From 715556b659a1476a37cf070844e5cb11129aa875 Mon Sep 17 00:00:00 2001
From: Roland Gruber <post@rolandgruber.de>
Date: Fri, 13 Sep 2024 17:09:55 +0200
Subject: [PATCH 1/5] #358 support DNs larger than 64 bytes

---
 lam/HISTORY          |   5 ++
 lam/lib/webauthn.inc | 109 +++++++++++++++++++++++++++++++++++--------
 2 files changed, 95 insertions(+), 19 deletions(-)

diff --git a/lam/HISTORY b/lam/HISTORY
index d4a25f66d..09c3667f8 100644
--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -1,3 +1,8 @@
+December 2024 9.0
+ - Fixed bugs:
+  -> WebAuthn: support DNs larger than 64 bytes (358)
+
+
 September 2024 8.9
  - Windows user: support for room number and personal title (needs to be activated in module settings) (343, 344)
  - Usability improvements (354)
diff --git a/lam/lib/webauthn.inc b/lam/lib/webauthn.inc
index 6577457c3..cdaa696fa 100644
--- a/lam/lib/webauthn.inc
+++ b/lam/lib/webauthn.inc
@@ -185,12 +185,22 @@ class WebauthnManager {
 	private function getUserEntity($dn) {
 		return new PublicKeyCredentialUserEntity(
 			$dn,
-			$dn,
+			$this->getUserIdFromDn($dn),
 			extractRDNValue($dn),
 			null
 		);
 	}
 
+	/**
+	 * Generates the user ID as hash of the user DN.
+	 *
+	 * @param string $dn user DN
+	 * @return string user ID
+	 */
+	private function getUserIdFromDn(string $dn) {
+		return hash('sha256', $dn);
+	}
+
 	/**
 	 * Returns the part that identifies the server and application.
 	 *
@@ -406,12 +416,19 @@ class WebauthnManager {
 			$psrFactory = new PsrHttpFactory($psr17Factory, $psr17Factory, $psr17Factory, $psr17Factory);
 			$psr7Request = $psrFactory->createRequest($symfonyRequest);
 			$publicKeyCredentialRequestOptions = PublicKeyCredentialRequestOptions::createFromString($_SESSION['webauthn_authentication']);
+			$credential = $database->findOneByCredentialId($publicKeyCredential->getRawId());
+			if ($credential === null) {
+				throw new LAMException(null, 'Unable to find credential');
+			}
+			$userId = $credential->getUserHandle();
+			// old entries use DN as user ID
+			$userHandle = ($userId === $userDn) ? $userDn : $this->getUserIdFromDn($userDn);
 			$responseValidator->check(
 				$publicKeyCredential->getRawId(),
 				$publicKeyCredential->getResponse(),
 				$publicKeyCredentialRequestOptions,
 				$psr7Request,
-				$userDn
+				$userHandle
 			);
 			return true;
 		}
@@ -472,8 +489,8 @@ abstract class PublicKeyCredentialSourceRepositoryBase implements PublicKeyCrede
 		$credentials = [];
 		try {
 			$pdo = $this->getPDO();
-			$statement = $pdo->prepare('select * from ' . $this->getTableName() . ' where userId = :userid');
-			$statement->execute([':userid' => $publicKeyCredentialUserEntity->getId()]);
+			$statement = $pdo->prepare('select * from ' . $this->getTableName() . ' where userDN = :userDN');
+			$statement->execute([':userDN' => $publicKeyCredentialUserEntity->getName()]);
 			$results = $statement->fetchAll();
 			foreach ($results as $result) {
 				$jsonArray = json_decode($result['credentialSource'], true);
@@ -497,20 +514,27 @@ abstract class PublicKeyCredentialSourceRepositoryBase implements PublicKeyCrede
 		$userId = $publicKeyCredentialSource->getUserHandle();
 		$currentTime = time();
 		$pdo = $this->getPDO();
-		$statement = $pdo->prepare('select * from ' . $this->getTableName() . ' where userId = :userId and credentialId = :credentialId');
+		if (isset($_SESSION['selfService_clientDN'])) {
+			$userDn = lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService');
+		}
+		else {
+			$userDn = $_SESSION['ldap']->getUserName();
+		}
+		$statement = $pdo->prepare('select * from ' . $this->getTableName() . ' where userDN = :userDN and credentialId = :credentialId');
 		$statement->execute([
-			':userId' => $userId,
+			':userDN' => $userDn,
 			':credentialId' => $credentialId
 		]);
 		$results = $statement->fetchAll();
 		if (empty($results)) {
-			$statement = $pdo->prepare('insert into ' . $this->getTableName() . ' (userId, credentialId, credentialSource, registrationTime, lastUseTime) VALUES (?, ?, ?, ?, ?)');
+			$statement = $pdo->prepare('insert into ' . $this->getTableName() . ' (userId, credentialId, credentialSource, registrationTime, lastUseTime, userDN) VALUES (?, ?, ?, ?, ?, ?)');
 			$statement->execute([
 				$userId,
 				$credentialId,
 				$json,
 				$currentTime,
-				$currentTime
+				$currentTime,
+				$userDn
 			]);
 			logNewMessage(LOG_DEBUG, 'Stored new credential for ' . $userId);
 		}
@@ -518,15 +542,15 @@ abstract class PublicKeyCredentialSourceRepositoryBase implements PublicKeyCrede
 			$statement = $pdo->prepare(
 				'update ' . $this->getTableName() .
 				' set credentialSource = :credentialSource, lastUseTime = :lastUseTime' .
-				' WHERE userId = :userId AND credentialId = :credentialId'
+				' WHERE userDN = :userDN AND credentialId = :credentialId'
 			);
 			$statement->execute([
 				':credentialSource' => $json,
 				':lastUseTime' => $currentTime,
-				':userId' => $userId,
+				':userDN' => $userDn,
 				':credentialId' => $credentialId
 			]);
-			logNewMessage(LOG_DEBUG, 'Stored updated credential for ' . $userId);
+			logNewMessage(LOG_DEBUG, 'Stored updated credential for ' . $userDn);
 		}
 	}
 
@@ -557,7 +581,7 @@ abstract class PublicKeyCredentialSourceRepositoryBase implements PublicKeyCrede
 	 */
 	public function searchDevices(string $searchTerm) {
 		$pdo = $this->getPDO();
-		$statement = $pdo->prepare('select * from ' . $this->getTableName() . ' where userId like :searchTerm order by userId,registrationTime');
+		$statement = $pdo->prepare('select * from ' . $this->getTableName() . ' where userDN like :searchTerm order by userId,registrationTime');
 		$statement->execute([
 			':searchTerm' => $searchTerm
 		]);
@@ -566,7 +590,7 @@ abstract class PublicKeyCredentialSourceRepositoryBase implements PublicKeyCrede
 		foreach ($results as $result) {
 			$name = !empty($result['name']) ? $result['name'] : '';
 			$devices[] = [
-				'dn' => $result['userId'],
+				'dn' => $result['userDN'],
 				'credentialId' => $result['credentialId'],
 				'lastUseTime' => $result['lastUseTime'],
 				'registrationTime' => $result['registrationTime'],
@@ -586,9 +610,9 @@ abstract class PublicKeyCredentialSourceRepositoryBase implements PublicKeyCrede
 	public function deleteDevice(string $dn, string $credentialId) {
 		logNewMessage(LOG_NOTICE, 'Delete webauthn device ' . $credentialId . ' of ' . $dn);
 		$pdo = $this->getPDO();
-		$statement = $pdo->prepare('delete from ' . $this->getTableName() . ' where userId = :userId and credentialId = :credentialId');
+		$statement = $pdo->prepare('delete from ' . $this->getTableName() . ' where userDN = :userDN and credentialId = :credentialId');
 		$statement->execute([
-			':userId' => $dn,
+			':userDN' => $dn,
 			':credentialId' => $credentialId
 		]);
 		return $statement->rowCount() > 0;
@@ -604,9 +628,9 @@ abstract class PublicKeyCredentialSourceRepositoryBase implements PublicKeyCrede
 	 */
 	public function updateDeviceName(string $dn, string $credentialId, $name) {
 		$pdo = $this->getPDO();
-		$statement = $pdo->prepare('update ' . $this->getTableName() . ' set name = :name where userId = :userId and credentialId = :credentialId');
+		$statement = $pdo->prepare('update ' . $this->getTableName() . ' set name = :name where userDN = :userDN and credentialId = :credentialId');
 		$statement->execute([
-			':userId' => $dn,
+			':userDN' => $dn,
 			':credentialId' => $credentialId,
 			':name' => $name
 		]);
@@ -636,6 +660,7 @@ abstract class PublicKeyCredentialSourceRepositoryBase implements PublicKeyCrede
 			$this->createInitialSchema($pdo);
 		}
 		$this->addNameColumn($pdo);
+		$this->addUserDnColumn($pdo);
 	}
 
 	/**
@@ -676,6 +701,29 @@ abstract class PublicKeyCredentialSourceRepositoryBase implements PublicKeyCrede
 		}
 	}
 
+	/**
+	 * Adds the user DN column if not existing.
+	 *
+	 * @param PDO $pdo PDO
+	 */
+	protected function addUserDnColumn(PDO $pdo): void {
+		try {
+			$statement = $pdo->query("select * from pragma_table_info('" . $this->getTableName() . "') where name = 'userDN';");
+			$results = $statement->fetchAll();
+			if (empty($results)) {
+				$sql = 'alter table ' . $this->getTableName() . ' add column userDN VARCHAR(255);';
+				logNewMessage(LOG_DEBUG, $sql);
+				$pdo->exec($sql);
+				$sql = 'update ' . $this->getTableName() . ' set userDn = userId;';
+				logNewMessage(LOG_DEBUG, $sql);
+				$pdo->exec($sql);
+			}
+		}
+		catch (PDOException $e) {
+			logNewMessage(LOG_ERR, 'Unable to add userDN column to table: ' . $e->getMessage());
+		}
+	}
+
 	/**
 	 * Exports all entries.
 	 *
@@ -695,6 +743,7 @@ abstract class PublicKeyCredentialSourceRepositoryBase implements PublicKeyCrede
 				'registrationTime' => $dbRow['registrationTime'],
 				'lastUseTime' => $dbRow['lastUseTime'],
 				'name' => $dbRow['name'],
+				'userDN' => $dbRow['userDN'],
 			];
 		}
 		return $data;
@@ -713,14 +762,15 @@ abstract class PublicKeyCredentialSourceRepositoryBase implements PublicKeyCrede
 			return;
 		}
 		foreach ($data as $dbRow) {
-			$statement = $pdo->prepare('insert into ' . $this->getTableName() . ' (userId, credentialId, credentialSource, registrationTime, lastUseTime, name) VALUES (?, ?, ?, ?, ?, ?)');
+			$statement = $pdo->prepare('insert into ' . $this->getTableName() . ' (userId, credentialId, credentialSource, registrationTime, lastUseTime, name, userDN) VALUES (?, ?, ?, ?, ?, ?, ?)');
 			$statement->execute([
 				$dbRow['userId'],
 				$dbRow['credentialId'],
 				$dbRow['credentialSource'],
 				$dbRow['registrationTime'],
 				$dbRow['lastUseTime'],
-				$dbRow['name']
+				$dbRow['name'],
+				$dbRow['userDN'],
 			]);
 		}
 	}
@@ -835,6 +885,27 @@ class PublicKeyCredentialSourceRepositoryMySql extends PublicKeyCredentialSource
 		// added via initial schema
 	}
 
+	/**
+	 * {@inheritDoc}
+	 */
+	protected function addUserDnColumn(PDO $pdo): void {
+		try {
+			$statement = $pdo->query("show columns from " . $this->getTableName() . " like 'userDN';");
+			$results = $statement->fetchAll();
+			if (empty($results)) {
+				$sql = 'alter table ' . $this->getTableName() . ' add column userDN VARCHAR(255);';
+				logNewMessage(LOG_DEBUG, $sql);
+				$pdo->exec($sql);
+				$sql = 'update ' . $this->getTableName() . ' set userDn = userId;';
+				logNewMessage(LOG_DEBUG, $sql);
+				$pdo->exec($sql);
+			}
+		}
+		catch (PDOException $e) {
+			logNewMessage(LOG_ERR, 'Unable to add userDN column to table: ' . $e->getMessage());
+		}
+	}
+
 }
 
 

From 3d6bb70fc40e2cb6eb78bb4245e0237c4db806f8 Mon Sep 17 00:00:00 2001
From: Roland Gruber <post@rolandgruber.de>
Date: Mon, 16 Sep 2024 17:27:21 +0200
Subject: [PATCH 2/5] #358 support DNs larger than 64 bytes

---
 lam/lib/webauthn.inc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lam/lib/webauthn.inc b/lam/lib/webauthn.inc
index cdaa696fa..2ba196bc8 100644
--- a/lam/lib/webauthn.inc
+++ b/lam/lib/webauthn.inc
@@ -185,7 +185,7 @@ class WebauthnManager {
 	private function getUserEntity($dn) {
 		return new PublicKeyCredentialUserEntity(
 			$dn,
-			$this->getUserIdFromDn($dn),
+			self::getUserIdFromDn($dn),
 			extractRDNValue($dn),
 			null
 		);
@@ -197,7 +197,7 @@ class WebauthnManager {
 	 * @param string $dn user DN
 	 * @return string user ID
 	 */
-	private function getUserIdFromDn(string $dn) {
+	public static function getUserIdFromDn(string $dn) {
 		return hash('sha256', $dn);
 	}
 
@@ -422,7 +422,7 @@ class WebauthnManager {
 			}
 			$userId = $credential->getUserHandle();
 			// old entries use DN as user ID
-			$userHandle = ($userId === $userDn) ? $userDn : $this->getUserIdFromDn($userDn);
+			$userHandle = ($userId === $userDn) ? $userDn : self::getUserIdFromDn($userDn);
 			$responseValidator->check(
 				$publicKeyCredential->getRawId(),
 				$publicKeyCredential->getResponse(),
@@ -536,7 +536,7 @@ abstract class PublicKeyCredentialSourceRepositoryBase implements PublicKeyCrede
 				$currentTime,
 				$userDn
 			]);
-			logNewMessage(LOG_DEBUG, 'Stored new credential for ' . $userId);
+			logNewMessage(LOG_DEBUG, 'Stored new credential for ' . $userDn);
 		}
 		else {
 			$statement = $pdo->prepare(

From feea5f1888f0cc4ee51f92597e820f99a5c0e246 Mon Sep 17 00:00:00 2001
From: Roland Gruber <post@rolandgruber.de>
Date: Thu, 26 Sep 2024 20:14:34 +0200
Subject: [PATCH 3/5] #358 support DNs larger than 64 bytes

---
 ...eyCredentialSourceRepositorySQLiteTest.php | 32 +++++++++++--------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/lam/tests/lib/PublicKeyCredentialSourceRepositorySQLiteTest.php b/lam/tests/lib/PublicKeyCredentialSourceRepositorySQLiteTest.php
index e935dc5c9..ef9737e5a 100644
--- a/lam/tests/lib/PublicKeyCredentialSourceRepositorySQLiteTest.php
+++ b/lam/tests/lib/PublicKeyCredentialSourceRepositorySQLiteTest.php
@@ -1,6 +1,7 @@
 <?php
 namespace LAM\LOGIN\WEBAUTHN;
 
+use Ldap;
 use PDO;
 use \PHPUnit\Framework\TestCase;
 use \Webauthn\PublicKeyCredentialDescriptor;
@@ -46,6 +47,8 @@ class PublicKeyCredentialSourceRepositorySQLiteTest extends TestCase {
 
 	protected function setUp(): void {
 		$this->database = new PublicKeyCredentialSourceRepositorySQLiteTestDb();
+		$_SESSION['ldap'] = new Ldap(null);
+		$_SESSION['ldap']->encrypt_login('cn=user1', 'password');
 	}
 
 	/**
@@ -60,7 +63,7 @@ public function test_findOneByCredentialId_emptyDb() {
 	 * Empty DB test
 	 */
 	public function test_findAllForUserEntity_emptyDb() {
-		$entity = new PublicKeyCredentialUserEntity("cn=test,dc=example", "cn=test,dc=example", "test", null);
+		$entity = new PublicKeyCredentialUserEntity("cn=test,dc=example", WebauthnManager::getUserIdFromDn("cn=test,dc=example"), "test", null);
 
 		$result = $this->database->findAllForUserEntity($entity);
 		$this->assertEmpty($result);
@@ -78,7 +81,7 @@ public function test_saveCredentialSource() {
 			new CertificateTrustPath(['x5c' => 'test']),
 			\Symfony\Component\Uid\Uuid::fromString('00000000-0000-0000-0000-000000000000'),
 			"p1",
-			"uh1",
+			WebauthnManager::getUserIdFromDn("cn=user1"),
 			1);
 		$this->database->saveCredentialSource($source1);
 		$source2 = new PublicKeyCredentialSource(
@@ -89,9 +92,10 @@ public function test_saveCredentialSource() {
 			new CertificateTrustPath(['x5c' => 'test']),
 			\Symfony\Component\Uid\Uuid::fromString('00000000-0000-0000-0000-000000000000'),
 			"p2",
-			"uh1",
+			WebauthnManager::getUserIdFromDn("cn=user1"),
 			1);
 		$this->database->saveCredentialSource($source2);
+		$_SESSION['ldap']->encrypt_login('cn=user2', 'password');
 		$source3 = new PublicKeyCredentialSource(
 			"id3",
 			PublicKeyCredentialDescriptor::CREDENTIAL_TYPE_PUBLIC_KEY,
@@ -100,7 +104,7 @@ public function test_saveCredentialSource() {
 			new CertificateTrustPath(['x5c' => 'test']),
 			\Symfony\Component\Uid\Uuid::fromString('00000000-0000-0000-0000-000000000000'),
 			"p3",
-			"uh2",
+			WebauthnManager::getUserIdFromDn("cn=user2"),
 			1);
 		$this->database->saveCredentialSource($source3);
 
@@ -108,10 +112,10 @@ public function test_saveCredentialSource() {
 		$this->assertNotNull($this->database->findOneByCredentialId("id2"));
 		$this->assertNotNull($this->database->findOneByCredentialId("id3"));
 		$this->assertEquals(2, sizeof(
-			$this->database->findAllForUserEntity(new PublicKeyCredentialUserEntity("uh1", "uh1", "uh1", null))
+			$this->database->findAllForUserEntity(new PublicKeyCredentialUserEntity("cn=user1", WebauthnManager::getUserIdFromDn("uh1"), "uh1", null))
 		));
 		$this->assertEquals(1, sizeof(
-			$this->database->findAllForUserEntity(new PublicKeyCredentialUserEntity("uh2", "uh2", "uh2", null))
+			$this->database->findAllForUserEntity(new PublicKeyCredentialUserEntity("cn=user2", WebauthnManager::getUserIdFromDn("uh2"), "uh2", null))
 		));
 	}
 
@@ -125,7 +129,7 @@ public function test_hasRegisteredCredentials() {
 			new CertificateTrustPath(['x5c' => 'test']),
 			\Symfony\Component\Uid\Uuid::fromString('00000000-0000-0000-0000-000000000000'),
 			"p1",
-			"uh1",
+			WebauthnManager::getUserIdFromDn("cn=user1"),
 			1);
 		$this->database->saveCredentialSource($source1);
 		$this->assertTrue($this->database->hasRegisteredCredentials());
@@ -140,12 +144,12 @@ public function test_searchDevices() {
 			new CertificateTrustPath(['x5c' => 'test']),
 			\Symfony\Component\Uid\Uuid::fromString('00000000-0000-0000-0000-000000000000'),
 			"p1",
-			"uh1",
+			WebauthnManager::getUserIdFromDn("cn=user1"),
 			1);
 		$this->database->saveCredentialSource($source1);
-		$this->assertNotEmpty($this->database->searchDevices('uh1'));
-		$this->assertNotEmpty($this->database->searchDevices('%h1%'));
-		$this->assertEmpty($this->database->searchDevices('uh2'));
+		$this->assertNotEmpty($this->database->searchDevices('cn=user1'));
+		$this->assertNotEmpty($this->database->searchDevices('%user1%'));
+		$this->assertEmpty($this->database->searchDevices('cn=user2'));
 	}
 
 	public function test_deleteDevice() {
@@ -157,11 +161,11 @@ public function test_deleteDevice() {
 			new CertificateTrustPath(['x5c' => 'test']),
 			\Symfony\Component\Uid\Uuid::fromString('00000000-0000-0000-0000-000000000000'),
 			"p1",
-			"uh1",
+			WebauthnManager::getUserIdFromDn("cn=user1"),
 			1);
 		$this->database->saveCredentialSource($source1);
-		$this->assertTrue($this->database->deleteDevice('uh1', base64_encode('id1')));
-		$this->assertFalse($this->database->deleteDevice('uh1', base64_encode('id2')));
+		$this->assertTrue($this->database->deleteDevice('cn=user1', base64_encode('id1')));
+		$this->assertFalse($this->database->deleteDevice('cn=user1', base64_encode('id2')));
 	}
 
 }

From 0c8c482245ef82c11bda51cc527f5ddd8ae6777a Mon Sep 17 00:00:00 2001
From: Roland Gruber <post@rolandgruber.de>
Date: Mon, 7 Oct 2024 07:49:50 +0200
Subject: [PATCH 4/5] #358 support DNs larger than 64 bytes

---
 lam/lib/webauthn.inc | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/lam/lib/webauthn.inc b/lam/lib/webauthn.inc
index 2ba196bc8..a109a35da 100644
--- a/lam/lib/webauthn.inc
+++ b/lam/lib/webauthn.inc
@@ -87,12 +87,11 @@ class WebauthnManager {
 	 * Returns if the given DN is registered for webauthn.
 	 *
 	 * @param string $dn DN
-	 * @return boolean is registered
+	 * @return bool is registered
 	 */
-	public function isRegistered($dn) {
+	public function isRegistered($dn): bool {
 		$database = $this->getDatabase();
-		$userEntity = $this->getUserEntity($dn);
-		$results = $database->findAllForUserEntity($userEntity);
+		$results = $database->findAllForUserDn($dn);
 		return !empty($results);
 	}
 
@@ -109,7 +108,7 @@ class WebauthnManager {
 		$userEntity = $this->getUserEntity($dn);
 		$challenge = $this->createChallenge();
 		$credentialParameters = $this->getCredentialParameters();
-		$excludedKeys = $this->getExcludedKeys($userEntity, $extraExcludedKeys);
+		$excludedKeys = $this->getExcludedKeys($dn, $extraExcludedKeys);
 		$timeout = $this->getTimeout();
 		$authenticatorSelectionCriteria = AuthenticatorSelectionCriteria::create()->setUserVerification(AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED);
 		$registrationObject = new PublicKeyCredentialCreationOptions(
@@ -184,7 +183,7 @@ class WebauthnManager {
 	 */
 	private function getUserEntity($dn) {
 		return new PublicKeyCredentialUserEntity(
-			$dn,
+			self::getUserIdFromDn($dn),
 			self::getUserIdFromDn($dn),
 			extractRDNValue($dn),
 			null
@@ -238,14 +237,14 @@ class WebauthnManager {
 	/**
 	 * Returns a list of all credential ids that are already registered.
 	 *
-	 * @param PublicKeyCredentialUserEntity $user user data
+	 * @param string $userDn user DN
 	 * @param array $extraExcludedKeys credentialIds that should be added to excluded keys
 	 * @return PublicKeyCredentialDescriptor[] credential ids
 	 */
-	private function getExcludedKeys($user, $extraExcludedKeys = []) {
+	private function getExcludedKeys(string $userDn, $extraExcludedKeys = []) {
 		$keys = [];
 		$repository = $this->getDatabase();
-		$credentialSources = $repository->findAllForUserEntity($user);
+		$credentialSources = $repository->findAllForUserDn($userDn);
 		foreach ($credentialSources as $credentialSource) {
 			$keys[] = new PublicKeyCredentialDescriptor(PublicKeyCredentialDescriptor::CREDENTIAL_TYPE_PUBLIC_KEY, $credentialSource->getPublicKeyCredentialId());
 		}
@@ -367,8 +366,7 @@ class WebauthnManager {
 		$timeout = $this->getTimeout();
 		$challenge = $this->createChallenge();
 		$database = $this->getDatabase();
-		$userEntity = $this->getUserEntity($userDN);
-		$publicKeyCredentialSources = $database->findAllForUserEntity($userEntity);
+		$publicKeyCredentialSources = $database->findAllForUserDn($userDN);
 		$userVerification = PublicKeyCredentialRequestOptions::USER_VERIFICATION_REQUIREMENT_DISCOURAGED;
 		$extensions = new AuthenticationExtensionsClientInputs();
 		$relyingParty = $this->createRpEntry($isSelfService);
@@ -486,11 +484,21 @@ abstract class PublicKeyCredentialSourceRepositoryBase implements PublicKeyCrede
 	 * @return PublicKeyCredentialSource[] credential sources
 	 */
 	public function findAllForUserEntity(PublicKeyCredentialUserEntity $publicKeyCredentialUserEntity): array {
+		return $this->findAllForUserDn($publicKeyCredentialUserEntity->getName());
+	}
+
+	/**
+	 * Finds all credential entries for the given user.
+	 *
+	 * @param string $userDn user DN
+	 * @return PublicKeyCredentialSource[] credential sources
+	 */
+	public function findAllForUserDn(string $userDn): array {
 		$credentials = [];
 		try {
 			$pdo = $this->getPDO();
 			$statement = $pdo->prepare('select * from ' . $this->getTableName() . ' where userDN = :userDN');
-			$statement->execute([':userDN' => $publicKeyCredentialUserEntity->getName()]);
+			$statement->execute([':userDN' => $userDn]);
 			$results = $statement->fetchAll();
 			foreach ($results as $result) {
 				$jsonArray = json_decode($result['credentialSource'], true);

From 90875951272c72deeee25f2435ace8b7816818b5 Mon Sep 17 00:00:00 2001
From: Roland Gruber <post@rolandgruber.de>
Date: Mon, 7 Oct 2024 07:58:32 +0200
Subject: [PATCH 5/5] #358 support DNs larger than 64 bytes

---
 .../PublicKeyCredentialSourceRepositorySQLiteTest.php  | 10 ++++------
 lam/tests/lib/WebauthnManagerTest.php                  |  8 ++++----
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/lam/tests/lib/PublicKeyCredentialSourceRepositorySQLiteTest.php b/lam/tests/lib/PublicKeyCredentialSourceRepositorySQLiteTest.php
index ef9737e5a..7b4cbb09b 100644
--- a/lam/tests/lib/PublicKeyCredentialSourceRepositorySQLiteTest.php
+++ b/lam/tests/lib/PublicKeyCredentialSourceRepositorySQLiteTest.php
@@ -62,10 +62,8 @@ public function test_findOneByCredentialId_emptyDb() {
 	/**
 	 * Empty DB test
 	 */
-	public function test_findAllForUserEntity_emptyDb() {
-		$entity = new PublicKeyCredentialUserEntity("cn=test,dc=example", WebauthnManager::getUserIdFromDn("cn=test,dc=example"), "test", null);
-
-		$result = $this->database->findAllForUserEntity($entity);
+	public function test_findAllForDn_emptyDb() {
+		$result = $this->database->findAllForUserDn("cn=test,dc=example");
 		$this->assertEmpty($result);
 	}
 
@@ -112,10 +110,10 @@ public function test_saveCredentialSource() {
 		$this->assertNotNull($this->database->findOneByCredentialId("id2"));
 		$this->assertNotNull($this->database->findOneByCredentialId("id3"));
 		$this->assertEquals(2, sizeof(
-			$this->database->findAllForUserEntity(new PublicKeyCredentialUserEntity("cn=user1", WebauthnManager::getUserIdFromDn("uh1"), "uh1", null))
+			$this->database->findAllForUserDn("cn=user1")
 		));
 		$this->assertEquals(1, sizeof(
-			$this->database->findAllForUserEntity(new PublicKeyCredentialUserEntity("cn=user2", WebauthnManager::getUserIdFromDn("uh2"), "uh2", null))
+			$this->database->findAllForUserDn("cn=user2")
 		));
 	}
 
diff --git a/lam/tests/lib/WebauthnManagerTest.php b/lam/tests/lib/WebauthnManagerTest.php
index 5b5390dcb..583a68687 100644
--- a/lam/tests/lib/WebauthnManagerTest.php
+++ b/lam/tests/lib/WebauthnManagerTest.php
@@ -59,7 +59,7 @@ class WebauthnManagerTest extends TestCase {
 	protected function setup(): void {
 		$this->database = $this
 			->getMockBuilder(PublicKeyCredentialSourceRepositorySQLite::class)
-			->onlyMethods(['getPdoUrl', 'findOneByCredentialId', 'findAllForUserEntity'])
+			->onlyMethods(['getPdoUrl', 'findOneByCredentialId', 'findAllForUserDn'])
 			->getMock();
 		$file = tmpfile();
 		$filePath = stream_get_meta_data($file)['uri'];
@@ -85,7 +85,7 @@ protected function setup(): void {
 	}
 
 	public function test_getAuthenticationObject() {
-		$this->database->method('findAllForUserEntity')->willReturn([]);
+		$this->database->method('findAllForUserDn')->willReturn([]);
 
 		$authenticationObj = $this->manager->getAuthenticationObject('uid=test,o=test', false);
 		$this->assertEquals(32, strlen($authenticationObj->getChallenge()));
@@ -99,14 +99,14 @@ public function test_getRegistrationObject() {
 	}
 
 	public function test_isRegistered_notRegistered() {
-		$this->database->method('findAllForUserEntity')->willReturn([]);
+		$this->database->method('findAllForUserDn')->willReturn([]);
 
 		$isRegistered = $this->manager->isRegistered('uid=test,o=test');
 		$this->assertFalse($isRegistered);
 	}
 
 	public function test_isRegistered_registered() {
-		$this->database->method('findAllForUserEntity')->willReturn([new PublicKeyCredentialSource(
+		$this->database->method('findAllForUserDn')->willReturn([new PublicKeyCredentialSource(
 				"id1",
 				PublicKeyCredentialDescriptor::CREDENTIAL_TYPE_PUBLIC_KEY,
 				[],