Harmonizing the PHP library with Java library

Mihkel Kivisild · mrts · commit 0433eb3c9377 · 2025-03-20T14:58:50.000+02:00
WE2-971

Signed-off-by: Mihkel Kivisild &lt;mihkel.kivisild@cgi.com&gt;
diff --git a/example/src/Auth.php b/example/src/Auth.php
@@ -88,14 +88,13 @@ public function getNonce()
 
     private function getPrincipalNameFromCertificate(X509 $userCertificate): string
     {
+        $givenName = CertificateData::getSubjectGivenName($userCertificate);
         $surname = CertificateData::getSubjectSurname($userCertificate);
-        $givenname = CertificateData::getSubjectGivenName($userCertificate);
-        if ($surname && $givenname) {
-            $principalName = $givenname . " " . $surname;
+        if ($givenName && $surname) {
+            return $givenName . " " . $surname;
         } else {
-            $principalName = CertificateData::getSubjectCN($userCertificate);
+            return CertificateData::getSubjectCN($userCertificate);
         }
-        return $principalName;
     }
 
     /**
diff --git a/src/authtoken/WebEidAuthToken.php b/src/authtoken/WebEidAuthToken.php
@@ -48,10 +48,6 @@ class WebEidAuthToken
      * @var string Format
      */
     private ?string $format = null;
-    /**
-     * @var string App version
-     */
-    private ?string $appVersion = null;
 
     public function __construct(string $authenticationTokenJSON)
     {
@@ -76,10 +72,6 @@ public function __construct(string $authenticationTokenJSON)
         if (isset($jsonDecoded['format'])) {
             $this->format = $this->filterString('format', $jsonDecoded['format']);
         }
-        // appVersion
-        if (isset($jsonDecoded['appVersion'])) {
-            $this->appVersion = $this->filterString('appVersion', $jsonDecoded['appVersion']);
-        }
     }
 
     public function getUnverifiedCertificate(): ?string
@@ -102,11 +94,6 @@ public function getFormat(): ?string
         return $this->format;
     }
 
-    public function getAppVersion(): ?string
-    {
-        return $this->appVersion;
-    }
-
     private function filterString(string $key, $data): string
     {
         $type = gettype($data);
diff --git a/src/certificate/CertificateData.php b/src/certificate/CertificateData.php
@@ -80,15 +80,14 @@ public static function getSubjectCountryCode(X509 $certificate): ?string
     /**
      * Get specified subject field from x509 certificate
      *
-     * @return string
+     * @return ?string
      */
     private static function getField(X509 $certificate, string $fieldId): ?string
     {
         $result = $certificate->getSubjectDNProp($fieldId);
         if ($result) {
-            return join(" ", $result);
-        }
-        else {
+            return join(", ", $result);
+        } else {
             return null;
         }
     }
diff --git a/src/validator/AuthTokenSignatureValidator.php b/src/validator/AuthTokenSignatureValidator.php
@@ -54,19 +54,19 @@ public function __construct(Uri $siteOrigin)
 
     public function validate(string $algorithm, string $signature, $publicKey, string $currentChallengeNonce): void
     {
-        $this->requireNotEmpty($algorithm, "algorithm");
-        $this->requireNotEmpty($signature, "signature");
+        if (empty($currentChallengeNonce)) {
+            throw new ChallengeNullOrEmptyException();
+        }
 
         if (is_null($publicKey)) {
             throw new InvalidArgumentException("Public key is null");
         }
 
-        if (empty($currentChallengeNonce)) {
-            throw new ChallengeNullOrEmptyException();
-        }
+        $this->requireNotEmpty($algorithm, "algorithm");
+        $this->requireNotEmpty($signature, "signature");
 
         if (!in_array($algorithm, self::ALLOWED_SIGNATURE_ALGORITHMS)) {
-            throw new AuthTokenParseException("Invalid signature algorithm");
+            throw new AuthTokenParseException("Unsupported signature algorithm");
         }
 
         $decodedSignature = base64_decode($signature);
diff --git a/src/validator/ocsp/OcspRequestBuilder.php b/src/validator/ocsp/OcspRequestBuilder.php
@@ -26,6 +26,7 @@
 
 namespace web_eid\web_eid_authtoken_validation_php\validator\ocsp;
 
+use InvalidArgumentException;
 use web_eid\web_eid_authtoken_validation_php\ocsp\OcspRequest;
 use web_eid\web_eid_authtoken_validation_php\util\SecureRandom;
 
@@ -58,6 +59,9 @@ public function enableOcspNonce(bool $ocspNonceEnabled): OcspRequestBuilder
     public function build(): OcspRequest
     {
         $ocspRequest = new OcspRequest();
+        if (is_null($this->certificateId)) {
+            throw new InvalidArgumentException("Certificate Id must not be null");
+        }
         $ocspRequest->addCertificateId($this->certificateId);
 
         if ($this->ocspNonceEnabled) {
diff --git a/src/validator/ocsp/OcspServiceProvider.php b/src/validator/ocsp/OcspServiceProvider.php
@@ -26,6 +26,7 @@
 
 namespace web_eid\web_eid_authtoken_validation_php\validator\ocsp;
 
+use InvalidArgumentException;
 use phpseclib3\File\X509;
 use web_eid\web_eid_authtoken_validation_php\validator\ocsp\service\AiaOcspService;
 use web_eid\web_eid_authtoken_validation_php\validator\ocsp\service\AiaOcspServiceConfiguration;
@@ -41,7 +42,8 @@ class OcspServiceProvider
     public function __construct(?DesignatedOcspServiceConfiguration $designatedOcspServiceConfiguration, AiaOcspServiceConfiguration $aiaOcspServiceConfiguration)
     {
         $this->designatedOcspService = !is_null($designatedOcspServiceConfiguration) ? new DesignatedOcspService($designatedOcspServiceConfiguration) : null;
-        $this->aiaOcspServiceConfiguration = $aiaOcspServiceConfiguration;
+        $this->aiaOcspServiceConfiguration = $aiaOcspServiceConfiguration ?? throw new InvalidArgumentException("AIA Ocsp Service Configuration must not be null");
+
     }
 
     /**
diff --git a/src/validator/ocsp/OcspUrl.php b/src/validator/ocsp/OcspUrl.php
@@ -28,6 +28,7 @@
 use phpseclib3\File\X509;
 use GuzzleHttp\Psr7\Uri;
 use Exception;
+use InvalidArgumentException;
 
 final class OcspUrl
 {
@@ -43,6 +44,9 @@ public function __construct()
      */
     public static function getOcspUri(X509 $certificate): ?Uri
     {
+        if (is_null($certificate)) {
+            throw new InvalidArgumentException("Certificate must not be null");
+        }
         $authorityInformationAccess = $certificate->getExtension("id-pe-authorityInfoAccess");
         if ($authorityInformationAccess) {
             foreach ($authorityInformationAccess as $accessDescription) {
diff --git a/src/validator/ocsp/service/AiaOcspService.php b/src/validator/ocsp/service/AiaOcspService.php
@@ -35,6 +35,7 @@
 use DateTime;
 use web_eid\web_eid_authtoken_validation_php\validator\ocsp\OcspResponseValidator;
 use Exception;
+use InvalidArgumentException;
 
 /**
  * An OCSP service that uses the responders from the Certificates' Authority Information Access (AIA) extension.
@@ -48,6 +49,9 @@ class AiaOcspService implements OcspService
 
     public function __construct(AiaOcspServiceConfiguration $configuration, X509 $certificate)
     {
+        if (is_null($configuration)) {
+            throw new InvalidArgumentException("Configuration cannot be null");
+        }
         $this->url = self::getOcspAiaUrlFromCertificate($certificate);
         $this->trustedCACertificates = $configuration->getTrustedCACertificates();
         $this->supportsNonce = !in_array($this->url->jsonSerialize(), $configuration->getNonceDisabledOcspUrls()->getUrlsArray());
diff --git a/tests/authtoken/WebEidAuthTokenTest.php b/tests/authtoken/WebEidAuthTokenTest.php
@@ -48,7 +48,6 @@ public function testValidateAuthTokenParameters(): void
         $this->assertEquals("RS256", $authToken->getAlgorithm());
         $this->assertEquals("HBjNXIaUskXbfhzYQHvwjKDUWfNu4yxXZh", $authToken->getSignature());
         $this->assertEquals("web-eid:1.0", $authToken->getFormat());
-        $this->assertEquals("https://web-eid.eu/web-eid-app/releases/v2.0.0", $authToken->getAppVersion());
     }
 
     public function testWhenNotAuthToken(): void
diff --git a/tests/certificate/CertificateDataTest.php b/tests/certificate/CertificateDataTest.php
@@ -49,20 +49,22 @@ public function testWhenOrganizationCertificateThenSubjectCNAndIdCodeAndCountryC
         $this->assertEquals("EE", CertificateData::getSubjectCountryCode($cert));
     }
 
-    public function testWhenOrganizationCertificateThenSubjectGivenNameAndSurnameAreNull(): void
+    public function testWhenOrganizationCertificateThenSubjectGivenNameAndSurnameAreEmpty(): void
     {
         $cert = Certificates::getOrganizationCert();
-        $this->assertEquals(null, CertificateData::getSubjectGivenName($cert));
-        $this->assertEquals(null, CertificateData::getSubjectSurname($cert));
+        $givenName = CertificateData::getSubjectGivenName($cert);
+        $surname = CertificateData::getSubjectSurname($cert);
+        $this->assertEmpty($givenName);
+        $this->assertEmpty($surname);
     }
 
     public function testWhenOrganizationCertificateThenSucceeds(): void
     {
         $cert = Certificates::getOrganizationCert();
+        $givenName = CertificateData::getSubjectGivenName($cert);
         $surname = CertificateData::getSubjectSurname($cert);
-        $givenname = CertificateData::getSubjectGivenName($cert);
-        if ($surname && $givenname) {
-            $principalName = $givenname . " " . $surname;
+        if ($givenName && $surname) {
+            $principalName = $givenName . " " . $surname;
         } else {
             $principalName = CertificateData::getSubjectCN($cert);
         }
diff --git a/tests/validator/AuthTokenAlgorithmTest.php b/tests/validator/AuthTokenAlgorithmTest.php
@@ -35,7 +35,7 @@ public function testWhenAlgorithmNoneThenValidationFails(): void
         $authToken = $this->replaceTokenField(self::VALID_AUTH_TOKEN, "algorithm", "NONE");
 
         $this->expectException(AuthTokenParseException::class);
-        $this->expectExceptionMessage("Invalid signature algorithm");
+        $this->expectExceptionMessage("Unsupported signature algorithm");
         $this->validator->validate($authToken, self::VALID_AUTH_TOKEN);
     }
 
@@ -53,7 +53,7 @@ public function testWhenAlgorithmInvalidThenParsingFails(): void
         $authToken = $this->replaceTokenField(self::VALID_AUTH_TOKEN, "algorithm", "\\u0000\\t\\ninvalid");
 
         $this->expectException(AuthTokenParseException::class);
-        $this->expectExceptionMessage("Invalid signature algorithm");
+        $this->expectExceptionMessage("Unsupported signature algorithm");
         $this->validator->validate($authToken, self::VALID_AUTH_TOKEN);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -88,14 +88,13 @@ public function getNonce()`
`88`	`88`
`89`	`89`	`private function getPrincipalNameFromCertificate(X509 $userCertificate): string`
`90`	`90`	`{`
	`91`	`+ $givenName = CertificateData::getSubjectGivenName($userCertificate);`
`91`	`92`	`$surname = CertificateData::getSubjectSurname($userCertificate);`
`92`		`- $givenname = CertificateData::getSubjectGivenName($userCertificate);`
`93`		`- if ($surname && $givenname) {`
`94`		`- $principalName = $givenname . " " . $surname;`
	`93`	`+ if ($givenName && $surname) {`
	`94`	`+ return $givenName . " " . $surname;`
`95`	`95`	`} else {`
`96`		`- $principalName = CertificateData::getSubjectCN($userCertificate);`
	`96`	`+ return CertificateData::getSubjectCN($userCertificate);`
`97`	`97`	`}`
`98`		`- return $principalName;`
`99`	`98`	`}`
`100`	`99`
`101`	`100`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -48,10 +48,6 @@ class WebEidAuthToken`
`48`	`48`	`* @var string Format`
`49`	`49`	`*/`
`50`	`50`	`private ?string $format = null;`
`51`		`- /**`
`52`		`- * @var string App version`
`53`		`- */`
`54`		`- private ?string $appVersion = null;`
`55`	`51`
`56`	`52`	`public function __construct(string $authenticationTokenJSON)`
`57`	`53`	`{`
`@@ -76,10 +72,6 @@ public function __construct(string $authenticationTokenJSON)`
`76`	`72`	`if (isset($jsonDecoded['format'])) {`
`77`	`73`	`$this->format = $this->filterString('format', $jsonDecoded['format']);`
`78`	`74`	`}`
`79`		`- // appVersion`
`80`		`- if (isset($jsonDecoded['appVersion'])) {`
`81`		`- $this->appVersion = $this->filterString('appVersion', $jsonDecoded['appVersion']);`
`82`		`- }`
`83`	`75`	`}`
`84`	`76`
`85`	`77`	`public function getUnverifiedCertificate(): ?string`
`@@ -102,11 +94,6 @@ public function getFormat(): ?string`
`102`	`94`	`return $this->format;`
`103`	`95`	`}`
`104`	`96`
`105`		`- public function getAppVersion(): ?string`
`106`		`- {`
`107`		`- return $this->appVersion;`
`108`		`- }`
`109`		`-`
`110`	`97`	`private function filterString(string $key, $data): string`
`111`	`98`	`{`
`112`	`99`	`$type = gettype($data);`
Original file line number	Diff line number	Diff line change
`@@ -80,15 +80,14 @@ public static function getSubjectCountryCode(X509 $certificate): ?string`
`80`	`80`	`/**`
`81`	`81`	`* Get specified subject field from x509 certificate`
`82`	`82`	`*`
`83`		`- * @return string`
	`83`	`+ * @return ?string`
`84`	`84`	`*/`
`85`	`85`	`private static function getField(X509 $certificate, string $fieldId): ?string`
`86`	`86`	`{`
`87`	`87`	`$result = $certificate->getSubjectDNProp($fieldId);`
`88`	`88`	`if ($result) {`
`89`		`- return join(" ", $result);`
`90`		`- }`
`91`		`- else {`
	`89`	`+ return join(", ", $result);`
	`90`	`+ } else {`
`92`	`91`	`return null;`
`93`	`92`	`}`
`94`	`93`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@`
`26`	`26`
`27`	`27`	`namespace web_eid\web_eid_authtoken_validation_php\validator\ocsp;`
`28`	`28`
	`29`	`+use InvalidArgumentException;`
`29`	`30`	`use phpseclib3\File\X509;`
`30`	`31`	`use web_eid\web_eid_authtoken_validation_php\validator\ocsp\service\AiaOcspService;`
`31`	`32`	`use web_eid\web_eid_authtoken_validation_php\validator\ocsp\service\AiaOcspServiceConfiguration;`
`@@ -41,7 +42,8 @@ class OcspServiceProvider`
`41`	`42`	`public function __construct(?DesignatedOcspServiceConfiguration $designatedOcspServiceConfiguration, AiaOcspServiceConfiguration $aiaOcspServiceConfiguration)`
`42`	`43`	`{`
`43`	`44`	`$this->designatedOcspService = !is_null($designatedOcspServiceConfiguration) ? new DesignatedOcspService($designatedOcspServiceConfiguration) : null;`
`44`		`- $this->aiaOcspServiceConfiguration = $aiaOcspServiceConfiguration;`
	`45`	`+ $this->aiaOcspServiceConfiguration = $aiaOcspServiceConfiguration ?? throw new InvalidArgumentException("AIA Ocsp Service Configuration must not be null");`
	`46`	`+`
`45`	`47`	`}`
`46`	`48`
`47`	`49`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,6 @@ public function testValidateAuthTokenParameters(): void`
`48`	`48`	`$this->assertEquals("RS256", $authToken->getAlgorithm());`
`49`	`49`	`$this->assertEquals("HBjNXIaUskXbfhzYQHvwjKDUWfNu4yxXZh", $authToken->getSignature());`
`50`	`50`	`$this->assertEquals("web-eid:1.0", $authToken->getFormat());`
`51`		`- $this->assertEquals("https://web-eid.eu/web-eid-app/releases/v2.0.0", $authToken->getAppVersion());`
`52`	`51`	`}`
`53`	`52`
`54`	`53`	`public function testWhenNotAuthToken(): void`
Original file line number	Diff line number	Diff line change
`@@ -49,20 +49,22 @@ public function testWhenOrganizationCertificateThenSubjectCNAndIdCodeAndCountryC`
`49`	`49`	`$this->assertEquals("EE", CertificateData::getSubjectCountryCode($cert));`
`50`	`50`	`}`
`51`	`51`
`52`		`- public function testWhenOrganizationCertificateThenSubjectGivenNameAndSurnameAreNull(): void`
	`52`	`+ public function testWhenOrganizationCertificateThenSubjectGivenNameAndSurnameAreEmpty(): void`
`53`	`53`	`{`
`54`	`54`	`$cert = Certificates::getOrganizationCert();`
`55`		`- $this->assertEquals(null, CertificateData::getSubjectGivenName($cert));`
`56`		`- $this->assertEquals(null, CertificateData::getSubjectSurname($cert));`
	`55`	`+ $givenName = CertificateData::getSubjectGivenName($cert);`
	`56`	`+ $surname = CertificateData::getSubjectSurname($cert);`
	`57`	`+ $this->assertEmpty($givenName);`
	`58`	`+ $this->assertEmpty($surname);`
`57`	`59`	`}`
`58`	`60`
`59`	`61`	`public function testWhenOrganizationCertificateThenSucceeds(): void`
`60`	`62`	`{`
`61`	`63`	`$cert = Certificates::getOrganizationCert();`
	`64`	`+ $givenName = CertificateData::getSubjectGivenName($cert);`
`62`	`65`	`$surname = CertificateData::getSubjectSurname($cert);`
`63`		`- $givenname = CertificateData::getSubjectGivenName($cert);`
`64`		`- if ($surname && $givenname) {`
`65`		`- $principalName = $givenname . " " . $surname;`
	`66`	`+ if ($givenName && $surname) {`
	`67`	`+ $principalName = $givenName . " " . $surname;`
`66`	`68`	`} else {`
`67`	`69`	`$principalName = CertificateData::getSubjectCN($cert);`
`68`	`70`	`}`