Add support for organization certificates

WE2-999 Signed-off-by: Mihkel Kivisild <[email protected]>
web-eid · Dec 10, 2024 · 1fc6155 · 1fc6155
1 parent 159c575
commit 1fc6155
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 86 deletions.
diff --git a/composer.lock b/composer.lock
diff --git a/example/composer.lock b/example/composer.lock
diff --git a/example/src/Auth.php b/example/src/Auth.php
@@ -38,15 +38,16 @@ class Auth
 {
     private $config;
 
-    public function __construct($config) {
+    public function __construct($config)
+    {
         $this->config = $config;
     }
 
     public function trustedIntermediateCACertificates(): array
     {
-        return CertificateLoader::loadCertificatesFromResources(
-            __DIR__ . "/../certificates/esteid2018.der.crt"
-        );
+        $directory = __DIR__ . "/../certificates/";
+        $certificates = glob($directory . "*.der.crt");
+        return CertificateLoader::loadCertificatesFromResources(...$certificates);
     }
 
     public function generator(): ChallengeNonceGenerator
@@ -87,11 +88,14 @@ public function getNonce()
 
     private function getPrincipalNameFromCertificate(X509 $userCertificate): string
     {
-        try {
-            return CertificateData::getSubjectGivenName($userCertificate) . " " . CertificateData::getSubjectSurname($userCertificate);
-        } catch (Exception $e) {
-            return CertificateData::getSubjectCN($userCertificate);
+        $surname = CertificateData::getSubjectSurname($userCertificate);
+        $givenname = CertificateData::getSubjectGivenName($userCertificate);
+        if ($surname && $givenname) {
+            $principalName = $givenname . " " . $surname;
+        } else {
+            $principalName = CertificateData::getSubjectCN($userCertificate);
         }
+        return $principalName;
     }
 
     /**
@@ -103,7 +107,7 @@ public function validate()
     {
         // Header names must be treated as case-insensitive (according to RFC2616) so we convert them to lowercase
         $headers = array_change_key_case(getallheaders(), CASE_LOWER);
-        
+
         if (!isset($headers["x-csrf-token"]) || ($headers["x-csrf-token"] != $_SESSION["csrf-token"])) {
             header("HTTP/1.0 405 Method Not Allowed");
             echo "CSRF token missing, unable to process your request";

diff --git a/src/certificate/CertificateData.php b/src/certificate/CertificateData.php
@@ -27,7 +27,6 @@
 namespace web_eid\web_eid_authtoken_validation_php\certificate;
 
 use phpseclib3\File\X509;
-use UnexpectedValueException;
 use BadFunctionCallException;
 
 final class CertificateData
@@ -40,66 +39,57 @@ public function __construct()
 
     /**
      * Get commonName from x509 certificate
-     *
-     * @throws UnexpectedValueException
      */
-    public static function getSubjectCN(X509 $certificate): string
+    public static function getSubjectCN(X509 $certificate): ?string
     {
         return self::getField($certificate, 'id-at-commonName');
     }
 
     /**
      * Get surname from x509 certificate
-     *
-     * @throws UnexpectedValueException
      */
-    public static function getSubjectSurname(X509 $certificate): string
+    public static function getSubjectSurname(X509 $certificate): ?string
     {
         return self::getField($certificate, 'id-at-surname');
     }
 
     /**
      * Get given name from x509 certificate
-     *
-     * @throws UnexpectedValueException
      */
-    public static function getSubjectGivenName(X509 $certificate): string
+    public static function getSubjectGivenName(X509 $certificate): ?string
     {
         return self::getField($certificate, 'id-at-givenName');
     }
 
     /**
      * Get serialNumber (ID-code) from x509 certificate
-     *
-     * @throws UnexpectedValueException
      */
-    public static function getSubjectIdCode(X509 $certificate): string
+    public static function getSubjectIdCode(X509 $certificate): ?string
     {
         return self::getField($certificate, 'id-at-serialNumber');
     }
 
     /**
      * Get country code from x509 certificate
-     *
-     * @throws UnexpectedValueException
      */
-    public static function getSubjectCountryCode(X509 $certificate): string
+    public static function getSubjectCountryCode(X509 $certificate): ?string
     {
         return self::getField($certificate, 'id-at-countryName');
     }
 
     /**
      * Get specified subject field from x509 certificate
      *
-     * @throws UnexpectedValueException field identifier not found
      * @return string
      */
-    private static function getField(X509 $certificate, string $fieldId): string
+    private static function getField(X509 $certificate, string $fieldId): ?string
     {
         $result = $certificate->getSubjectDNProp($fieldId);
         if ($result) {
-            return $result[0];
+            return join(" ", $result);
+        }
+        else {
+            return null;
         }
-        throw new UnexpectedValueException("fieldId " . $fieldId . " not found in certificate subject");
     }
 }