Squashed commit of the pr/18:

commit 230886b commit 78432a8
SK-EID · Nov 25, 2019 · 3c53267 · 3c53267
1 parent a4ea07c
commit 3c53267
Show file tree

Hide file tree

Showing 16 changed files with 236 additions and 6 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,11 +1,11 @@
 language: php
 
 php:
-- 5.6
+- 7.0.7
 
 before_script:
   - composer install
 
 # bacause used in composer
 script:
-  - vendor/bin/phpunit
+  - vendor/bin/phpunit
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,15 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+## [1.5] - RELEASE_DATE_HERE
+
+### Added
+- Http public key pinning [(pull request)](https://github.com/SK-EID/smart-id-php-client/pull/18)
+
+### Fixed
+- Poller did not use specified network interface [#4](https://github.com/SK-EID/smart-id-php-client/issues/4)
+- Add exception message when user is not found [(commit)](https://github.com/SK-EID/smart-id-php-client/commit/053fe5f3b4bd715be305481e764d95aeddbe9d93)
+
+### Changed
+- php version 5.6 to 7.0.7
diff --git a/README.md b/README.md
@@ -9,7 +9,7 @@ The Smart-ID PHP client can be used for easy integration of the Smart-ID solutio
 ## Features
 * Simple interface for user authentication
 
-Smart-ID PHP client works with PHP 5.6 or later.
+Smart-ID PHP client works with PHP 7.2 or later.
 
 **This PHP client cannot be used to create digitally signed containers because PHP does not have a library like DigiDoc4J..**
 
@@ -20,6 +20,55 @@ The recommended way to install Smart-ID PHP Client is through [Composer]:
 composer require sk-id-solutions/smart-id-php-client "~1.0"
 ```
 
+## Https pinning
+
+    The client automatically trusts sk demo and live env public keys
+
+    Examples of configuring
+
+    When not specified the client will trust SK live and demo env keys
+
+```PHP
+$this->client = new Client();
+$this->client
+  ->setRelyingPartyUUID( "YOUR UUID" )
+  ->setRelyingPartyName( "YOUR RP NAME" )
+  ->setHostUrl("HOST_URL");
+
+ ```
+
+    Trusting only live env public keys
+
+```PHP
+$this->client = new Client();
+$this->client
+  ->setRelyingPartyUUID( "YOUR UUID" )
+  ->setRelyingPartyName( "YOUR RP NAME" )
+  ->setHostUrl("HOST_URL")
+  ->useOnlyLivePublicKey();
+ ```
+
+    Trusting only demo env public keys
+
+```PHP
+$this->client = new Client();
+$this->client
+  ->setRelyingPartyUUID( "YOUR UUID" )
+  ->setRelyingPartyName( "YOUR RP NAME" )
+  ->setHostUrl("HOST_URL")
+  ->useOnlyDemoPublicKey();
+ ```
+
+   Trusting custom public keys
+
+```PHP
+$this->client = new Client();
+$this->client
+  ->setRelyingPartyUUID( "YOUR UUID" )
+  ->setRelyingPartyName( "YOUR RP NAME" )
+  ->setHostUrl("HOST_URL")
+  ->setPublicSslKeys("sha256//QLZIaH7Qx9Rjq3gyznQuNsvwMQb7maC5L4SLu/z5qNU=;sha256//R8b8SIj92sylUdok0DqfxJJN0yW2O3epE0B+5vpo2eM=);
+ ```
 ## How to use it
 Take a look at the [examples](https://github.com/SK-EID/smart-id-php-client/wiki/Examples-of-using-it)
 

diff --git a/src/Sk/SmartId/Api/Authentication.php b/src/Sk/SmartId/Api/Authentication.php
@@ -48,6 +48,7 @@ class Authentication extends AbstractApi
   public function createAuthentication()
   {
     $connector = new SmartIdRestConnector( $this->client->getHostUrl() );
+    $connector->setPublicSslKeys($this->client->getPublicSslKeys());
     $sessionStatusPoller = $this->createSessionStatusPoller( $connector );
     $builder = new AuthenticationRequestBuilder( $connector, $sessionStatusPoller );
     $this->populateBuilderFields( $builder );

diff --git a/src/Sk/SmartId/Api/SmartIdRestConnector.php b/src/Sk/SmartId/Api/SmartIdRestConnector.php
@@ -64,6 +64,8 @@ class SmartIdRestConnector implements SmartIdConnector
    */
   private $curl;
 
+  private $publicSslKeys;
+
   /**
    * @param string $endpointUrl
    */
@@ -154,6 +156,7 @@ private function postAuthenticationRequest( $url, AuthenticationSessionRequest $
   private function postRequest( $url, array $params, $responseType )
   {
     $this->curl = new Curl();
+    $this->curl->setPublicSslKeys($this->publicSslKeys);
     $this->setNetworkInterface( $params );
     $this->curl->curlPost( $url, array(), json_encode( $params ) );
     $this->curl->setCurlParam( CURLOPT_HTTPHEADER, array('content-type: application/json',) );
@@ -170,6 +173,7 @@ private function postRequest( $url, array $params, $responseType )
   private function getRequest( $url, array $params, $responseType )
   {
     $this->curl = new Curl();
+    $this->curl->setPublicSslKeys($this->publicSslKeys);
     $this->setNetworkInterface( $params );
     $this->curl->curlGet( $url, $params );
     return $this->request( $url, $responseType );
@@ -232,4 +236,9 @@ private function setNetworkInterface( array &$params )
       unset( $params[ 'networkInterface' ] );
     }
   }
+
+  public function setPublicSslKeys(string $sslKeys)
+  {
+      $this->publicSslKeys = $sslKeys;
+  }
 }
diff --git a/src/Sk/SmartId/Client.php b/src/Sk/SmartId/Client.php
@@ -33,7 +33,11 @@
 
 class Client
 {
-  const VERSION = '5.0';
+  const
+          DEMO_SID_PUBLIC_KEY = "sha256//QLZIaH7Qx9Rjq3gyznQuNsvwMQb7maC5L4SLu/z5qNU=",
+          RP_API_PUBLIC_KEY_VALID_FROM_2016_12_20_TO_2020_01_19 = "sha256//R8b8SIj92sylUdok0DqfxJJN0yW2O3epE0B+5vpo2eM=",
+          RP_API_PUBLIC_KEY_VALID_FROM_2019_11_01_TO_2021_11_05 = "sha256//l2uvq6ftLN4LZ+8Un+71J2vH1BT9wTbtrE5+Fj3Vc5g=",
+          VERSION = '5.0';
 
   /**
    * @var array
@@ -55,6 +59,11 @@ class Client
    */
   private $hostUrl;
 
+    /**
+     * @var string
+     */
+  private $sslKeys;
+
   /**
    * @param string $apiName
    * @throws InvalidArgumentException
@@ -145,4 +154,34 @@ public function getHostUrl()
   {
     return $this->hostUrl;
   }
+
+  public function setPublicSslKeys(string $sslKeys)
+  {
+      $this->sslKeys = $sslKeys;
+
+      return $this;
+  }
+
+    public function useOnlyDemoPublicKey()
+    {
+        $this->sslKeys = self::DEMO_SID_PUBLIC_KEY;
+
+        return $this;
+    }
+
+    public function useOnlyLivePublicKey()
+    {
+        $this->sslKeys = self::RP_API_PUBLIC_KEY_VALID_FROM_2016_12_20_TO_2020_01_19.";".self::RP_API_PUBLIC_KEY_VALID_FROM_2019_11_01_TO_2021_11_05;
+
+        return $this;
+    }
+
+  public function getPublicSslKeys()
+  {
+      if($this->sslKeys === null)
+      {
+          $this->sslKeys = self::DEMO_SID_PUBLIC_KEY.";".self::RP_API_PUBLIC_KEY_VALID_FROM_2016_12_20_TO_2020_01_19.";".self::RP_API_PUBLIC_KEY_VALID_FROM_2019_11_01_TO_2021_11_05;
+      }
+      return $this->sslKeys;
+  }
 }
diff --git a/src/Sk/SmartId/Util/Curl.php b/src/Sk/SmartId/Util/Curl.php
@@ -25,11 +25,13 @@
  * #L%
  */
 namespace Sk\SmartId\Util;
+defined('CURLOPT_PINNEDPUBLICKEY') || define('CURLOPT_PINNEDPUBLICKEY', 10230);
 
 use Exception;
 
 class Curl
 {
+
   const
       GET = 1,
       POST = 2,
@@ -44,7 +46,8 @@ class Curl
       $requestMethod = self::GET,
       $importCookies = false,
       $includeHeaders = false,
-      $curlTimeout = 600;
+      $curlTimeout = 600,
+      $publicSslKeys;
 
   /**
    * @throws Exception
@@ -195,6 +198,7 @@ protected function sendRequest()
     curl_setopt( $this->curl, CURLOPT_FOLLOWLOCATION, $this->followLocation );
     curl_setopt( $this->curl, CURLOPT_TIMEOUT, $this->curlTimeout );
     curl_setopt( $this->curl, CURLOPT_SSL_VERIFYPEER, false );
+    curl_setopt( $this->curl, CURLOPT_PINNEDPUBLICKEY, $this->publicSslKeys);
 
     if ( self::POST === $this->requestMethod )
     {
@@ -350,7 +354,12 @@ public function getError()
     return false;
   }
 
-  /**
+    public function setPublicSslKeys(string $public_keys)
+    {
+        $this->publicSslKeys = $public_keys;
+    }
+
+    /**
    * @param int $option
    * @return array|mixed
    */

diff --git a/src/resources/ssl_public_keys/demo.sid.public.key b/src/resources/ssl_public_keys/demo.sid.public.key
@@ -0,0 +1 @@
+sha256//QLZIaH7Qx9Rjq3gyznQuNsvwMQb7maC5L4SLu/z5qNU=
diff --git a/src/resources/ssl_public_keys/rp-api.smart-id.com.pem (1).cer b/src/resources/ssl_public_keys/rp-api.smart-id.com.pem (1).cer
@@ -0,0 +1 @@
+sha256//R8b8SIj92sylUdok0DqfxJJN0yW2O3epE0B+5vpo2eM=
diff --git a/src/resources/ssl_public_keys/rp-api_smart-id_com_2019.PEM.crt b/src/resources/ssl_public_keys/rp-api_smart-id_com_2019.PEM.crt
@@ -0,0 +1 @@
+sha256//l2uvq6ftLN4LZ+8Un+71J2vH1BT9wTbtrE5+Fj3Vc5g=
diff --git a/tests/Sk/SmartId/Tests/Setup.php b/tests/Sk/SmartId/Tests/Setup.php
@@ -29,6 +29,7 @@
 use PHPUnit\Framework\TestCase;
 use Sk\SmartId\Client;
 use Sk\SmartId\Tests\Api\DummyData;
+use Sk\SmartId\Util\Curl;
 
 class Setup extends TestCase
 {

diff --git a/tests/Sk/SmartId/Tests/SslTest.php b/tests/Sk/SmartId/Tests/SslTest.php
@@ -0,0 +1,100 @@
+<?php
+
+namespace Sk\SmartId\Tests;
+
+use Sk\SmartId\Api\Data\AuthenticationHash;
+use Sk\SmartId\Api\Data\AuthenticationSessionRequest;
+use Sk\SmartId\Api\Data\DigestCalculator;
+use Sk\SmartId\Api\Data\HashType;
+use Sk\SmartId\Api\SmartIdRestConnector;
+use Sk\SmartId\Exception\SmartIdException;
+use Sk\SmartId\Tests\Api\DummyData;
+use Sk\SmartId\Util\Curl;
+
+class SslTest extends Setup
+{
+    /**
+     * @test
+     */
+    public function authenticate_demoEnv_success()
+    {
+        $this->client->authentication()
+                ->createAuthentication()
+                ->withCertificateLevel(DummyData::CERTIFICATE_LEVEL)
+                ->withAuthenticationHash(new AuthenticationHash(DigestCalculator::calculateDigest( DummyData::SIGNABLE_TEXT, HashType::SHA512 )))
+                ->withDocumentNumber(DummyData::VALID_DOCUMENT_NUMBER)
+                ->authenticate();
+    }
+
+    /**
+     * @test
+     */
+    public function authenticate_demoEnvUseDemoEnvPublicKeys_success()
+    {
+        $this->client->useOnlyDemoPublicKey()->authentication()
+                ->createAuthentication()
+                ->withCertificateLevel(DummyData::CERTIFICATE_LEVEL)
+                ->withAuthenticationHash(new AuthenticationHash(DigestCalculator::calculateDigest( DummyData::SIGNABLE_TEXT, HashType::SHA512 )))
+                ->withDocumentNumber(DummyData::VALID_DOCUMENT_NUMBER)
+                ->authenticate();
+    }
+
+
+    /**
+     * @test
+     */
+    public function authenticate_demoEnvUseLiveEnvPublicKeys_shouldThrowException()
+    {
+        $this->expectException(SmartIdException::class);
+
+        $this->client->useOnlyLivePublicKey()->authentication()
+                ->createAuthentication()
+                ->withCertificateLevel(DummyData::CERTIFICATE_LEVEL)
+                ->withAuthenticationHash(new AuthenticationHash(DigestCalculator::calculateDigest( DummyData::SIGNABLE_TEXT, HashType::SHA512 )))
+                ->withDocumentNumber(DummyData::VALID_DOCUMENT_NUMBER)
+                ->authenticate();
+    }
+
+    /**
+ * @test
+ */
+    public function authenticate_demoEnvSetPublicKeysFromArray_success()
+    {
+        $this->client->setPublicSslKeys("sha256//QLZIaH7Qx9Rjq3gyznQuNsvwMQb7maC5L4SLu/z5qNU=;sha256//R8b8SIj92sylUdok0DqfxJJN0yW2O3epE0B+5vpo2eM=")->authentication()
+                ->createAuthentication()
+                ->withCertificateLevel(DummyData::CERTIFICATE_LEVEL)
+                ->withAuthenticationHash(new AuthenticationHash(DigestCalculator::calculateDigest( DummyData::SIGNABLE_TEXT, HashType::SHA512 )))
+                ->withDocumentNumber(DummyData::VALID_DOCUMENT_NUMBER)
+                ->authenticate();
+    }
+
+    /**
+     * @test
+     */
+    public function authenticate_demoEnvSetPublicKeysFromEmptyString_throwsException()
+    {
+        $this->expectException(SmartIdException::class);
+        $this->client->setPublicSslKeys("")->authentication()
+                ->createAuthentication()
+                ->withCertificateLevel(DummyData::CERTIFICATE_LEVEL)
+                ->withAuthenticationHash(new AuthenticationHash(DigestCalculator::calculateDigest( DummyData::SIGNABLE_TEXT, HashType::SHA512 )))
+                ->withDocumentNumber(DummyData::VALID_DOCUMENT_NUMBER)
+                ->authenticate();
+    }
+
+    /**
+     * @test
+     */
+    public function makeRequestToGoogle_demoPublicKeys_shouldThrowException()
+    {
+        $this->expectException(SmartIdException::class);
+        $this->client
+                ->setHostUrl("https://www.google.com")
+                ->useOnlyDemoPublicKey()->authentication()
+                ->createAuthentication()
+                ->withCertificateLevel(DummyData::CERTIFICATE_LEVEL)
+                ->withAuthenticationHash(new AuthenticationHash(DigestCalculator::calculateDigest( DummyData::SIGNABLE_TEXT, HashType::SHA512 )))
+                ->withDocumentNumber(DummyData::VALID_DOCUMENT_NUMBER)
+                ->authenticate();
+    }
+}
diff --git a/tests/resources/ssl_public_keys/demo.sid.public.key b/tests/resources/ssl_public_keys/demo.sid.public.key
@@ -0,0 +1 @@
+sha256//QLZIaH7Qx9Rjq3gyznQuNsvwMQb7maC5L4SLu/z5qNU=
diff --git a/tests/resources/ssl_public_keys/rp-api.smart-id.com.pem (1).cer b/tests/resources/ssl_public_keys/rp-api.smart-id.com.pem (1).cer
@@ -0,0 +1 @@
+sha256//R8b8SIj92sylUdok0DqfxJJN0yW2O3epE0B+5vpo2eM=
diff --git a/tests/resources/ssl_public_keys/rp-api_smart-id_com_2019.PEM.crt b/tests/resources/ssl_public_keys/rp-api_smart-id_com_2019.PEM.crt
@@ -0,0 +1 @@
+sha256//l2uvq6ftLN4LZ+8Un+71J2vH1BT9wTbtrE5+Fj3Vc5g=
diff --git a/tests/resources/ssl_public_keys/wrong.public.key b/tests/resources/ssl_public_keys/wrong.public.key
@@ -0,0 +1 @@
+sha256//fqp7yWK7iGGKj+3unYdm2DA3VCPDkwtyX+DrdZYSC6o=