[WebAuthn] disable rootCA default

data/web/inc/prerequisites.inc.php

@@ -63,20 +63,7 @@ $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider);
 $formats = $GLOBALS['FIDO2_FORMATS'];
 $WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats);
 // only include root ca's when needed
-$WEBAUTHN_DISABLE_ROOTCA = (getenv('WEBAUTHN_DISABLE_ROOTCA') == 'y');
-if (!$WEBAUTHN_DISABLE_ROOTCA){
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/solo.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/apple.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/nitro.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/yubico.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/hypersecu.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/globalSign.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/googleHardware.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/microsoftTpmCollection.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/huawei.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/trustkey.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/bsi.pem');
-}
+if (getenv('WEBAUTHN_RESPECT_ROOTCA') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');
 
 // Redis
 $redis = new Redis();

docker-compose.yml

@@ -157,7 +157,7 @@ services:
         - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
         - MASTER=${MASTER:-y}
         - DEV_MODE=${DEV_MODE:-n}
-        - WEBAUTHN_DISABLE_ROOTCA=${WEBAUTHN_DISABLE_ROOTCA:-n}
+        - WEBAUTHN_RESPECT_ROOTCA=${WEBAUTHN_RESPECT_ROOTCA:-n}
       restart: always
       networks:
         mailcow-network:

generate_config.sh

@@ -344,22 +344,10 @@ DOVECOT_MASTER_PASS=
 # https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_tls/
 ACME_CONTACT=
 
-# Disable including device root ca's for WebAuthn
-# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers
-# It will solve "Error: invalid root certificate" at TFA device registration
-# Suported devices are 
-#   solo certified
-#   apple certified
-#   nitro certified
-#   yubico certified
-#   hypersecu certified
-#   globalSign certified
-#   googleHardware certified
-#   microsoftTpmCollection certified
-#   huawei certified
-#   trustkey certified
-#   bsi certified
-WEBAUTHN_DISABLE_ROOTCA=n
+# Enable webauthn device manufacturer verification
+# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed
+# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
+WEBAUTHN_RESPECT_ROOTCA=n
 
 EOF
 

update.sh

@@ -307,7 +307,7 @@ CONFIG_ARRAY=(
   "ADDITIONAL_SERVER_NAMES"
   "ACME_CONTACT"
   "WATCHDOG_VERBOSE"
-  "WEBAUTHN_DISABLE_ROOTCA"
+  "WEBAUTHN_RESPECT_ROOTCA"
 )
 
 sed -i --follow-symlinks '$a\' mailcow.conf
@@ -515,24 +515,12 @@ for option in ${CONFIG_ARRAY[@]}; do
       echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf
       echo 'ACME_CONTACT=' >> mailcow.conf
   fi
-  elif [[ ${option} == "WEBAUTHN_DISABLE_ROOTCA" ]]; then
+  elif [[ ${option} == "WEBAUTHN_RESPECT_ROOTCA" ]]; then
     if ! grep -q ${option} mailcow.conf; then
-      echo "# Disable including device root ca's for WebAuthn" >> mailcow.conf
-      echo '# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers' >> mailcow.conf
-      echo '# It will solve "Error: invalid root certificate" at TFA device registration' >> mailcow.conf
-      echo '# Suported devices are' >> mailcow.conf
-      echo '#   solo certified' >> mailcow.conf
-      echo '#   apple certified' >> mailcow.conf
-      echo '#   nitro certified' >> mailcow.conf
-      echo '#   yubico certified' >> mailcow.conf
-      echo '#   hypersecu certified' >> mailcow.conf
-      echo '#   globalSign certified' >> mailcow.conf
-      echo '#   googleHardware certified' >> mailcow.conf
-      echo '#   microsoftTpmCollection certified' >> mailcow.conf
-      echo '#   huawei certified' >> mailcow.conf
-      echo '#   trustkey certified' >> mailcow.conf
-      echo '#   bsi certified' >> mailcow.conf
-      echo 'WEBAUTHN_DISABLE_ROOTCA=n' >> mailcow.conf
+      echo "# Enable webauthn device manufacturer verification" >> mailcow.conf
+      echo '# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed' >> mailcow.conf
+      echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf
+      echo 'WEBAUTHN_RESPECT_ROOTCA=n' >> mailcow.conf
     fi
 elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then
     if ! grep -q ${option} mailcow.conf; then