WebAuthn初步接好

2022-08-08 02:07:27 +08:00
parent 50934228ef
commit 30b38e3f4b
16 changed files with 1329 additions and 5 deletions
--- a/app/Http/Controllers/UserWebAuthnController.php
+++ b/app/Http/Controllers/UserWebAuthnController.php
@@ -0,0 +1,168 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\WebAuthn\Repository\PublicKeyCredentialSourceRepositoryImpl;
+use App\WebAuthn\WebAuthnService;
+use Cose\Algorithm\Manager;
+use Cose\Algorithm\Signature\ECDSA\ES256;
+use Cose\Algorithm\Signature\RSA\RS256;
+use Cose\Algorithms;
+use GuzzleHttp\Psr7\ServerRequest;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller as BaseController;
+use Illuminate\Support\Facades\Auth;
+use Webauthn\AttestationStatement\AttestationObjectLoader;
+use Webauthn\AttestationStatement\AttestationStatementSupportManager;
+use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
+use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;
+use Webauthn\AuthenticatorAssertionResponse;
+use Webauthn\AuthenticatorAssertionResponseValidator;
+use Webauthn\AuthenticatorAttestationResponse;
+use Webauthn\AuthenticatorAttestationResponseValidator;
+use Webauthn\AuthenticatorSelectionCriteria;
+use Webauthn\PublicKeyCredentialCreationOptions;
+use Webauthn\PublicKeyCredentialLoader;
+use Webauthn\PublicKeyCredentialParameters;
+use Webauthn\PublicKeyCredentialRequestOptions;
+use Webauthn\PublicKeyCredentialRpEntity;
+use Webauthn\PublicKeyCredentialSourceRepository;
+use Webauthn\PublicKeyCredentialUserEntity;
+use Webauthn\TokenBinding\IgnoreTokenBindingHandler;
+
+class UserWebAuthnController extends BaseController
+{
+    private $TIMEOUT = 45000;
+    private $attestationStatementSupportManager = null;
+
+    public function register_options(Request $request): PublicKeyCredentialCreationOptions
+    {
+        $userEntity = new PublicKeyCredentialUserEntity(
+            $request->user("web")->name,
+            $request->user("web")->id,
+            $request->user("web")->name,
+        );
+        $challenge = random_bytes(16);
+        $request->session()->put("webauthn_register_challenge", $challenge);
+        return WebAuthnService::createRequestOptions($userEntity, $challenge);
+    }
+
+    public function login_options(Request $request): PublicKeyCredentialRequestOptions
+    {
+        $challenge = random_bytes(32);
+        $request->session()->put("webauthn_login_challenge", $challenge);
+        $publicKeyCredentialRequestOptions = new PublicKeyCredentialRequestOptions(
+            $challenge
+        );
+        $publicKeyCredentialRequestOptions->setUserVerification(
+            PublicKeyCredentialRequestOptions::USER_VERIFICATION_REQUIREMENT_REQUIRED
+        );
+        $publicKeyCredentialRequestOptions->allowCredentials([]);
+        $publicKeyCredentialRequestOptions->setTimeout($this->TIMEOUT);
+        return $publicKeyCredentialRequestOptions;
+    }
+
+    public function register_validate(Request $request)
+    {
+        if (!$request->session()->has("webauthn_register_challenge")) {
+            ///
+        }
+        $publicKeyCredential = $this->get_public_key_credential_loader()->loadArray($request->json()->all());
+        $authenticatorAttestationResponse = $publicKeyCredential->getResponse();
+        if (!$authenticatorAttestationResponse instanceof AuthenticatorAttestationResponse) {
+            //e.g. process here with a redirection to the public key creation page.
+        }
+        $userEntity = new PublicKeyCredentialUserEntity(
+            $request->user("web")->name,
+            $request->user("web")->id,
+            $request->user("web")->name,
+        );
+        $challenge = $request->session()->remove("webauthn_register_challenge");
+        $publicKeyCredentialCreationOptions = WebAuthnService::createRequestOptions($userEntity, $challenge);
+        $publicKeyCredentialSource = $this->get_authn_attestation_response_validator()->check(
+            $authenticatorAttestationResponse,
+            $publicKeyCredentialCreationOptions,
+            ServerRequest::fromGlobals(),
+            ["localhost"]
+        );
+        $this->get_pub_key_cred_source_repository()->saveCredentialSource($publicKeyCredentialSource);
+        return $publicKeyCredentialSource;
+    }
+
+    public function login_validate(Request $request)
+    {
+        if (!$request->session()->has("webauthn_login_challenge")) {
+            ///
+        }
+        $publicKeyCredentialRequestOptions = new PublicKeyCredentialRequestOptions(
+            $request->session()->remove("webauthn_login_challenge")
+        );
+        $publicKeyCredential = $this->get_public_key_credential_loader()->loadArray($request->json()->all());
+        $authenticatorAssertionResponse = $publicKeyCredential->getResponse();
+        if (!$authenticatorAssertionResponse instanceof AuthenticatorAssertionResponse) {
+            //e.g. process here with a redirection to the public key login/MFA page.
+        }
+        try {
+            $publicKeyCredentialSource = $this->get_authn_assertion_response_validator()->check(
+                $publicKeyCredential->getRawId(),
+                $authenticatorAssertionResponse,
+                $publicKeyCredentialRequestOptions,
+                ServerRequest::fromGlobals(),
+                $authenticatorAssertionResponse->getUserHandle(),
+                ["localhost"]
+            );
+        } catch (\Throwable $e) {
+            return redirect(route("login"));
+        }
+        Auth::loginUsingId($publicKeyCredentialSource->getUserHandle());
+        return redirect()->intended();
+    }
+
+    private function get_authn_attestation_response_validator(): AuthenticatorAttestationResponseValidator
+    {
+        $authenticatorAttestationResponseValidator = new AuthenticatorAttestationResponseValidator(
+            $this->get_attestation_stmt_sup_mgr(),
+            WebAuthnService::getPublicKeyCredentialSourceRepository(),
+            new IgnoreTokenBindingHandler(),
+            new ExtensionOutputCheckerHandler()
+        );
+        return $authenticatorAttestationResponseValidator;
+    }
+
+    private function get_authn_assertion_response_validator(): AuthenticatorAssertionResponseValidator
+    {
+        $algorithmManager = new Manager();
+        $algorithmManager->add(new ES256());
+        $algorithmManager->add(new RS256());
+        $authenticatorAssertionResponseValidator = new AuthenticatorAssertionResponseValidator(
+            WebAuthnService::getPublicKeyCredentialSourceRepository(),
+            new IgnoreTokenBindingHandler(),
+            new ExtensionOutputCheckerHandler(),
+            $algorithmManager
+        );
+        return $authenticatorAssertionResponseValidator;
+    }
+
+    private function get_public_key_credential_loader(): PublicKeyCredentialLoader
+    {
+        $publicKeyCredentialLoader = new PublicKeyCredentialLoader(
+            $this->get_attestation_loader()
+        );
+        return $publicKeyCredentialLoader;
+    }
+
+    private function get_attestation_loader(): AttestationObjectLoader
+    {
+        $attestationObjectLoader = new AttestationObjectLoader($this->get_attestation_stmt_sup_mgr());
+        return $attestationObjectLoader;
+    }
+
+    private function get_attestation_stmt_sup_mgr()
+    {
+        if ($this->attestationStatementSupportManager === null) {
+            $this->attestationStatementSupportManager = new AttestationStatementSupportManager();
+            $this->attestationStatementSupportManager->add(new NoneAttestationStatementSupport());
+        }
+        return $this->attestationStatementSupportManager;
+    }
+}