web-eid / web-eid-authtoken-validation-php
Web eID authentication token validation library for PHP
License: MIT License
// openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error); see the report below.
$result = openssl_verify($concatSignedFields, $decodedSignature, $publicKey, $hashAlgorithm);
if (!$result) { // only 0 is falsy here, so the -1 error case slips through
throw new AuthTokenSignatureValidationException();
}
If openssl_verify fails for some reason, it returns value -1. In PHP, boolval(-1) returns true. Thus the exception is not thrown and the validation result looks valid, even when the error occurred.
Reproducible for example by calling $decodedSignature = AsnUtil::transcodeSignatureToDER($decodedSignature); twice (to make the signature unrecognizable by OpenSSL).
This operation can make a valid signature become invalid!
My testing card returns the ECDSA signature already in DER format (for example, my $signature before these lines is MEYCIQD5VsViadEM3SrP9Fxn9zrVEqk3cEAqLqexM7IiIhGEjAIhANXRZe/vpPrCa8u44rrxnzchhhzVcWdXtHdkOx3ld4/0, i.e. it is parsable in https://lapo.it/asn1js/).
The openssl_verify later on fails with an error (returns -1), unless I comment the transcoding out (meaning the validation library is not supposed to transcode that specific signature).
In my implementation, I used a second condition !ASN1::asn1map(ASN1::decodeBER($derSig)[0], DssSigValue::MAP). It basically says: try to decode this DER string into a sequence with two children of type integer (= DssSigValue::MAP). If it is successful, there is no need to do the transcoding and validation continues; openssl_verify returns 1.
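The two defects in the report above (treating openssl_verify's -1 as success, and transcoding a signature that is already DER) can be handled together. The following is an added example, not code from the web-eid library or from the issue author; it assumes phpseclib/phpseclib 3.x is installed via Composer (for phpseclib3\File\ASN1 and its DssSigValue map), and the names isDerEcdsaSignature, p1363ToDer, toDerSignature and verifyStrict are chosen here for illustration.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumption: phpseclib 3.x via Composer

use phpseclib3\File\ASN1;
use phpseclib3\File\ASN1\Maps\DssSigValue;

/** True if $sig already parses as DER SEQUENCE { INTEGER r, INTEGER s }. */
function isDerEcdsaSignature(string $sig): bool
{
    $decoded = ASN1::decodeBER($sig);
    if (!is_array($decoded) || !isset($decoded[0])) {
        return false;
    }
    // asn1map() returns false when the structure does not match the map.
    return ASN1::asn1map($decoded[0], DssSigValue::MAP) !== false;
}

/** Encode one unsigned big-endian integer as a DER INTEGER. */
function derInteger(string $raw): string
{
    $raw = ltrim($raw, "\x00");
    if ($raw === '' || (ord($raw[0]) & 0x80) !== 0) {
        $raw = "\x00" . $raw; // keep the value non-negative in two's complement
    }
    return "\x02" . chr(strlen($raw)) . $raw;
}

/** Convert a raw r||s (IEEE P1363) ECDSA signature to DER. */
function p1363ToDer(string $sig): string
{
    $half = intdiv(strlen($sig), 2);
    $body = derInteger(substr($sig, 0, $half)) . derInteger(substr($sig, $half));
    $len  = strlen($body);
    // Long-form length is needed for P-521 (body exceeds 127 bytes).
    $lenOctets = $len < 128 ? chr($len) : "\x81" . chr($len);
    return "\x30" . $lenOctets . $body;
}

/** Transcode only when the signature is not already DER (the reporter's suggestion). */
function toDerSignature(string $sig): string
{
    return isDerEcdsaSignature($sig) ? $sig : p1363ToDer($sig);
}

/** Tri-state handling of openssl_verify: 1 = valid, 0 = invalid, -1/false = error. */
function verifyStrict(string $data, string $sig, $publicKey, int $algo = OPENSSL_ALGO_SHA256): bool
{
    $result = openssl_verify($data, $sig, $publicKey, $algo);
    if ($result === 1) {
        return true;
    }
    if ($result !== 0) {
        // -1 (or false) means OpenSSL could not even perform the check; never treat as valid.
        throw new RuntimeException('openssl_verify error: ' . (openssl_error_string() ?: 'unknown'));
    }
    return false;
}

// Demo with a freshly generated P-256 key (constructed here, not data from the page).
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$pub = openssl_pkey_get_public(openssl_pkey_get_details($key)['key']);
$data = 'constructed signed fields';

openssl_sign($data, $derSig, $key, OPENSSL_ALGO_SHA256); // OpenSSL emits DER
var_dump(isDerEcdsaSignature($derSig));                  // bool(true): no transcoding needed
var_dump(verifyStrict($data, toDerSignature($derSig), $pub)); // bool(true)

// A raw r||s signature of the same values is detected and transcoded instead.
$parsed = ASN1::asn1map(ASN1::decodeBER($derSig)[0], DssSigValue::MAP);
$raw = str_pad($parsed['r']->toBytes(), 32, "\x00", STR_PAD_LEFT)
     . str_pad($parsed['s']->toBytes(), 32, "\x00", STR_PAD_LEFT);
var_dump(isDerEcdsaSignature($raw));                     // bool(false)
var_dump(verifyStrict($data, toDerSignature($raw), $pub)); // bool(true)

// The original check: !(-1) is false, so an OpenSSL error would not throw.
var_dump(!(-1)); // bool(false)
```

The strict comparison against 1 is the fix for the first problem: openssl_verify is documented to return 1, 0 or -1 (and false on PHP 8 for bad arguments), and only 1 may be accepted. The DER probe before transcoding addresses the second: a signature that a card already delivers as SEQUENCE { r, s } is passed through unchanged, while a raw r||s signature is converted. The double-transcoding failure described in the report then surfaces as an exception rather than as a silently "valid" token.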
Latest stable version 1.0.0 has guzzlehttp/psr7 pinned at version 2.4.3 and phpseclib/phpseclib pinned at version 3.0.14.
Please update the required dependencies.
Details:
CVE-2023-29197
CVE-2023-27560