From 6a95fb3e72294a1d4a14c3a724958537dfc80259 Mon Sep 17 00:00:00 2001 From: Dion Hulse Date: Mon, 22 May 2023 16:14:06 +1000 Subject: [PATCH] WebAuthN: Disable EdDSA/Ed25519 for key registrations (#165) --- class-wporg-webauthn-provider.php | 30 ++++++++++++++++++++++++++++++ wporg-two-factor.php | 2 +- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/class-wporg-webauthn-provider.php b/class-wporg-webauthn-provider.php index d279321b..0cea22d2 100644 --- a/class-wporg-webauthn-provider.php +++ b/class-wporg-webauthn-provider.php @@ -75,6 +75,9 @@ public function _add_filters() { // Disable the admin UI if it needs revalidation. add_action( 'show_user_security_settings', [ $this, '_show_user_security_settings' ], -1 ); + // Disable EdDSA support for keys, to enable Android NFC to work with modern keys. + add_action( 'wp_ajax_webauthn_preregister', [ $this, '_remove_eddsa_alg' ], 1 ); + // Extend the session revalidation after registering a new key. add_action( 'wp_ajax_webauthn_register', [ $this, '_extend_revalidation' ], 1 ); } @@ -125,6 +128,33 @@ public function _extend_revalidation() { } ); } + /** + * Resolve Android NFC Security Key issues when a newer key is registered through a desktop client. + * + * This disables EdDSA (aka. ES25519) support, which Android NFC appears to lack. + * + * @see https://github.com/sjinks/wp-two-factor-provider-webauthn/issues/221#issuecomment-1539543124 + */ + public function _remove_eddsa_alg() { + ob_start( function( $output ) { + $json = json_decode( $output ); + + if ( $json && ! empty( $json->data->options->pubKeyCredParams ) ) { + $json->data->options->pubKeyCredParams = array_values( + wp_list_filter( + $json->data->options->pubKeyCredParams, + [ 'alg' => -8 ], + 'NOT' + ) + ); + + $output = wp_json_encode( $json ); + } + + return $output; + } ); + } + public function _clear_cache() { wp_cache_delete( 'webauthn:' . get_current_user_id(), 'users' ); } diff --git a/wporg-two-factor.php b/wporg-two-factor.php index 1e7db3ac..995663d9 100644 --- a/wporg-two-factor.php +++ b/wporg-two-factor.php @@ -185,7 +185,7 @@ function user_requires_2fa( $user ) : bool { return false; } } - // @codeCoverageIgnoreEnd + // @codeCoverageIgnoreEnd $required = false;