Complete certificate chain verification (#137)

Root certificates
Untrusted certificates
CRL fixed

.gitattributes

@@ -1,7 +1,5 @@
 * text=auto
 
 /.github export-ignore
-/tests export-ignore
 /.gitattributes export-ignore
-/.gitignore export-ignore
-/phpunit.xml.dist export-ignore
+/README.md export-ignore

composer.json

@@ -21,6 +21,7 @@
         "ext-openssl": "*",
         "ext-mbstring": "*",
         "beberlei/assert": "^3.2",
+        "fgrosse/phpasn1": "^2.1",
         "psr/http-client": "^1.0",
         "psr/http-factory": "^1.0",
         "psr/http-message": "^1.0",
@@ -29,6 +30,7 @@
         "spomky-labs/base64url": "^2.0",
         "spomky-labs/cbor-php": "^1.1|^2.0",
         "symfony/process": "^3.0|^4.0|^5.0",
+        "thecodingmachine/safe": "^1.1",
         "web-auth/cose-lib": "self.version",
         "web-auth/metadata-service": "self.version"
     },

src/AttestationStatement/AndroidKeyAttestationStatementSupport.php

@@ -52,7 +52,7 @@ public function name(): string
     }
 
     /**
-     * @param array<string, mixed> $attestation
+     * @param mixed[] $attestation
      */
     public function load(array $attestation): AttestationStatement
     {

src/AttestationStatement/AndroidSafetyNetAttestationStatementSupport.php

@@ -132,7 +132,7 @@ public function name(): string
     }
 
     /**
-     * @param array<string, mixed> $attestation
+     * @param mixed[] $attestation
      */
     public function load(array $attestation): AttestationStatement
     {
@@ -256,9 +256,9 @@ private function checkGoogleApiResponse(ResponseInterface $response): void
     }
 
     /**
-     * @param array<string> $certificates
+     * @param string[] $certificates
      *
-     * @return array<string>
+     * @return string[]
      */
     private function convertCertificatesToPem(array $certificates): array
     {

src/AttestationStatement/AppleAttestationStatementSupport.php

@@ -47,7 +47,7 @@ public function name(): string
     }
 
     /**
-     * @param array<string, mixed> $attestation
+     * @param mixed[] $attestation
      */
     public function load(array $attestation): AttestationStatement
     {

src/AttestationStatement/AttestationStatement.php

@@ -34,7 +34,7 @@ class AttestationStatement implements JsonSerializable
     private $fmt;
 
     /**
-     * @var array<string, mixed>
+     * @var mixed[]
      */
     private $attStmt;
 
@@ -49,7 +49,7 @@ class AttestationStatement implements JsonSerializable
     private $type;
 
     /**
-     * @param array<string, mixed> $attStmt
+     * @param mixed[] $attStmt
      */
     public function __construct(string $fmt, array $attStmt, string $type, TrustPath $trustPath)
     {
@@ -60,39 +60,39 @@ public function __construct(string $fmt, array $attStmt, string $type, TrustPath
     }
 
     /**
-     * @param array<string, mixed> $attStmt
+     * @param mixed[] $attStmt
      */
     public static function createNone(string $fmt, array $attStmt, TrustPath $trustPath): self
     {
         return new self($fmt, $attStmt, self::TYPE_NONE, $trustPath);
     }
 
     /**
-     * @param array<string, mixed> $attStmt
+     * @param mixed[] $attStmt
      */
     public static function createBasic(string $fmt, array $attStmt, TrustPath $trustPath): self
     {
         return new self($fmt, $attStmt, self::TYPE_BASIC, $trustPath);
     }
 
     /**
-     * @param array<string, mixed> $attStmt
+     * @param mixed[] $attStmt
      */
     public static function createSelf(string $fmt, array $attStmt, TrustPath $trustPath): self
     {
         return new self($fmt, $attStmt, self::TYPE_SELF, $trustPath);
     }
 
     /**
-     * @param array<string, mixed> $attStmt
+     * @param mixed[] $attStmt
      */
     public static function createAttCA(string $fmt, array $attStmt, TrustPath $trustPath): self
     {
         return new self($fmt, $attStmt, self::TYPE_ATTCA, $trustPath);
     }
 
     /**
-     * @param array<string, mixed> $attStmt
+     * @param mixed[] $attStmt
      */
     public static function createEcdaa(string $fmt, array $attStmt, TrustPath $trustPath): self
     {
@@ -105,7 +105,7 @@ public function getFmt(): string
     }
 
     /**
-     * @return array<string, mixed>
+     * @return mixed[]
      */
     public function getAttStmt(): array
     {
@@ -138,7 +138,7 @@ public function getType(): string
     }
 
     /**
-     * @param array<string, mixed> $data
+     * @param mixed[] $data
      */
     public static function createFromArray(array $data): self
     {
@@ -155,7 +155,7 @@ public static function createFromArray(array $data): self
     }
 
     /**
-     * @return array<string, mixed>
+     * @return mixed[]
      */
     public function jsonSerialize(): array
     {

src/AttestationStatement/AttestationStatementSupport.php

@@ -20,7 +20,7 @@ interface AttestationStatementSupport
     public function name(): string;
 
     /**
-     * @param array<string, mixed> $attestation
+     * @param mixed[] $attestation
      */
     public function load(array $attestation): AttestationStatement;
 

src/AttestationStatement/FidoU2FAttestationStatementSupport.php

@@ -46,7 +46,7 @@ public function name(): string
     }
 
     /**
-     * @param array<string, mixed> $attestation
+     * @param mixed[] $attestation
      */
     public function load(array $attestation): AttestationStatement
     {

src/AttestationStatement/NoneAttestationStatementSupport.php

@@ -26,7 +26,7 @@ public function name(): string
     }
 
     /**
-     * @param array<string, mixed> $attestation
+     * @param mixed[] $attestation
      */
     public function load(array $attestation): AttestationStatement
     {

src/AttestationStatement/PackedAttestationStatementSupport.php

@@ -59,7 +59,7 @@ public function name(): string
     }
 
     /**
-     * @param array<string, mixed> $attestation
+     * @param mixed[] $attestation
      */
     public function load(array $attestation): AttestationStatement
     {
@@ -92,7 +92,7 @@ public function isValid(string $clientDataJSONHash, AttestationStatement $attest
     }
 
     /**
-     * @param array<string, mixed> $attestation
+     * @param mixed[] $attestation
      */
     private function loadBasicType(array $attestation): AttestationStatement
     {
@@ -113,7 +113,7 @@ private function loadEcdaaType(array $attestation): AttestationStatement
     }
 
     /**
-     * @param array<string, mixed> $attestation
+     * @param mixed[] $attestation
      */
     private function loadEmptyType(array $attestation): AttestationStatement
     {

src/AttestationStatement/TPMAttestationStatementSupport.php

@@ -46,7 +46,7 @@ public function name(): string
     }
 
     /**
-     * @param array<string, mixed> $attestation
+     * @param mixed[] $attestation
      */
     public function load(array $attestation): AttestationStatement
     {
@@ -125,7 +125,7 @@ private function checkUniquePublicKey(string $unique, string $cborPublicKey): vo
     }
 
     /**
-     * @return array<string, mixed>
+     * @return mixed[]
      */
     private function checkCertInfo(string $data): array
     {
@@ -167,7 +167,7 @@ private function checkCertInfo(string $data): array
     }
 
     /**
-     * @return array<string, mixed>
+     * @return mixed[]
      */
     private function checkPubArea(string $data): array
     {
@@ -200,7 +200,7 @@ private function checkPubArea(string $data): array
     }
 
     /**
-     * @return array<string, mixed>
+     * @return mixed[]
      */
     private function getParameters(string $type, StringStream $stream): array
     {
@@ -300,8 +300,6 @@ private function checkCertificate(string $attestnCert, AuthenticatorData $authen
 
         // id-fido-gen-ce-aaguid OID check
         Assertion::false(in_array('1.3.6.1.4.1.45724.1.1.4', $parsed['extensions'], true) && !hash_equals($authenticatorData->getAttestedCredentialData()->getAaguid()->getBytes(), $parsed['extensions']['1.3.6.1.4.1.45724.1.1.4']), 'The value of the "aaguid" does not match with the certificate');
-
-        // TODO: For attestationRoot in metadata.attestationRootCertificates, generate verification chain verifX5C by appending attestationRoot to the x5c. Try verifying verifX5C. If successful go to next step. If fail try next attestationRoot. If no attestationRoots left to try, fail.
     }
 
     private function processWithECDAA(): bool

src/AttestedCredentialData.php

@@ -67,7 +67,7 @@ public function getCredentialPublicKey(): ?string
     }
 
     /**
-     * @param array<string, mixed> $json
+     * @param mixed[] $json
      */
     public static function createFromArray(array $json): self
     {
@@ -96,7 +96,7 @@ public static function createFromArray(array $json): self
     }
 
     /**
-     * @return array<string, mixed>
+     * @return mixed[]
      */
     public function jsonSerialize(): array
     {

src/AuthenticationExtensions/AuthenticationExtensionsClientInputs.php

@@ -26,7 +26,7 @@
 class AuthenticationExtensionsClientInputs implements JsonSerializable, Countable, IteratorAggregate
 {
     /**
-     * @var array<string, AuthenticationExtension>
+     * @var AuthenticationExtension[]
      */
     private $extensions = [];
 
@@ -36,7 +36,7 @@ public function add(AuthenticationExtension $extension): void
     }
 
     /**
-     * @param array<string, mixed> $json
+     * @param mixed[] $json
      */
     public static function createFromArray(array $json): self
     {
@@ -64,7 +64,7 @@ public function get(string $key)
     }
 
     /**
-     * @return array<string, AuthenticationExtension>
+     * @return AuthenticationExtension[]
      */
     public function jsonSerialize(): array
     {

src/AuthenticationExtensions/AuthenticationExtensionsClientOutputs.php

@@ -27,7 +27,7 @@
 class AuthenticationExtensionsClientOutputs implements JsonSerializable, Countable, IteratorAggregate
 {
     /**
-     * @var array<string, AuthenticationExtension>
+     * @var AuthenticationExtension[]
      */
     private $extensions = [];
 
@@ -45,7 +45,7 @@ public static function createFromString(string $data): self
     }
 
     /**
-     * @param array<string, mixed> $json
+     * @param mixed[] $json
      */
     public static function createFromArray(array $json): self
     {
@@ -73,7 +73,7 @@ public function get(string $key)
     }
 
     /**
-     * @return array<string, AuthenticationExtension>
+     * @return AuthenticationExtension[]
      */
     public function jsonSerialize(): array
     {

src/AuthenticatorAssertionResponseValidator.php

@@ -169,7 +169,7 @@ public function check(string $credentialId, AuthenticatorAssertionResponse $auth
             Assertion::true(hash_equals($rpIdHash, $authenticatorAssertionResponse->getAuthenticatorData()->getRpIdHash()), 'rpId hash mismatch.');
 
             /* @see 7.2.12 */
-            Assertion::true($authenticatorAssertionResponse->getAuthenticatorData()->isUserPresent(), 'User was not present');
+            //Nothing to do. The verification of the bit is done during the authenticator data loading
             /* @see 7.2.13 */
             if (AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED === $publicKeyCredentialRequestOptions->getUserVerification()) {
                 Assertion::true($authenticatorAssertionResponse->getAuthenticatorData()->isUserVerified(), 'User authentication required.');