WE2-685 Added SubjectCertificateExpirityValidator

WE2-685 Added SubjectCertificatePolicyValidator and phpunit tests
WE2-685 Added SubjectCertificatePurposeValidator and phpunit tests
WE2-684 Added AuthTokenValidatorBuilder
WE2-684 Added initial AuthTokenValidatorImpl class
WE2-688 Added CertificateData class for read certificate properties and phpunit test
WE2-688 Added initial CertificateValidator and phpunit tests
WE2-688 Added initial X509 class for encode and decode X.509 certificates

Author: Guido Gröön

.gitignore

@@ -1,3 +1,4 @@
 vendor
 composer.lock
-.DS_Store
+.DS_Store
+.phpunit.result.cache

composer.json

@@ -19,5 +19,11 @@
         "psr-4": {
             "web_eid\\web_eid_authtoken_validation_php\\": ["src"]
         }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "web_eid\\web_eid_authtoken_validation_php\\": ["tests"]
+        }
     }    
+
 }

phpunit.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" bootstrap="vendor/autoload.php" backupGlobals="false" backupStaticAttributes="false" colors="true" verbose="true" convertErrorsToExceptions="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" processIsolation="false" stopOnFailure="false" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.3/phpunit.xsd">
+	<coverage>
+		<include>
+			<directory suffix=".php">src/</directory>
+		</include>
+	</coverage>
+	<testsuites>
+		<testsuite name="Web-eID PHP Test Suite">
+			<directory>tests</directory>
+		</testsuite>
+	</testsuites>
+</phpunit>

src/certificate/CertificateData.php

@@ -0,0 +1,105 @@
+<?php
+
+/*
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace web_eid\web_eid_authtoken_validation_php\certificate;
+
+use web_eid\web_eid_authtoken_validation_php\util\X509;
+use UnexpectedValueException;
+use BadFunctionCallException;
+
+final class CertificateData
+{
+
+    public function __construct()
+    {
+        throw new BadFunctionCallException('Utility class');
+    }
+
+    /**
+     * Get commonName from x509 certificate
+     *
+     * @throws UnexpectedValueException
+     */    
+    public static function getSubjectCN(X509 $certificate): string
+    {
+        return self::getField($certificate, 'CN');
+    }
+
+    /**
+     * Get surname from x509 certificate
+     *
+     * @throws UnexpectedValueException
+     */    
+    public static function getSubjectSurname(X509 $certificate): string
+    {
+        return self::getField($certificate, 'SN');
+    }
+
+    /**
+     * Get given name from x509 certificate
+     *
+     * @throws UnexpectedValueException
+     */    
+    public static function getSubjectGivenName(X509 $certificate): string
+    {
+        return self::getField($certificate, 'GN');
+    }
+
+    /**
+     * Get serialNumber (ID-code) from x509 certificate
+     *
+     * @throws UnexpectedValueException
+     */    
+    public static function getSubjectIdCode(X509 $certificate): string
+    {
+        return self::getField($certificate, 'serialNumber');
+    }
+
+    /**
+     * Get country code from x509 certificate
+     *
+     * @throws UnexpectedValueException
+     */    
+    public static function getSubjectCountryCode(X509 $certificate): string
+    {
+        return self::getField($certificate, 'C');
+    }
+
+    /**
+     * Get specified subject field from x509 certificate
+     *
+     * @throws UnexpectedValueException field identifier not found
+     * @return string
+     */    
+    private static function getField(X509 $certificate, string $fieldId): string
+    {
+        $result = $certificate->getSubjectProp($fieldId);
+        if ($result) {
+            return $result;
+        } 
+        throw new UnexpectedValueException('fieldId '.$fieldId.' not found in certificate subject');
+    }
+
+
+}

src/certificate/CertificateLoader.php

@@ -24,10 +24,37 @@
 
 namespace web_eid\web_eid_authtoken_validation_php\certificate;
 
-class CertificateLoader
+use web_eid\web_eid_authtoken_validation_php\exceptions\CertificateDecodingException;
+use web_eid\web_eid_authtoken_validation_php\util\X509;
+use BadFunctionCallException;
+
+final class CertificateLoader
 {
-    public function loadCertificatesFromPath(string $path): array
+
+    public function __construct()
+    {
+        throw new BadFunctionCallException('Utility class');
+    }
+
+    /**
+     * Loads certificate files from paths into array of OpenSSLCertificate
+     * @param string ...$resourceNames array of certificate paths
+     * 
+     * @return array
+     * @throws CertificateDecodingException
+     */
+    public static function loadCertificatesFromResources(string ...$resourceNames): array
     {
-        return [];
+        $caCertificates = [];
+        foreach ($resourceNames as $resourceName) {
+            $x509 = new X509();
+            $certificate = $x509->loadX509(file_get_contents($resourceName));
+            if ($certificate) {
+                $caCertificates[] = $certificate;
+            } else {
+                throw new CertificateDecodingException($resourceName);
+            }
+        }
+        return $caCertificates;
     }
 }

src/certificate/CertificateValidator.php

@@ -0,0 +1,82 @@
+<?php
+
+/*
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace web_eid\web_eid_authtoken_validation_php\certificate;
+
+use web_eid\web_eid_authtoken_validation_php\util\X509;
+use web_eid\web_eid_authtoken_validation_php\util\TrustedCertificates;
+use BadFunctionCallException;
+use DateTime;
+use Exception;
+use web_eid\web_eid_authtoken_validation_php\exceptions\CertificateExpiredException;
+use web_eid\web_eid_authtoken_validation_php\exceptions\CertificateNotYetValidException;
+
+final class CertificateValidator
+{
+
+    public function __construct()
+    {
+        throw new BadFunctionCallException('Utility class');
+    }    
+
+    public static function certificateIsValidOnDate(X509 $subjectCertificate, DateTime $date, string $subject): void
+    {
+        try {
+            $subjectCertificate->checkValidity($date);
+        } catch (Exception $e) {
+            switch($e->getCode()) {
+                // Not valid yet
+                case 1:
+                    throw new CertificateNotYetValidException($subject);
+                    break;
+                // Certificate is expired
+                case 2:
+                    throw new CertificateExpiredException($subject);
+                    break;
+                default:
+                    throw new Exception($e->getMessage());    
+            }
+        }
+    }
+
+    public static function trustedCACertificatesAreValidOnDate(TrustedCertificates $trustedCertificates, DateTime $date): void
+    {
+        foreach($trustedCertificates->getCertificates() as $cert) {
+            self::certificateIsValidOnDate($cert, $date, "Trusted CA");
+        }
+    }
+
+    public static function validateIsSignedByTrustedCA(X509 $certificate, TrustedCertificates $trustedCertificates)
+    {
+        foreach ($trustedCertificates->getCertificates() as $trustedCertificate) {
+            //
+        }
+    }
+
+    public function buildTrustedCertificates(array $certificates): TrustedCertificates
+    {
+        return new TrustedCertificates($certificates);
+    }
+
+}

src/exceptions/AuthTokenParseException.php

@@ -0,0 +1,33 @@
+<?php
+
+/*
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace web_eid\web_eid_authtoken_validation_php\exceptions;
+
+class AuthTokenParseException extends AuthTokenException
+{
+    public function __construct(string $message)
+    {
+        parent::__construct($message);
+    }
+}

src/exceptions/CertificateDecodingException.php

@@ -0,0 +1,33 @@
+<?php
+
+/*
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace web_eid\web_eid_authtoken_validation_php\exceptions;
+
+class CertificateDecodingException extends AuthTokenException
+{
+    public function __construct(string $resource)
+    {
+        parent::__construct('Certificate decoding from Base64 or parsing failed for '.$resource);
+    }
+}

src/exceptions/CertificateExpiredException.php

@@ -0,0 +1,36 @@
+<?php
+
+/*
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace web_eid\web_eid_authtoken_validation_php\exceptions;
+
+/**
+ * Thrown when the certificate's valid until date is in the past.
+ */
+class CertificateExpiredException extends AuthTokenException
+{
+    public function __construct(string $subject)
+    {
+        parent::__construct($subject.' certificate has expired');
+    }
+}