From 7df2bb28f8d7baa1bbe893bdc394262409a042a0 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 19 Jan 2022 21:35:21 +0100 Subject: [PATCH] [WebAuthn] disable rootCA default --- data/web/inc/prerequisites.inc.php | 15 +-------------- docker-compose.yml | 2 +- generate_config.sh | 20 ++++---------------- update.sh | 24 ++++++------------------ 4 files changed, 12 insertions(+), 49 deletions(-) diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php index 2cf71bd8..6a6832ef 100644 --- a/data/web/inc/prerequisites.inc.php +++ b/data/web/inc/prerequisites.inc.php @@ -63,20 +63,7 @@ $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider); $formats = $GLOBALS['FIDO2_FORMATS']; $WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats); // only include root ca's when needed -$WEBAUTHN_DISABLE_ROOTCA = (getenv('WEBAUTHN_DISABLE_ROOTCA') == 'y'); -if (!$WEBAUTHN_DISABLE_ROOTCA){ - $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/solo.pem'); - $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/apple.pem'); - $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/nitro.pem'); - $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/yubico.pem'); - $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/hypersecu.pem'); - $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/globalSign.pem'); - $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/googleHardware.pem'); - $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/microsoftTpmCollection.pem'); - $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/huawei.pem'); - $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/trustkey.pem'); - $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/bsi.pem'); -} +if (getenv('WEBAUTHN_RESPECT_ROOTCA') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates'); // Redis $redis = new Redis(); diff --git a/docker-compose.yml b/docker-compose.yml index 6e0a6ed7..eb28ec8e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -157,7 +157,7 @@ services: - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n} - MASTER=${MASTER:-y} - DEV_MODE=${DEV_MODE:-n} - - WEBAUTHN_DISABLE_ROOTCA=${WEBAUTHN_DISABLE_ROOTCA:-n} + - WEBAUTHN_RESPECT_ROOTCA=${WEBAUTHN_RESPECT_ROOTCA:-n} restart: always networks: mailcow-network: diff --git a/generate_config.sh b/generate_config.sh index 23673527..8664b790 100755 --- a/generate_config.sh +++ b/generate_config.sh @@ -344,22 +344,10 @@ DOVECOT_MASTER_PASS= # https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_tls/ ACME_CONTACT= -# Disable including device root ca's for WebAuthn -# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers -# It will solve "Error: invalid root certificate" at TFA device registration -# Suported devices are -# solo certified -# apple certified -# nitro certified -# yubico certified -# hypersecu certified -# globalSign certified -# googleHardware certified -# microsoftTpmCollection certified -# huawei certified -# trustkey certified -# bsi certified -WEBAUTHN_DISABLE_ROOTCA=n +# Enable webauthn device manufacturer verification +# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed +# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates +WEBAUTHN_RESPECT_ROOTCA=n EOF diff --git a/update.sh b/update.sh index 73636828..7565c9d7 100755 --- a/update.sh +++ b/update.sh @@ -307,7 +307,7 @@ CONFIG_ARRAY=( "ADDITIONAL_SERVER_NAMES" "ACME_CONTACT" "WATCHDOG_VERBOSE" - "WEBAUTHN_DISABLE_ROOTCA" + "WEBAUTHN_RESPECT_ROOTCA" ) sed -i --follow-symlinks '$a\' mailcow.conf @@ -515,24 +515,12 @@ for option in ${CONFIG_ARRAY[@]}; do echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf echo 'ACME_CONTACT=' >> mailcow.conf fi - elif [[ ${option} == "WEBAUTHN_DISABLE_ROOTCA" ]]; then + elif [[ ${option} == "WEBAUTHN_RESPECT_ROOTCA" ]]; then if ! grep -q ${option} mailcow.conf; then - echo "# Disable including device root ca's for WebAuthn" >> mailcow.conf - echo '# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers' >> mailcow.conf - echo '# It will solve "Error: invalid root certificate" at TFA device registration' >> mailcow.conf - echo '# Suported devices are' >> mailcow.conf - echo '# solo certified' >> mailcow.conf - echo '# apple certified' >> mailcow.conf - echo '# nitro certified' >> mailcow.conf - echo '# yubico certified' >> mailcow.conf - echo '# hypersecu certified' >> mailcow.conf - echo '# globalSign certified' >> mailcow.conf - echo '# googleHardware certified' >> mailcow.conf - echo '# microsoftTpmCollection certified' >> mailcow.conf - echo '# huawei certified' >> mailcow.conf - echo '# trustkey certified' >> mailcow.conf - echo '# bsi certified' >> mailcow.conf - echo 'WEBAUTHN_DISABLE_ROOTCA=n' >> mailcow.conf + echo "# Enable webauthn device manufacturer verification" >> mailcow.conf + echo '# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed' >> mailcow.conf + echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf + echo 'WEBAUTHN_RESPECT_ROOTCA=n' >> mailcow.conf fi elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then if ! grep -q ${option} mailcow.conf; then