1<?php
2
3/*
4 *
5 * ____ _ _ __ __ _ __ __ ____
6 * | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
7 * | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
8 * | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
9 * |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
10 *
11 * This program is free software: you can redistribute it and/or modify
12 * it under the terms of the GNU Lesser General Public License as published by
13 * the Free Software Foundation, either version 3 of the License, or
14 * (at your option) any later version.
15 *
16 * @author PocketMine Team
17 * @link http://www.pocketmine.net/
18 *
19 *
20 */
21
22declare(strict_types=1);
23
24namespace pocketmine\network\mcpe\auth;
25
34use function base64_decode;
35use function igbinary_serialize;
36use function igbinary_unserialize;
37use function time;
38
/** Thread-local storage key under which the completion closure is kept (see storeLocal()/fetchLocal()). */
private const TLS_KEY_ON_COMPLETION = "completion";

/**
 * Base64-encoded DER public key of the Mojang signing authority. A chain link whose header x5u equals this key,
 * and whose signature verifies against it, marks the login as authenticated (Xbox Live signed in).
 */
public const MOJANG_ROOT_PUBLIC_KEY = "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAECRXueJeTDqNRRgJi/vlRufByu/2G0i2Ebt6YMar5QX/R0DIIyrJMcUpruK4QveTfJSTp3Shlq4Gk34cD/4GUWwkv0DVuzeuB+tXija7HBxii03NHDbPAD0AKnLr2wdAp";

/** Tolerance in seconds applied to the nbf/exp claim checks, to absorb clock differences between client and server. */
private const CLOCK_DRIFT_MAX = 60;

/** Chain JWTs, igbinary-serialized so the array can cross the thread boundary; unserialized again in validateChain(). */
private string $chain;

/**
 * "Unknown" until onRun() has executed, null once validation succeeded, otherwise the disconnect message.
 * A Translatable message is wrapped in NonThreadSafeValue and unwrapped again in onCompletion().
 */
private NonThreadSafeValue|string|null $error = "Unknown";
/** Set to true by validateToken() once a link signed by MOJANG_ROOT_PUBLIC_KEY verifies. */
private bool $authenticated = false;
/** DER-encoded identityPublicKey from the last chain link, set only when the whole chain validated. */
private ?string $clientPublicKey = null;
67
/**
 * @param string[] $chainJwts    Login chain JWTs in the order received; validated sequentially in validateChain()
 * @param string   $clientDataJwt JWT carrying client data, expected to be signed with the last chain link's identityPublicKey
 * @param bool     $authRequired  Passed through unchanged to the completion callback
 * @param \Closure $onCompletion  Invoked on the main thread from onCompletion() with (authenticated, authRequired, error, clientPublicKey)
 */
public function __construct(
	array $chainJwts,
	private string $clientDataJwt,
	private bool $authRequired,
	\Closure $onCompletion
){
	//arrays can't be passed to the worker thread directly, so the chain travels serialized
	$this->chain = igbinary_serialize($chainJwts);
	//the closure must stay on the main thread; keep it in thread-local storage instead of a property
	$this->storeLocal(self::TLS_KEY_ON_COMPLETION, $onCompletion);
}
81
/**
 * Runs on the worker thread: validates the chain and records either the client's public key (success)
 * or the disconnect message (failure) for onCompletion() to hand back.
 */
public function onRun() : void{
	try{
		$verifiedKey = $this->validateChain();
	}catch(VerifyLoginException $e){
		$message = $e->getDisconnectMessage();
		if($message instanceof Translatable){
			//Translatable can't cross the thread boundary as-is; wrap it and unwrap on the main thread
			$this->error = new NonThreadSafeValue($message);
		}else{
			$this->error = $message;
		}
		return;
	}

	$this->clientPublicKey = $verifiedKey;
	$this->error = null;
}
91
/**
 * Validates every chain link in order, then the client data token, and returns the key the client data was signed with.
 *
 * @return string DER-encoded identityPublicKey of the last chain link
 * @throws VerifyLoginException when any link or the client data token fails validation
 */
private function validateChain() : string{
	/** @var string[] $chain */
	$chain = igbinary_unserialize($this->chain);

	$currentKey = null;
	$isFirstLink = true;
	foreach($chain as $jwt){
		//only the first link may be self-signed; every later link must be signed with the previous link's identityPublicKey
		$this->validateToken($jwt, $currentKey, $isFirstLink);
		$isFirstLink = false;
	}

	//captured before the client data check, since validateToken() may overwrite the reference via the identityPublicKey claim
	$clientKey = $currentKey;
	$this->validateToken($this->clientDataJwt, $currentKey);

	return $clientKey;
}
113
/**
 * Verifies a single JWT of the login chain (or the client data token) and advances the chain key.
 *
 * Checks, in order: the token parses; the header maps strictly onto JwtHeader; the header's x5u is valid base64;
 * the x5u matches the key expected from the previous link (unless this is the first link); the signature verifies
 * against that key; the nbf/exp claims (when present) fall within CLOCK_DRIFT_MAX of the current time; and any
 * identityPublicKey claim is valid base64 and a parseable DER key.
 *
 * @param string      $jwt              Compact-serialized JWT to verify
 * @param string|null &$currentPublicKey DER key the token must be signed with; replaced with the token's
 *                                       identityPublicKey (if present) so the next link can be checked against it
 * @param bool        $first            Whether this is the first chain link, which is allowed to be self-signed
 * @throws VerifyLoginException on any failed check; carries an optional translatable disconnect message
 */
private function validateToken(string $jwt, ?string &$currentPublicKey, bool $first = false) : void{
	try{
		[$headersArray, $claimsArray, ] = JwtUtils::parse($jwt);
	}catch(JwtException $e){
		throw new VerifyLoginException("Failed to parse JWT: " . $e->getMessage(), null, 0, $e);
	}

	//strict mapping for the header: missing fields, unknown fields and type mismatches are all rejected
	$mapper = new \JsonMapper();
	$mapper->bExceptionOnMissingData = true;
	$mapper->bExceptionOnUndefinedProperty = true;
	$mapper->bStrictObjectTypeChecking = true;
	$mapper->bEnforceMapType = false;

	try{
		$headers = $mapper->map($headersArray, new JwtHeader());
	}catch(\JsonMapper_Exception $e){
		throw new VerifyLoginException("Invalid JWT header: " . $e->getMessage(), null, 0, $e);
	}

	//strict base64 so that a key with stray characters can't decode to something unexpected
	$headerDerKey = base64_decode($headers->x5u, true);
	if($headerDerKey === false){
		throw new VerifyLoginException("Invalid JWT public key: base64 decoding error decoding x5u");
	}

	//chain linking: apart from the first (self-signed) link, the signing key must be the one the previous link announced.
	//These are DER-encoded public keys, not secrets, so a plain comparison is adequate here.
	if($currentPublicKey === null){
		if(!$first){
			throw new VerifyLoginException("Missing JWT public key", KnownTranslationFactory::pocketmine_disconnect_invalidSession_missingKey());
		}
	}elseif($headerDerKey !== $currentPublicKey){
		//Fast path: if the header key doesn't match what we expected, the signature isn't going to validate anyway
		throw new VerifyLoginException("Invalid JWT signature", KnownTranslationFactory::pocketmine_disconnect_invalidSession_badSignature());
	}

	try{
		$signingKeyOpenSSL = JwtUtils::parseDerPublicKey($headerDerKey);
	}catch(JwtException $e){
		throw new VerifyLoginException("Invalid JWT public key: " . $e->getMessage(), null, 0, $e);
	}
	try{
		if(!JwtUtils::verify($jwt, $signingKeyOpenSSL)){
			throw new VerifyLoginException("Invalid JWT signature", KnownTranslationFactory::pocketmine_disconnect_invalidSession_badSignature());
		}
	}catch(JwtException $e){
		throw new VerifyLoginException($e->getMessage(), null, 0, $e);
	}

	//only reached after the signature verified, so a matching x5u really means Mojang signed this link
	if($headers->x5u === self::MOJANG_ROOT_PUBLIC_KEY){
		$this->authenticated = true; //we're signed into xbox live
	}

	//looser mapping for the claims: unknown fields are dropped rather than rejected, but the known ones are still type-checked
	$mapper = new \JsonMapper();
	$mapper->bExceptionOnUndefinedProperty = false; //we only care about the properties we're using in this case
	$mapper->bExceptionOnMissingData = true;
	$mapper->bStrictObjectTypeChecking = true;
	$mapper->bEnforceMapType = false;
	$mapper->bRemoveUndefinedAttributes = true;
	try{
		$claims = $mapper->map($claimsArray, new JwtChainLinkBody());
	}catch(\JsonMapper_Exception $e){
		throw new VerifyLoginException("Invalid chain link body: " . $e->getMessage(), null, 0, $e);
	}

	//time window checks are applied only when the claim is present; CLOCK_DRIFT_MAX tolerates client/server clock skew
	$time = time();
	if(isset($claims->nbf) && $claims->nbf > $time + self::CLOCK_DRIFT_MAX){
		throw new VerifyLoginException("JWT not yet valid", KnownTranslationFactory::pocketmine_disconnect_invalidSession_tooEarly());
	}

	if(isset($claims->exp) && $claims->exp < $time - self::CLOCK_DRIFT_MAX){
		throw new VerifyLoginException("JWT expired", KnownTranslationFactory::pocketmine_disconnect_invalidSession_tooLate());
	}

	if(isset($claims->identityPublicKey)){
		$identityPublicKey = base64_decode($claims->identityPublicKey, true);
		if($identityPublicKey === false){
			throw new VerifyLoginException("Invalid identityPublicKey: base64 error decoding");
		}
		try{
			//verify key format and parameters
			JwtUtils::parseDerPublicKey($identityPublicKey);
		}catch(JwtException $e){
			throw new VerifyLoginException("Invalid identityPublicKey: " . $e->getMessage(), null, 0, $e);
		}
		$currentPublicKey = $identityPublicKey; //if there are further links, the next link should be signed with this
	}
}
204
/**
 * Runs on the main thread once onRun() finished: unwraps any thread-unsafe error value and hands the
 * outcome to the closure stored by the constructor.
 */
public function onCompletion() : void{
	$callback = $this->fetchLocal(self::TLS_KEY_ON_COMPLETION);

	$error = $this->error;
	if($error instanceof NonThreadSafeValue){
		//a Translatable was wrapped in onRun(); it is safe to unwrap now that we're back on the main thread
		$error = $error->deserialize();
	}

	$callback($this->authenticated, $this->authRequired, $error, $this->clientPublicKey);
}
213}