Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
183 changes: 170 additions & 13 deletions composer.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 10 additions & 0 deletions example/public/index.php
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,16 @@

ini_set('display_errors', '0');

session_name('__Host-PHPSESSID');

session_set_cookie_params([
'lifetime' => 0,
'path' => '/',
'secure' => true,
'httponly' => true,
'samesite' => 'Lax',
]);

session_start();

// Uncomment following line to define the custom log location (by default the server log is used)
Expand Down
4 changes: 4 additions & 0 deletions src/certificate/CertificateValidator.php
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,10 @@ public static function validateIsValidAndSignedByTrustedCA(
$now = DefaultClock::getInstance()->now();
self::certificateIsValidOnDate($certificate, $now, "User");

// Prevent SSRF via CA Issuers URI from user-provided certificate AIA.
// All trusted/intermediate CA certificates must be provided by configuration.
X509::disableURLFetch();

foreach ($trustedCertificates->getCertificates() as $trustedCertificate) {
$certificate->loadCA(
$trustedCertificate->saveX509($trustedCertificate->getCurrentCert(), X509::FORMAT_PEM)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -56,8 +56,8 @@ public function __construct(
OcspServiceProvider $ocspServiceProvider,
int $allowedOcspResponseTimeSkew,
int $maxOcspResponseThisUpdateAge,
?LoggerInterface $logger = null)
{
?LoggerInterface $logger = null
) {
$this->logger = $logger;
$this->trustValidator = $trustValidator;
$this->ocspClient = $ocspClient;
Expand Down
4 changes: 3 additions & 1 deletion src/validator/ocsp/OcspClientImpl.php
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,9 @@ public function request(Uri $uri, string $encodedOcspRequest): OcspResponse

$info = curl_getinfo($curl);
if ($info["http_code"] !== 200) {
throw new UserCertificateOCSPCheckFailedException("OCSP request was not successful, response: " + $result);
throw new UserCertificateOCSPCheckFailedException(
"OCSP request was not successful, response: " . (is_string($result) ? $result : '')
);
}

$response = new OcspResponse($result);
Expand Down
94 changes: 94 additions & 0 deletions src/validator/versionvalidators/AuthTokenVersion.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
<?php

/*
* Copyright (c) 2025-2025 Estonian Information System Authority
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/

declare(strict_types=1);

namespace web_eid\web_eid_authtoken_validation_php\validator\versionvalidators;

/**
* Utility for matching Web eID authentication token format version strings of the form
* 'web-eid:<major>[.<minor>]', e.g. 'web-eid:1' or 'web-eid:1.1'.
*/
final class AuthTokenVersion
{
// Matches 'web-eid:<major>' with an optional canonical '.<minor>', where both numbers have no leading
// zeros ('0' or '[1-9]\d*') and are at most 9 digits so that they always fit in an int. Non-canonical
// spellings such as 'web-eid:1.00' or 'web-eid:01' are rejected so that ambiguous version numbers cannot
// bypass the more specific validators.
private const TOKEN_FORMAT_PATTERN =
'/^web-eid:(0|[1-9]\d{0,8})(?:\.(0|[1-9]\d{0,8}))?$/';

private function __construct()
{
}

/**
* Returns whether the given token format has exactly the required major version and a minor version that
* is greater than or equal to the required minor version. A missing minor version is treated as 0.
* Backwards-compatible minor version changes are supported within the same major version, while an
* incompatible major version change is not.
*/
public static function supports(
?string $format,
int $requiredExactMajorVersion,
int $requiredMinimalMinorVersion,
): bool {
$version = self::parse($format);
return $version !== null &&
$version["major"] === $requiredExactMajorVersion &&
$version["minor"] >= $requiredMinimalMinorVersion;
}

/**
* Returns whether the given token format has exactly the required major version and exactly the required
* minor version. A missing minor version is treated as 0.
*/
public static function supportsExactly(
?string $format,
int $requiredExactMajorVersion,
int $requiredExactMinorVersion,
): bool {
$version = self::parse($format);
return $version !== null &&
$version["major"] === $requiredExactMajorVersion &&
$version["minor"] === $requiredExactMinorVersion;
}

/**
* @return array{major: int, minor: int}|null
*/
private static function parse(?string $format): ?array
{
if ($format === null) {
return null;
}
if (preg_match(self::TOKEN_FORMAT_PATTERN, $format, $matches) !== 1) {
return null;
}
return [
"major" => (int) $matches[1],
"minor" => isset($matches[2]) ? (int) $matches[2] : 0,
];
}
}
Loading