yubico / php-u2flib-server Goto Github PK

Hi,
I included this Library into my Symfony Project.
I used the Bundle:
https://github.com/darookee/u2f-two-factor-bundle
to work with it.
But it will not work.
Everytime I try to validate my Yubikey Neo 4 device I get the following message:

Error in U2F.php line 266:
No matching request found

This is the Part where it seems to break (within the U2F Library)

foreach ($requests as $req) {
      if( !is_object( $req ) ) {
        throw new \InvalidArgumentException('$requests of doAuthenticate() method only accepts array of object.');
  }
  if($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) {
        break;
  }
  $req = null;
}
if($req === null) {
  throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST );
}

What I could find out is, that the Challenge that the Library returns does not match the Challange that the Yubikey Returns.
I can't figure out what the Problem is.
As all Parts (the Bundle) just forward theire calls to the php-u2flib-server library.
Nothing more.
Please help.

How about include source code of http://demo.yubico.com/u2f as a example?

Hello,

First thanks for this amazing library, the library is compatible with Firefox ?

Current firefox version : 58.0a1 (2017-11-06) (64 bits)
I test with a yubikey neo

With firefox :

• about:config i security.webauth.u2f to true
• go to https://demo.yubico.com/u2f : test is OK

when i use the library on my site it work in Chrome, Opéra but not firefox

The library should be refactored to conform to PSR-4 at some point.

Ref https://github.com/padraic/humbug – I will see when I get time for this.

It seems this lib has no way to detect the security key is already registered or not in doRegister().
So, developers cannot prevent registration of registered security key!

To reproduce these failures:

php -dmbstring.func_overload=7 vendor/bin/phpunit

Solution: This constant-time encoding library offers two interfaces that will be useful:

1. Binary for the safeStrlen() and safeSubstr() methods.
2. Base64UrlSafe which converts to/from the Base64UrlSafe alphabet as defined in RFC 4648

Errors below:

$ php -dmbstring.func_overload=7 vendor/bin/phpunit 
PHPUnit 4.8.26 by Sebastian Bergmann and contributors.
Warning:    The Xdebug extension is not loaded
        No code coverage will be generated.

.EE.F.E........EFF.......

Time: 74 ms, Memory: 4.00MB

There were 4 errors:

1) U2FTest::testDoRegister
u2flib_server\Error: Decoding of public key failed

/var/www/php-u2flib-server/src/u2flib_server/U2F.php:198
/var/www/php-u2flib-server/tests/u2flib_test.php:52

2) U2FTest::testDoRegisterNoCert
u2flib_server\Error: Decoding of public key failed

/var/www/php-u2flib-server/src/u2flib_server/U2F.php:198
/var/www/php-u2flib-server/tests/u2flib_test.php:62

3) U2FTest::testDoRegisterAttest
u2flib_server\Error: Attestation certificate can not be validated

/var/www/php-u2flib-server/src/u2flib_server/U2F.php:193
/var/www/php-u2flib-server/tests/u2flib_test.php:103

4) U2FTest::testDoAuthenticate
u2flib_server\Error: Decoding of public key failed

/var/www/php-u2flib-server/src/u2flib_server/U2F.php:300
/var/www/php-u2flib-server/tests/u2flib_test.php:192

--

There were 3 failures:

1) U2FTest::testDoRegisterFail2
Failed asserting that 9 is equal to expected exception code 5.

2) U2FTest::testDoAuthenticateCtrFail
Failed asserting that 9 is equal to expected exception code 8.

3) U2FTest::testDoAuthenticateFail
Failed asserting that 9 is equal to expected exception code 3.

FAILURES!
Tests: 25, Assertions: 48, Errors: 4, Failures: 3.

PSR1 suggests to have a class per file. Currently, U2F.php has several classes in it and should be split into a file per class.

I installed U2F server library on CentOS 7, it works well with Chrome on the Local machine.
But when I try to test the U2F server with a remote Chrome, ie. connecting from different IP,
U2F server seemed unable to communicate with the Chrome thus responded with an error code: 2.
This problem also exists in the Java version of U2F server library.
The same Chrome works well at Yubico's Demo site and Google+ with a U2F token.
Could you please explain why does this error happen and how to resolve it?
Thanks!

This library expects a registration/authentication response to not contain the property errorCode (see here and here).

However, an errorCode value of 0 should be considered as OK.

This behaviour currently breaks functionality with (at least) Chrome for Android's implementation, which sets the property errorCode to 0 on success.

I'm trying to build a simple login site with a U2F device. Tested it on https://demo.yubico.com/u2f and works fine, but when I try to run both examples locally I get these errors:

For localstorage I get a HTML error 500 after the register POST; checking on the apache error log I got:

[Thu Apr 23 14:24:39.083298 2015] [:error] [pid 17385] [client 127.0.0.1:50108] PHP Fatal error:  Uncaught exception 'InvalidArgumentException' with message '$registrations of getRegisterData() method only accepts array.' in /home/www/Sites/u2f/u2flib_server/U2F.php:103\nStack trace:\n#0 /home/www/Sites/u2f/index.php(83): u2flib_server\\U2F->getRegisterData(NULL)\n#1 {main}\n  thrown in /home/www/Sites/u2f/u2flib_server/U2F.php on line 103, referer: http://u2f.local/

And for the pdo I get an alert with the message: "registration failed with errror: 2". Checking the db it inserts the entry on the users table but nothing on the registrations one.

I'd like to know if I'm missing something.

Thanks.

EDIT: Tested with https and changed the .local for .com on the virtualhost and /etc/hosts, now it shows the "security key access requested" modal and works fine. It seems the U2F extension is not custom-domain-friendly.

Please close the issue.

I tried to find a security contact, but got nowhere on that.

https://github.com/Yubico/php-u2flib-server/blob/master/src/u2flib_server/U2F.php#L61

Needs to check the &$crypto_strong parameter, and throw a 500-class error if it = false after the random sample.

How to fix?

The counter field in the table won't be updated correctly in the PDO example.
https://github.com/Yubico/php-u2flib-server/blob/master/examples/pdo/index.php#L82
this line uses $reg->id, however this doesn't exists within Registration. Due to that, the counter will never be updated and will be kept on 0.

Hi,

I would like to include u2f authentication to my homepage.

To start I tried to run the pdo example here.
If I try to register, I always get the following error in the js console in Firefox 60.1.0 (ESR):
TypeError: setting getter-only property "u2f" : u2f-api.js:16:5

Is the example broken or did I make some mistake?

Thanks
Julian

Composer has unpatched (and apparently unresolvable [reported in 2012 and still not fixed]) RCE MITM issues. This package imports them by reference.

Details @ composer/composer#1074

Hello,

can you please make more stable Releases.
the last Release is from on 3 Mar 2015.

I am looking for a simple way to add U2F support to a web application.
And it seems this project is capable of doing that, however I am a bit put off by the amount of dependencies pulled in.

Currently one seems to need:

• mcrypt PHP extension
• GMP PHP extension
• OpenSSL PHP extension (currently only used to generate random numbers)
• mdanter/ecc library
• PHPseclib library.

I know one can use Composer to simplify dependency management, however I would really prefer to just have a single PHP file solution instead.
Was wondering that since you are requiring OpenSSL anyway, if it wouldn't be possible to use OpenSSL for the ECDSA validation as well, and get rid of all the other dependencies.

As in:

• Add some code to convert the public ECC key provided by token to PEM format.
• Call openssl_verify($data_to_be_hashed, $sig, $pem_public_key, OPENSSL_ALGO_SHA256) instead of the $key->verifies() code to perform ECDSA validation in doAuthenticate()

Is there any reason that wouldn't work, and the existing approach is used?
(haven't tried it yet, as I don't have an U2F token to test with yet)

I get "Unknown or missing requestId in response." when running u2f-local.php and clicking on Register.

Chrome Version 68.0.3440.84 (Official Build) (64-bit)
PHP Version 7.2.2

Chrome 41 supports u2f without extensions, so the examples should be updated to take advantage of that.

Can you provide an explicit example for how to use this code?

E.g., I see cli. It wants two parameters -r and -o, but doesn't tell me what they are or what they do.

If I run the server "./u2f-server.phps -o ff -r mytest", I see a line of JSON output. Then it sits. I have no idea what it's waiting for as input. But if I type in anything (clearly what it doesn't expect), it throws an error about doRegister only accepting objects. (Error on U2F.php line 167).

Since you're defining your own Error class in the global namespace, this library will not work with PHP 7.

I understand this repo is for PHP. But I am interested in GO and I don't know how else to ask. Do you have any server side library for GO? I searched in your Github org and Google and did not find anything.

Thanks.

The reference applications incorrectly handle a rolled back counter -- needs to disable the login on valid signature with a rolled back counter to prevent security failures. Current model allows for counter iteration, defeating the security of the counter.

Hello, I am testing the PDO example with Google Chrome Version 67.0.3396.79 (Official Build) (64-bit) and Yubikey NEO.

When I click on Register button I always get the following error:

Register:  {version: "U2F_V2", challenge: "Zdd4xwVOidu7uhs72MP-vHBc4z-wkWG6EQAw30MYvGA", appId: "http://192.168.1.68"}

u2f-api.js:532 Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('chrome-extension://kmendfapggjehodndflmmgagdbamhnfd') does not match the recipient window's origin ('null').
(anonymous) @ u2f-api.js:532
load (async)
u2f.getIframePort_ @ u2f-api.js:530
u2f.getMessagePort @ u2f-api.js:155
u2f.getPortSingleton_ @ u2f-api.js:584
u2f.register @ u2f-api.js:642
(anonymous) @ (index):11
setTimeout (async)
(anonymous) @ (index):9

Am I doing something wrong?

some kind of warning if minimum requirements are not met as most deployment are 0.9.8

Description
While checking one of my projects for potentially unsafe usage of the openssl_random_pseudo_bytes function I also had a hit on the U2F::createChallenge method.

The createChallenge method generates random bytes using the $crypto_strong option the function facilitates which is a good thing. This value is also correctly checked in the if statement below the function call.

It, however, is also advised to test if the actual output of the openssl_random_pseudo_bytes is a non-false value. Which can occur when openssl_random_pseudo_bytes failed to generate the bytes.

Proposal
I'd like to add a second check to the existing if statement. Resulting in the same error when generating the challenge failed for some odd reason.

   /**
     * @return string
     * @throws Error
     */
    private function createChallenge()
    {
        $challenge = openssl_random_pseudo_bytes(32, $crypto_strong );
        if($crypto_strong !== true || $challenge === false) {
            throw new Error('Unable to obtain a good source of randomness', ERR_BAD_RANDOM);
        }

        $challenge = $this->base64u_encode( $challenge );

        return $challenge;
    }

Since the Chrome extension is no longer required. See here for an example.

• Fix security issues
  • XSS in localstorage example
  • XSS in the PDO samples
• Do not bundle with releases (e.g. remove from composer file + release build)

[Sat Oct 10 00:16:38.667016 2015] [:error] [pid 52030] [client ::1:49579] PHP Fatal error:  Uncaught exception 'InvalidArgumentException' with message '$registrations of getRegisterData() method only accepts array.' in /Users/lukasreschke/Documents/Programming/php-u2flib-server/src/u2flib_server/U2F.php:103\nStack trace:\n#0 /Users/lukasreschke/Documents/Programming/php-u2flib-server/examples/localstorage/index.php(83): u2flib_server\\U2F->getRegisterData(NULL)\n#1 {main}\n  thrown in /Users/lukasreschke/Documents/Programming/php-u2flib-server/src/u2flib_server/U2F.php on line 103, referer: http://localhost/php-u2flib-server/examples/localstorage/

… likely the extension stuff … - thus dupe of #18

Can we get a Vagrantfile setup to exercise this project and enable a demo. Would make it more contributor-ready. Maybe PuPHPet?

I have proved that this script is INCOMPATIBLE with PHP 7 Preloading

The problem is with constants.

The namespaces constants are removed when the script is preloaded.

The solution I found was to move the constants into the class, so they become namespaced class constants.

The current doAuthenticate only checks the counter and if the signature is
valid. It should also check if the response challenge is the request
challenge.

Hello together,

is it possible that it should have also a handler for the id property in the castObjectToRegistration function in the file "U2F.php" ? So it will also return the id of the matching key, which will be good for database storing. Or i'm handling that wrong?

Thank you and best regards,
Maisen20

I'd appreciate if you could add ScrutinizerCI to this repository.

See https://scrutinizer-ci.com/tour/measure-and-improve-code-quality - for open-source projects on GitHub it's free and it's quite good. - See https://scrutinizer-ci.com/g/owncloud/core/ for an example.