Harmonizing the PHP library with Java library

WE2-971

Signed-off-by: Mihkel Kivisild <[email protected]>

Author: Mihkel Kivisild

example/src/Auth.php

@@ -87,9 +87,11 @@ public function getNonce()
 
     private function getPrincipalNameFromCertificate(X509 $userCertificate): string
     {
-        try {
-            return CertificateData::getSubjectGivenName($userCertificate) . " " . CertificateData::getSubjectSurname($userCertificate);
-        } catch (Exception $e) {
+        $givenName = CertificateData::getSubjectGivenName($userCertificate);
+        $surname = CertificateData::getSubjectSurname($userCertificate);
+        if ($givenName && $surname) {
+            return $givenName . " " . $surname;
+        } else {
             return CertificateData::getSubjectCN($userCertificate);
         }
     }

src/authtoken/WebEidAuthToken.php

@@ -48,10 +48,6 @@ class WebEidAuthToken
      * @var string Format
      */
     private ?string $format = null;
-    /**
-     * @var string App version
-     */
-    private ?string $appVersion = null;
 
     public function __construct(string $authenticationTokenJSON)
     {
@@ -76,10 +72,6 @@ public function __construct(string $authenticationTokenJSON)
         if (isset($jsonDecoded['format'])) {
             $this->format = $this->filterString('format', $jsonDecoded['format']);
         }
-        // appVersion
-        if (isset($jsonDecoded['appVersion'])) {
-            $this->appVersion = $this->filterString('appVersion', $jsonDecoded['appVersion']);
-        }
     }
 
     public function getUnverifiedCertificate(): ?string
@@ -102,11 +94,6 @@ public function getFormat(): ?string
         return $this->format;
     }
 
-    public function getAppVersion(): ?string
-    {
-        return $this->appVersion;
-    }
-
     private function filterString(string $key, $data): string
     {
         $type = gettype($data);

src/certificate/CertificateData.php

@@ -27,7 +27,6 @@
 namespace web_eid\web_eid_authtoken_validation_php\certificate;
 
 use phpseclib3\File\X509;
-use UnexpectedValueException;
 use BadFunctionCallException;
 
 final class CertificateData
@@ -40,66 +39,56 @@ public function __construct()
 
     /**
      * Get commonName from x509 certificate
-     *
-     * @throws UnexpectedValueException
      */
-    public static function getSubjectCN(X509 $certificate): string
+    public static function getSubjectCN(X509 $certificate): ?string
     {
         return self::getField($certificate, 'id-at-commonName');
     }
 
     /**
      * Get surname from x509 certificate
-     *
-     * @throws UnexpectedValueException
      */
-    public static function getSubjectSurname(X509 $certificate): string
+    public static function getSubjectSurname(X509 $certificate): ?string
     {
         return self::getField($certificate, 'id-at-surname');
     }
 
     /**
      * Get given name from x509 certificate
-     *
-     * @throws UnexpectedValueException
      */
-    public static function getSubjectGivenName(X509 $certificate): string
+    public static function getSubjectGivenName(X509 $certificate): ?string
     {
         return self::getField($certificate, 'id-at-givenName');
     }
 
     /**
      * Get serialNumber (ID-code) from x509 certificate
-     *
-     * @throws UnexpectedValueException
      */
-    public static function getSubjectIdCode(X509 $certificate): string
+    public static function getSubjectIdCode(X509 $certificate): ?string
     {
         return self::getField($certificate, 'id-at-serialNumber');
     }
 
     /**
      * Get country code from x509 certificate
-     *
-     * @throws UnexpectedValueException
      */
-    public static function getSubjectCountryCode(X509 $certificate): string
+    public static function getSubjectCountryCode(X509 $certificate): ?string
     {
         return self::getField($certificate, 'id-at-countryName');
     }
 
     /**
      * Get specified subject field from x509 certificate
      *
-     * @throws UnexpectedValueException field identifier not found
-     * @return string
+     * @return ?string
      */
-    private static function getField(X509 $certificate, string $fieldId): string
+    private static function getField(X509 $certificate, string $fieldId): ?string
     {
         $result = $certificate->getSubjectDNProp($fieldId);
         if ($result) {
-            return $result[0];
+            return join(", ", $result);
+        } else {
+            return null;
         }
-        throw new UnexpectedValueException("fieldId " . $fieldId . " not found in certificate subject");
     }
 }

src/validator/AuthTokenSignatureValidator.php

@@ -54,19 +54,19 @@ public function __construct(Uri $siteOrigin)
 
     public function validate(string $algorithm, string $signature, $publicKey, string $currentChallengeNonce): void
     {
-        $this->requireNotEmpty($algorithm, "algorithm");
-        $this->requireNotEmpty($signature, "signature");
-
-        if (is_null($publicKey)) {
-            throw new InvalidArgumentException("Public key is null");
-        }
-
         if (empty($currentChallengeNonce)) {
             throw new ChallengeNullOrEmptyException();
         }
+        
+        if (is_null($publicKey)) {
+            throw new InvalidArgumentException("Public key is null");
+        }
+        
+        $this->requireNotEmpty($algorithm, "algorithm");
+        $this->requireNotEmpty($signature, "signature");
 
         if (!in_array($algorithm, self::ALLOWED_SIGNATURE_ALGORITHMS)) {
-            throw new AuthTokenParseException("Invalid signature algorithm");
+            throw new AuthTokenParseException("Unsupported signature algorithm");
         }
 
         $decodedSignature = base64_decode($signature);

src/validator/ocsp/OcspRequestBuilder.php

@@ -26,6 +26,7 @@
 
 namespace web_eid\web_eid_authtoken_validation_php\validator\ocsp;
 
+use InvalidArgumentException;
 use web_eid\web_eid_authtoken_validation_php\ocsp\OcspRequest;
 use web_eid\web_eid_authtoken_validation_php\util\SecureRandom;
 
@@ -58,6 +59,9 @@ public function enableOcspNonce(bool $ocspNonceEnabled): OcspRequestBuilder
     public function build(): OcspRequest
     {
         $ocspRequest = new OcspRequest();
+        if (is_null($this->certificateId)) {
+            throw new InvalidArgumentException("Certificate Id must not be null");
+        }
         $ocspRequest->addCertificateId($this->certificateId);
 
         if ($this->ocspNonceEnabled) {

src/validator/ocsp/OcspServiceProvider.php

@@ -26,6 +26,7 @@
 
 namespace web_eid\web_eid_authtoken_validation_php\validator\ocsp;
 
+use InvalidArgumentException;
 use phpseclib3\File\X509;
 use web_eid\web_eid_authtoken_validation_php\validator\ocsp\service\AiaOcspService;
 use web_eid\web_eid_authtoken_validation_php\validator\ocsp\service\AiaOcspServiceConfiguration;
@@ -41,7 +42,8 @@ class OcspServiceProvider
     public function __construct(?DesignatedOcspServiceConfiguration $designatedOcspServiceConfiguration, AiaOcspServiceConfiguration $aiaOcspServiceConfiguration)
     {
         $this->designatedOcspService = !is_null($designatedOcspServiceConfiguration) ? new DesignatedOcspService($designatedOcspServiceConfiguration) : null;
-        $this->aiaOcspServiceConfiguration = $aiaOcspServiceConfiguration;
+        $this->aiaOcspServiceConfiguration = $aiaOcspServiceConfiguration ?? throw new InvalidArgumentException("AIA Ocsp Service Configuration must not be null");
+
     }
 
     /**

src/validator/ocsp/OcspUrl.php

@@ -28,6 +28,7 @@
 use phpseclib3\File\X509;
 use GuzzleHttp\Psr7\Uri;
 use Exception;
+use InvalidArgumentException;
 
 final class OcspUrl
 {
@@ -43,6 +44,9 @@ public function __construct()
      */
     public static function getOcspUri(X509 $certificate): ?Uri
     {
+        if (is_null($certificate)) {
+            throw new InvalidArgumentException("Certificate must not be null");
+        }
         $authorityInformationAccess = $certificate->getExtension("id-pe-authorityInfoAccess");
         if ($authorityInformationAccess) {
             foreach ($authorityInformationAccess as $accessDescription) {

src/validator/ocsp/service/AiaOcspService.php

@@ -35,6 +35,7 @@
 use DateTime;
 use web_eid\web_eid_authtoken_validation_php\validator\ocsp\OcspResponseValidator;
 use Exception;
+use InvalidArgumentException;
 
 /**
  * An OCSP service that uses the responders from the Certificates' Authority Information Access (AIA) extension.
@@ -48,6 +49,9 @@ class AiaOcspService implements OcspService
 
     public function __construct(AiaOcspServiceConfiguration $configuration, X509 $certificate)
     {
+        if (is_null($configuration)) {
+            throw new InvalidArgumentException("Configuration cannot be null");
+        }
         $this->url = self::getOcspAiaUrlFromCertificate($certificate);
         $this->trustedCACertificates = $configuration->getTrustedCACertificates();
         $this->supportsNonce = !in_array($this->url->jsonSerialize(), $configuration->getNonceDisabledOcspUrls()->getUrlsArray());

tests/authtoken/WebEidAuthTokenTest.php

@@ -48,7 +48,6 @@ public function testValidateAuthTokenParameters(): void
         $this->assertEquals("RS256", $authToken->getAlgorithm());
         $this->assertEquals("HBjNXIaUskXbfhzYQHvwjKDUWfNu4yxXZh", $authToken->getSignature());
         $this->assertEquals("web-eid:1.0", $authToken->getFormat());
-        $this->assertEquals("https://web-eid.eu/web-eid-app/releases/v2.0.0", $authToken->getAppVersion());
     }
 
     public function testWhenNotAuthToken(): void

tests/certificate/CertificateDataTest.php

@@ -49,28 +49,24 @@ public function testWhenOrganizationCertificateThenSubjectCNAndIdCodeAndCountryC
         $this->assertEquals("EE", CertificateData::getSubjectCountryCode($cert));
     }
 
-    public function testWhenOrganizationCertificateThenSubjectGivenNameExtractionFails(): void
+    public function testWhenOrganizationCertificateThenSubjectGivenNameAndSurnameAreEmpty(): void
     {
         $cert = Certificates::getOrganizationCert();
-        $this->expectException(UnexpectedValueException::class);
-        $this->expectExceptionMessage("fieldId id-at-givenName not found in certificate subject");
-        CertificateData::getSubjectGivenName($cert);
-    }
-
-    public function testWhenOrganizationCertificateThenSubjectSurnameExtractionFails(): void
-    {
-        $cert = Certificates::getOrganizationCert();
-        $this->expectException(UnexpectedValueException::class);
-        $this->expectExceptionMessage("fieldId id-at-surname not found in certificate subject");
-        CertificateData::getSubjectSurname($cert);
+        $givenName = CertificateData::getSubjectGivenName($cert);
+        $surname = CertificateData::getSubjectSurname($cert);
+        $this->assertEmpty($givenName);
+        $this->assertEmpty($surname);
     }
 
     public function testWhenOrganizationCertificateThenSucceeds(): void
     {
         $cert = Certificates::getOrganizationCert();
-        try {
-            $principalName = CertificateData::getSubjectSurname($cert) . " " . CertificateData::getSubjectSurname($cert);
-        } catch (UnexpectedValueException $e) {
+
+        $givenName = CertificateData::getSubjectGivenName($cert);
+        $surname = CertificateData::getSubjectSurname($cert);
+        if ($givenName && $surname) {
+            $principalName = $givenName . " " . $surname;
+        } else {
             $principalName = CertificateData::getSubjectCN($cert);
         }
         $this->assertEquals("Testijad.ee isikutuvastus", $principalName);