
Commit 6fad8c2

committed
remove x509 cert fingerprint pinning
1 parent 4ba949e commit 6fad8c2


5 files changed

+89
-50
lines changed


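--- a/figo/Config.php
+++ b/figo/Config.php
@@ -32,9 +32,86 @@ class Config {
 /** @var string figo Connect server address. This should be the full base url of the API */
 public static $API_ENDPOINT = "https://api.figo.me/v3";
 
-/** @var string figo Connect SSL/TLS certificate fingerprints */
-public static $VALID_FINGERPRINTS = array("CD:F3:D3:26:27:89:91:B9:CD:AE:4B:10:6C:96:81:B7:EB:B3:38:10:C4:72:37:6A:4D:9C:84:B7:B3:DC:D6:8D",
-"79:B2:A2:93:00:85:3B:06:92:B1:B5:F2:24:79:48:58:3A:A5:22:0F:C5:CD:E9:49:9A:C8:45:1E:DB:E0:DA:50");
+public static $CA_CERT_BUNDLE = array(
+// Certificate:
+// Data:
+// Version: 3 (0x2)
+// Serial Number:
+// 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
+// Signature Algorithm: sha1WithRSAEncryption
+// Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
+// Validity
+// Not Before: Sep 30 21:12:19 2000 GMT
+// Not After : Sep 30 14:01:15 2021 GMT
+// Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
+// Subject Public Key Info:
+// Public Key Algorithm: rsaEncryption
+// Public-Key: (2048 bit)
+// Modulus:
+// 00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90:
+// 82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40:
+// c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93:
+// ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2:
+// 2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89:
+// a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14:
+// 30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80:
+// 65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec:
+// 52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09:
+// 8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd:
+// 70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6:
+// 30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c:
+// 92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72:
+// d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97:
+// eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15:
+// 02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83:
+// 69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0:
+// 02:5d
+// Exponent: 65537 (0x10001)
+// X509v3 extensions:
+// X509v3 Basic Constraints: critical
+// CA:TRUE
+// X509v3 Key Usage: critical
+// Certificate Sign, CRL Sign
+// X509v3 Subject Key Identifier:
+// C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
+// Signature Algorithm: sha1WithRSAEncryption
+// a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f:
+// 4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b:
+// a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3:
+// 20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd:
+// b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94:
+// 3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9:
+// dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce:
+// e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf:
+// 0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52:
+// 67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31:
+// 85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64:
+// 63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65:
+// b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77:
+// 96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d:
+// 82:35:35:10
+"-----BEGIN CERTIFICATE-----\n" .
+"MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/\n" .
+"MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n" .
+"DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow\n" .
+"PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD\n" .
+"Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n" .
+"AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O\n" .
+"rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq\n" .
+"OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b\n" .
+"xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\n" .
+"7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD\n" .
+"aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV\n" .
+"HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG\n" .
+"SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69\n" .
+"ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr\n" .
+"AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz\n" .
+"R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5\n" .
+"JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo\n" .
+"Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n" .
+"-----END CERTIFICATE-----"
+); // end
+
 /**
 * @var string User agent used for API requests
 */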
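Review bot: `$CA_CERT_BUNDLE` is declared without a docblock, unlike the `$API_ENDPOINT` beside it, and the embedded certificate's own header says `Not After : Sep 30 14:01:15 2021 GMT`, so the bundle carries a hard expiry that nothing in the code records or checks. No hunk in this commit reads the new property — HttpsRequest.php sets up its stream context outside the visible hunk, so whether the bundle is consumed anywhere cannot be confirmed from this page. Suggest `/** @var array PEM-encoded CA certificates trusted for the figo API (DST Root CA X3, expires 2021-09-30; rotate before then) */` above the declaration, plus a sentence on how it is meant to be applied, since the `ssl` stream context options take a file path (`cafile`/`capath`) rather than an in-memory PEM string. The ~60 lines of `openssl x509 -text` output kept as comments restate what the PEM already encodes and could be reduced to the issuer, serial and validity lines.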

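--- a/figo/Connection.php
+++ b/figo/Connection.php
@@ -43,10 +43,6 @@ class Connection {
 * @var null API endpoint
 */
 private $apiEndpoint;
-/**
-* @var array Fingerprints for API endpoint
-*/
-private $fingerprints;
 
 /**
 * Constructor
@@ -55,14 +51,12 @@ class Connection {
 * @param string the client secret
 * @param string redirect URI
 * @param string $apiEndpoint Custom API endpoint
-* @param array $fingerprints Fingerprints for custom API endpoint
 */
-public function __construct($client_id, $client_secret, $redirect_uri = null, $apiEndpoint = null, array $fingerprints = null) {
+public function __construct($client_id, $client_secret, $redirect_uri = null, $apiEndpoint = null) {
 // set default values
 $this->logger = new NullLogger();
 $this->apiEndpoint = Config::$API_ENDPOINT;
-$this->fingerprints = Config::$VALID_FINGERPRINTS;
-
+
 $this->client_id = $client_id;
 $this->client_secret = $client_secret;
 $this->redirect_uri = $redirect_uri;
@@ -72,9 +66,6 @@ public function __construct($client_id, $client_secret, $redirect_uri = null, $a
 }
 $this->apiUrl = parse_api_endpoint($this->apiEndpoint);
 
-if ($fingerprints) {
-$this->fingerprints = $fingerprints;
-}
 }
 
 /**
@@ -110,7 +101,7 @@ public function query_api($path, array $data = null, $method='POST', $encode='ht
 "Content-Type" => $content_type,
 "Content-Length" => strlen($data));
 
-$request = new HttpsRequest($this->apiUrl['host'], $this->fingerprints, $this->logger);
+$request = new HttpsRequest($this->apiUrl['host'], $this->logger);
 $path = $this->apiUrl['path'] . $path;
 return $request->request($path, $data, $method, $headers, $language);
 }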
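Review bot: The `$fingerprints` constructor parameter is removed with no deprecation path, and PHP silently accepts surplus arguments to user-defined functions, so an integrator that still passes a fifth argument for a custom endpoint keeps compiling and running while its pinning quietly stops applying; the same applies to `Session::__construct` in figo/Session.php. For one release I would keep `array $fingerprints = null` as a trailing parameter and, when it is non-null, call `trigger_error("Certificate fingerprint pinning has been removed; the argument is ignored.", E_USER_DEPRECATED);`, and state in the constructor docblock that server identity is now checked only by the TLS layer. While the docblock is being edited, its `@param` lines name parameters by type only (`@param string the client secret`); adding the variable names would let tooling match them. `__construct` is split across three hunks here and `query_api` begins outside its hunk.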

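--- a/figo/HttpsRequest.php
+++ b/figo/HttpsRequest.php
@@ -37,16 +37,11 @@ class HttpsRequest {
 * @var string
 */
 private $apiEndpoint;
-/**
-* @var array
-*/
-private $fingerprints;
-
-public function __construct($apiEndpoint, array $fingerprints, LoggerInterface $logger)
+
+public function __construct($apiEndpoint, LoggerInterface $logger)
 {
 $this->logger = $logger;
 $this->apiEndpoint = $apiEndpoint;
-$this->fingerprints = $fingerprints;
 }
 
 /**
@@ -72,19 +67,6 @@ public function request($path, $data, $method, array $headers, $language = 'de')
 }
 stream_set_timeout($fp, 60);
 
-// Verify fingerprint of server SSL/TLS certificate.
-$options = stream_context_get_options($context);
-if (isset($options["ssl"]) && isset($options["ssl"]["peer_certificate"])) {
-$certificate = $options["ssl"]["peer_certificate"];
-openssl_x509_export($certificate, $certificate);
-$fingerprint = hash("sha256", base64_decode(preg_replace("/-.*/", "", $certificate)));
-$fingerprint = implode(":", str_split(strtoupper($fingerprint), 2));
-if (!in_array($fingerprint, $this->fingerprints)) {
-fclose($fp);
-throw new Exception("ssl_error", "SSL/TLS certificate fingerprint mismatch.");
-}
-}
-
 // Setup common HTTP headers.
 $headers["Host"] = parse_url(Config::$API_ENDPOINT)['host'];
 $headers["Accept"] = "application/json";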
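Review bot: With the post-connect fingerprint comparison gone from `request()`, the only thing left standing between this client and a substituted server certificate is whatever the stream context was created with before this hunk, and nothing visible here confirms that `verify_peer` and `verify_peer_name` are enabled or that the `Config::$CA_CERT_BUNDLE` added in the same commit is referenced by this file at all. I would make the policy explicit where `$context` is built, e.g. `'ssl' => array('verify_peer' => true, 'verify_peer_name' => true, 'cafile' => <path to a file written from Config::$CA_CERT_BUNDLE>)`, noting that `cafile` takes a filesystem path rather than the in-memory PEM string, and add a comment at the removal site saying certificate validation now happens in the TLS handshake. Separately, the unchanged `$headers["Host"] = parse_url(Config::$API_ENDPOINT)['host'];` ignores the `$apiEndpoint` passed to the constructor, so a custom endpoint is sent the default Host header. The enclosing `request()` method starts and ends outside the hunk.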

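--- a/figo/Session.php
+++ b/figo/Session.php
@@ -41,23 +41,17 @@ class Session {
 * @var null API endpoint
 */
 private $apiEndpoint;
-/**
-* @var array Fingerprints for API endpoint
-*/
-private $fingerprints;
 
 /**
 * Constructor
 *
 * @param string the access token
 * @param string $apiEndpoint Custom API endpoint
-* @param array $fingerprints Fingerprints for custom API endpoint
 */
-public function __construct($access_token, $apiEndpoint = null, array $fingerprints = null) {
+public function __construct($access_token, $apiEndpoint = null) {
 // set default values
 $this->logger = new NullLogger();
 $this->apiEndpoint = Config::$API_ENDPOINT;
-$this->fingerprints = Config::$VALID_FINGERPRINTS;
 
 $this->access_token = $access_token;
 
@@ -66,9 +60,6 @@ public function __construct($access_token, $apiEndpoint = null, array $fingerpri
 }
 $this->apiUrl = parse_api_endpoint($this->apiEndpoint);
 
-if ($fingerprints) {
-$this->fingerprints = $fingerprints;
-}
 }
 
 /**
@@ -96,7 +87,7 @@ public function query_api($path, array $data = null, $method = "GET") {
 "Content-Type" => "application/json",
 "Content-Length" => strlen($data));
 
-$request = new HttpsRequest($this->apiUrl['host'], $this->fingerprints, $this->logger);
+$request = new HttpsRequest($this->apiUrl['host'], $this->logger);
 $path = $this->apiUrl['path'] . $path;
 return $request->request($path, $data, $method, $headers);
 }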

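--- a/test/FigoTest.php
+++ b/test/FigoTest.php
@@ -32,25 +32,23 @@ class SessionTest extends PHPUnit_Framework_TestCase {
 protected static $api_endpoint;
 protected static $connection;
 protected static $email;
-protected static $fingerprints;
 protected static $password;
 protected static $session;
 
 protected $access_token;
 protected $account_id;
 
 public static function setUpBeforeClass() {
-$fingerprints = explode(",", getenv("FIGO_SSL_FINGERPRINT"));
 $api_endpoint = getenv("FIGO_API_ENDPOINT");
 self::$connection = new Connection(getenv("FIGO_CLIENT_ID"), getenv("FIGO_CLIENT_SECRET"),
-"http://example.com/callback.php", $api_endpoint, $fingerprints);
+"http://example.com/callback.php", $api_endpoint);
 $name = "PHP SDK Test";
 self::$email = "php.sdk.".rand()."@figo.io";
 self::$password = "sdk_test_pass_".rand();
 self::$connection->create_user($name, self::$email, self::$password);
 $response = self::$connection->native_client_login(self::$email, self::$password);
 $access_token = $response["access_token"];
-self::$session = new Session($access_token, $api_endpoint, $fingerprints);
+self::$session = new Session($access_token, $api_endpoint);
 }
 
 public static function tearDownAfterClass() {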
