Complete certificate chain verification (#137)

Root certificates Untrusted certificates CRL fixed
web-auth · Dec 6, 2020 · 9b70c49 · 9b70c49
1 parent 20972ac
commit 9b70c49
Show file tree

Hide file tree

Showing 196 changed files with 2,104 additions and 1,818 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -8,6 +8,9 @@ about: Create a report to help us improve
 A clear and concise description of what the bug is.
 
 **To Reproduce**
+
+*Please provide a script that can be used to reproduce the bug.*
+
 Steps to reproduce the behavior:
 1. Go to '...'
 2. Click on '....'
@@ -21,15 +24,13 @@ A clear and concise description of what you expected to happen.
 If applicable, add screenshots to help explain your problem.
 
 **Desktop (please complete the following information):**
- - OS: [e.g. iOS]
- - Browser [e.g. chrome, safari]
- - Version [e.g. 22]
+ - OS (+version): [e.g. iOS (Big Sure)]
+ - Browser (+version) [e.g. Chrome (85)]
 
 **Smartphone (please complete the following information):**
  - Device: [e.g. iPhone6]
- - OS: [e.g. iOS8.1]
- - Browser [e.g. stock browser, safari]
- - Version [e.g. 22]
+ - OS (+version): [e.g. Android (10)]
+ - Browser (+version) [e.g. Firefox Android (65)]
 
 **Additional context**
 Add any other context about the problem here.
diff --git a/.github/workflows/bc-break-test.yml b/.github/workflows/bc-break-test.yml
@@ -1,6 +1,7 @@
 name: Backwards compatibility verification
 
-on: [push]
+on:
+  pull_request:
 
 jobs:
   bc-check:
@@ -14,21 +15,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v2
-        with:
-          ref: ${{ github.head_ref }}
-
-      - name: Setup PHP, with composer and extensions
-        uses: shivammathur/setup-php@v2
-        with:
-          php-version: ${{ matrix.php-versions }}
-          extensions: json, mbstring, openssl
-          coverage: xdebug
-
-      - name: Install Composer dependencies
-        run: |
-          composer update --no-progress --no-suggest --prefer-dist --optimize-autoloader
+
+      - name: Fetch tags
+        run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
 
       - name: BC Break verification
         uses: docker://nyholm/roave-bc-check-ga
-        with:
-          args: --from=${{ github.event.pull_request.base.sha }}
diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml
@@ -7,24 +7,26 @@ jobs:
     runs-on: ${{ matrix.operating-system }}
     strategy:
       matrix:
-        operating-system: [ windows-latest, ubuntu-latest, macos-latest ]
-        php-versions: [ '7.3', '7.4' ]
+        operating-system: [ubuntu-latest]
+        php-versions: ['7.2', '7.3', '7.4']
     name: PHP ${{ matrix.php-versions }} Test on ${{ matrix.operating-system }}
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2
+      - uses: actions/checkout@v2
         with:
           ref: ${{ github.head_ref }}
 
-      - name: Setup PHP, with composer and extensions
+      - name: Setup PHP
         uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php-versions }}
           extensions: json, mbstring, openssl
           coverage: xdebug
 
-      - name: Install Composer dependencies
+      - name: Validate composer.json and composer.lock
+        run: composer validate
+
+      - name: Install dependencies
         run: |
           composer update --no-progress --no-suggest --prefer-dist --optimize-autoloader
 

diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
@@ -8,7 +8,7 @@ jobs:
     strategy:
       matrix:
         operating-system: [ windows-latest, ubuntu-latest, macos-latest ]
-        php-versions: [ '7.3', '7.4' ]
+        php-versions: [ '7.2', '7.3', '7.4' ]
     name: PHP ${{ matrix.php-versions }} Test on ${{ matrix.operating-system }}
 
     steps:

diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 .phpunit.result.cache
 report.md
 composer.lock
+vendor
diff --git a/.sonarcloud.properties b/.sonarcloud.properties
@@ -9,7 +9,7 @@ sonar.sources=src
 #sonar.test.inclusions=
 
 # Source encoding
-#sonar.sourceEncoding=UTF-8
+sonar.sourceEncoding=UTF-8
 
 # Exclusions for copy-paste detection
 #sonar.cpd.exclusions=
diff --git a/README.md b/README.md
@@ -11,7 +11,7 @@ Webauthn Framework
 ![Build Status](https://github.com/web-auth/webauthn-framework/workflows/Functional%20Tests/badge.svg)
 ![Build Status](https://github.com/web-auth/webauthn-framework/workflows/Lowest%20versions%20tests/badge.svg)
 
-![Build Status](https://github.com/web-auth/webauthn-framework/workflows/Mutation20Testing/badge.svg)
+![Build Status](https://github.com/web-auth/webauthn-framework/workflows/Mutation%20Testing/badge.svg)
 
 [![Latest Stable Version](https://poser.pugx.org/web-auth/webauthn-framework/v/stable.png)](https://packagist.org/packages/web-auth/webauthn-framework)
 [![Total Downloads](https://poser.pugx.org/web-auth/webauthn-framework/downloads.png)](https://packagist.org/packages/web-auth/webauthn-framework)

diff --git a/composer.json b/composer.json
@@ -17,7 +17,8 @@
     "scripts": {
         "test:unit": "./vendor/bin/phpunit --color",
         "test:typing": "./vendor/bin/phpstan analyse",
-        "test:syntax": "./vendor/bin/php-cs-fixer fix --dry-run --stop-on-violation --using-cache=no"
+        "test:syntax": "./vendor/bin/php-cs-fixer fix --dry-run --stop-on-violation --using-cache=no",
+        "test:mutations": "./vendor/bin/infection --logger-github --git-diff-filter=AM -s --threads=$(nproc) --min-msi=0 --min-covered-msi=0"
     },
     "autoload": {
         "psr-4": {
@@ -30,13 +31,14 @@
     },
     "autoload-dev": {
         "psr-4": {
-            "Webauthn\\Tests\\": "tests/",
-            "Cose\\Tests\\Unit\\": "src/cose/tests/unit/",
-            "Webauthn\\Tests\\Functional\\": "src/webauthn/tests/functional/",
-            "Webauthn\\Tests\\Unit\\": "src/webauthn/tests/unit/",
-            "Webauthn\\Bundle\\Tests\\Functional\\": "src/symfony/tests/functional/",
-            "Webauthn\\MetadataService\\Tests\\Functional\\": "src/metadata-service/tests/functional/",
-            "Webauthn\\MetadataService\\Tests\\Unit\\": "src/metadata-service/tests/unit/"
+            "Cose\\Tests\\Unit\\": "tests/cose/unit/",
+            "Webauthn\\Tests\\": [
+                "tests/framework",
+                "tests/library/"
+            ],
+            "Webauthn\\Tests\\Functional\\": "tests/library/",
+            "Webauthn\\Bundle\\Tests\\Functional\\": "tests/symfony/functional/",
+            "Webauthn\\Tests\\MetadataService\\Unit\\": "tests/MDS/unit/"
         }
     },
     "require": {
@@ -85,26 +87,25 @@
     },
     "require-dev": {
         "doctrine/annotations": "^1.7",
-        "doctrine/dbal": "^2.9",
+        "doctrine/dbal": "^2.9|^3.0",
         "doctrine/doctrine-bundle": "^2.0",
         "doctrine/orm": "^2.6",
         "friendsofphp/php-cs-fixer": "^2.16",
-        "infection/infection": "^0.18||^0.19||^0.20",
+        "infection/infection": "^0.15||^0.16||^0.17||^0.18||^0.19||^0.20",
         "monolog/monolog": "^2.0",
         "nyholm/psr7": "^1.1",
         "php-http/curl-client": "^2.0",
         "php-http/mock-client": "^1.3",
-        "phpspec/prophecy-phpunit": "^2.0",
         "phpstan/phpstan": "^0.12",
         "phpstan/phpstan-beberlei-assert": "^0.12",
         "phpstan/phpstan-deprecation-rules": "^0.12",
         "phpstan/phpstan-phpunit": "^0.12",
         "phpstan/phpstan-strict-rules": "^0.12",
-        "phpunit/phpunit": "^9.4",
+        "phpunit/phpunit": "^8.0||^9.0",
         "symfony/browser-kit": "^4.4|^5.0",
         "symfony/http-client": "^4.4|^5.0",
         "symfony/monolog-bundle": "^3.5",
-        "symfony/phpunit-bridge": "*",
+        "symfony/phpunit-bridge": "^5.1",
         "symfony/security-bundle": "^4.4|^5.0",
         "symfony/serializer": "^4.4|^5.0",
         "symfony/translation": "^4.4|^5.0",

diff --git a/phpstan.neon b/phpstan.neon
@@ -2,9 +2,6 @@ parameters:
     level: 7
     paths:
         - src
-    excludes_analyse:
-        - %currentWorkingDirectory%/src/*/tests/*
-        - %currentWorkingDirectory%/src/*/var/*
     ignoreErrors:
         - '#Method .* should return Webauthn\\PublicKeyCredential(Creation|Request)Options but returns Webauthn\\PublicKeyCredentialOptions\.#'
         - '#Parameter .* of class .* expects Webauthn\\PublicKeyCredential(Creation|Request)Options\, Webauthn\\PublicKeyCredentialOptions given\.#'

diff --git a/phpunit.xml.dist b/phpunit.xml.dist
@@ -1,25 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" backupGlobals="false" backupStaticAttributes="false" convertErrorsToExceptions="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" processIsolation="false" stopOnFailure="false" bootstrap="vendor/autoload.php" colors="true" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.3/phpunit.xsd">
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" executionOrder="default" backupGlobals="false" backupStaticAttributes="false" convertErrorsToExceptions="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" processIsolation="false" stopOnFailure="false" bootstrap="vendor/autoload.php" colors="true" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.3/phpunit.xsd">
   <coverage>
     <include>
-      <directory suffix=".php">./</directory>
+      <directory suffix=".php">./src</directory>
     </include>
-    <exclude>
-      <directory>./vendor</directory>
-      <directory>./src/*/var/</directory>
-      <directory>./src/*/tests/</directory>
-      <directory suffix="Test.php">./src</directory>
-    </exclude>
   </coverage>
   <testsuites>
     <testsuite name="Test Suite">
-      <directory>./src/tests/</directory>
-      <directory>./src/cose/tests/</directory>
-      <directory>./src/u2f/tests/</directory>
-      <directory>./src/webauthn/tests/</directory>
-      <directory>./src/metadata-service/tests/</directory>
-      <directory>./src/symfony/tests/</directory>
-      <directory>./src/conformance-toolset/tests/</directory>
+      <directory>tests/</directory>
     </testsuite>
   </testsuites>
   <php>
@@ -36,6 +24,7 @@
       <arguments>
         <array>
           <element key="time-sensitive"><string>Webauthn</string></element>
+          <element key="time-sensitive"><string>Webauthn\CertificateChainChecker</string></element>
         </array>
       </arguments>
     </listener>

diff --git a/src/conformance-toolset/.gitattributes b/src/conformance-toolset/.gitattributes
@@ -2,5 +2,4 @@
 
 /.github export-ignore
 /.gitattributes export-ignore
-/.gitignore export-ignore
-/phpunit.xml.dist export-ignore
+/README.md export-ignore
diff --git a/src/conformance-toolset/.gitignore b/src/conformance-toolset/.gitignore
diff --git a/src/conformance-toolset/phpunit.xml.dist b/src/conformance-toolset/phpunit.xml.dist
diff --git a/src/cose/.gitattributes b/src/cose/.gitattributes
@@ -1,7 +1,5 @@
 * text=auto
 
 /.github export-ignore
-/tests export-ignore
 /.gitattributes export-ignore
-/.gitignore export-ignore
-/phpunit.xml.dist export-ignore
+/README.md export-ignore
diff --git a/src/cose/.gitignore b/src/cose/.gitignore
diff --git a/src/cose/phpunit.xml.dist b/src/cose/phpunit.xml.dist
diff --git a/src/cose/src/Algorithm/Signature/ECDSA/ECSignature.php b/src/cose/src/Algorithm/Signature/ECDSA/ECSignature.php
@@ -13,8 +13,14 @@
 
 namespace Cose\Algorithm\Signature\ECDSA;
 
+use function bin2hex;
+use function dechex;
+use function hexdec;
 use InvalidArgumentException;
+use function mb_strlen;
+use function mb_substr;
 use function Safe\hex2bin;
+use function str_pad;
 use const STR_PAD_LEFT;
 
 /**
@@ -58,13 +64,14 @@ public static function toAsn1(string $signature, int $length): string
     public static function fromAsn1(string $signature, int $length): string
     {
         $message = bin2hex($signature);
+        $position = 0;
 
-        if (0 !== mb_strpos($message, self::ASN1_SEQUENCE, 0, '8bit')) {
+        if (self::ASN1_SEQUENCE !== self::readAsn1Content($message, $position, self::BYTE_SIZE)) {
             throw new InvalidArgumentException('Invalid data. Should start with a sequence.');
         }
 
-        $position = 2;
-        if (0 !== mb_strpos($message, self::ASN1_LENGTH_2BYTES, 2, '8bit')) {
+        // @phpstan-ignore-next-line
+        if (self::ASN1_LENGTH_2BYTES === self::readAsn1Content($message, $position, self::BYTE_SIZE)) {
             $position += self::BYTE_SIZE;
         }
 
@@ -85,8 +92,10 @@ private static function preparePositiveInteger(string $data): string
             return self::ASN1_NEGATIVE_INTEGER.$data;
         }
 
-        while (0 === mb_strpos($data, self::ASN1_NEGATIVE_INTEGER, 0, '8bit')
-            && mb_substr($data, 2, self::BYTE_SIZE, '8bit') <= self::ASN1_BIG_INTEGER_LIMIT) {
+        while (
+            self::ASN1_NEGATIVE_INTEGER === mb_substr($data, 0, self::BYTE_SIZE, '8bit')
+            && mb_substr($data, 2, self::BYTE_SIZE, '8bit') <= self::ASN1_BIG_INTEGER_LIMIT
+        ) {
             $data = mb_substr($data, 2, null, '8bit');
         }
 
@@ -114,8 +123,10 @@ private static function readAsn1Integer(string $message, int &$position): string
 
     private static function retrievePositiveInteger(string $data): string
     {
-        while (0 === mb_strpos($data, self::ASN1_NEGATIVE_INTEGER, 0, '8bit')
-            && mb_substr($data, 2, self::BYTE_SIZE, '8bit') > self::ASN1_BIG_INTEGER_LIMIT) {
+        while (
+            self::ASN1_NEGATIVE_INTEGER === mb_substr($data, 0, self::BYTE_SIZE, '8bit')
+            && mb_substr($data, 2, self::BYTE_SIZE, '8bit') > self::ASN1_BIG_INTEGER_LIMIT
+        ) {
             $data = mb_substr($data, 2, null, '8bit');
         }
 

diff --git a/src/metadata-service/.gitattributes b/src/metadata-service/.gitattributes
@@ -1,7 +1,5 @@
 * text=auto
 
 /.github export-ignore
-/tests export-ignore
 /.gitattributes export-ignore
-/.gitignore export-ignore
-/phpunit.xml.dist export-ignore
+/README.md export-ignore
diff --git a/src/metadata-service/.gitignore b/src/metadata-service/.gitignore