NFC-102 Add web-eid-1.1 token support

Author: SanderKondratjevNortal

src/authtoken/SupportedSignatureAlgorithm.php

@@ -0,0 +1,90 @@
+<?php
+
+/*
+ * Copyright (c) 2025-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace web_eid\web_eid_authtoken_validation_php\authtoken;
+
+class SupportedSignatureAlgorithm
+{
+    private string $cryptoAlgorithm;
+    private string $hashFunction;
+    private string $paddingScheme;
+
+    public function __construct(
+        string $cryptoAlgorithm = '',
+        string $hashFunction = '',
+        string $paddingScheme = ''
+    ) {
+        $this->cryptoAlgorithm = $cryptoAlgorithm;
+        $this->hashFunction = $hashFunction;
+        $this->paddingScheme = $paddingScheme;
+    }
+
+    public function getCryptoAlgorithm(): string
+    {
+        return $this->cryptoAlgorithm;
+    }
+
+    public function setCryptoAlgorithm(string $cryptoAlgorithm): void
+    {
+        $this->cryptoAlgorithm = $cryptoAlgorithm;
+    }
+
+    public function getHashFunction(): string
+    {
+        return $this->hashFunction;
+    }
+
+    public function setHashFunction(string $hashFunction): void
+    {
+        $this->hashFunction = $hashFunction;
+    }
+
+    public function getPaddingScheme(): string
+    {
+        return $this->paddingScheme;
+    }
+
+    public function setPaddingScheme(string $paddingScheme): void
+    {
+        $this->paddingScheme = $paddingScheme;
+    }
+
+    public static function fromArray(array $data): self
+    {
+        return new self(
+            $data['cryptoAlgorithm'] ?? '',
+            $data['hashFunction'] ?? '',
+            $data['paddingScheme'] ?? ''
+        );
+    }
+
+    public function toArray(): array
+    {
+        return [
+            'cryptoAlgorithm' => $this->cryptoAlgorithm,
+            'hashFunction' => $this->hashFunction,
+            'paddingScheme' => $this->paddingScheme,
+        ];
+    }
+}

src/authtoken/WebEidAuthToken.php

@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (c) 2022-2024 Estonian Information System Authority
+ * Copyright (c) 2022-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -48,6 +48,13 @@ class WebEidAuthToken
      * @var string Format
      */
     private ?string $format = null;
+    /**
+     * @var string Unverfied signing certificate
+     */
+    private ?string $unverifiedSigningCertificate = null;
+
+    /** @var SupportedSignatureAlgorithm[] */
+    private array $supportedSignatureAlgorithms = [];
 
     public function __construct(string $authenticationTokenJSON)
     {
@@ -72,6 +79,17 @@ public function __construct(string $authenticationTokenJSON)
         if (isset($jsonDecoded['format'])) {
             $this->format = $this->filterString('format', $jsonDecoded['format']);
         }
+        // unverifiedSigningCertificate
+        if (isset($jsonDecoded['unverifiedSigningCertificate'])) {
+            $this->unverifiedSigningCertificate =
+                $this->filterString('unverifiedSigningCertificate', $jsonDecoded['unverifiedSigningCertificate']);
+        }
+        // supportedSignatureAlgorithms
+        if (isset($jsonDecoded['supportedSignatureAlgorithms'])) {
+            $this->supportedSignatureAlgorithms = $this->parseSupportedSignatureAlgorithms(
+                $jsonDecoded['supportedSignatureAlgorithms']
+            );
+        }
     }
 
     public function getUnverifiedCertificate(): ?string
@@ -94,6 +112,16 @@ public function getFormat(): ?string
         return $this->format;
     }
 
+    public function getUnverifiedSigningCertificate(): ?string
+    {
+        return $this->unverifiedSigningCertificate;
+    }
+
+    public function getSupportedSignatureAlgorithms(): array
+    {
+        return $this->supportedSignatureAlgorithms;
+    }
+
     private function filterString(string $key, $data): string
     {
         $type = gettype($data);
@@ -102,4 +130,21 @@ private function filterString(string $key, $data): string
         }
         return $data;
     }
+
+    private function parseSupportedSignatureAlgorithms(array $list): array
+    {
+        $result = [];
+
+        foreach ($list as $item) {
+            if (!is_array($item)) {
+                throw new UnexpectedValueException(
+                    "Error parsing supportedSignatureAlgorithms: each item must be an object"
+                );
+            }
+
+            $result[] = SupportedSignatureAlgorithm::fromArray($item);
+        }
+
+        return $result;
+    }
 }

src/certificate/CertificateLoader.php

@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (c) 2022-2024 Estonian Information System Authority
+ * Copyright (c) 2022-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -59,4 +59,24 @@ public static function loadCertificatesFromResources(string ...$resourceNames):
         }
         return $caCertificates;
     }
+
+    /**
+     * @throws CertificateDecodingException
+     */
+    public static function decodeCertificateFromBase64(string $base64): X509
+    {
+        $cert = new X509();
+
+        if (!str_starts_with($base64, '-----BEGIN CERTIFICATE-----')) {
+            $base64 = "-----BEGIN CERTIFICATE-----\n" .
+                chunk_split($base64, 64) .
+                "-----END CERTIFICATE-----\n";
+        }
+
+        if (!$cert->loadX509($base64)) {
+            throw new CertificateDecodingException("unverifiedSigningCertificate is not base64 encoded");
+        }
+
+        return $cert;
+    }
 }

src/validator/AuthTokenValidator.php

@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (c) 2022-2024 Estonian Information System Authority
+ * Copyright (c) 2022-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -34,8 +34,6 @@
  */
 interface AuthTokenValidator
 {
-    public const CURRENT_TOKEN_FORMAT_VERSION = 'web-eid:1';
-
     /**
      * Parses the Web eID authentication token signed by the subject.
      *