 | 36 | public static function convertDERToPEM(string $data, string $type = 'CERTIFICATE'): string 37 | { 38 | if (str_contains($data, self::PEM_HEADER)) { 39 | return $data; 40 | } 41 | 42 | return self::fixPEMStructure(base64_encode($data), $type); 43 | } 44 | 45 | /** 46 | * @param string[] $data 47 | * 48 | * @return string[] 49 | */ 50 | public static function convertAllDERToPEM(array $data, string $type = 'CERTIFICATE'): array 51 | { 52 | return array_map(static fn ($d): string => self::convertDERToPEM($d, $type), $data); 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /src/CeremonyStep/CeremonyStepManager.php: -------------------------------------------------------------------------------- 1 | steps as $step) { 42 | $step->process( 43 | $credentialRecord, 44 | $authenticatorResponse, 45 | $publicKeyCredentialOptions, 46 | $userHandle, 47 | $host 48 | ); 49 | } 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /src/StringStream.php: -------------------------------------------------------------------------------- 1 | length = strlen($data); 32 | $resource = fopen('php://memory', 'rb+'); 33 | assert($resource !== false, 'The resource could not be opened.'); 34 | fwrite($resource, $data); 35 | rewind($resource); 36 | $this->data = $resource; 37 | } 38 | 39 | public function read(int $length): string 40 | { 41 | if ($length <= 0) { 42 | return ''; 43 | } 44 | $read = fread($this->data, $length); 45 | assert($read !== false, 'The data could not be read.'); 46 | $bytesRead = strlen($read); 47 | strlen($read) === $length || throw InvalidDataException::create(null, sprintf( 48 | 'Out of range. Expected: %d, read: %d.', 49 | $length, 50 | $bytesRead 51 | )); 52 | $this->totalRead += $bytesRead; 53 | 54 | return $read; 55 | } 56 | 57 | public function close(): void 58 | { 59 | fclose($this->data); 60 | } 61 | 62 | public function isEOF(): bool 63 | { 64 | return $this->totalRead === $this->length; 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /src/CeremonyStep/CheckChallenge.php: -------------------------------------------------------------------------------- 1 | challenge !== '' || throw AuthenticatorResponseVerificationException::create( 34 | 'Invalid challenge.' 35 | ); 36 | hash_equals( 37 | $publicKeyCredentialOptions->challenge, 38 | $authenticatorResponse->clientDataJSON->challenge 39 | ) || throw AuthenticatorResponseVerificationException::create('Invalid challenge.'); 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/PublicKeyCredentialDescriptor.php: -------------------------------------------------------------------------------- 1 | logger = $logger; 25 | } 26 | 27 | public function check(CredentialRecord|PublicKeyCredentialSource $credentialRecord, int $currentCounter): void 28 | { 29 | if ($credentialRecord instanceof PublicKeyCredentialSource) { 30 | trigger_deprecation( 31 | 'web-auth/webauthn-lib', 32 | '5.3', 33 | 'Passing a PublicKeyCredentialSource to "%s::check()" is deprecated, pass a CredentialRecord instead.', 34 | self::class 35 | ); 36 | } 37 | 38 | try { 39 | $currentCounter > $credentialRecord->counter || throw CounterException::create( 40 | $currentCounter, 41 | $credentialRecord->counter, 42 | 'Invalid counter.' 43 | ); 44 | } catch (CounterException $throwable) { 45 | $this->logger->error('The counter is invalid', [ 46 | 'current' => $currentCounter, 47 | 'new' => $credentialRecord->counter, 48 | ]); 49 | throw $throwable; 50 | } 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /src/MetadataService/Service/ChainedMetadataServices.php: -------------------------------------------------------------------------------- 1 | addServices($service); 21 | } 22 | } 23 | 24 | public static function create(MetadataService ...$services): self 25 | { 26 | return new self(...$services); 27 | } 28 | 29 | public function addServices(MetadataService ...$services): self 30 | { 31 | foreach ($services as $service) { 32 | $this->services[] = $service; 33 | } 34 | 35 | return $this; 36 | } 37 | 38 | public function list(): iterable 39 | { 40 | foreach ($this->services as $service) { 41 | yield from $service->list(); 42 | } 43 | } 44 | 45 | public function has(string $aaguid): bool 46 | { 47 | foreach ($this->services as $service) { 48 | if ($service->has($aaguid)) { 49 | return true; 50 | } 51 | } 52 | 53 | return false; 54 | } 55 | 56 | public function get(string $aaguid): MetadataStatement 57 | { 58 | foreach ($this->services as $service) { 59 | if ($service->has($aaguid)) { 60 | return $service->get($aaguid); 61 | } 62 | } 63 | 64 | throw MissingMetadataStatementException::create($aaguid); 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /src/CeremonyStep/CheckBackupBitsAreConsistent.php: -------------------------------------------------------------------------------- 1 | authenticatorData : $authenticatorResponse->attestationObject->authData; 34 | if ($authData->isBackupEligible()) { 35 | return; 36 | } 37 | $authData->isBackedUp() !== true || throw AuthenticatorResponseVerificationException::create( 38 | 'Backup up bit is set but the backup is not eligible.' 39 | ); 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/Denormalizer/AuthenticatorResponseDenormalizer.php: -------------------------------------------------------------------------------- 1 | AuthenticatorAttestationResponse::class, 24 | array_key_exists('signature', $data) => AuthenticatorAssertionResponse::class, 25 | default => throw InvalidDataException::create($data, 'Unable to create the response object'), 26 | }; 27 | 28 | return $this->denormalizer->denormalize($data, $realType, $format, $context); 29 | } 30 | 31 | public function supportsDenormalization( 32 | mixed $data, 33 | string $type, 34 | ?string $format = null, 35 | array $context = [] 36 | ): bool { 37 | return $type === AuthenticatorResponse::class; 38 | } 39 | 40 | /** 41 | * @return array 42 | */ 43 | public function getSupportedTypes(?string $format): array 44 | { 45 | return [ 46 | AuthenticatorResponse::class => true, 47 | ]; 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /src/AuthenticationExtensions/PseudoRandomFunctionInputExtensionBuilder.php: -------------------------------------------------------------------------------- 1 | 14 | */ 15 | private array $values = []; 16 | 17 | private function __construct() 18 | { 19 | } 20 | 21 | public static function create(): self 22 | { 23 | return new self(); 24 | } 25 | 26 | public function withInputs(string $first, null|string $second = null): self 27 | { 28 | $eval = [ 29 | 'first' => Base64UrlSafe::encodeUnpadded($first), 30 | ]; 31 | if ($second !== null) { 32 | $eval['second'] = Base64UrlSafe::encodeUnpadded($second); 33 | } 34 | $this->values['eval'] = $eval; 35 | 36 | return $this; 37 | } 38 | 39 | public function withCredentialInputs(string $credentialId, string $first, null|string $second = null): self 40 | { 41 | $eval = [ 42 | 'first' => Base64UrlSafe::encodeUnpadded($first), 43 | ]; 44 | if ($second !== null) { 45 | $eval['second'] = Base64UrlSafe::encodeUnpadded($second); 46 | } 47 | if (! array_key_exists('evalByCredential', $this->values)) { 48 | $this->values['evalByCredential'] = []; 49 | } 50 | $this->values['evalByCredential'][$credentialId] = $eval; 51 | 52 | return $this; 53 | } 54 | 55 | public function build(): PseudoRandomFunctionInputExtension 56 | { 57 | return new PseudoRandomFunctionInputExtension('prf', $this->values); 58 | } 59 | } 60 | -------------------------------------------------------------------------------- /src/U2FPublicKey.php: -------------------------------------------------------------------------------- 1 | __toString(); 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /src/CeremonyStep/CheckCounter.php: -------------------------------------------------------------------------------- 1 | authenticatorData : $authenticatorResponse->attestationObject->authData; 39 | $storedCounter = $credentialRecord->counter; 40 | $responseCounter = $authData->signCount; 41 | if ($responseCounter !== 0 || $storedCounter !== 0) { 42 | $this->counterChecker->check($credentialRecord, $responseCounter); 43 | } 44 | $credentialRecord->counter = $responseCounter; 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /src/CeremonyStep/CheckHasAttestedCredentialData.php: -------------------------------------------------------------------------------- 1 | authenticatorData : $authenticatorResponse->attestationObject->authData; 34 | $authData 35 | ->hasAttestedCredentialData() || throw AuthenticatorResponseVerificationException::create( 36 | 'There is no attested credential data.' 37 | ); 38 | $authData->attestedCredentialData !== null || throw AuthenticatorResponseVerificationException::create( 39 | 'There is no attested credential data.' 40 | ); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /src/Denormalizer/PublicKeyCredentialDenormalizer.php: -------------------------------------------------------------------------------- 1 | denormalizer->denormalize($data['response'], AuthenticatorResponse::class, $format, $context), 35 | ); 36 | } 37 | 38 | public function supportsDenormalization( 39 | mixed $data, 40 | string $type, 41 | ?string $format = null, 42 | array $context = [] 43 | ): bool { 44 | return $type === PublicKeyCredential::class; 45 | } 46 | 47 | /** 48 | * @return array 49 | */ 50 | public function getSupportedTypes(?string $format): array 51 | { 52 | return [ 53 | PublicKeyCredential::class => true, 54 | ]; 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /src/CeremonyStep/CheckAllowedCredentialList.php: -------------------------------------------------------------------------------- 1 | allowCredentials) === 0) { 38 | return; 39 | } 40 | 41 | foreach ($publicKeyCredentialOptions->allowCredentials as $allowedCredential) { 42 | if (hash_equals($allowedCredential->id, $credentialRecord->publicKeyCredentialId)) { 43 | return; 44 | } 45 | } 46 | throw AuthenticatorResponseVerificationException::create('The credential ID is not allowed.'); 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /src/CeremonyStep/CheckExtensions.php: -------------------------------------------------------------------------------- 1 | authenticatorData : $authenticatorResponse->attestationObject->authData; 39 | $extensionsClientOutputs = $authData->extensions; 40 | if ($extensionsClientOutputs !== null) { 41 | $this->extensionOutputCheckerHandler->check( 42 | $publicKeyCredentialOptions->extensions, 43 | $extensionsClientOutputs 44 | ); 45 | } 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /src/AttestationStatement/AttestationStatementSupportManager.php: -------------------------------------------------------------------------------- 1 | add(new NoneAttestationStatementSupport()); 20 | foreach ($attestationStatementSupports as $attestationStatementSupport) { 21 | if ($attestationStatementSupport instanceof AttestationStatementSupportManagerAwareInterface) { 22 | $attestationStatementSupport->setAttestationStatementSupportManager($this); 23 | } 24 | $this->add($attestationStatementSupport); 25 | } 26 | } 27 | 28 | /** 29 | * @param AttestationStatementSupport[] $attestationStatementSupports 30 | */ 31 | public static function create(array $attestationStatementSupports = []): self 32 | { 33 | return new self($attestationStatementSupports); 34 | } 35 | 36 | public function add(AttestationStatementSupport $attestationStatementSupport): void 37 | { 38 | $this->attestationStatementSupports[$attestationStatementSupport->name()] = $attestationStatementSupport; 39 | } 40 | 41 | public function has(string $name): bool 42 | { 43 | return array_key_exists($name, $this->attestationStatementSupports); 44 | } 45 | 46 | public function get(string $name): AttestationStatementSupport 47 | { 48 | $this->has($name) || throw InvalidDataException::create($name, sprintf( 49 | 'The attestation statement format "%s" is not supported.', 50 | $name 51 | )); 52 | 53 | return $this->attestationStatementSupports[$name]; 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /src/PublicKeyCredentialOptions.php: -------------------------------------------------------------------------------- 1 | $extensions 28 | * @param string[] $hints 29 | * @protected 30 | */ 31 | public function __construct( 32 | public string $challenge, 33 | public null|int $timeout = null, 34 | null|array|AuthenticationExtensions $extensions = null, 35 | public array $hints = [], 36 | ) { 37 | ($this->timeout === null || $this->timeout > 0) || throw new InvalidArgumentException('Invalid timeout'); 38 | if ($extensions === null) { 39 | $this->extensions = AuthenticationExtensions::create(); 40 | } elseif ($extensions instanceof AuthenticationExtensions) { 41 | $this->extensions = $extensions; 42 | } else { 43 | $this->extensions = AuthenticationExtensions::create($extensions); 44 | } 45 | 46 | foreach ($this->hints as $hint) { 47 | is_string($hint) || throw new InvalidArgumentException('Invalid hint: hints must be strings'); 48 | in_array($hint, self::HINTS, true) || throw new InvalidArgumentException( 49 | sprintf('Invalid hint "%s". Allowed values are: %s', $hint, implode(', ', self::HINTS)) 50 | ); 51 | } 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /src/Util/CoseSignatureFixer.php: -------------------------------------------------------------------------------- 1 | =8.2", 24 | "ext-json": "*", 25 | "ext-openssl": "*", 26 | "paragonie/constant_time_encoding": "^2.6|^3.0", 27 | "phpdocumentor/reflection-docblock": "^5.3", 28 | "psr/clock": "^1.0", 29 | "psr/event-dispatcher": "^1.0", 30 | "psr/log": "^1.0|^2.0|^3.0", 31 | "spomky-labs/cbor-php": "^3.0", 32 | "symfony/clock": "^6.4|^7.0|^8.0", 33 | "symfony/uid": "^6.4|^7.0|^8.0", 34 | "spomky-labs/pki-framework": "^1.0", 35 | "symfony/property-info": "^6.4|^7.0|^8.0", 36 | "symfony/property-access": "^6.4|^7.0|^8.0", 37 | "symfony/serializer": "^6.4|^7.0|^8.0", 38 | "symfony/deprecation-contracts": "^3.2", 39 | "web-auth/cose-lib": "^4.2.3" 40 | }, 41 | "autoload": { 42 | "psr-4": { 43 | "Webauthn\\": "src/" 44 | } 45 | }, 46 | "extra": { 47 | "thanks": { 48 | "name": "web-auth/webauthn-framework", 49 | "url": "https://github.com/web-auth/webauthn-framework" 50 | } 51 | }, 52 | "suggest": { 53 | "psr/log-implementation": "Recommended to receive logs from the library", 54 | "symfony/event-dispatcher": "Recommended to use dispatched events", 55 | "web-token/jwt-library": "Mandatory for fetching Metadata Statement from distant sources" 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /src/CeremonyStep/CheckClientDataCollectorType.php: -------------------------------------------------------------------------------- 1 | clientDataCollectorManager = $clientDataCollectorManager ?? new ClientDataCollectorManager([ 24 | new WebauthnAuthenticationCollector(), 25 | ]); 26 | } 27 | 28 | public function process( 29 | CredentialRecord|PublicKeyCredentialSource $credentialRecord, 30 | AuthenticatorAssertionResponse|AuthenticatorAttestationResponse $authenticatorResponse, 31 | PublicKeyCredentialRequestOptions|PublicKeyCredentialCreationOptions $publicKeyCredentialOptions, 32 | ?string $userHandle, 33 | string $host 34 | ): void { 35 | if ($credentialRecord instanceof PublicKeyCredentialSource) { 36 | trigger_deprecation( 37 | 'web-auth/webauthn-lib', 38 | '5.3', 39 | 'Passing a PublicKeyCredentialSource to "%s::process()" is deprecated, pass a CredentialRecord instead.', 40 | self::class 41 | ); 42 | } 43 | $this->clientDataCollectorManager->collect( 44 | $authenticatorResponse->clientDataJSON, 45 | $publicKeyCredentialOptions, 46 | $authenticatorResponse, 47 | $host 48 | ); 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /src/CeremonyStep/CheckTopOrigin.php: -------------------------------------------------------------------------------- 1 | clientDataJSON->topOrigin; 39 | if ($topOrigin === null) { 40 | return; 41 | } 42 | if ($authenticatorResponse->clientDataJSON->crossOrigin !== true) { 43 | throw AuthenticatorResponseVerificationException::create('The response is not cross-origin.'); 44 | } 45 | if ($this->topOriginValidator === null) { 46 | (new HostTopOriginValidator($host))->validate($topOrigin); 47 | } else { 48 | $this->topOriginValidator->validate($topOrigin); 49 | } 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /src/MetadataService/Statement/StatusReport.php: -------------------------------------------------------------------------------- 1 | status, [ 55 | AuthenticatorStatus::ATTESTATION_KEY_COMPROMISE, 56 | AuthenticatorStatus::USER_KEY_PHYSICAL_COMPROMISE, 57 | AuthenticatorStatus::USER_KEY_REMOTE_COMPROMISE, 58 | AuthenticatorStatus::USER_VERIFICATION_BYPASS, 59 | ], true); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /src/Denormalizer/UrlNormalizer.php: -------------------------------------------------------------------------------- 1 | urlGenerator === null) { 32 | return $data->path; 33 | } 34 | 35 | // If the path is already a valid absolute URL (https://...), return it directly 36 | if (filter_var($data->path, FILTER_VALIDATE_URL) !== false) { 37 | return $data->path; 38 | } 39 | 40 | // Otherwise, try to generate an absolute URL from a Symfony route name 41 | try { 42 | return $this->urlGenerator->generate($data->path, $data->params, UrlGeneratorInterface::ABSOLUTE_URL); 43 | } catch (Throwable) { 44 | // If the URL cannot be generated, return the path as is 45 | return $data->path; 46 | } 47 | } 48 | 49 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 50 | { 51 | return $data instanceof Url; 52 | } 53 | 54 | /** 55 | * @return array 56 | */ 57 | public function getSupportedTypes(?string $format): array 58 | { 59 | return [ 60 | Url::class => true, 61 | ]; 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /src/CeremonyStep/CheckUserVerification.php: -------------------------------------------------------------------------------- 1 | userVerification : $publicKeyCredentialOptions->authenticatorSelection?->userVerification; 35 | if ($userVerification !== AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED) { 36 | return; 37 | } 38 | $authData = $authenticatorResponse instanceof AuthenticatorAssertionResponse ? $authenticatorResponse->authenticatorData : $authenticatorResponse->attestationObject->authData; 39 | $authData->isUserVerified() || throw AuthenticatorResponseVerificationException::create( 40 | 'User authentication required.' 41 | ); 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /src/MetadataService/Statement/DisplayPNGCharacteristicsDescriptor.php: -------------------------------------------------------------------------------- 1 | = 0 || throw MetadataStatementLoadingException::create('Invalid width'); 28 | $height >= 0 || throw MetadataStatementLoadingException::create('Invalid height'); 29 | ($bitDepth >= 0 && $bitDepth <= 254) || throw MetadataStatementLoadingException::create('Invalid bit depth'); 30 | ($colorType >= 0 && $colorType <= 254) || throw MetadataStatementLoadingException::create( 31 | 'Invalid color type' 32 | ); 33 | ($compression >= 0 && $compression <= 254) || throw MetadataStatementLoadingException::create( 34 | 'Invalid compression' 35 | ); 36 | ($filter >= 0 && $filter <= 254) || throw MetadataStatementLoadingException::create('Invalid filter'); 37 | ($interlace >= 0 && $interlace <= 254) || throw MetadataStatementLoadingException::create( 38 | 'Invalid interlace' 39 | ); 40 | } 41 | 42 | /** 43 | * @param RgbPaletteEntry[] $plte 44 | */ 45 | public static function create( 46 | int $width, 47 | int $height, 48 | int $bitDepth, 49 | int $colorType, 50 | int $compression, 51 | int $filter, 52 | int $interlace, 53 | array $plte = [] 54 | ): self { 55 | return new self($width, $height, $bitDepth, $colorType, $compression, $filter, $interlace, $plte); 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /src/Denormalizer/SignalAllAcceptedCredentialsDenormalizer.php: -------------------------------------------------------------------------------- 1 | 20 | */ 21 | public function getSupportedTypes(?string $format): array 22 | { 23 | return [ 24 | AllAcceptedCredentials::class => true, 25 | ]; 26 | } 27 | 28 | /** 29 | * @return array 30 | */ 31 | public function normalize(mixed $data, ?string $format = null, array $context = []): array 32 | { 33 | assert($data instanceof AllAcceptedCredentials); 34 | 35 | $normalized_rp = $this->normalizer->normalize($data->rp, $format, $context); 36 | 37 | $normalized_user = $this->normalizer->normalize($data->user, $format, $context); 38 | 39 | $normalized_credentials = array_map( 40 | fn (PublicKeyCredentialDescriptor $credential) => $this->normalizer->normalize( 41 | $credential, 42 | $format, 43 | $context 44 | ), 45 | $data->allAcceptedCredentials 46 | ); 47 | 48 | return [ 49 | 'rpId' => $normalized_rp['id'], 50 | 'userId' => $normalized_user['id'], 51 | 'allAcceptedCredentialIds' => array_map( 52 | fn (array $credential): string => $credential['id'], 53 | $normalized_credentials 54 | ), 55 | ]; 56 | } 57 | 58 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 59 | { 60 | return $data instanceof AllAcceptedCredentials; 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /src/Denormalizer/PublicKeyCredentialUserEntityDenormalizer.php: -------------------------------------------------------------------------------- 1 | 38 | */ 39 | public function getSupportedTypes(?string $format): array 40 | { 41 | return [ 42 | PublicKeyCredentialUserEntity::class => true, 43 | ]; 44 | } 45 | 46 | /** 47 | * @return array 48 | */ 49 | public function normalize(mixed $object, ?string $format = null, array $context = []): array 50 | { 51 | assert($object instanceof PublicKeyCredentialUserEntity); 52 | return [ 53 | 'id' => Base64UrlSafe::encodeUnpadded($object->id), 54 | 'name' => $object->name, 55 | 'displayName' => $object->displayName, 56 | ]; 57 | } 58 | 59 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 60 | { 61 | return $data instanceof PublicKeyCredentialUserEntity; 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /src/CeremonyStep/CheckUserHandle.php: -------------------------------------------------------------------------------- 1 | userHandle; 37 | $responseUserHandle = $authenticatorResponse->userHandle; 38 | if ($userHandle !== null) { //If the user was identified before the authentication ceremony was initiated, 39 | $credentialUserHandle === $userHandle || throw InvalidUserHandleException::create(); 40 | if ($responseUserHandle !== null && $responseUserHandle !== '') { 41 | $credentialUserHandle === $responseUserHandle || throw InvalidUserHandleException::create(); 42 | } 43 | } else { 44 | ($responseUserHandle !== '' && $credentialUserHandle === $responseUserHandle) || throw InvalidUserHandleException::create(); 45 | } 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /src/Denormalizer/AuthenticatorAttestationResponseDenormalizer.php: -------------------------------------------------------------------------------- 1 | denormalizer->denormalize( 26 | $data['clientDataJSON'], 27 | CollectedClientData::class, 28 | $format, 29 | $context 30 | ); 31 | $attestationObject = $this->denormalizer->denormalize( 32 | $data['attestationObject'], 33 | AttestationObject::class, 34 | $format, 35 | $context 36 | ); 37 | 38 | return AuthenticatorAttestationResponse::create( 39 | $clientDataJSON, 40 | $attestationObject, 41 | $data['transports'] ?? [], 42 | ); 43 | } 44 | 45 | public function supportsDenormalization( 46 | mixed $data, 47 | string $type, 48 | ?string $format = null, 49 | array $context = [] 50 | ): bool { 51 | return $type === AuthenticatorAttestationResponse::class; 52 | } 53 | 54 | /** 55 | * @return array 56 | */ 57 | public function getSupportedTypes(?string $format): array 58 | { 59 | return [ 60 | AuthenticatorAttestationResponse::class => true, 61 | ]; 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /src/MetadataService/Statement/AuthenticatorStatus.php: -------------------------------------------------------------------------------- 1 | requireUserPresence) { 47 | return; 48 | } 49 | 50 | $authData = $authenticatorResponse instanceof AuthenticatorAssertionResponse 51 | ? $authenticatorResponse->authenticatorData 52 | : $authenticatorResponse->attestationObject->authData; 53 | 54 | $authData->isUserPresent() || throw AuthenticatorResponseVerificationException::create( 55 | 'User was not present' 56 | ); 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /src/MetadataService/Service/InMemoryMetadataService.php: -------------------------------------------------------------------------------- 1 | addStatements($statement); 28 | } 29 | $this->dispatcher = new NullEventDispatcher(); 30 | } 31 | 32 | public function setEventDispatcher(EventDispatcherInterface $eventDispatcher): void 33 | { 34 | $this->dispatcher = $eventDispatcher; 35 | } 36 | 37 | public static function create(MetadataStatement ...$statements): self 38 | { 39 | return new self(...$statements); 40 | } 41 | 42 | public function addStatements(MetadataStatement ...$statements): self 43 | { 44 | foreach ($statements as $statement) { 45 | $aaguid = $statement->aaguid; 46 | if ($aaguid === null) { 47 | continue; 48 | } 49 | $this->statements[$aaguid] = $statement; 50 | } 51 | 52 | return $this; 53 | } 54 | 55 | public function list(): iterable 56 | { 57 | yield from array_keys($this->statements); 58 | } 59 | 60 | public function has(string $aaguid): bool 61 | { 62 | return array_key_exists($aaguid, $this->statements); 63 | } 64 | 65 | public function get(string $aaguid): MetadataStatement 66 | { 67 | array_key_exists($aaguid, $this->statements) || throw MissingMetadataStatementException::create($aaguid); 68 | $mds = $this->statements[$aaguid]; 69 | $this->dispatcher->dispatch(MetadataStatementFound::create($mds)); 70 | 71 | return $mds; 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /src/Event/BackupEligibilityChangedEvent.php: -------------------------------------------------------------------------------- 1 | getPublicKeyCredentialSource(); 34 | } 35 | 36 | throw new LogicException(sprintf('Undefined property: %s::$%s', self::class, $name)); 37 | } 38 | 39 | /** 40 | * @deprecated since 5.3, use credentialRecord instead. Will be removed in 6.0. 41 | */ 42 | public function getPublicKeyCredentialSource(): PublicKeyCredentialSource 43 | { 44 | if ($this->credentialRecord instanceof PublicKeyCredentialSource) { 45 | return $this->credentialRecord; 46 | } 47 | 48 | return PublicKeyCredentialSource::create( 49 | $this->credentialRecord->publicKeyCredentialId, 50 | $this->credentialRecord->type, 51 | $this->credentialRecord->transports, 52 | $this->credentialRecord->attestationType, 53 | $this->credentialRecord->trustPath, 54 | $this->credentialRecord->aaguid, 55 | $this->credentialRecord->credentialPublicKey, 56 | $this->credentialRecord->userHandle, 57 | $this->credentialRecord->counter, 58 | $this->credentialRecord->otherUI, 59 | $this->credentialRecord->backupEligible, 60 | $this->credentialRecord->backupStatus, 61 | $this->credentialRecord->uvInitialized, 62 | ); 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /src/Denormalizer/TrustPathDenormalizer.php: -------------------------------------------------------------------------------- 1 | CertificateTrustPath::create($data['x5c']), 23 | $data === [], isset($data['type']) && $data['type'] === EmptyTrustPath::class => EmptyTrustPath::create(), 24 | default => throw new InvalidTrustPathException('Unsupported trust path type'), 25 | }; 26 | } 27 | 28 | public function supportsDenormalization( 29 | mixed $data, 30 | string $type, 31 | ?string $format = null, 32 | array $context = [] 33 | ): bool { 34 | return $type === TrustPath::class; 35 | } 36 | 37 | /** 38 | * @return array 39 | */ 40 | public function getSupportedTypes(?string $format): array 41 | { 42 | return [ 43 | TrustPath::class => true, 44 | ]; 45 | } 46 | 47 | /** 48 | * @return array 49 | */ 50 | public function normalize(mixed $data, ?string $format = null, array $context = []): array 51 | { 52 | assert($data instanceof TrustPath); 53 | return match (true) { 54 | $data instanceof CertificateTrustPath => [ 55 | 'x5c' => $data->certificates, 56 | ], 57 | $data instanceof EmptyTrustPath => [], 58 | default => throw new InvalidTrustPathException('Unsupported trust path type'), 59 | }; 60 | } 61 | 62 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 63 | { 64 | return $data instanceof TrustPath; 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /src/SimpleFakeCredentialGenerator.php: -------------------------------------------------------------------------------- 1 | cache === null) { 25 | return $this->generateCredentials($username); 26 | } 27 | 28 | $cacheKey = 'fake_credentials_' . hash('xxh128', $username); 29 | $cacheItem = $this->cache->getItem($cacheKey); 30 | if ($cacheItem->isHit()) { 31 | return $cacheItem->get(); 32 | } 33 | 34 | $credentials = $this->generateCredentials($username); 35 | $cacheItem->set($credentials); 36 | $this->cache->save($cacheItem); 37 | 38 | return $credentials; 39 | } 40 | 41 | /** 42 | * @return PublicKeyCredentialDescriptor[] 43 | */ 44 | private function generateCredentials(string $username): array 45 | { 46 | $transports = [ 47 | PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_USB, 48 | PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_NFC, 49 | PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_BLE, 50 | ]; 51 | $credentials = []; 52 | for ($i = 0; $i < random_int(1, 3); $i++) { 53 | $randomTransportKeys = array_rand($transports, random_int(1, count($transports))); 54 | if (is_int($randomTransportKeys)) { 55 | $randomTransportKeys = [$randomTransportKeys]; 56 | } 57 | $randomTransports = array_values(array_intersect_key($transports, array_flip($randomTransportKeys))); 58 | $credentials[] = PublicKeyCredentialDescriptor::create( 59 | PublicKeyCredentialDescriptor::CREDENTIAL_TYPE_PUBLIC_KEY, 60 | hash('sha256', random_bytes(16) . $username), 61 | $randomTransports 62 | ); 63 | } 64 | 65 | return $credentials; 66 | } 67 | } 68 | -------------------------------------------------------------------------------- /src/Event/AuthenticatorAttestationResponseValidationSucceededEvent.php: -------------------------------------------------------------------------------- 1 | getPublicKeyCredentialSource(); 31 | } 32 | 33 | throw new LogicException(sprintf('Undefined property: %s::$%s', self::class, $name)); 34 | } 35 | 36 | /** 37 | * @deprecated since 5.3, use credentialRecord instead. Will be removed in 6.0. 38 | */ 39 | public function getPublicKeyCredentialSource(): PublicKeyCredentialSource 40 | { 41 | if ($this->credentialRecord instanceof PublicKeyCredentialSource) { 42 | return $this->credentialRecord; 43 | } 44 | 45 | return PublicKeyCredentialSource::create( 46 | $this->credentialRecord->publicKeyCredentialId, 47 | $this->credentialRecord->type, 48 | $this->credentialRecord->transports, 49 | $this->credentialRecord->attestationType, 50 | $this->credentialRecord->trustPath, 51 | $this->credentialRecord->aaguid, 52 | $this->credentialRecord->credentialPublicKey, 53 | $this->credentialRecord->userHandle, 54 | $this->credentialRecord->counter, 55 | $this->credentialRecord->otherUI, 56 | $this->credentialRecord->backupEligible, 57 | $this->credentialRecord->backupStatus, 58 | $this->credentialRecord->uvInitialized, 59 | ); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /src/Event/BackupStatusChangedEvent.php: -------------------------------------------------------------------------------- 1 | getPublicKeyCredentialSource(); 35 | } 36 | 37 | throw new LogicException(sprintf('Undefined property: %s::$%s', self::class, $name)); 38 | } 39 | 40 | /** 41 | * @deprecated since 5.3, use credentialRecord instead. Will be removed in 6.0. 42 | */ 43 | public function getPublicKeyCredentialSource(): PublicKeyCredentialSource 44 | { 45 | if ($this->credentialRecord instanceof PublicKeyCredentialSource) { 46 | return $this->credentialRecord; 47 | } 48 | 49 | return PublicKeyCredentialSource::create( 50 | $this->credentialRecord->publicKeyCredentialId, 51 | $this->credentialRecord->type, 52 | $this->credentialRecord->transports, 53 | $this->credentialRecord->attestationType, 54 | $this->credentialRecord->trustPath, 55 | $this->credentialRecord->aaguid, 56 | $this->credentialRecord->credentialPublicKey, 57 | $this->credentialRecord->userHandle, 58 | $this->credentialRecord->counter, 59 | $this->credentialRecord->otherUI, 60 | $this->credentialRecord->backupEligible, 61 | $this->credentialRecord->backupStatus, 62 | $this->credentialRecord->uvInitialized, 63 | ); 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /src/MetadataService/Service/MetadataBLOBPayloadEntry.php: -------------------------------------------------------------------------------- 1 | extensions); 21 | } 22 | assert(is_array($data), 'The data should be an array.'); 23 | foreach ($data as $key => $value) { 24 | if (! is_string($key)) { 25 | continue; 26 | } 27 | $data[$key] = AuthenticationExtension::create($key, $value); 28 | } 29 | 30 | return AuthenticationExtensions::create($data); 31 | } 32 | 33 | public function supportsDenormalization( 34 | mixed $data, 35 | string $type, 36 | ?string $format = null, 37 | array $context = [] 38 | ): bool { 39 | return $type === AuthenticationExtensions::class; 40 | } 41 | 42 | /** 43 | * @return array 44 | */ 45 | public function getSupportedTypes(?string $format): array 46 | { 47 | return [ 48 | AuthenticationExtensions::class => true, 49 | ]; 50 | } 51 | 52 | /** 53 | * @return array 54 | */ 55 | public function normalize(mixed $data, ?string $format = null, array $context = []): array 56 | { 57 | assert($data instanceof AuthenticationExtensions); 58 | $extensions = []; 59 | foreach ($data->extensions as $extension) { 60 | $extensions[$extension->name] = $extension->value; 61 | } 62 | 63 | return $extensions; 64 | } 65 | 66 | public function supportsNormalization(mixed $data, ?string $format = null, array $context = []): bool 67 | { 68 | return $data instanceof AuthenticationExtensions; 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /src/Event/AuthenticatorAssertionResponseValidationSucceededEvent.php: -------------------------------------------------------------------------------- 1 | getPublicKeyCredentialSource(); 32 | } 33 | 34 | throw new LogicException(sprintf('Undefined property: %s::$%s', self::class, $name)); 35 | } 36 | 37 | /** 38 | * @deprecated since 5.3, use credentialRecord instead. Will be removed in 6.0. 39 | */ 40 | public function getPublicKeyCredentialSource(): PublicKeyCredentialSource 41 | { 42 | if ($this->credentialRecord instanceof PublicKeyCredentialSource) { 43 | return $this->credentialRecord; 44 | } 45 | 46 | return PublicKeyCredentialSource::create( 47 | $this->credentialRecord->publicKeyCredentialId, 48 | $this->credentialRecord->type, 49 | $this->credentialRecord->transports, 50 | $this->credentialRecord->attestationType, 51 | $this->credentialRecord->trustPath, 52 | $this->credentialRecord->aaguid, 53 | $this->credentialRecord->credentialPublicKey, 54 | $this->credentialRecord->userHandle, 55 | $this->credentialRecord->counter, 56 | $this->credentialRecord->otherUI, 57 | $this->credentialRecord->backupEligible, 58 | $this->credentialRecord->backupStatus, 59 | $this->credentialRecord->uvInitialized, 60 | ); 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /src/Event/AuthenticatorAssertionResponseValidationFailedEvent.php: -------------------------------------------------------------------------------- 1 | getPublicKeyCredentialSource(); 34 | } 35 | 36 | throw new LogicException(sprintf('Undefined property: %s::$%s', self::class, $name)); 37 | } 38 | 39 | /** 40 | * @deprecated since 5.3, use credentialRecord instead. Will be removed in 6.0. 41 | */ 42 | public function getPublicKeyCredentialSource(): PublicKeyCredentialSource 43 | { 44 | if ($this->credentialRecord instanceof PublicKeyCredentialSource) { 45 | return $this->credentialRecord; 46 | } 47 | 48 | return PublicKeyCredentialSource::create( 49 | $this->credentialRecord->publicKeyCredentialId, 50 | $this->credentialRecord->type, 51 | $this->credentialRecord->transports, 52 | $this->credentialRecord->attestationType, 53 | $this->credentialRecord->trustPath, 54 | $this->credentialRecord->aaguid, 55 | $this->credentialRecord->credentialPublicKey, 56 | $this->credentialRecord->userHandle, 57 | $this->credentialRecord->counter, 58 | $this->credentialRecord->otherUI, 59 | $this->credentialRecord->backupEligible, 60 | $this->credentialRecord->backupStatus, 61 | $this->credentialRecord->uvInitialized, 62 | ); 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /src/Denormalizer/AttestationObjectDenormalizer.php: -------------------------------------------------------------------------------- 1 | decode($stream); 26 | 27 | $parsed instanceof Normalizable || throw InvalidDataException::create( 28 | $parsed, 29 | 'Invalid attestation object. Unexpected object.' 30 | ); 31 | $attestationObject = $parsed->normalize(); 32 | $stream->isEOF() || throw InvalidDataException::create( 33 | null, 34 | 'Invalid attestation object. Presence of extra bytes.' 35 | ); 36 | $stream->close(); 37 | $authData = $attestationObject['authData'] ?? throw InvalidDataException::create( 38 | $attestationObject, 39 | 'Invalid attestation object. Missing "authData" field.' 40 | ); 41 | 42 | return AttestationObject::create( 43 | $data, 44 | $this->denormalizer->denormalize($attestationObject, AttestationStatement::class, $format, $context), 45 | $this->denormalizer->denormalize($authData, AuthenticatorData::class, $format, $context), 46 | ); 47 | } 48 | 49 | public function supportsDenormalization( 50 | mixed $data, 51 | string $type, 52 | ?string $format = null, 53 | array $context = [] 54 | ): bool { 55 | return $type === AttestationObject::class; 56 | } 57 | 58 | /** 59 | * @return array 60 | */ 61 | public function getSupportedTypes(?string $format): array 62 | { 63 | return [ 64 | AttestationObject::class => true, 65 | ]; 66 | } 67 | } 68 | -------------------------------------------------------------------------------- /src/Denormalizer/AuthenticatorAssertionResponseDenormalizer.php: -------------------------------------------------------------------------------- 1 | denormalizer->denormalize($data['clientDataJSON'], CollectedClientData::class, $format, $context), 33 | $this->denormalizer->denormalize($data['authenticatorData'], AuthenticatorData::class, $format, $context), 34 | $data['signature'], 35 | $userHandle ?? null, 36 | ! isset($data['attestationObject']) ? null : $this->denormalizer->denormalize( 37 | $data['attestationObject'], 38 | AttestationObject::class, 39 | $format, 40 | $context 41 | ), 42 | ); 43 | } 44 | 45 | public function supportsDenormalization( 46 | mixed $data, 47 | string $type, 48 | ?string $format = null, 49 | array $context = [] 50 | ): bool { 51 | return $type === AuthenticatorAssertionResponse::class; 52 | } 53 | 54 | /** 55 | * @return array 56 | */ 57 | public function getSupportedTypes(?string $format): array 58 | { 59 | return [ 60 | AuthenticatorAssertionResponse::class => true, 61 | ]; 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /src/CeremonyStep/CheckAttestationFormatIsKnownAndValid.php: -------------------------------------------------------------------------------- 1 | attestationObject; 40 | if ($attestationObject === null) { 41 | return; 42 | } 43 | 44 | $fmt = $attestationObject->attStmt 45 | ->fmt; 46 | $this->attestationStatementSupportManager->has( 47 | $fmt 48 | ) || throw AuthenticatorResponseVerificationException::create('Unsupported attestation statement format.'); 49 | 50 | $attestationStatementSupport = $this->attestationStatementSupportManager->get($fmt); 51 | $clientDataJSONHash = hash('sha256', $authenticatorResponse->clientDataJSON ->rawData, true); 52 | $attestationStatementSupport->isValid( 53 | $clientDataJSONHash, 54 | $attestationObject->attStmt, 55 | $attestationObject->authData 56 | ) || throw AuthenticatorResponseVerificationException::create('Invalid attestation statement.'); 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /src/AttestationStatement/NoneAttestationStatementSupport.php: -------------------------------------------------------------------------------- 1 | dispatcher = new NullEventDispatcher(); 25 | } 26 | 27 | public function setEventDispatcher(EventDispatcherInterface $eventDispatcher): void 28 | { 29 | $this->dispatcher = $eventDispatcher; 30 | } 31 | 32 | public static function create(): self 33 | { 34 | return new self(); 35 | } 36 | 37 | public function name(): string 38 | { 39 | return 'none'; 40 | } 41 | 42 | /** 43 | * @param array $attestation 44 | */ 45 | public function load(array $attestation): AttestationStatement 46 | { 47 | $format = $attestation['fmt'] ?? null; 48 | $attestationStatement = $attestation['attStmt'] ?? []; 49 | 50 | (is_string($format) && $format !== '') || throw AttestationStatementLoadingException::create( 51 | $attestation, 52 | 'Invalid attestation object' 53 | ); 54 | (is_array( 55 | $attestationStatement 56 | ) && $attestationStatement === []) || throw AttestationStatementLoadingException::create( 57 | $attestation, 58 | 'Invalid attestation object' 59 | ); 60 | 61 | $attestationStatement = AttestationStatement::createNone( 62 | $format, 63 | $attestationStatement, 64 | EmptyTrustPath::create() 65 | ); 66 | $this->dispatcher->dispatch(AttestationStatementLoaded::create($attestationStatement)); 67 | 68 | return $attestationStatement; 69 | } 70 | 71 | public function isValid( 72 | string $clientDataJSONHash, 73 | AttestationStatement $attestationStatement, 74 | AuthenticatorData $authenticatorData 75 | ): bool { 76 | return count($attestationStatement->attStmt) === 0; 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /src/PublicKeyCredentialSource.php: -------------------------------------------------------------------------------- 1 | |null $otherUI 20 | */ 21 | public function __construct( 22 | public string $publicKeyCredentialId, 23 | public string $type, 24 | public array $transports, 25 | public string $attestationType, 26 | public TrustPath $trustPath, 27 | public Uuid $aaguid, 28 | public string $credentialPublicKey, 29 | public string $userHandle, 30 | public int $counter, 31 | public ?array $otherUI = null, 32 | public ?bool $backupEligible = null, 33 | public ?bool $backupStatus = null, 34 | public ?bool $uvInitialized = null, 35 | ) { 36 | } 37 | 38 | /** 39 | * @param string[] $transports 40 | * @param array|null $otherUI 41 | */ 42 | public static function create( 43 | string $publicKeyCredentialId, 44 | string $type, 45 | array $transports, 46 | string $attestationType, 47 | TrustPath $trustPath, 48 | Uuid $aaguid, 49 | string $credentialPublicKey, 50 | string $userHandle, 51 | int $counter, 52 | ?array $otherUI = null, 53 | ?bool $backupEligible = null, 54 | ?bool $backupStatus = null, 55 | ?bool $uvInitialized = null, 56 | ): self { 57 | return new self( 58 | $publicKeyCredentialId, 59 | $type, 60 | $transports, 61 | $attestationType, 62 | $trustPath, 63 | $aaguid, 64 | $credentialPublicKey, 65 | $userHandle, 66 | $counter, 67 | $otherUI, 68 | $backupEligible, 69 | $backupStatus, 70 | $uvInitialized 71 | ); 72 | } 73 | 74 | public function getPublicKeyCredentialDescriptor(): PublicKeyCredentialDescriptor 75 | { 76 | return PublicKeyCredentialDescriptor::create($this->type, $this->publicKeyCredentialId, $this->transports); 77 | } 78 | 79 | public function getAttestedCredentialData(): AttestedCredentialData 80 | { 81 | return AttestedCredentialData::create($this->aaguid, $this->publicKeyCredentialId, $this->credentialPublicKey); 82 | } 83 | } 84 | -------------------------------------------------------------------------------- /src/MetadataService/Service/JsonMetadataService.php: -------------------------------------------------------------------------------- 1 | dispatcher = new NullEventDispatcher(); 36 | $this->serializer = $serializer ?? (new WebauthnSerializerFactory( 37 | AttestationStatementSupportManager::create() 38 | ))->create(); 39 | foreach ($statements as $statement) { 40 | $this->addStatement($statement); 41 | } 42 | } 43 | 44 | public function setEventDispatcher(EventDispatcherInterface $eventDispatcher): void 45 | { 46 | $this->dispatcher = $eventDispatcher; 47 | } 48 | 49 | public function list(): iterable 50 | { 51 | yield from array_keys($this->statements); 52 | } 53 | 54 | public function has(string $aaguid): bool 55 | { 56 | return array_key_exists($aaguid, $this->statements); 57 | } 58 | 59 | public function get(string $aaguid): MetadataStatement 60 | { 61 | array_key_exists($aaguid, $this->statements) || throw MissingMetadataStatementException::create($aaguid); 62 | $mds = $this->statements[$aaguid]; 63 | $this->dispatcher->dispatch(MetadataStatementFound::create($mds)); 64 | 65 | return $mds; 66 | } 67 | 68 | private function addStatement(string $statement): void 69 | { 70 | $mds = $this->serializer->deserialize($statement, MetadataStatement::class, JsonEncoder::FORMAT); 71 | if ($mds->aaguid === null) { 72 | return; 73 | } 74 | $this->statements[$mds->aaguid] = $mds; 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /src/CredentialRecord.php: -------------------------------------------------------------------------------- 1 | |null $otherUI 21 | */ 22 | public function __construct( 23 | public string $publicKeyCredentialId, 24 | public string $type, 25 | public array $transports, 26 | public string $attestationType, 27 | public TrustPath $trustPath, 28 | public Uuid $aaguid, 29 | public string $credentialPublicKey, 30 | public string $userHandle, 31 | public int $counter, 32 | public ?array $otherUI = null, 33 | public ?bool $backupEligible = null, 34 | public ?bool $backupStatus = null, 35 | public ?bool $uvInitialized = null, 36 | ) { 37 | } 38 | 39 | /** 40 | * @param string[] $transports 41 | * @param array|null $otherUI 42 | */ 43 | public static function create( 44 | string $publicKeyCredentialId, 45 | string $type, 46 | array $transports, 47 | string $attestationType, 48 | TrustPath $trustPath, 49 | Uuid $aaguid, 50 | string $credentialPublicKey, 51 | string $userHandle, 52 | int $counter, 53 | ?array $otherUI = null, 54 | ?bool $backupEligible = null, 55 | ?bool $backupStatus = null, 56 | ?bool $uvInitialized = null, 57 | ): self { 58 | return new self( 59 | $publicKeyCredentialId, 60 | $type, 61 | $transports, 62 | $attestationType, 63 | $trustPath, 64 | $aaguid, 65 | $credentialPublicKey, 66 | $userHandle, 67 | $counter, 68 | $otherUI, 69 | $backupEligible, 70 | $backupStatus, 71 | $uvInitialized 72 | ); 73 | } 74 | 75 | public function getPublicKeyCredentialDescriptor(): PublicKeyCredentialDescriptor 76 | { 77 | return PublicKeyCredentialDescriptor::create($this->type, $this->publicKeyCredentialId, $this->transports); 78 | } 79 | 80 | public function getAttestedCredentialData(): AttestedCredentialData 81 | { 82 | return AttestedCredentialData::create($this->aaguid, $this->publicKeyCredentialId, $this->credentialPublicKey); 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /src/PublicKeyCredentialRequestOptions.php: -------------------------------------------------------------------------------- 1 | $extensions 31 | * @param string[] $hints 32 | */ 33 | public function __construct( 34 | string $challenge, 35 | public null|string $rpId = null, 36 | public array $allowCredentials = [], 37 | public null|string $userVerification = null, 38 | null|int $timeout = null, 39 | null|array|AuthenticationExtensions $extensions = null, 40 | array $hints = [], 41 | ) { 42 | in_array($userVerification, self::USER_VERIFICATION_REQUIREMENTS, true) || throw InvalidDataException::create( 43 | $userVerification, 44 | 'Invalid user verification requirement' 45 | ); 46 | parent::__construct( 47 | $challenge, 48 | $timeout, 49 | $extensions, 50 | $hints 51 | ); 52 | } 53 | 54 | /** 55 | * @param PublicKeyCredentialDescriptor[] $allowCredentials 56 | * @param positive-int $timeout 57 | * @param null|AuthenticationExtensions|array $extensions 58 | * @param string[] $hints 59 | */ 60 | public static function create( 61 | string $challenge, 62 | null|string $rpId = null, 63 | array $allowCredentials = [], 64 | null|string $userVerification = null, 65 | null|int $timeout = null, 66 | null|array|AuthenticationExtensions $extensions = null, 67 | array $hints = [], 68 | ): self { 69 | return new self($challenge, $rpId, $allowCredentials, $userVerification, $timeout, $extensions, $hints); 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /src/AuthenticatorData.php: -------------------------------------------------------------------------------- 1 | flags) & self::FLAG_UP); 59 | } 60 | 61 | public function isUserVerified(): bool 62 | { 63 | return 0 !== (ord($this->flags) & self::FLAG_UV); 64 | } 65 | 66 | public function isBackupEligible(): bool 67 | { 68 | return 0 !== (ord($this->flags) & self::FLAG_BE); 69 | } 70 | 71 | public function isBackedUp(): bool 72 | { 73 | return 0 !== (ord($this->flags) & self::FLAG_BS); 74 | } 75 | 76 | public function hasAttestedCredentialData(): bool 77 | { 78 | return 0 !== (ord($this->flags) & self::FLAG_AT); 79 | } 80 | 81 | public function hasExtensions(): bool 82 | { 83 | return 0 !== (ord($this->flags) & self::FLAG_ED); 84 | } 85 | 86 | public function getReservedForFutureUse1(): int 87 | { 88 | return ord($this->flags) & self::FLAG_RFU1; 89 | } 90 | 91 | public function getReservedForFutureUse2(): int 92 | { 93 | return ord($this->flags) & self::FLAG_RFU2; 94 | } 95 | } 96 | -------------------------------------------------------------------------------- /src/AttestationStatement/AttestationStatement.php: -------------------------------------------------------------------------------- 1 | $attStmt 26 | */ 27 | public function __construct( 28 | public readonly string $fmt, 29 | public readonly array $attStmt, 30 | public readonly string $type, 31 | public readonly TrustPath $trustPath 32 | ) { 33 | } 34 | 35 | public static function create(string $fmt, array $attStmt, string $type, TrustPath $trustPath): self 36 | { 37 | return new self($fmt, $attStmt, $type, $trustPath); 38 | } 39 | 40 | /** 41 | * @param array $attStmt 42 | */ 43 | public static function createNone(string $fmt, array $attStmt, TrustPath $trustPath): self 44 | { 45 | return self::create($fmt, $attStmt, self::TYPE_NONE, $trustPath); 46 | } 47 | 48 | /** 49 | * @param array $attStmt 50 | */ 51 | public static function createBasic(string $fmt, array $attStmt, TrustPath $trustPath): self 52 | { 53 | return self::create($fmt, $attStmt, self::TYPE_BASIC, $trustPath); 54 | } 55 | 56 | /** 57 | * @param array $attStmt 58 | */ 59 | public static function createSelf(string $fmt, array $attStmt, TrustPath $trustPath): self 60 | { 61 | return self::create($fmt, $attStmt, self::TYPE_SELF, $trustPath); 62 | } 63 | 64 | /** 65 | * @param array $attStmt 66 | */ 67 | public static function createAttCA(string $fmt, array $attStmt, TrustPath $trustPath): self 68 | { 69 | return self::create($fmt, $attStmt, self::TYPE_ATTCA, $trustPath); 70 | } 71 | 72 | /** 73 | * @param array $attStmt 74 | */ 75 | public static function createAnonymizationCA(string $fmt, array $attStmt, TrustPath $trustPath): self 76 | { 77 | return self::create($fmt, $attStmt, self::TYPE_ANONCA, $trustPath); 78 | } 79 | 80 | public function has(string $key): bool 81 | { 82 | return array_key_exists($key, $this->attStmt); 83 | } 84 | 85 | public function get(string $key): mixed 86 | { 87 | $this->has($key) || throw InvalidDataException::create($this->attStmt, sprintf( 88 | 'The attestation statement has no key "%s".', 89 | $key 90 | )); 91 | 92 | return $this->attStmt[$key]; 93 | } 94 | } 95 | -------------------------------------------------------------------------------- /src/MetadataService/Service/FolderResourceMetadataService.php: -------------------------------------------------------------------------------- 1 | serializer = $serializer ?? (new WebauthnSerializerFactory( 29 | AttestationStatementSupportManager::create() 30 | ))->create(); 31 | $this->rootPath = rtrim($rootPath, DIRECTORY_SEPARATOR); 32 | is_dir($this->rootPath) || throw new InvalidArgumentException('The given parameter is not a valid folder.'); 33 | is_readable($this->rootPath) || throw new InvalidArgumentException( 34 | 'The given parameter is not a valid folder.' 35 | ); 36 | } 37 | 38 | public static function create(string $rootPath, ?SerializerInterface $serializer = null): self 39 | { 40 | return new self($rootPath, $serializer); 41 | } 42 | 43 | public function list(): iterable 44 | { 45 | $files = glob($this->rootPath . DIRECTORY_SEPARATOR . '*'); 46 | is_array($files) || throw MetadataStatementLoadingException::create('Unable to read files.'); 47 | foreach ($files as $file) { 48 | if (is_dir($file) || ! is_readable($file)) { 49 | continue; 50 | } 51 | 52 | yield basename($file); 53 | } 54 | } 55 | 56 | public function has(string $aaguid): bool 57 | { 58 | $filename = $this->rootPath . DIRECTORY_SEPARATOR . $aaguid; 59 | 60 | return is_file($filename) && is_readable($filename); 61 | } 62 | 63 | public function get(string $aaguid): MetadataStatement 64 | { 65 | $this->has($aaguid) || throw new InvalidArgumentException(sprintf( 66 | 'The MDS with the AAGUID "%s" does not exist.', 67 | $aaguid 68 | )); 69 | $filename = $this->rootPath . DIRECTORY_SEPARATOR . $aaguid; 70 | $content = file_get_contents($filename); 71 | assert($content !== false, 'The file exists and is readable.'); 72 | $data = trim($content); 73 | $mds = $this->serializer->deserialize($data, MetadataStatement::class, JsonEncoder::FORMAT); 74 | $mds->aaguid !== null || throw MetadataStatementLoadingException::create('Invalid Metadata Statement.'); 75 | 76 | return $mds; 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /src/CeremonyStep/CheckRelyingPartyIdIdHash.php: -------------------------------------------------------------------------------- 1 | authenticatorData : $authenticatorResponse->attestationObject->authData; 37 | $C = $authenticatorResponse->clientDataJSON; 38 | $attestedCredentialData = $credentialRecord->getAttestedCredentialData(); 39 | $credentialPublicKey = $attestedCredentialData->credentialPublicKey; 40 | $credentialPublicKey !== null || throw AuthenticatorResponseVerificationException::create( 41 | 'No public key available.' 42 | ); 43 | $isU2F = U2FPublicKey::isU2FKey($credentialPublicKey); 44 | $rpId = $publicKeyCredentialOptions->rpId ?? $publicKeyCredentialOptions->rp->id ?? $host; 45 | $facetId = $this->getFacetId($rpId, $publicKeyCredentialOptions->extensions, $authData ->extensions); 46 | $rpIdHash = hash('sha256', $isU2F ? $C->origin : $facetId, true); 47 | hash_equals( 48 | $rpIdHash, 49 | $authData 50 | ->rpIdHash 51 | ) || throw AuthenticatorResponseVerificationException::create('rpId hash mismatch.'); 52 | } 53 | 54 | private function getFacetId( 55 | string $rpId, 56 | AuthenticationExtensions $AuthenticationExtensions, 57 | null|AuthenticationExtensions $authenticationExtensionsClientOutputs 58 | ): string { 59 | if ($authenticationExtensionsClientOutputs === null || ! $AuthenticationExtensions->has( 60 | 'appid' 61 | ) || ! $authenticationExtensionsClientOutputs->has('appid')) { 62 | return $rpId; 63 | } 64 | $appId = $AuthenticationExtensions->get('appid') 65 | ->value; 66 | $wasUsed = $authenticationExtensionsClientOutputs->get('appid') 67 | ->value; 68 | if (! is_string($appId) || $wasUsed !== true) { 69 | return $rpId; 70 | } 71 | return $appId; 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /src/AuthenticationExtensions/AuthenticationExtensions.php: -------------------------------------------------------------------------------- 1 | 21 | */ 22 | final class AuthenticationExtensions implements Countable, IteratorAggregate, ArrayAccess 23 | { 24 | /** 25 | * @var array 26 | * @readonly 27 | */ 28 | public array $extensions; 29 | 30 | /** 31 | * @param array $extensions 32 | */ 33 | public function __construct(array $extensions = []) 34 | { 35 | $list = []; 36 | foreach ($extensions as $key => $extension) { 37 | if ($extension instanceof AuthenticationExtension) { 38 | $list[$extension->name] = $extension; 39 | 40 | continue; 41 | } 42 | if (is_string($key)) { 43 | $list[$key] = AuthenticationExtension::create($key, $extension); 44 | continue; 45 | } 46 | throw new AuthenticationExtensionException('Invalid extension'); 47 | } 48 | $this->extensions = $list; 49 | } 50 | 51 | /** 52 | * @param array $extensions 53 | */ 54 | public static function create(array $extensions = []): static 55 | { 56 | return new static($extensions); 57 | } 58 | 59 | public function has(string $key): bool 60 | { 61 | return array_key_exists($key, $this->extensions); 62 | } 63 | 64 | public function get(string $key): AuthenticationExtension 65 | { 66 | $this->has($key) || throw AuthenticationExtensionException::create(sprintf( 67 | 'The extension with key "%s" is not available', 68 | $key 69 | )); 70 | 71 | return $this->extensions[$key]; 72 | } 73 | 74 | /** 75 | * @return Iterator 76 | */ 77 | public function getIterator(): Iterator 78 | { 79 | return new ArrayIterator($this->extensions); 80 | } 81 | 82 | public function count(int $mode = COUNT_NORMAL): int 83 | { 84 | return count($this->extensions, $mode); 85 | } 86 | 87 | public function offsetExists(mixed $offset): bool 88 | { 89 | return array_key_exists($offset, $this->extensions); 90 | } 91 | 92 | public function offsetGet(mixed $offset): mixed 93 | { 94 | return $this->extensions[$offset]; 95 | } 96 | 97 | public function offsetSet(mixed $offset, mixed $value): void 98 | { 99 | if ($value === null) { 100 | return; 101 | } 102 | if ($value instanceof AuthenticationExtension) { 103 | $this->extensions[$value->name] = $value; 104 | return; 105 | } 106 | if (is_string($offset)) { 107 | $this->extensions[$offset] = AuthenticationExtension::create($offset, $value); 108 | return; 109 | } 110 | throw new AuthenticationExtensionException('Invalid extension'); 111 | } 112 | 113 | public function offsetUnset(mixed $offset): void 114 | { 115 | unset($this->extensions[$offset]); 116 | } 117 | } 118 | -------------------------------------------------------------------------------- /src/AuthenticatorSelectionCriteria.php: -------------------------------------------------------------------------------- 1 | requireResidentKey = true; 77 | } else { 78 | $this->requireResidentKey = null; 79 | } 80 | } 81 | 82 | public static function create( 83 | ?string $authenticatorAttachment = null, 84 | string $userVerification = self::USER_VERIFICATION_REQUIREMENT_PREFERRED, 85 | null|string $residentKey = self::RESIDENT_KEY_REQUIREMENT_NO_PREFERENCE, 86 | ): self { 87 | return new self($authenticatorAttachment, $userVerification, $residentKey); 88 | } 89 | } 90 | -------------------------------------------------------------------------------- /src/MetadataService/Service/LocalResourceMetadataService.php: -------------------------------------------------------------------------------- 1 | serializer = $serializer ?? (new WebauthnSerializerFactory( 36 | AttestationStatementSupportManager::create() 37 | ))->create(); 38 | $this->dispatcher = new NullEventDispatcher(); 39 | } 40 | 41 | public static function create( 42 | string $filename, 43 | bool $isBase64Encoded = false, 44 | ?SerializerInterface $serializer = null 45 | ): self { 46 | return new self($filename, $isBase64Encoded, $serializer); 47 | } 48 | 49 | public function setEventDispatcher(EventDispatcherInterface $eventDispatcher): void 50 | { 51 | $this->dispatcher = $eventDispatcher; 52 | } 53 | 54 | public function list(): iterable 55 | { 56 | $this->loadData(); 57 | $this->statement !== null || throw MetadataStatementLoadingException::create(); 58 | $aaguid = $this->statement->aaguid; 59 | if ($aaguid === null) { 60 | yield from []; 61 | } else { 62 | yield from [$aaguid]; 63 | } 64 | } 65 | 66 | public function has(string $aaguid): bool 67 | { 68 | $this->loadData(); 69 | $this->statement !== null || throw MetadataStatementLoadingException::create(); 70 | 71 | return $aaguid === $this->statement->aaguid; 72 | } 73 | 74 | public function get(string $aaguid): MetadataStatement 75 | { 76 | $this->loadData(); 77 | $this->statement !== null || throw MetadataStatementLoadingException::create(); 78 | 79 | if ($aaguid === $this->statement->aaguid) { 80 | $this->dispatcher->dispatch(MetadataStatementFound::create($this->statement)); 81 | 82 | return $this->statement; 83 | } 84 | 85 | throw MissingMetadataStatementException::create($aaguid); 86 | } 87 | 88 | private function loadData(): void 89 | { 90 | if ($this->statement !== null) { 91 | return; 92 | } 93 | 94 | $content = file_get_contents($this->filename); 95 | assert($content !== false, 'The file could not be read'); 96 | if ($this->isBase64Encoded) { 97 | $content = Base64::decode($content, true); 98 | } 99 | $this->statement = $this->serializer->deserialize($content, MetadataStatement::class, JsonEncoder::FORMAT); 100 | } 101 | } 102 | --------------------------------------------------------------------------------