Skip to content

Commit 20adb4a

Browse files
xellioRichard Prillwitz
xellio
and
Richard Prillwitz
authored
#94 Check for known android key hashes (#95)
* #94 Check for known android key hashes instead of URL origin check in case the origin string starts with android:apk-key-hash:; * Fixed haystack needle order; --------- Co-authored-by: Richard Prillwitz <richard.prillwitz@proton.ch>
1 parent 53d9f76 commit 20adb4a

1 file changed

Lines changed: 35 additions & 0 deletions

File tree

src/WebAuthn.php

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,7 @@ class WebAuthn {
3030
private $_signatureCounter;
3131
private $_caFiles;
3232
private $_formats;
33+
private $_androidKeyHashes;
3334

3435
/**
3536
* Initialize a new WebAuthn server
@@ -90,6 +91,23 @@ public function addRootCertificates($path, $certFileExtensions=null) {
9091
}
9192
}
9293

94+
/**
95+
* add key hashes for android verification
96+
* @param array<string> $hashes
97+
* @return void
98+
*/
99+
public function addAndroidKeyHashes($hashes) {
100+
if (!\is_array($this->_androidKeyHashes)) {
101+
$this->_androidKeyHashes = [];
102+
}
103+
104+
foreach ($hashes as $hash) {
105+
if (is_string($hash)) {
106+
$this->_androidKeyHashes[] = $hash;
107+
}
108+
}
109+
}
110+
93111
/**
94112
* Returns the generated challenge to save for later validation
95113
* @return ByteBuffer
@@ -603,6 +621,10 @@ public function queryFidoMetaDataService($certFolder, $deleteCerts=true) {
603621
* @throws WebAuthnException
604622
*/
605623
private function _checkOrigin($origin) {
624+
if (str_starts_with($origin, 'android:apk-key-hash:')) {
625+
return $this->_checkAndroidKeyHashes($origin);
626+
}
627+
606628
// https://www.w3.org/TR/webauthn/#rp-id
607629

608630
// The origin's scheme must be https
@@ -619,6 +641,19 @@ private function _checkOrigin($origin) {
619641
return \preg_match('/' . \preg_quote($this->_rpId) . '$/i', $host) === 1;
620642
}
621643

644+
/**
645+
* checks if the origin value contains a known android key hash
646+
* @param string $origin
647+
* @return boolean
648+
*/
649+
private function _checkAndroidKeyHashes($origin) {
650+
$parts = explode('android:apk-key-hash:', $origin);
651+
if (count($parts) !== 2) {
652+
return false;
653+
}
654+
return in_array($parts[1], $this->_androidKeyHashes, true);
655+
}
656+
622657
/**
623658
* generates a new challange
624659
* @param int $length

0 commit comments

Comments
 (0)