Allow id-card authentication when Extended Key Usage is not present in certificate

src/validator/AuthTokenSignatureValidator.php

@@ -27,6 +27,7 @@
 namespace web_eid\web_eid_authtoken_validation_php\validator;
 
 use GuzzleHttp\Psr7\Uri;
+use phpseclib3\Crypt\RSA;
 use web_eid\web_eid_authtoken_validation_php\exceptions\AuthTokenParseException;
 use web_eid\web_eid_authtoken_validation_php\exceptions\ChallengeNullOrEmptyException;
 use InvalidArgumentException;
@@ -36,6 +37,10 @@
 class AuthTokenSignatureValidator
 {
 
+    private const ECDSA_ALGORITHMS = ['ES256', 'ES384', 'ES512'];
+
+    private const RSASSA_PSS_ALGORITHMS = ['PS256', 'PS384', 'PS512'];
+
     /** Supported subset of JSON Web Signature algorithms as defined in RFC 7518, sections 3.3, 3.4, 3.5.
      * See https://github.com/web-eid/libelectronic-id/blob/main/include/electronic-id/enums.hpp#L176.
      */
@@ -72,10 +77,17 @@ public function validate(string $algorithm, string $signature, $publicKey, strin
         $decodedSignature = base64_decode($signature);
 
         // Note that in case of ECDSA, some eID cards output raw R||S, so we need to trascode it to DER
-        if (in_array($algorithm, ["ES256", "ES384", "ES512"]) && !AsnUtil::isSignatureInAsn1Format($decodedSignature)) {
+        if (in_array($algorithm, self::ECDSA_ALGORITHMS) && !AsnUtil::isSignatureInAsn1Format($decodedSignature)) {
             $decodedSignature = AsnUtil::transcodeSignatureToDER($decodedSignature);
         }
 
+        if (in_array($algorithm, self::RSASSA_PSS_ALGORITHMS)) {
+            $publicKey = openssl_get_publickey($publicKey->withPadding(RSA::SIGNATURE_PSS)->toString('PSS'));
+            if (!$publicKey) {
+                throw new AuthTokenParseException();
+            }
+        }
+
         $hashAlgorithm = $this->hashAlgorithmForName($algorithm);
 
         $originHash = openssl_digest($this->siteOrigin->jsonSerialize(), $hashAlgorithm, true);

src/validator/certvalidators/SubjectCertificatePurposeValidator.php

@@ -32,6 +32,9 @@
 final class SubjectCertificatePurposeValidator implements SubjectCertificateValidator
 {
 
+    private const KEY_USAGE = 'id-ce-keyUsage';
+    private const KEY_USAGE_DIGITAL_SIGNATURE = 0;
+    private const EXTENDED_KEY_USAGE = 'id-ce-extKeyUsage';
     // oid 1.3.6.1.5.5.7.3.2
     private const EXTENDED_KEY_USAGE_CLIENT_AUTHENTICATION = "id-kp-clientAuth";
     private $logger;
@@ -44,22 +47,33 @@ public function __construct(LoggerInterface $logger = null)
     /**
      * Validates that the purpose of the user certificate from the authentication token contains client authentication.
      *
-     * @copyright 2022 Petr Muzikant [email protected]
-     * 
-     * @param subjectCertificate user certificate to be validated
+     * @param X509 $subjectCertificate user certificate to be validated
      * @throws UserCertificateMissingPurposeException
+     * @throws UserCertificateWrongPurposeException
+     * @copyright 2022 Petr Muzikant [email protected]
+     *
      */
     public function validate(X509 $subjectCertificate): void
     {
-        $usages = $subjectCertificate->getExtension('id-ce-extKeyUsage');
-        if (!$usages || empty($usages)) {
+        $keyUsage = $subjectCertificate->getExtension(self::KEY_USAGE);
+        if (!$keyUsage || empty($keyUsage)) {
             throw new UserCertificateMissingPurposeException();
         }
+        if (!$keyUsage[self::KEY_USAGE_DIGITAL_SIGNATURE]) {
+            throw new UserCertificateWrongPurposeException();
+        }
+        $usages = $subjectCertificate->getExtension(self::EXTENDED_KEY_USAGE);
+        if (!$usages || empty($usages)) {
+            // Digital Signature extension present, but Extended Key Usage extension not present,
+            // assume it is an authentication certificate (e.g. Luxembourg eID).
+            return;
+        }
         // Extended usages must contain TLS Web Client Authentication
         if (!in_array(self::EXTENDED_KEY_USAGE_CLIENT_AUTHENTICATION, $usages)) {
             throw new UserCertificateWrongPurposeException();
         }
 
         $this->logger?->debug("User certificate can be used for client authentication.");
     }
+
 }

tests/_resources/eID TEST EC Citizen CA.cer

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKTCCAq+gAwIBAgIIcND8I1qptLUwCgYIKoZIzj0EAwMwKzELMAkGA1UEBhMC
+QkUxHDAaBgNVBAMME2VJRCBURVNUIEVDIFJvb3QgQ0EwIBcNMDcwNDMwMjIwMDIw
+WhgPMjA4NzA0MTAyMjAwMjBaMC4xCzAJBgNVBAYTAkJFMR8wHQYDVQQDDBZlSUQg
+VEVTVCBFQyBDaXRpemVuIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJAiNoOQf
+Y0r8N6JVPMLedXyRZ7MwppGwQ9ZxFzLjVsbeKuUvqEFR0yKKyEidXc875m4UF5lR
+pf/FSWagg2IXGWrypnRZkgnNVP6s5W2LzKdV09hd6v7O8j/8knfHOj+No4IBmTCC
+AZUwHQYDVR0OBBYEFN2zf+OaGY5ZyRFWAi31+p1v3oRLMB8GA1UdIwQYMBaAFCHA
+clfKHAQEGR3ZjH4+tYPrrBwCMA4GA1UdDwEB/wQEAwIBBjBIBgNVHSAEQTA/MD0G
+BmA4DAEBAjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vZWlkZGV2Y2FyZHMuemV0ZXNj
+YXJkcy5iZS9jZXJ0MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDBCBgNV
+HR8EOzA5MDegNaAzhjFodHRwOi8vZWlkZGV2Y2FyZHMuemV0ZXNjYXJkcy5iZS9j
+cmwvcm9vdGNhRUMuY3JsMIGBBggrBgEFBQcBAQR1MHMwPgYIKwYBBQUHMAKGMmh0
+dHA6Ly9laWRkZXZjYXJkcy56ZXRlc2NhcmRzLmJlL2NlcnQvcm9vdGNhRUMuY3J0
+MDEGCCsGAQUFBzABhiVodHRwOi8vZWlkZGV2Y2FyZHMuemV0ZXNjYXJkcy5iZTo4
+ODg4MBIGA1UdEwEB/wQIMAYBAf8CAQAwCgYIKoZIzj0EAwMDaAAwZQIxAOMiiByF
+0aLEA6zUrobMw7aSH5o2u1hGVMe0AL4ezYztRdfxvXVU+m1JosBVBDDjeAIwYJJN
+7bLWw8BVi/lkxRjKL/+zAJP6djGywXI1pVh4HKb0D+tipq5StO+QnM8cnPmg
+-----END CERTIFICATE-----

tests/testutil/AuthTokenValidators.php

@@ -89,6 +89,27 @@ public static function getAuthTokenValidatorWithDisallowedESTEIDPolicy(): AuthTo
             ->build();
     }
 
+    public static function getAuthTokenValidatorForBelgianIdCard(): AuthTokenValidator
+    {
+        return self::getAuthTokenValidator(
+            "https://47f0-46-131-86-189.ngrok-free.app",
+            ...CertificateLoader::loadCertificatesFromResources(
+            __DIR__ . "/../_resources/eID TEST EC Citizen CA.cer"
+        )
+        );
+    }
+
+    public static function getAuthTokenValidatorForFinnishIdCard(): AuthTokenValidator
+    {
+        return self::getAuthTokenValidator(
+            "https://47f0-46-131-86-189.ngrok-free.app",
+            ...CertificateLoader::loadCertificatesFromResources(
+            __DIR__ . "/../_resources/DVV TEST Certificates - G5E.crt",
+            __DIR__ . "/../_resources/VRK TEST CA for Test Purposes - G4.crt"
+        )
+        );
+    }
+
     public static function getAuthTokenValidatorWithWrongTrustedCertificate(): AuthTokenValidator
     {
         return self::getAuthTokenValidator(

tests/validator/AuthTokenCertificateBelgianIdCardTest.php

@@ -0,0 +1,102 @@
+<?php
+
+/*
+ * Copyright (c) 2022-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+
+namespace web_eid\web_eid_authtoken_validation_php\validator;
+
+use DateTime;
+use UnexpectedValueException;
+use web_eid\web_eid_authtoken_validation_php\exceptions\AuthTokenParseException;
+use web_eid\web_eid_authtoken_validation_php\exceptions\CertificateDecodingException;
+use web_eid\web_eid_authtoken_validation_php\exceptions\CertificateExpiredException;
+use web_eid\web_eid_authtoken_validation_php\exceptions\CertificateNotTrustedException;
+use web_eid\web_eid_authtoken_validation_php\exceptions\CertificateNotYetValidException;
+use web_eid\web_eid_authtoken_validation_php\exceptions\UserCertificateDisallowedPolicyException;
+use web_eid\web_eid_authtoken_validation_php\exceptions\UserCertificateMissingPurposeException;
+use web_eid\web_eid_authtoken_validation_php\exceptions\UserCertificateOCSPCheckFailedException;
+use web_eid\web_eid_authtoken_validation_php\exceptions\UserCertificateWrongPurposeException;
+use web_eid\web_eid_authtoken_validation_php\testutil\AbstractTestWithValidator;
+use web_eid\web_eid_authtoken_validation_php\testutil\AuthTokenValidators;
+use web_eid\web_eid_authtoken_validation_php\testutil\Dates;
+
+class AuthTokenCertificateBelgianIdCardTest extends AbstractTestWithValidator
+{
+
+    private const BELGIAN_TEST_ID_CARD_AUTH_TOKEN_ECC =
+        '{' .
+        '  "action": "web-eid:authenticate-success",' .
+        '  "algorithm": "ES384",' .
+        '  "appVersion": "https://web-eid.eu/web-eid-app/releases/2.7.0+965",' .
+        '  "format": "web-eid:1.0",' .
+        '  "signature": "VWCxJ+NrWpNsLJwLbJ1IXuJkkrRsxhfZ1uVmaoY3gBMPrvULaLAp+A1VYGJ2QWobL9FvhMyEQpVlO99ytovux3pX75gHkf3Z0sBjtNqr/QS0ac+qI2hEccFnU0H7deO7",' .
+        '  "unverifiedCertificate": "MIIDQDCCAsegAwIBAgIQEAAAAAAA8evx/gAAAAGKYTAKBggqhkjOPQQDAzAuMQswCQYDVQQGEwJCRTEfMB0GA1UEAwwWZUlEIFRFU1QgRUMgQ2l0aXplbiBDQTAeFw0yMDEwMjIyMjAwMDBaFw0zMDEwMjIyMjAwMDBaMHYxCzAJBgNVBAYTAkJFMScwJQYDVQQDDB5Ob3JhIFNwZWNpbWVuIChBdXRoZW50aWNhdGlvbikxETAPBgNVBAQMCFNwZWNpbWVuMRUwEwYDVQQqDAxOb3JhIEFuZ8OobGUxFDASBgNVBAUTCzAxMDUwMzk5ODY0MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEPybypdwlvczyuKQtJ87s/RmB+hRFaP4BdtR/Sc8jfQTmKUYVn0KDYZPBllh928yMPxU7F+Za3FtFrAPCnDH75IquYsn0oc5olVO7Uas5gn61Y2EA5askyCljNVLA0Gquo4IBYDCCAVwwHwYDVR0jBBgwFoAU3bN/45oZjlnJEVYCLfX6nW/ehEswDgYDVR0PAQH/BAQDAgeAMEkGA1UdIARCMEAwPgYHYDgMAQECAjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vZWlkZGV2Y2FyZHMuemV0ZXNjYXJkcy5iZS9jZXJ0MBMGA1UdJQQMMAoGCCsGAQUFBwMCMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9laWRkZXZjYXJkcy56ZXRlc2NhcmRzLmJlL2NybC9jaXRpemVuY2FFQy5jcmwwgYEGCCsGAQUFBwEBBHUwczA+BggrBgEFBQcwAoYyaHR0cDovL2VpZGRldmNhcmRzLnpldGVzY2FyZHMuYmUvY2VydC9yb290Y2FFQy5jcnQwMQYIKwYBBQUHMAGGJWh0dHA6Ly9laWRkZXZjYXJkcy56ZXRlc2NhcmRzLmJlOjg4ODgwCgYIKoZIzj0EAwMDZwAwZAIwE7uLOjrhXbid+tRKe/5wgE/R3rFVsE6HkpHJg+9+mqlBToLrLWvckmiPRmUot85BAjBNyxy48pVF+azJEnt0Z/hipToVhgJLlMkPFwZiL2+4B3w2WtNeSphEl3gjClos+Wg="' .
+        '}';
+
+    private const BELGIAN_TEST_ID_CARD_AUTH_TOKEN_RSA =
+        '{' .
+        '  "action": "web-eid:authenticate-success",' .
+        '  "algorithm": "RS256",' .
+        '  "appVersion": "https://web-eid.eu/web-eid-app/releases/2.7.0+965",' .
+        '  "format": "web-eid:1.0",' .
+        '  "signature": "KQsMoSj3lWz1H3NZ2LYtV27oIi2LdiBonYVjxZrRUt7qFBmepRRHY+vtM0qOZ0J8i9DwR25hmVi60S2yNAkYMIdYp3g2o8FamSpdz5MZBAGCpxF0yqK74sHN+87qjqj4qMv2rUIKMluhvjuwLSzZHaJzJyels/jdOHTQNgZ8S3ufEoCvLYcVU19TFryoo7ZWKfSB8qTWIv3UdOBTWG7fcU/fOwQmw9YAGrfKTJevTDIwcdLccqKXc1JzDWx6eargAx9Pa3Ehwa1SwB0aTXYVsfO+9awlFzjTXAnCudzKLoYBmNJedmv0MXlxNHSFQ9sNZDVgV4Sb5nQSlXE0st9uoQ==",' .
+        '  "unverifiedCertificate": "MIID7zCCA3WgAwIBAgIQEAAAAAAA8evx/gAAAAHu2TAKBggqhkjOPQQDAzAuMQswCQYDVQQGEwJCRTEfMB0GA1UEAwwWZUlEIFRFU1QgRUMgQ2l0aXplbiBDQTAeFw0yMzA5MjYyMjAwMDBaFw0zMzA5MjYyMjAwMDBaMHYxCzAJBgNVBAYTAkJFMScwJQYDVQQDDB5Ob3JhIFNwZWNpbWVuIChBdXRoZW50aWNhdGlvbikxETAPBgNVBAQMCFNwZWNpbWVuMRUwEwYDVQQqDAxOb3JhIEFuZ8OobGUxFDASBgNVBAUTCzAxMDUwMzk5ODY0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx/JkeHwt4rQhx/QrpPSCLUd98YxiZRvtKyo1glLiByNvDu7D6Jgg70tj2wlrwn3X0c8Rz/Yy3SgLIPzc92ptvaJG0H52cecRKABzDKwn9Qf/ZwsasDkKnprx0KUbiTaBU9Se1AEim5hyG4naahcfQJo+SwvIMhjIVPk1l1B+fbwRBlYG+LoJXdLSwoYRWArnf+4vx2PXR1nrmfLDw0NrtuNQy637O58DSL2XGd0+jKpQfYCBrqN0B26zA2RU0Uzb0ztEf4VXYH26dmv+bqwpXdPQYPQ7elNFXzFCRnmgJfxt4aKSkGZ2sQFWrKeIRxzVizLFDnfW8TSV5S4tuwYSMwIDAQABo4IBYDCCAVwwHwYDVR0jBBgwFoAU3bN/45oZjlnJEVYCLfX6nW/ehEswDgYDVR0PAQH/BAQDAgeAMEkGA1UdIARCMEAwPgYHYDgMAQECAjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vZWlkZGV2Y2FyZHMuemV0ZXNjYXJkcy5iZS9jZXJ0MBMGA1UdJQQMMAoGCCsGAQUFBwMCMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9laWRkZXZjYXJkcy56ZXRlc2NhcmRzLmJlL2NybC9jaXRpemVuY2FFQy5jcmwwgYEGCCsGAQUFBwEBBHUwczA+BggrBgEFBQcwAoYyaHR0cDovL2VpZGRldmNhcmRzLnpldGVzY2FyZHMuYmUvY2VydC9yb290Y2FFQy5jcnQwMQYIKwYBBQUHMAGGJWh0dHA6Ly9laWRkZXZjYXJkcy56ZXRlc2NhcmRzLmJlOjg4ODgwCgYIKoZIzj0EAwMDaAAwZQIwL3Mp3pSlxfjUQ6zlsAwLHBbs1//7vPiqx//IcyUZYuVXZ00KG8MelmaMNbmzDVxaAjEAnqHxkwV5sSDwQCUbb6Tofaypm+DO6C2LriHS5r+s84x2Eq+s+lAJ1L4WkcgsKxns"' .
+        '}';
+
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        // Ensure that the certificates do not expire.
+        $this->mockDate("2024-12-24");
+    }
+
+    protected function tearDown(): void
+    {
+        Dates::resetMockedCertificateValidatorDate();
+    }
+
+    public function testWhenIdCardWithECCSignatureCertificateIsValidatedThenValidationSucceeds(): void
+    {
+        $this->expectNotToPerformAssertions();
+        $validator = AuthTokenValidators::getAuthTokenValidatorForBelgianIdCard();
+        $token = $validator->parse(self::BELGIAN_TEST_ID_CARD_AUTH_TOKEN_ECC);
+
+        $validator->validate($token, 'iMeEwP2cgUINY2XoO/lqEpOUn7z/ysHRqGXkGKC4VXE=');
+    }
+
+    public function testWhenIdCardWithRSASignatureCertificateIsValidatedThenValidationSucceeds(): void
+    {
+        $this->expectNotToPerformAssertions();
+        $validator = AuthTokenValidators::getAuthTokenValidatorForBelgianIdCard();
+        $token = $validator->parse(self::BELGIAN_TEST_ID_CARD_AUTH_TOKEN_RSA);
+
+        $validator->validate($token, 'YPVgYc7Qds0qmK/RilPLffnsIg7IIovM4BAWqGZWwiY=');
+    }
+
+    private function mockDate(string $date)
+    {
+        Dates::setMockedCertificateValidatorDate(new DateTime($date));
+    }
+
+}