[WebAuthn] disable rootCA default

master
FreddleSpl0it 2022-01-19 21:35:21 +01:00
parent 5858c464d9
commit 7df2bb28f8
No known key found for this signature in database
GPG Key ID: 38F5FCC689C181F9
4 changed files with 12 additions and 49 deletions

View File

@ -63,20 +63,7 @@ $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider);
$formats = $GLOBALS['FIDO2_FORMATS']; $formats = $GLOBALS['FIDO2_FORMATS'];
$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats); $WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats);
// only include root ca's when needed // only include root ca's when needed
$WEBAUTHN_DISABLE_ROOTCA = (getenv('WEBAUTHN_DISABLE_ROOTCA') == 'y'); if (getenv('WEBAUTHN_RESPECT_ROOTCA') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');
if (!$WEBAUTHN_DISABLE_ROOTCA){
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/solo.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/apple.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/nitro.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/yubico.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/hypersecu.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/globalSign.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/googleHardware.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/microsoftTpmCollection.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/huawei.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/trustkey.pem');
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/bsi.pem');
}
// Redis // Redis
$redis = new Redis(); $redis = new Redis();

View File

@ -157,7 +157,7 @@ services:
- ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n} - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
- MASTER=${MASTER:-y} - MASTER=${MASTER:-y}
- DEV_MODE=${DEV_MODE:-n} - DEV_MODE=${DEV_MODE:-n}
- WEBAUTHN_DISABLE_ROOTCA=${WEBAUTHN_DISABLE_ROOTCA:-n} - WEBAUTHN_RESPECT_ROOTCA=${WEBAUTHN_RESPECT_ROOTCA:-n}
restart: always restart: always
networks: networks:
mailcow-network: mailcow-network:

View File

@ -344,22 +344,10 @@ DOVECOT_MASTER_PASS=
# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_tls/ # https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_tls/
ACME_CONTACT= ACME_CONTACT=
# Disable including device root ca's for WebAuthn # Enable webauthn device manufacturer verification
# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers # After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed
# It will solve "Error: invalid root certificate" at TFA device registration # root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
# Suported devices are WEBAUTHN_RESPECT_ROOTCA=n
# solo certified
# apple certified
# nitro certified
# yubico certified
# hypersecu certified
# globalSign certified
# googleHardware certified
# microsoftTpmCollection certified
# huawei certified
# trustkey certified
# bsi certified
WEBAUTHN_DISABLE_ROOTCA=n
EOF EOF

View File

@ -307,7 +307,7 @@ CONFIG_ARRAY=(
"ADDITIONAL_SERVER_NAMES" "ADDITIONAL_SERVER_NAMES"
"ACME_CONTACT" "ACME_CONTACT"
"WATCHDOG_VERBOSE" "WATCHDOG_VERBOSE"
"WEBAUTHN_DISABLE_ROOTCA" "WEBAUTHN_RESPECT_ROOTCA"
) )
sed -i --follow-symlinks '$a\' mailcow.conf sed -i --follow-symlinks '$a\' mailcow.conf
@ -515,24 +515,12 @@ for option in ${CONFIG_ARRAY[@]}; do
echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf
echo 'ACME_CONTACT=' >> mailcow.conf echo 'ACME_CONTACT=' >> mailcow.conf
fi fi
elif [[ ${option} == "WEBAUTHN_DISABLE_ROOTCA" ]]; then elif [[ ${option} == "WEBAUTHN_RESPECT_ROOTCA" ]]; then
if ! grep -q ${option} mailcow.conf; then if ! grep -q ${option} mailcow.conf; then
echo "# Disable including device root ca's for WebAuthn" >> mailcow.conf echo "# Enable webauthn device manufacturer verification" >> mailcow.conf
echo '# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers' >> mailcow.conf echo '# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed' >> mailcow.conf
echo '# It will solve "Error: invalid root certificate" at TFA device registration' >> mailcow.conf echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf
echo '# Suported devices are' >> mailcow.conf echo 'WEBAUTHN_RESPECT_ROOTCA=n' >> mailcow.conf
echo '# solo certified' >> mailcow.conf
echo '# apple certified' >> mailcow.conf
echo '# nitro certified' >> mailcow.conf
echo '# yubico certified' >> mailcow.conf
echo '# hypersecu certified' >> mailcow.conf
echo '# globalSign certified' >> mailcow.conf
echo '# googleHardware certified' >> mailcow.conf
echo '# microsoftTpmCollection certified' >> mailcow.conf
echo '# huawei certified' >> mailcow.conf
echo '# trustkey certified' >> mailcow.conf
echo '# bsi certified' >> mailcow.conf
echo 'WEBAUTHN_DISABLE_ROOTCA=n' >> mailcow.conf
fi fi
elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then
if ! grep -q ${option} mailcow.conf; then if ! grep -q ${option} mailcow.conf; then