80 lines
3.6 KiB
PHP
80 lines
3.6 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
/*
|
|
* The MIT License (MIT)
|
|
*
|
|
* Copyright (c) 2014-2019 Spomky-Labs
|
|
*
|
|
* This software may be modified and distributed under the terms
|
|
* of the MIT license. See the LICENSE file for details.
|
|
*/
|
|
|
|
namespace Webauthn\MetadataService;
|
|
|
|
use Assert\Assertion;
|
|
use Base64Url\Base64Url;
|
|
use Jose\Component\KeyManagement\JWKFactory;
|
|
use Jose\Component\Signature\Algorithm\ES256;
|
|
use Jose\Component\Signature\Serializer\CompactSerializer;
|
|
use Psr\Http\Client\ClientInterface;
|
|
use Psr\Http\Message\RequestFactoryInterface;
|
|
|
|
class MetadataStatementFetcher
|
|
{
|
|
public static function fetchTableOfContent(string $uri, ClientInterface $client, RequestFactoryInterface $requestFactory, array $additionalHeaders = []): MetadataTOCPayload
|
|
{
|
|
$content = self::fetch($uri, $client, $requestFactory, $additionalHeaders);
|
|
$payload = self::getJwsPayload($content);
|
|
$data = json_decode($payload, true);
|
|
Assertion::eq(JSON_ERROR_NONE, json_last_error(), 'Unable to decode the data');
|
|
|
|
return MetadataTOCPayload::createFromArray($data);
|
|
}
|
|
|
|
public static function fetchMetadataStatement(string $uri, bool $isBase64UrlEncoded, ClientInterface $client, RequestFactoryInterface $requestFactory, array $additionalHeaders = []): MetadataStatement
|
|
{
|
|
$payload = self::fetch($uri, $client, $requestFactory, $additionalHeaders);
|
|
$json = $isBase64UrlEncoded ? Base64Url::decode($payload) : $payload;
|
|
$data = json_decode($json, true);
|
|
Assertion::eq(JSON_ERROR_NONE, json_last_error(), 'Unable to decode the data');
|
|
|
|
return MetadataStatement::createFromArray($data);
|
|
}
|
|
|
|
private static function fetch(string $uri, ClientInterface $client, RequestFactoryInterface $requestFactory, array $additionalHeaders = []): string
|
|
{
|
|
$request = $requestFactory->createRequest('GET', $uri);
|
|
foreach ($additionalHeaders as $k => $v) {
|
|
$request = $request->withHeader($k, $v);
|
|
}
|
|
$response = $client->sendRequest($request);
|
|
Assertion::eq(200, $response->getStatusCode(), sprintf('Unable to contact the server. Response code is %d', $response->getStatusCode()));
|
|
$content = $response->getBody()->getContents();
|
|
Assertion::notEmpty($content, 'Unable to contact the server. The response has no content');
|
|
|
|
return $content;
|
|
}
|
|
|
|
private static function getJwsPayload(string $token): string
|
|
{
|
|
$jws = (new CompactSerializer())->unserialize($token);
|
|
Assertion::eq(1, $jws->countSignatures(), 'Invalid response from the metadata service. Only one signature shall be present.');
|
|
$signature = $jws->getSignature(0);
|
|
$payload = $jws->getPayload();
|
|
Assertion::notEmpty($payload, 'Invalid response from the metadata service. The token payload is empty.');
|
|
$header = $signature->getProtectedHeader();
|
|
Assertion::keyExists($header, 'alg', 'The "alg" parameter is missing.');
|
|
Assertion::eq($header['alg'], 'ES256', 'The expected "alg" parameter value should be "ES256".');
|
|
Assertion::keyExists($header, 'x5c', 'The "x5c" parameter is missing.');
|
|
Assertion::isArray($header['x5c'], 'The "x5c" parameter should be an array.');
|
|
$key = JWKFactory::createFromX5C($header['x5c']);
|
|
$algorithm = new ES256();
|
|
$isValid = $algorithm->verify($key, $signature->getEncodedProtectedHeader().'.'.$jws->getEncodedPayload(), $signature->getSignature());
|
|
Assertion::true($isValid, 'Invalid response from the metadata service. The token signature is invalid.');
|
|
|
|
return $jws->getPayload();
|
|
}
|
|
}
|