WE2-729 Updated readme

Guido Gröön · mrts · commit 457a0bae788a · 2022-11-25T17:51:04.000+02:00
WE2-729 Added copyright information to some functions
Code unification
diff --git a/README.md b/README.md
@@ -4,6 +4,8 @@
 
 web-eid-authtoken-validation-php is a PHP library for issuing challenge nonces and validating Web eID authentication tokens during secure authentication with electronic ID (eID) smart cards in web applications.
 
+The logic of this repository is based on the [Java library](https://github.com/web-eid/web-eid-authtoken-validation-java). We also draw inspiration from the [PHP library](https://github.com/Muzosh/web-eid-authtoken-validation-php) created by Petr Muzikant and used some of his code.
+
 More information about the Web eID project is available on the project [website](https://web-eid.eu/).
 
 # Quickstart
diff --git a/src/certificate/CertificateValidator.php b/src/certificate/CertificateValidator.php
@@ -42,6 +42,9 @@ public function __construct()
         throw new BadFunctionCallException("Utility class");
     }
 
+    /**
+     * @copyright 2022 Petr Muzikant pmuzikant@email.cz
+     */
     public static function certificateIsValidOnDate(X509 $subjectCertificate, DateTime $date, string $subject): void
     {
         if (!$subjectCertificate->validateDate($date)) {
@@ -63,6 +66,9 @@ public static function trustedCACertificatesAreValidOnDate(TrustedCertificates $
         }
     }
 
+    /**
+     * @copyright 2022 Petr Muzikant pmuzikant@email.cz
+     */
     public static function validateIsSignedByTrustedCA(X509 $certificate, TrustedCertificates $trustedCertificates): X509
     {
         foreach ($trustedCertificates->getCertificates() as $trustedCertificate) {
diff --git a/src/challenge/ChallengeNonceGeneratorBuilder.php b/src/challenge/ChallengeNonceGeneratorBuilder.php
@@ -44,6 +44,9 @@ class ChallengeNonceGeneratorBuilder
      */
     private $secureRandom;
 
+    /**
+     * @copyright 2022 Petr Muzikant pmuzikant@email.cz
+     */
     public function __construct()
     {
         // 5 minutes
@@ -57,6 +60,8 @@ public function __construct()
      * Override default nonce time-to-live duration.
      * <p>
      * When the time-to-live passes, the nonce is considered to be expired.
+     * 
+     * @copyright 2022 Petr Muzikant pmuzikant@email.cz
      *
      * @param int $seconds - challenge nonce time-to-live duration in seconds
      * @return ChallengeNonceGeneratorBuilder builder instance
@@ -92,6 +97,11 @@ public function withSecureRandom(callable $secureRandom): ChallengeNonceGenerato
         return $this;
     }
 
+    /**
+     * Validates the configuration and builds the {@link ChallengeNonceGenerator} instance.
+     *
+     * @return new challenge nonce generator instance
+     */
     public function build(): ChallengeNonceGenerator
     {
         // Force to use PHP session based nounce store when store is not set
@@ -102,7 +112,7 @@ public function build(): ChallengeNonceGenerator
         return new ChallengeNonceGeneratorImpl($this->challengeNonceStore, $this->secureRandom, $this->ttl);
     }
 
-    private function  validateParameters(): void
+    private function validateParameters(): void
     {
         if (is_null($this->challengeNonceStore)) {
             throw new InvalidArgumentException("Challenge nonce store must not be null");
diff --git a/src/challenge/ChallengeNonceGeneratorImpl.php b/src/challenge/ChallengeNonceGeneratorImpl.php
@@ -30,19 +30,19 @@ final class ChallengeNonceGeneratorImpl implements ChallengeNonceGenerator
 {
     private ChallengeNonceStore $challengeNonceStore;
     private $secureRandom;
-    private int $ttlSeconds;
+    private int $ttl;
 
-    public function __construct(ChallengeNonceStore $challengeNonceStore, callable $secureRandom, int $ttlSeconds)
+    public function __construct(ChallengeNonceStore $challengeNonceStore, callable $secureRandom, int $ttl)
     {
         $this->challengeNonceStore = $challengeNonceStore;
         $this->secureRandom = $secureRandom;
-        $this->ttlSeconds = $ttlSeconds;
+        $this->ttl = $ttl;
     }
 
     public function generateAndStoreNonce(): ChallengeNonce
     {
         $nonceString = call_user_func($this->secureRandom, self::NONCE_LENGTH);
-        $expirationTime = DateAndTime::utcNow()->modify("+{$this->ttlSeconds} seconds");
+        $expirationTime = DateAndTime::utcNow()->modify("+{$this->ttl} seconds");
         $base64Nonce = base64_encode($nonceString);
         $challengeNonce = new ChallengeNonce($base64Nonce, $expirationTime);
         $this->challengeNonceStore->put($challengeNonce);
diff --git a/src/util/CollectionsUtil.php b/src/util/CollectionsUtil.php
@@ -12,6 +12,9 @@
 use TypeError;
 use web_eid\web_eid_authtoken_validation_php\validator\certvalidators\SubjectCertificateValidator;
 
+/**
+ * @copyright 2022 Petr Muzikant pmuzikant@email.cz
+ */
 abstract class Collection implements Countable, IteratorAggregate, ArrayAccess
 {
     protected array $array;
diff --git a/src/util/DateAndTime.php b/src/util/DateAndTime.php
@@ -67,6 +67,9 @@ public static function requirePositiveDuration(int $duration, string $fieldName)
         }
     }
 
+    /**
+     * @copyright 2022 Petr Muzikant pmuzikant@email.cz
+     */
     public static function toUtcString(?DateTime $date): string
     {
         if (is_null($date)) {
@@ -76,9 +79,13 @@ public static function toUtcString(?DateTime $date): string
     }
 }
 
+/**
+ * @copyright 2022 Petr Muzikant pmuzikant@email.cz
+ */
 final class DefaultClock
 {
     private static DefaultClock $instance;
+    private DateTime $mockedClock;
 
     public static function getInstance()
     {
diff --git a/src/validator/AuthTokenValidationConfiguration.php b/src/validator/AuthTokenValidationConfiguration.php
@@ -45,6 +45,9 @@ final class AuthTokenValidationConfiguration
     private UriCollection $nonceDisabledOcspUrls;
     private ?DesignatedOcspServiceConfiguration $designatedOcspServiceConfiguration = null;
 
+    /**
+     * @copyright 2022 Petr Muzikant pmuzikant@email.cz
+     */
     public function __construct()
     {
         // Don't allow Estonian Mobile-ID policy by default.
@@ -120,13 +123,13 @@ public function getNonceDisabledOcspUrls(): UriCollection
     public function validate(): void
     {
         if (is_null($this->siteOrigin)) {
-            throw new InvalidArgumentException('Origin URI must not be null');
+            throw new InvalidArgumentException("Origin URI must not be null");
         }
 
         self::validateIsOriginURL($this->siteOrigin);
 
         if (count($this->trustedCACertificates) == 0) {
-            throw new InvalidArgumentException('At least one trusted certificate authority must be provided');
+            throw new InvalidArgumentException("At least one trusted certificate authority must be provided");
         }
 
         DateAndTime::requirePositiveDuration($this->ocspRequestTimeout, "OCSP request timeout");
@@ -143,7 +146,7 @@ public function validateIsOriginURL(Uri $uri): void
     {
         // 1. Verify that the URI can be converted to absolute URL.
         if (!$uri->isAbsolute()) {
-            throw new InvalidArgumentException('Provided URI is not a valid URL');
+            throw new InvalidArgumentException("Provided URI is not a valid URL");
         }
 
         $reference = $uri->createFromArray([
@@ -154,7 +157,7 @@ public function validateIsOriginURL(Uri $uri): void
 
         // 2. Verify that the URI contains only HTTPS scheme, host and optional port components.
         if ($uri->getUrl() !== $reference->getUrl()) {
-            throw new InvalidArgumentException('Origin URI must only contain the HTTPS scheme, host and optional port component');
+            throw new InvalidArgumentException("Origin URI must only contain the HTTPS scheme, host and optional port component");
         }
     }
 }
diff --git a/src/validator/AuthTokenValidatorBuilder.php b/src/validator/AuthTokenValidatorBuilder.php
@@ -67,6 +67,8 @@ public function withSiteOrigin(Uri $origin): AuthTokenValidatorBuilder
      * <p>
      * At least one trusted intermediate Certificate Authority must be provided as a mandatory configuration parameter.
      *
+     * @copyright 2022 Petr Muzikant pmuzikant@email.cz
+     * 
      * @param X509 $certificates trusted intermediate Certificate Authority certificates
      * @return the builder instance for method chaining
      */
@@ -83,6 +85,8 @@ public function withTrustedCertificateAuthorities(X509 ...$certificates): AuthTo
      * Adds the given policies to the list of disallowed user certificate policies.
      * In order for the user certificate to be considered valid, it must not contain any policies
      * present in this list.
+     * 
+     * @copyright 2022 Petr Muzikant pmuzikant@email.cz
      *
      * @param string $policies disallowed user certificate policies as string array
      * @return the builder instance for method chaining
@@ -133,6 +137,8 @@ public function withOcspRequestTimeout(int $ocspRequestTimeout): AuthTokenValida
      * Adds the given URLs to the list of OCSP URLs for which the nonce protocol extension will be disabled.
      * The OCSP URL is extracted from the user certificate and some OCSP services don't support the nonce extension.
      *
+     * @copyright 2022 Petr Muzikant pmuzikant@email.cz
+     * 
      * @param URI $urls OCSP URLs for which the nonce protocol extension will be disabled
      * @return the builder instance for method chaining
      */
diff --git a/src/validator/AuthTokenValidatorImpl.php b/src/validator/AuthTokenValidatorImpl.php
@@ -44,6 +44,7 @@
 use web_eid\web_eid_authtoken_validation_php\validator\ocsp\OcspClientImpl;
 use web_eid\web_eid_authtoken_validation_php\validator\ocsp\OcspServiceProvider;
 use web_eid\web_eid_authtoken_validation_php\validator\ocsp\service\AiaOcspServiceConfiguration;
+use web_eid\web_eid_authtoken_validation_php\util\TrustedCertificates;
 
 final class AuthTokenValidatorImpl implements AuthTokenValidator
 {
@@ -54,11 +55,15 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator
     private AuthTokenValidationConfiguration $configuration;
     private SubjectCertificateValidatorBatch $simpleSubjectCertificateValidators;
     private AuthTokenSignatureValidator $authTokenSignatureValidator;
+    private TrustedCertificates $trustedCACertificates;
     private Log $logger;
 
     private OcspClient $ocspClient;
     private OcspServiceProvider $ocspServiceProvider;
 
+    /**
+     * @copyright 2022 Petr Muzikant pmuzikant@email.cz
+     */
     public function __construct(AuthTokenValidationConfiguration $configuration)
     {
         $this->logger = Log::getLogger(self::class);
@@ -67,9 +72,10 @@ public function __construct(AuthTokenValidationConfiguration $configuration)
         $this->configuration = clone $configuration;
 
         // Create and cache trusted CA certificate JCA objects for SubjectCertificateTrustedValidator and AiaOcspService.
-        $this->trustedCertificates = CertificateValidator::buildTrustFromCertificates($configuration->getTrustedCACertificates());
+        $this->trustedCACertificates = CertificateValidator::buildTrustFromCertificates($configuration->getTrustedCACertificates());
+
         $this->simpleSubjectCertificateValidators = new SubjectCertificateValidatorBatch(
-            new SubjectCertificateExpiryValidator($this->trustedCertificates),
+            new SubjectCertificateExpiryValidator($this->trustedCACertificates),
             new SubjectCertificatePurposeValidator(),
             new SubjectCertificatePolicyValidator($configuration->getDisallowedSubjectCertificatePolicies())
         );
@@ -80,7 +86,7 @@ public function __construct(AuthTokenValidationConfiguration $configuration)
                 $configuration->getDesignatedOcspServiceConfiguration(),
                 new AiaOcspServiceConfiguration(
                     $configuration->getNonceDisabledOcspUrls(),
-                    $this->trustedCertificates
+                    $this->trustedCACertificates
                 )
             );
         }
@@ -91,10 +97,10 @@ public function __construct(AuthTokenValidationConfiguration $configuration)
     private function validateTokenLength(string $authToken): void
     {
         if (is_null($authToken) || strlen($authToken) < self::TOKEN_MIN_LENGTH) {
-            throw new AuthTokenParseException('Auth token is null or too short');
+            throw new AuthTokenParseException("Auth token is null or too short");
         }
         if (strlen($authToken) > self::TOKEN_MAX_LENGTH) {
-            throw new AuthTokenParseException('Auth token is too long');
+            throw new AuthTokenParseException("Auth token is too long");
         }
     }
 
@@ -136,16 +142,16 @@ public function validate(WebEidAuthToken $authToken, string $currentChallengeNon
         }
     }
 
-    private function validateToken(WebEidAuthToken $authToken, string $currentChallengeNonce): X509
+    private function validateToken(WebEidAuthToken $token, string $currentChallengeNonce): X509
     {
-        if (is_null($authToken->getFormat()) || substr($authToken->getFormat(), 0, strlen(self::CURRENT_TOKEN_FORMAT_VERSION)) != self::CURRENT_TOKEN_FORMAT_VERSION) {
+        if (is_null($token->getFormat()) || substr($token->getFormat(), 0, strlen(self::CURRENT_TOKEN_FORMAT_VERSION)) != self::CURRENT_TOKEN_FORMAT_VERSION) {
             throw new AuthTokenParseException("Only token format version '" . self::CURRENT_TOKEN_FORMAT_VERSION . "' is currently supported");
         }
-        if (is_null($authToken->getUnverifiedCertificate()) || empty($authToken->getUnverifiedCertificate())) {
+        if (is_null($token->getUnverifiedCertificate()) || empty($token->getUnverifiedCertificate())) {
             throw new AuthTokenParseException("'unverifiedCertificate' field is missing, null or empty");
         }
         $subjectCertificate = new X509();
-        if (!$subjectCertificate->loadX509($authToken->getUnverifiedCertificate())) {
+        if (!$subjectCertificate->loadX509($token->getUnverifiedCertificate())) {
             throw new CertificateDecodingException("'unverifiedCertificate' decode failed");
         }
 
@@ -156,8 +162,8 @@ private function validateToken(WebEidAuthToken $authToken, string $currentChalle
         // have been implicitly and correctly verified without the need to implement any additional checks.
 
         $this->authTokenSignatureValidator->validate(
-            $authToken->getAlgorithm(),
-            $authToken->getSignature(),
+            $token->getAlgorithm(),
+            $token->getSignature(),
             $subjectCertificate->getPublicKey(),
             $currentChallengeNonce
         );
@@ -168,7 +174,7 @@ private function validateToken(WebEidAuthToken $authToken, string $currentChalle
     private function getCertTrustValidators(): SubjectCertificateValidatorBatch
     {
 
-        $certTrustedValidator = new SubjectCertificateTrustedValidator($this->trustedCertificates);
+        $certTrustedValidator = new SubjectCertificateTrustedValidator($this->trustedCACertificates);
 
         $validatorBatch = new SubjectCertificateValidatorBatch(
             $certTrustedValidator
diff --git a/src/validator/certvalidators/SubjectCertificatePurposeValidator.php b/src/validator/certvalidators/SubjectCertificatePurposeValidator.php
@@ -44,6 +44,8 @@ public function __construct()
     /**
      * Validates that the purpose of the user certificate from the authentication token contains client authentication.
      *
+     * @copyright 2022 Petr Muzikant pmuzikant@email.cz
+     * 
      * @param subjectCertificate user certificate to be validated
      * @throws UserCertificateMissingPurposeException
      */
diff --git a/src/validator/certvalidators/SubjectCertificateTrustedValidator.php b/src/validator/certvalidators/SubjectCertificateTrustedValidator.php
@@ -31,21 +31,21 @@
 
 final class SubjectCertificateTrustedValidator implements SubjectCertificateValidator
 {
-    private TrustedCertificates $trustedCertificates;
+    private TrustedCertificates $trustedCACertificates;
     private X509 $subjectCertificateIssuerCertificate;
     private Log $logger;
 
-    public function __construct(TrustedCertificates $trustedCertificates)
+    public function __construct(TrustedCertificates $trustedCACertificates)
     {
         $this->logger = Log::getLogger(self::class);
-        $this->trustedCertificates = $trustedCertificates;
+        $this->trustedCACertificates = $trustedCACertificates;
     }
 
     public function validate(X509 $subjectCertificate): void
     {
         $this->subjectCertificateIssuerCertificate = CertificateValidator::validateIsSignedByTrustedCA(
             $subjectCertificate,
-            $this->trustedCertificates
+            $this->trustedCACertificates
         );
 
         $this->logger->debug("Subject certificate is signed by a trusted CA");
diff --git a/src/validator/certvalidators/SubjectCertificateValidator.php b/src/validator/certvalidators/SubjectCertificateValidator.php
@@ -26,6 +26,11 @@
 
 use phpseclib3\File\X509;
 
+/**
+ * Validators perform the actual user certificate validation actions.
+ * <p>
+ * They are used by AuthTokenValidatorImpl and are not part of the public API.
+ */
 interface SubjectCertificateValidator
 {
     public function validate(X509 $subjectCertificate): void;
diff --git a/src/validator/certvalidators/SubjectCertificateValidatorBatch.php b/src/validator/certvalidators/SubjectCertificateValidatorBatch.php
@@ -33,6 +33,9 @@ class SubjectCertificateValidatorBatch
 {
     private SubjectCertificateValidatorCollection $validatorList;
 
+    /**
+     * @copyright 2022 Petr Muzikant pmuzikant@email.cz
+     */
     public function __construct(SubjectCertificateValidator ...$validatorList)
     {
         $this->validatorList = new SubjectCertificateValidatorCollection(...$validatorList);
diff --git a/src/validator/ocsp/OcspUrl.php b/src/validator/ocsp/OcspUrl.php
@@ -40,6 +40,8 @@ public function __construct()
 
     /**
      * Returns the OCSP responder {@link URI} or {@code null} if it doesn't have one.
+     * 
+     * @copyright 2022 Petr Muzikant pmuzikant@email.cz
      */
     public static function getOcspUri(X509 $certificate): ?Uri
     {

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,9 @@ public function __construct()`
`42`	`42`	`throw new BadFunctionCallException("Utility class");`
`43`	`43`	`}`
`44`	`44`
	`45`	`+ /**`
	`46`	`+ * @copyright 2022 Petr Muzikant [email protected]`
	`47`	`+ */`
`45`	`48`	`public static function certificateIsValidOnDate(X509 $subjectCertificate, DateTime $date, string $subject): void`
`46`	`49`	`{`
`47`	`50`	`if (!$subjectCertificate->validateDate($date)) {`
`@@ -63,6 +66,9 @@ public static function trustedCACertificatesAreValidOnDate(TrustedCertificates $`
`63`	`66`	`}`
`64`	`67`	`}`
`65`	`68`
	`69`	`+ /**`
	`70`	`+ * @copyright 2022 Petr Muzikant [email protected]`
	`71`	`+ */`
`66`	`72`	`public static function validateIsSignedByTrustedCA(X509 $certificate, TrustedCertificates $trustedCertificates): X509`
`67`	`73`	`{`
`68`	`74`	`foreach ($trustedCertificates->getCertificates() as $trustedCertificate) {`
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,9 @@ class ChallengeNonceGeneratorBuilder`
`44`	`44`	`*/`
`45`	`45`	`private $secureRandom;`
`46`	`46`
	`47`	`+ /**`
	`48`	`+ * @copyright 2022 Petr Muzikant [email protected]`
	`49`	`+ */`
`47`	`50`	`public function __construct()`
`48`	`51`	`{`
`49`	`52`	`// 5 minutes`
`@@ -57,6 +60,8 @@ public function __construct()`
`57`	`60`	`* Override default nonce time-to-live duration.`
`58`	`61`	`* <p>`
`59`	`62`	`* When the time-to-live passes, the nonce is considered to be expired.`
	`63`	`+ *`
	`64`	`+ * @copyright 2022 Petr Muzikant [email protected]`
`60`	`65`	`*`
`61`	`66`	`* @param int $seconds - challenge nonce time-to-live duration in seconds`
`62`	`67`	`* @return ChallengeNonceGeneratorBuilder builder instance`
`@@ -92,6 +97,11 @@ public function withSecureRandom(callable $secureRandom): ChallengeNonceGenerato`
`92`	`97`	`return $this;`
`93`	`98`	`}`
`94`	`99`
	`100`	`+ /**`
	`101`	`+ * Validates the configuration and builds the {@link ChallengeNonceGenerator} instance.`
	`102`	`+ *`
	`103`	`+ * @return new challenge nonce generator instance`
	`104`	`+ */`
`95`	`105`	`public function build(): ChallengeNonceGenerator`
`96`	`106`	`{`
`97`	`107`	`// Force to use PHP session based nounce store when store is not set`
`@@ -102,7 +112,7 @@ public function build(): ChallengeNonceGenerator`
`102`	`112`	`return new ChallengeNonceGeneratorImpl($this->challengeNonceStore, $this->secureRandom, $this->ttl);`
`103`	`113`	`}`
`104`	`114`
`105`		`- private function validateParameters(): void`
	`115`	`+ private function validateParameters(): void`
`106`	`116`	`{`
`107`	`117`	`if (is_null($this->challengeNonceStore)) {`
`108`	`118`	`throw new InvalidArgumentException("Challenge nonce store must not be null");`
Original file line number	Diff line number	Diff line change
`@@ -30,19 +30,19 @@ final class ChallengeNonceGeneratorImpl implements ChallengeNonceGenerator`
`30`	`30`	`{`
`31`	`31`	`private ChallengeNonceStore $challengeNonceStore;`
`32`	`32`	`private $secureRandom;`
`33`		`- private int $ttlSeconds;`
	`33`	`+ private int $ttl;`
`34`	`34`
`35`		`- public function __construct(ChallengeNonceStore $challengeNonceStore, callable $secureRandom, int $ttlSeconds)`
	`35`	`+ public function __construct(ChallengeNonceStore $challengeNonceStore, callable $secureRandom, int $ttl)`
`36`	`36`	`{`
`37`	`37`	`$this->challengeNonceStore = $challengeNonceStore;`
`38`	`38`	`$this->secureRandom = $secureRandom;`
`39`		`- $this->ttlSeconds = $ttlSeconds;`
	`39`	`+ $this->ttl = $ttl;`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`public function generateAndStoreNonce(): ChallengeNonce`
`43`	`43`	`{`
`44`	`44`	`$nonceString = call_user_func($this->secureRandom, self::NONCE_LENGTH);`
`45`		`- $expirationTime = DateAndTime::utcNow()->modify("+{$this->ttlSeconds} seconds");`
	`45`	`+ $expirationTime = DateAndTime::utcNow()->modify("+{$this->ttl} seconds");`
`46`	`46`	`$base64Nonce = base64_encode($nonceString);`
`47`	`47`	`$challengeNonce = new ChallengeNonce($base64Nonce, $expirationTime);`
`48`	`48`	`$this->challengeNonceStore->put($challengeNonce);`
Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,9 @@`
`12`	`12`	`use TypeError;`
`13`	`13`	`use web_eid\web_eid_authtoken_validation_php\validator\certvalidators\SubjectCertificateValidator;`
`14`	`14`
	`15`	`+/**`
	`16`	`+ * @copyright 2022 Petr Muzikant [email protected]`
	`17`	`+ */`
`15`	`18`	`abstract class Collection implements Countable, IteratorAggregate, ArrayAccess`
`16`	`19`	`{`
`17`	`20`	`protected array $array;`
Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,9 @@ public static function requirePositiveDuration(int $duration, string $fieldName)`
`67`	`67`	`}`
`68`	`68`	`}`
`69`	`69`
	`70`	`+ /**`
	`71`	`+ * @copyright 2022 Petr Muzikant [email protected]`
	`72`	`+ */`
`70`	`73`	`public static function toUtcString(?DateTime $date): string`
`71`	`74`	`{`
`72`	`75`	`if (is_null($date)) {`
`@@ -76,9 +79,13 @@ public static function toUtcString(?DateTime $date): string`
`76`	`79`	`}`
`77`	`80`	`}`
`78`	`81`
	`82`	`+/**`
	`83`	`+ * @copyright 2022 Petr Muzikant [email protected]`
	`84`	`+ */`
`79`	`85`	`final class DefaultClock`
`80`	`86`	`{`
`81`	`87`	`private static DefaultClock $instance;`
	`88`	`+ private DateTime $mockedClock;`
`82`	`89`
`83`	`90`	`public static function getInstance()`
`84`	`91`	`{`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,9 @@ final class AuthTokenValidationConfiguration`
`45`	`45`	`private UriCollection $nonceDisabledOcspUrls;`
`46`	`46`	`private ?DesignatedOcspServiceConfiguration $designatedOcspServiceConfiguration = null;`
`47`	`47`
	`48`	`+ /**`
	`49`	`+ * @copyright 2022 Petr Muzikant [email protected]`
	`50`	`+ */`
`48`	`51`	`public function __construct()`
`49`	`52`	`{`
`50`	`53`	`// Don't allow Estonian Mobile-ID policy by default.`
`@@ -120,13 +123,13 @@ public function getNonceDisabledOcspUrls(): UriCollection`
`120`	`123`	`public function validate(): void`
`121`	`124`	`{`
`122`	`125`	`if (is_null($this->siteOrigin)) {`
`123`		`- throw new InvalidArgumentException('Origin URI must not be null');`
	`126`	`+ throw new InvalidArgumentException("Origin URI must not be null");`
`124`	`127`	`}`
`125`	`128`
`126`	`129`	`self::validateIsOriginURL($this->siteOrigin);`
`127`	`130`
`128`	`131`	`if (count($this->trustedCACertificates) == 0) {`
`129`		`- throw new InvalidArgumentException('At least one trusted certificate authority must be provided');`
	`132`	`+ throw new InvalidArgumentException("At least one trusted certificate authority must be provided");`
`130`	`133`	`}`
`131`	`134`
`132`	`135`	`DateAndTime::requirePositiveDuration($this->ocspRequestTimeout, "OCSP request timeout");`
`@@ -143,7 +146,7 @@ public function validateIsOriginURL(Uri $uri): void`
`143`	`146`	`{`
`144`	`147`	`// 1. Verify that the URI can be converted to absolute URL.`
`145`	`148`	`if (!$uri->isAbsolute()) {`
`146`		`- throw new InvalidArgumentException('Provided URI is not a valid URL');`
	`149`	`+ throw new InvalidArgumentException("Provided URI is not a valid URL");`
`147`	`150`	`}`
`148`	`151`
`149`	`152`	`$reference = $uri->createFromArray([`
`@@ -154,7 +157,7 @@ public function validateIsOriginURL(Uri $uri): void`
`154`	`157`
`155`	`158`	`// 2. Verify that the URI contains only HTTPS scheme, host and optional port components.`
`156`	`159`	`if ($uri->getUrl() !== $reference->getUrl()) {`
`157`		`- throw new InvalidArgumentException('Origin URI must only contain the HTTPS scheme, host and optional port component');`
	`160`	`+ throw new InvalidArgumentException("Origin URI must only contain the HTTPS scheme, host and optional port component");`
`158`	`161`	`}`
`159`	`162`	`}`
`160`	`163`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,8 @@ public function __construct()`
`44`	`44`	`/**`
`45`	`45`	`* Validates that the purpose of the user certificate from the authentication token contains client authentication.`
`46`	`46`	`*`
	`47`	`+ * @copyright 2022 Petr Muzikant [email protected]`
	`48`	`+ *`
`47`	`49`	`* @param subjectCertificate user certificate to be validated`
`48`	`50`	`* @throws UserCertificateMissingPurposeException`
`49`	`51`	`*/`