From 7df2bb28f8d7baa1bbe893bdc394262409a042a0 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Wed, 19 Jan 2022 21:35:21 +0100
Subject: [PATCH] [WebAuthn] disable rootCA default

---
 data/web/inc/prerequisites.inc.php | 15 +--------------
 docker-compose.yml                 |  2 +-
 generate_config.sh                 | 20 ++++----------------
 update.sh                          | 24 ++++++------------------
 4 files changed, 12 insertions(+), 49 deletions(-)

diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index 2cf71bd8..6a6832ef 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -63,20 +63,7 @@ $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider);
 $formats = $GLOBALS['FIDO2_FORMATS'];
 $WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats);
 // only include root ca's when needed
-$WEBAUTHN_DISABLE_ROOTCA = (getenv('WEBAUTHN_DISABLE_ROOTCA') == 'y');
-if (!$WEBAUTHN_DISABLE_ROOTCA){
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/solo.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/apple.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/nitro.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/yubico.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/hypersecu.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/globalSign.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/googleHardware.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/microsoftTpmCollection.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/huawei.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/trustkey.pem');
-    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/bsi.pem');
-}
+if (getenv('WEBAUTHN_RESPECT_ROOTCA') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');
 
 // Redis
 $redis = new Redis();
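Review bot: The new guard on the `+` line compares the `getenv()` result with loose `==` and runs a braceless single-line `if`, and the retained comment "only include root ca's when needed" no longer says what the flag actually decides. Suggest `if (getenv('WEBAUTHN_RESPECT_ROOTCA') === 'y') {` / `    $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');` / `}`, and replace the comment with one stating that attestation root certificates are only loaded when WEBAUTHN_RESPECT_ROOTCA=y and that otherwise a registering authenticator's attestation chain is not checked against any manufacturer root. Passing the directory instead of the previous eleven individual .pem paths relies on addRootCertificates() scanning a directory, which the lbuchs library's method does accept; a short comment naming which file extensions it picks up from that directory would save the next reader a trip into the library. This hunk is top-level script code, not inside a function.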
diff --git a/docker-compose.yml b/docker-compose.yml
index 6e0a6ed7..eb28ec8e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -157,7 +157,7 @@ services:
         - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
         - MASTER=${MASTER:-y}
         - DEV_MODE=${DEV_MODE:-n}
-        - WEBAUTHN_DISABLE_ROOTCA=${WEBAUTHN_DISABLE_ROOTCA:-n}
+        - WEBAUTHN_RESPECT_ROOTCA=${WEBAUTHN_RESPECT_ROOTCA:-n}
       restart: always
       networks:
         mailcow-network:
diff --git a/generate_config.sh b/generate_config.sh
index 23673527..8664b790 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -344,22 +344,10 @@ DOVECOT_MASTER_PASS=
 # https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_tls/
 ACME_CONTACT=
 
-# Disable including device root ca's for WebAuthn
-# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers
-# It will solve "Error: invalid root certificate" at TFA device registration
-# Suported devices are 
-#   solo certified
-#   apple certified
-#   nitro certified
-#   yubico certified
-#   hypersecu certified
-#   globalSign certified
-#   googleHardware certified
-#   microsoftTpmCollection certified
-#   huawei certified
-#   trustkey certified
-#   bsi certified
-WEBAUTHN_DISABLE_ROOTCA=n
+# Enable webauthn device manufacturer verification
+# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed
+# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
+WEBAUTHN_RESPECT_ROOTCA=n
 
 EOF
 
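Review bot: The new comment block on the `+` lines explains only the `y` setting; since the generated default is `n`, it should also state what that default means, e.g. add `# With the default WEBAUTHN_RESPECT_ROOTCA=n the attestation chain of a registering device is not checked against these root certificates`. The same three-line comment is echoed into mailcow.conf by the second update.sh hunk, so the addition belongs in both places. Minor: the third line starts lowercase (`# root certificates ...`) while the other two are capitalised.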
diff --git a/update.sh b/update.sh
index 73636828..7565c9d7 100755
--- a/update.sh
+++ b/update.sh
@@ -307,7 +307,7 @@ CONFIG_ARRAY=(
   "ADDITIONAL_SERVER_NAMES"
   "ACME_CONTACT"
   "WATCHDOG_VERBOSE"
-  "WEBAUTHN_DISABLE_ROOTCA"
+  "WEBAUTHN_RESPECT_ROOTCA"
 )
 
 sed -i --follow-symlinks '$a\' mailcow.conf
@@ -515,24 +515,12 @@ for option in ${CONFIG_ARRAY[@]}; do
       echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf
       echo 'ACME_CONTACT=' >> mailcow.conf
   fi
-  elif [[ ${option} == "WEBAUTHN_DISABLE_ROOTCA" ]]; then
+  elif [[ ${option} == "WEBAUTHN_RESPECT_ROOTCA" ]]; then
     if ! grep -q ${option} mailcow.conf; then
-      echo "# Disable including device root ca's for WebAuthn" >> mailcow.conf
-      echo '# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers' >> mailcow.conf
-      echo '# It will solve "Error: invalid root certificate" at TFA device registration' >> mailcow.conf
-      echo '# Suported devices are' >> mailcow.conf
-      echo '#   solo certified' >> mailcow.conf
-      echo '#   apple certified' >> mailcow.conf
-      echo '#   nitro certified' >> mailcow.conf
-      echo '#   yubico certified' >> mailcow.conf
-      echo '#   hypersecu certified' >> mailcow.conf
-      echo '#   globalSign certified' >> mailcow.conf
-      echo '#   googleHardware certified' >> mailcow.conf
-      echo '#   microsoftTpmCollection certified' >> mailcow.conf
-      echo '#   huawei certified' >> mailcow.conf
-      echo '#   trustkey certified' >> mailcow.conf
-      echo '#   bsi certified' >> mailcow.conf
-      echo 'WEBAUTHN_DISABLE_ROOTCA=n' >> mailcow.conf
+      echo "# Enable webauthn device manufacturer verification" >> mailcow.conf
+      echo '# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed' >> mailcow.conf
+      echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf
+      echo 'WEBAUTHN_RESPECT_ROOTCA=n' >> mailcow.conf
     fi
 elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then
     if ! grep -q ${option} mailcow.conf; then
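Review bot: The new `elif` branch appends `WEBAUTHN_RESPECT_ROOTCA=n` whenever the key is missing, but it neither reads nor removes the `WEBAUTHN_DISABLE_ROOTCA` line that earlier versions of this script wrote into mailcow.conf, so every existing install silently moves from root-certificate checking to no checking on update and the obsolete key stays in the file. The commit title makes the new default intentional, so the minimum is telling the admin in the generated file: `echo '# Replaces WEBAUTHN_DISABLE_ROOTCA: root certificate checking is now off unless set to y' >> mailcow.conf`. If preserving an explicit earlier choice is wanted, the written value could instead be derived from the old key (`y` when mailcow.conf contains `WEBAUTHN_DISABLE_ROOTCA=n`), though that cannot distinguish an untouched old default from a deliberate setting. The enclosing `for option` loop starts before this hunk.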