NFC-169 Fix PHP auth cert chain, format, SSRF, cookie and OCSP checks

example/public/index.php

@@ -26,6 +26,16 @@
 
 ini_set('display_errors', '0');
 
+session_name('__Host-PHPSESSID');
+
+session_set_cookie_params([
+    'lifetime' => 0,
+    'path' => '/',
+    'secure' => true,
+    'httponly' => true,
+    'samesite' => 'Lax',
+]);
+
 session_start();
 
 // Uncomment following line to define the custom log location (by default the server log is used)

src/certificate/CertificateValidator.php

@@ -73,6 +73,10 @@ public static function validateIsValidAndSignedByTrustedCA(
         $now = DefaultClock::getInstance()->now();
         self::certificateIsValidOnDate($certificate, $now, "User");
 
+        // Prevent SSRF via CA Issuers URI from user-provided certificate AIA.
+        // All trusted/intermediate CA certificates must be provided by configuration.
+        X509::disableURLFetch();
+
         foreach ($trustedCertificates->getCertificates() as $trustedCertificate) {
             $certificate->loadCA(
                 $trustedCertificate->saveX509($trustedCertificate->getCurrentCert(), X509::FORMAT_PEM)

src/validator/ocsp/OcspClientImpl.php

@@ -66,7 +66,9 @@ public function request(Uri $uri, string $encodedOcspRequest): OcspResponse
 
         $info = curl_getinfo($curl);
         if ($info["http_code"] !== 200) {
-            throw new UserCertificateOCSPCheckFailedException("OCSP request was not successful, response: " + $result);
+            throw new UserCertificateOCSPCheckFailedException(
+                "OCSP request was not successful, response: " . (is_string($result) ? $result : '')
+            );
         }
 
         $response = new OcspResponse($result);

src/validator/versionvalidators/AuthTokenVersion11Validator.php

@@ -57,8 +57,7 @@ class AuthTokenVersion11Validator extends AuthTokenVersion1Validator
 
     public function supports(?string $format): bool
     {
-        return $format !== null &&
-            str_starts_with($format, self::V11_SUPPORTED_TOKEN_FORMAT_PREFIX);
+        return $format === self::V11_SUPPORTED_TOKEN_FORMAT_PREFIX;
     }
 
     /**
@@ -84,6 +83,7 @@ public function validate(
             $this->validateSameIssuer($subjectCertificate, $signingCertificate);
             $this->validateSigningCertificateValidity($signingCertificate);
             $this->validateKeyUsage($signingCertificate);
+            $this->validateSigningCertificateChain($signingCertificate);
         }
 
         return $subjectCertificate;
@@ -239,6 +239,21 @@ private function validateKeyUsage(X509 $signingCertificate): void
         }
     }
 
+    /**
+     * @throws AuthTokenParseException
+     */
+    private function validateSigningCertificateChain(X509 $signingCertificate): void
+    {
+        try {
+            $this->buildTrustValidatorBatch()->executeFor($signingCertificate);
+        } catch (AuthTokenException $e) {
+            throw new AuthTokenParseException(
+                "Signing certificate chain validation failed",
+                $e,
+            );
+        }
+    }
+
     /**
      * @throws AuthTokenException
      */

src/validator/versionvalidators/AuthTokenVersion1Validator.php

@@ -73,8 +73,8 @@ public function __construct(
 
     public function supports(?string $format): bool
     {
-        return $format !== null &&
-            str_starts_with($format, self::V1_SUPPORTED_TOKEN_FORMAT_PREFIX);
+        return $format === self::V1_SUPPORTED_TOKEN_FORMAT_PREFIX ||
+            $format === "web-eid:1.0";
     }
 
     public function validate(
@@ -135,7 +135,7 @@ public function validate(
         return $subjectCertificate;
     }
 
-    private function buildTrustValidatorBatch(): SubjectCertificateValidatorBatch
+    protected function buildTrustValidatorBatch(): SubjectCertificateValidatorBatch
     {
         $trustedValidator = new SubjectCertificateTrustedValidator(
             $this->trustedCACertificates,