getCreateArgs * | * navigator.credentials.create <-------------' * | * '-------------------------> processCreate * | * alert ok or fail <----------------' * * ------------------------------------------------------------ * * VALIDATION * * window.fetch ------------------> getGetArgs * | * navigator.credentials.get <----------------' * | * '-------------------------> processGet * | * alert ok or fail <----------------' * * ------------------------------------------------------------ */ require_once './restricted/WebAuthn/src/WebAuthn.php'; require_once("./restricted/mysql.php"); try { session_start(); // read get argument and post body $fn = filter_input(INPUT_GET, 'fn'); $requireResidentKey = false; $userVerification = false; $formats = []; $msg=""; $formats[] = 'android-key'; $formats[] = 'android-safetynet'; $formats[] = 'apple'; $formats[] = 'fido-u2f'; $formats[] = 'none'; $formats[] = 'packed'; $formats[] = 'tpm'; $userId = "E071229F004A4CDE"; $userName = "SmartHomeWagner"; $userDisplayName = "2025Bym0"; $post = trim(file_get_contents('php://input')); if ($post) { $post = json_decode($post, null, 512, JSON_THROW_ON_ERROR); } $rpId = "nas.el-wa.org"; if ($rpId === false) { throw new Exception('invalid relying party ID'); } // cross-platform: true, if type internal is not allowed // false, if only internal is allowed // null, if internal and cross-platform is allowed $crossPlatformAttachment = null; // new Instance of the server library. // make sure that $rpId is the domain name. $WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $rpId, $formats); $WebAuthn->addRootCertificates('./restricted/WebAuthn/rootCertificates/isrg-root-x2.pem'); $WebAuthn->addRootCertificates('./restricted/WebAuthn/rootCertificates/solo.pem'); $WebAuthn->addRootCertificates('./restricted/WebAuthn/rootCertificates/solokey_f1.pem'); $WebAuthn->addRootCertificates('./restricted/WebAuthn/rootCertificates/solokey_r1.pem'); $WebAuthn->addRootCertificates('./restricted/WebAuthn/rootCertificates/apple.pem'); $WebAuthn->addRootCertificates('./restricted/WebAuthn/rootCertificates/yubico.pem'); $WebAuthn->addRootCertificates('./restricted/WebAuthn/rootCertificates/hypersecu.pem'); $WebAuthn->addRootCertificates('./restricted/WebAuthn/rootCertificates/globalSign.pem'); $WebAuthn->addRootCertificates('./restricted/WebAuthn/rootCertificates/googleHardware.pem'); $WebAuthn->addRootCertificates('./restricted/WebAuthn/rootCertificates/microsoftTpmCollection.pem'); $WebAuthn->addRootCertificates('./restricted/WebAuthn/rootCertificates/mds'); // ------------------------------------ // request for create arguments // ------------------------------------ if ($fn === 'getCreateArgs') { $createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification, $crossPlatformAttachment); header('Content-Type: application/json'); print(json_encode($createArgs)); // save challange to session. you have to deliver it to processGet later. $_SESSION['challenge'] = $WebAuthn->getChallenge(); // ------------------------------------ // request for get arguments // ------------------------------------ } else if ($fn === 'getGetArgs') { $ids = []; $mysql = new mysqli($mysql_server,$mysql_user,$mysql_pass,$mysql_db); $result = mysqli_query($mysql,"SELECT credentialId FROM users WHERE userId = '".base64_encode($userId)."';"); if(!$result){ $msg = "Error:
".mysqli_error($mysql)."
"; } if ($result->num_rows > 0) { while($row = $result->fetch_assoc()) { $ids[] = base64_decode($row["credentialId"]); } } /* if ($requireResidentKey) { if (!isset($_SESSION['registrations']) || !is_array($_SESSION['registrations']) || count($_SESSION['registrations']) === 0) { throw new Exception('we do not have any registrations in session to check the registration'); } } else { // load registrations from session stored there by processCreate. // normaly you have to load the credential Id's for a username // from the database. if (isset($_SESSION['registrations']) && is_array($_SESSION['registrations'])) { foreach ($_SESSION['registrations'] as $reg) { if ($reg->userId === $userId) { $ids[] = $reg->credentialId; } } } } */ if (count($ids) === 0) { throw new Exception('no registrations in session for userId ' . $userId); } $getArgs = $WebAuthn->getGetArgs($ids, 60*4, true, true, true, true, true, $userVerification); header('Content-Type: application/json'); print(json_encode($getArgs)); // save challange to session. you have to deliver it to processGet later. $_SESSION['challenge'] = $WebAuthn->getChallenge(); // ------------------------------------ // process create // ------------------------------------ } else if ($fn === 'processCreate') { $mysql = new mysqli($mysql_server,$mysql_user,$mysql_pass,$mysql_db); $clientDataJSON = !empty($post->clientDataJSON) ? base64_decode($post->clientDataJSON) : null; $attestationObject = !empty($post->attestationObject) ? base64_decode($post->attestationObject) : null; $challenge = $_SESSION['challenge'] ?? null; // processCreate returns data to be stored for future logins. // in this example we store it in the php session. // Normally you have to store the data in a database connected // with the username. $data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $userVerification === 'required', true, false); // add user infos $data->userId = $userId; $data->userName = $userName; $data->userDisplayName = $userDisplayName; //set Null to 0 $data->signatureCounter ??= 0; /* if (!isset($_SESSION['registrations']) || !array_key_exists('registrations', $_SESSION) || !is_array($_SESSION['registrations'])) { $_SESSION['registrations'] = []; }*/ if(!mysqli_query($mysql,"INSERT INTO users SET userId = '".base64_encode($data->userId)."', credentialId = '".base64_encode($data->credentialId)."', credentialPublicKey = '".base64_encode($data->credentialPublicKey)."', signatureCounter = '".base64_encode($data->signatureCounter)."', name = '".mysqli_real_escape_string($mysql,filter_input(INPUT_GET, 'name'))."';")){ $msg = "Error:
".mysqli_error($mysql)."
"; } else{ if ($data->rootValid === false) { $msg = 'registration ok, but certificate does not match any of the selected root ca.'; } // $msg = "Data: ".json_last_error();//json_encode($data);//'registration success.'; } /* $_SESSION['registrations'][] = $data; */ $return = new stdClass(); $return->success = true; $return->msg = $msg; header('Content-Type: application/json'); print(json_encode($return)); // ------------------------------------ // proccess get // ------------------------------------ } else if ($fn === 'processGet') { $clientDataJSON = !empty($post->clientDataJSON) ? base64_decode($post->clientDataJSON) : null; $authenticatorData = !empty($post->authenticatorData) ? base64_decode($post->authenticatorData) : null; $signature = !empty($post->signature) ? base64_decode($post->signature) : null; $userHandle = !empty($post->userHandle) ? base64_decode($post->userHandle) : null; $id = !empty($post->id) ? base64_decode($post->id) : null; $challenge = $_SESSION['challenge'] ?? ''; $credentialPublicKey = null; // looking up correspondending public key of the credential id // you should also validate that only ids of the given user name // are taken for the login. $mysql_server = "localhost:3310"; $mysql_user = "Logins"; $mysql_pass = "SPykMjT(CC.P_*b7"; $mysql_db = "Logins"; $mysql = new mysqli($mysql_server,$mysql_user,$mysql_pass,$mysql_db); $result = mysqli_query($mysql,"SELECT credentialPublicKey, userId, name FROM users WHERE credentialId = '".base64_encode($id)."';"); if(!$result){ $msg = "Error:
".mysqli_error($mysql)."
"; } if ($result->num_rows > 0) { $row = $result->fetch_assoc(); $credentialPublicKey = base64_decode($row["credentialPublicKey"]); $reg = (object) ['userId' => base64_decode($row["userId"])]; $username = $row["name"]; } /*else { if (isset($_SESSION['registrations']) && is_array($_SESSION['registrations'])) { foreach ($_SESSION['registrations'] as $reg) { if ($reg->credentialId === $id) { $credentialPublicKey = $reg->credentialPublicKey; break; } } } }*/ if ($credentialPublicKey === null) { throw new Exception('Public Key for credential ID not found!'); } // if we have resident key, we have to verify that the userHandle is the provided userId at registration if ($requireResidentKey && $userHandle !== hex2bin($reg->userId)) { throw new \Exception('userId doesnt match (is ' . bin2hex($userHandle) . ' but expect ' . $reg->userId . ')'); } // process the get request. throws WebAuthnException if it fails $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $credentialPublicKey, $challenge, null, $userVerification === 'required'); $return = new stdClass(); $return->success = true; $authKey = strval(random_int(0,99999999)); $result = mysqli_query($mysql,"UPDATE users SET authKey=".$authKey.", lastAuth=NOW() WHERE credentialId = '".base64_encode($id)."';"); $_SESSION["Logged"] = true; $_SESSION["user"] = $username; $_SESSION["authKey"] = $authKey; header('Content-Type: application/json'); print(json_encode($return)); // ------------------------------------ // proccess clear registrations // ------------------------------------ } else if ($fn === 'clearRegistrations') { $_SESSION['registrations'] = null; $_SESSION['challenge'] = null; $return = new stdClass(); $return->success = true; $return->msg = 'all registrations deleted'; header('Content-Type: application/json'); print(json_encode($return)); // ------------------------------------ // display stored data as HTML // ------------------------------------ } /*else if ($fn === 'getStoredDataHtml') { $html = '' . "\n"; $html .= ''; $html .= ''; if (isset($_SESSION['registrations']) && is_array($_SESSION['registrations'])) { $html .= '

There are ' . count($_SESSION['registrations']) . ' registrations in this session:

'; foreach ($_SESSION['registrations'] as $reg) { $html .= ''; foreach ($reg as $key => $value) { if (is_bool($value)) { $value = $value ? 'yes' : 'no'; } else if (is_null($value)) { $value = 'null'; } else if (is_object($value)) { $value = chunk_split(strval($value), 64); } else if (is_string($value) && strlen($value) > 0 && htmlspecialchars($value, ENT_QUOTES) === '') { $value = chunk_split(bin2hex($value), 64); } $html .= ''; } $html .= '
' . htmlspecialchars($key) . '' . nl2br(htmlspecialchars($value)) . '
'; } } else { $html .= '

There are no registrations.

'; } $html .= ''; header('Content-Type: text/html'); print $html; // ------------------------------------ // get root certs from FIDO Alliance Metadata Service // ------------------------------------ } */else if ($fn === 'queryFidoMetaDataService') { $mdsFolder = './restricted/WebAuthn/rootCertificates/mds'; $success = false; $msg = null; // fetch only 1x / 24h $lastFetch = \is_file($mdsFolder . '/lastMdsFetch.txt') ? \strtotime(\file_get_contents($mdsFolder . '/lastMdsFetch.txt')) : 0; if ($lastFetch + (3600*48) < \time()) { $cnt = $WebAuthn->queryFidoMetaDataService($mdsFolder); $success = true; \file_put_contents($mdsFolder . '/lastMdsFetch.txt', date('r')); $msg = 'successfully queried FIDO Alliance Metadata Service - ' . $cnt . ' certificates downloaded.'; } else { $msg = 'Fail: last fetch was at ' . date('r', $lastFetch) . ' - fetch only 1x every 48h'; } $return = new stdClass(); $return->success = $success; $return->msg = $msg; header('Content-Type: application/json'); print(json_encode($return)); } } catch (Throwable $ex) { $return = new stdClass(); $return->success = false; $return->msg = $ex->getMessage(); header('Content-Type: application/json'); print(json_encode($return)); }