Skip to content

fix: use spomky-labs/pki-framework to replace native php openssl functions for attestation statements (backport to 5.2.x)#790

Merged
Spomky merged 2 commits into5.2.xfrom
bugfix/attestation-statements-5.2.x
Dec 20, 2025
Merged

fix: use spomky-labs/pki-framework to replace native php openssl functions for attestation statements (backport to 5.2.x)#790
Spomky merged 2 commits into5.2.xfrom
bugfix/attestation-statements-5.2.x

Conversation

@Spomky
Copy link
Copy Markdown
Contributor

@Spomky Spomky commented Dec 20, 2025

Backport of #773 to 5.2.x

Bug Description

In certain environments, WebAuthn TPM attestation validation fails due to inconsistent behavior of openssl_x509_parse() across different OpenSSL versions:

  • OpenSSL 3.0.17 (Docker/Debian) → returns '2.23.133.8.3'
  • OpenSSL 3.6.0+ (macOS) → returns 'Attestation Identity Key Certificate'
  • Other versions may return different values → ❌ FAIL

Solution

Replace openssl_x509_parse() and openssl_pkey_get_details() with spomky-labs/pki-framework for deterministic ASN.1 parsing.

Changes

  • AndroidKey: Robust parsing of extension 1.3.6.1.4.1.11129.2.1.17
  • Apple: Fixed nonce verification (hash_equals for timing attack prevention)
  • Packed: Stricter Subject field validation, AAGUID extension criticality check
  • TPM: Fixed OID 2.23.133.8.3 check (main bug fix)

Tests

All tests pass (10/10 tests, 69 assertions)

Security

  • ✅ No BC break
  • ✅ Improved security (hash_equals, stricter validations)
  • ✅ Better W3C WebAuthn 3 spec conformance

Related: #773

@Spomky Spomky force-pushed the bugfix/attestation-statements-5.2.x branch from 8f4d671 to a5de827 Compare December 20, 2025 10:21
zll600 and others added 2 commits December 20, 2025 11:25
@zll600 @Spomky
refactor: use spomky-labs/pki-framework to replace native php openssl…
b5bc5f2 
… functions for attestation statements
@Spomky
chore: apply code style fixes and update PHPStan baseline
ad2b1b9 
- Fix code style (ECS) in AndroidKey and Apple attestation statement supports
- Regenerate PHPStan baseline to account for removed openssl_* function calls
@Spomky Spomky force-pushed the bugfix/attestation-statements-5.2.x branch from a5de827 to ad2b1b9 Compare December 20, 2025 10:29
@Spomky Spomky merged commit 77b6650 into 5.2.x Dec 20, 2025
13 of 14 checks passed
@Spomky Spomky deleted the bugfix/attestation-statements-5.2.x branch December 20, 2025 10:31
@Spomky Spomky added this to the 5.2.3 milestone Dec 20, 2025
@Spomky Spomky added the bug Something isn't working label Dec 20, 2025
@Spomky Spomky self-assigned this Dec 20, 2025
@Spomky Spomky mentioned this pull request Dec 20, 2025
Closed
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@Spomky Spomky

Labels

bug Something isn't working

Projects

None yet

Milestone

5.2.3

Development

Successfully merging this pull request may close these issues.

2 participants

@Spomky @zll600