mirrors/PocketMine-MP
1
0
Fork 0
mirror of https://github.com/pmmp/PocketMine-MP.git synced 2025-09-07 18:32:55 +00:00
Code Issues Projects Releases Wiki Activity

Implement JWT signature verification and Xbox Live checks, close #315

Browse Source 
This can be enabled or disabled using the "online-mode" directive in
server.properties.

NOTE: For safety reasons it is enabled by default, since many naive server owners currently believe that authentication is not needed because "the client is forced to sign-in".
Newsflash for readers: the forced authentication is easily bypassed using a LAN proxy.

Un-authenticated LAN connections will still work fine if the online mode is disabled.

Added the following API methods:
- Server->getOnlineMode() : bool
- Server->requiresAuthentication() : bool
- Player->isAuthenticated() : bool

JWT verification is rather expensive, so it is done in an AsyncTask. Make sure you don't hog your worker threads.
This commit is contained in:
Dylan K. Taylor
2017-09-25 12:30:58 +01:00
parent 8ca59d12e9
commit 03d3e595d6
4 changed files with 224 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

144
src/pocketmine/network/mcpe/VerifyLoginTask.php Normal file
View File

@ -0,0 +1,144 @@
<?php
/*
*
* ____ _ _ __ __ _ __ __ ____
* | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
* | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
* | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
* |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* @author PocketMine Team
* @link http://www.pocketmine.net/
*
*
*/
declare(strict_types=1);
namespace pocketmine\network\mcpe;
use pocketmine\network\mcpe\protocol\LoginPacket;
use pocketmine\Player;
use pocketmine\scheduler\AsyncTask;
use pocketmine\Server;
use pocketmine\utils\MainLogger;
class VerifyLoginTask extends AsyncTask{
const MOJANG_ROOT_PUBLIC_KEY = "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8ELkixyLcwlZryUQcu1TvPOmI2B7vX83ndnWRUaXm74wFfa5f/lwQNTfrLVHa2PmenpGI6JhIMUJaWZrjmMj90NoKNFSNBuKdm8rYiXsfaz3K36x/1U26HpG0ZxK/V1V";
/** @var LoginPacket */
private $packet;
/**
* @var bool
* Whether the keychain signatures were validated correctly. This will be set to false if any link in the keychain
* has an invalid signature. If false, the keychain might have been tampered with.
* The player will always be disconnected if this is false.
*/
private $valid = true;
/**
* @var bool
* Whether the player is logged into Xbox Live. This is true if any link in the keychain is signed with the Mojang
* root public key.
*/
private $authenticated = false;
public function __construct(Player $player, LoginPacket $packet){
$this->storeLocal($player);
$this->packet = $packet;
}
public function onRun(){
$packet = $this->packet; //Get it in a local variable to make sure it stays unserialized
$currentKey = null;
foreach($packet->chainData["chain"] as $jwt){
if(!$this->validateToken($jwt, $currentKey)){
$this->valid = false;
return;
}
}
if(!$this->validateToken($packet->clientDataJwt, $currentKey)){
$this->valid = false;
}
}
private function validateToken(string $jwt, ?string &$currentPublicKey) : bool{
[$headB64, $payloadB64, $sigB64] = explode('.', $jwt);
$headers = json_decode(base64_decode(strtr($headB64, '-_', '+/'), true), true);
if($currentPublicKey === null){ //First link, check that it is self-signed
$currentPublicKey = $headers["x5u"];
}
$plainSignature = base64_decode(strtr($sigB64, '-_', '+/'), true);
//OpenSSL wants a DER-encoded signature, so we extract R and S from the plain signature and crudely serialize it.
assert(strlen($plainSignature) === 96);
[$rString, $sString] = str_split($plainSignature, 48);
$rString = ltrim($rString, "\x00");
if(ord($rString{0}) >= 128){ //Would be considered signed, pad it with an extra zero
$rString = "\x00" . $rString;
}
$sString = ltrim($sString, "\x00");
if(ord($sString{0}) >= 128){ //Would be considered signed, pad it with an extra zero
$sString = "\x00" . $sString;
}
//0x02 = Integer ASN.1 tag
$sequence = "\x02" . chr(strlen($rString)) . $rString . "\x02" . chr(strlen($sString)) . $sString;
//0x30 = Sequence ASN.1 tag
$derSignature = "\x30" . chr(strlen($sequence)) . $sequence;
$v = openssl_verify("$headB64.$payloadB64", $derSignature, "-----BEGIN PUBLIC KEY-----\n" . wordwrap($currentPublicKey, 64, "\n", true) . "\n-----END PUBLIC KEY-----\n", OPENSSL_ALGO_SHA384);
if($v !== 1){
return false; //bad signature, it might have been tampered with
}
if($currentPublicKey === self::MOJANG_ROOT_PUBLIC_KEY){
$this->authenticated = true; //we're signed into xbox live
}
$claims = json_decode(base64_decode(strtr($payloadB64, '-_', '+/'), true), true);
$time = time();
if(isset($claims["nbf"]) and $claims["nbf"] > $time){
return false; //token can't be used yet
}
if(isset($claims["exp"]) and $claims["exp"] < $time){
return false; //token has expired
}
$currentPublicKey = $claims["identityPublicKey"]; //the next link should be signed with this
return true;
}
public function onCompletion(Server $server){
/** @var Player $player */
$player = $this->fetchLocal($server);
if($player->isClosed()){
$server->getLogger()->error("Player " . $player->getName() . " was disconnected before their login could be verified");
}else{
$player->onVerifyCompleted($this->packet, $this->valid, $this->authenticated);
}
}
}