[WebAuthn] disable rootCA default
parent
5858c464d9
commit
7df2bb28f8
@ -63,20 +63,7 @@ $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider);
$formats = $GLOBALS['FIDO2_FORMATS'];
$formats = $GLOBALS['FIDO2_FORMATS'];
$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats);
$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats);
// only include root ca's when needed
// only include root ca's when needed
$WEBAUTHN_DISABLE_ROOTCA = (getenv('WEBAUTHN_DISABLE_ROOTCA') == 'y');
if (getenv('WEBAUTHN_RESPECT_ROOTCA') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');
if (!$WEBAUTHN_DISABLE_ROOTCA){
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/solo.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/apple.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/nitro.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/yubico.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/hypersecu.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/globalSign.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/googleHardware.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/microsoftTpmCollection.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/huawei.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/trustkey.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/bsi.pem');
}
// Redis
// Redis
$redis = new Redis();
$redis = new Redis();
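Review bot: The new single-line `if` on the `WEBAUTHN_RESPECT_ROOTCA` check flips attestation root validation to opt-in, so with the shipped default `n` no root certificate is loaded and, going by the removed generate_config.sh comment about "devices from untrusted Manufacturers", presumably any authenticator can be registered; that trade-off belongs in the comment at the call site, e.g. `// default: no attestation roots are loaded, so manufacturer/attestation-chain checks are skipped; set WEBAUTHN_RESPECT_ROOTCA=y to enforce them`. The comparison should be strict, `if (getenv('WEBAUTHN_RESPECT_ROOTCA') === 'y') {`, since `getenv()` returns `false` when the variable is unset, and the body deserves braces rather than a one-line `if`. The call now passes the whole `rootCertificates` directory instead of the individual `.pem` files the old code listed, so if the library scans that directory every file placed there becomes a trust anchor, which makes the directory's ownership and write permissions part of the security boundary. The same default appears in the docker-compose and generate_config.sh hunks below.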
|
||||||
|
|
|
@ -157,7 +157,7 @@ services:
- ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
- ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
- MASTER=${MASTER:-y}
- MASTER=${MASTER:-y}
- DEV_MODE=${DEV_MODE:-n}
- DEV_MODE=${DEV_MODE:-n}
- WEBAUTHN_DISABLE_ROOTCA=${WEBAUTHN_DISABLE_ROOTCA:-n}
- WEBAUTHN_RESPECT_ROOTCA=${WEBAUTHN_RESPECT_ROOTCA:-n}
restart: always
restart: always
networks:
networks:
mailcow-network:
mailcow-network:
@ -344,22 +344,10 @@ DOVECOT_MASTER_PASS=
# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_tls/
# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_tls/
ACME_CONTACT=
ACME_CONTACT=
|
||||||
|
|
||||||
# Disable including device root ca's for WebAuthn
# Enable webauthn device manufacturer verification
# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers
# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed
# It will solve "Error: invalid root certificate" at TFA device registration
# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
# Suported devices are
WEBAUTHN_RESPECT_ROOTCA=n
# solo certified
# apple certified
# nitro certified
# yubico certified
# hypersecu certified
# globalSign certified
# googleHardware certified
# microsoftTpmCollection certified
# huawei certified
# trustkey certified
# bsi certified
WEBAUTHN_DISABLE_ROOTCA=n
EOF
EOF
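Review bot: The generated comment block explains what `WEBAUTHN_RESPECT_ROOTCA=y` does but says nothing about what the shipped default `n` means, and an admin reading mailcow.conf should see that trade-off; add a line such as `# With the default n, attestation root certificates are not checked and any FIDO2 authenticator can be registered` directly above `WEBAUTHN_RESPECT_ROOTCA=n`. The removed vendor list also told admins which roots were bundled; the new text could name the `.pem` files that ship in the rootCertificates directory or tell the reader to check that directory. The same three echoed lines in the update.sh hunk below should carry identical wording so fresh and upgraded installs read the same. The heredoc this text belongs to opens before the hunk; only its closing `EOF` is visible here.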
24
update.sh
24
update.sh
@ -307,7 +307,7 @@ CONFIG_ARRAY=(
"ADDITIONAL_SERVER_NAMES"
"ADDITIONAL_SERVER_NAMES"
"ACME_CONTACT"
"ACME_CONTACT"
"WATCHDOG_VERBOSE"
"WATCHDOG_VERBOSE"
"WEBAUTHN_DISABLE_ROOTCA"
"WEBAUTHN_RESPECT_ROOTCA"
)
)
sed -i --follow-symlinks '$a\' mailcow.conf
sed -i --follow-symlinks '$a\' mailcow.conf
@ -515,24 +515,12 @@ for option in ${CONFIG_ARRAY[@]}; do
echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf
echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf
echo 'ACME_CONTACT=' >> mailcow.conf
echo 'ACME_CONTACT=' >> mailcow.conf
fi
fi
elif [[ ${option} == "WEBAUTHN_DISABLE_ROOTCA" ]]; then
elif [[ ${option} == "WEBAUTHN_RESPECT_ROOTCA" ]]; then
if ! grep -q ${option} mailcow.conf; then
if ! grep -q ${option} mailcow.conf; then
echo "# Disable including device root ca's for WebAuthn" >> mailcow.conf
echo "# Enable webauthn device manufacturer verification" >> mailcow.conf
echo '# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers' >> mailcow.conf
echo '# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed' >> mailcow.conf
echo '# It will solve "Error: invalid root certificate" at TFA device registration' >> mailcow.conf
echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf
echo '# Suported devices are' >> mailcow.conf
echo 'WEBAUTHN_RESPECT_ROOTCA=n' >> mailcow.conf
echo '# solo certified' >> mailcow.conf
echo '# apple certified' >> mailcow.conf
echo '# nitro certified' >> mailcow.conf
echo '# yubico certified' >> mailcow.conf
echo '# hypersecu certified' >> mailcow.conf
echo '# globalSign certified' >> mailcow.conf
echo '# googleHardware certified' >> mailcow.conf
echo '# microsoftTpmCollection certified' >> mailcow.conf
echo '# huawei certified' >> mailcow.conf
echo '# trustkey certified' >> mailcow.conf
echo '# bsi certified' >> mailcow.conf
echo 'WEBAUTHN_DISABLE_ROOTCA=n' >> mailcow.conf
fi
fi
elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then
elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then
if ! grep -q ${option} mailcow.conf; then
if ! grep -q ${option} mailcow.conf; then
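Review bot: The new `WEBAUTHN_RESPECT_ROOTCA` branch appends `WEBAUTHN_RESPECT_ROOTCA=n` whenever the key is missing and never consults the old `WEBAUTHN_DISABLE_ROOTCA` value, so an existing mailcow.conf carrying the previous default `WEBAUTHN_DISABLE_ROOTCA=n` (which, per the removed PHP hunk, loaded the bundled roots) comes out of the update with root validation switched off and no notice to the admin. Deriving the new value from the old one preserves that choice: `if grep -q '^WEBAUTHN_DISABLE_ROOTCA=n' mailcow.conf; then echo 'WEBAUTHN_RESPECT_ROOTCA=y' >> mailcow.conf; else echo 'WEBAUTHN_RESPECT_ROOTCA=n' >> mailcow.conf; fi` in place of the unconditional echo, ideally followed by a printed hint that the option was renamed. The CONFIG_ARRAY hunk above drops the old key without removing its line, so the stale `WEBAUTHN_DISABLE_ROOTCA` entry will linger in mailcow.conf and may mislead anyone reading it. The enclosing `for option` loop begins before this hunk and its `fi`/`done` structure continues after it.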