Move the Attestation Certificate verification code to trait

The purpose of this change is twofold:

1. The logic in the Server code is slightly easier to follow
2. Existing Registrations can easily be re-verified outside of the token
   registration process, allowing implementations to effectively revoke an
   entire vendor if it ever becomes necessary

Author: Firehed

src/AttestationCertificateTrait.php

@@ -29,4 +29,15 @@ public function setAttestationCertificate(string $cert): self {
         return $this;
     }
 
+    public function verifyIssuerAgainstTrustedCAs(array $trusted_cas): bool {
+        $result = openssl_x509_checkpurpose(
+            $this->getAttestationCertificatePem(),
+            \X509_PURPOSE_ANY,
+            $trusted_cas);
+        if ($result !== true) {
+            throw new SecurityException(SecurityException::NO_TRUSTED_CA);
+        }
+        return $result;
+    }
+
 }

src/Server.php

@@ -200,12 +200,7 @@ public function register(RegisterResponse $resp): Registration {
 
         $pem = $resp->getAttestationCertificatePem();
         if ($this->verifyCA) {
-            $check = openssl_x509_checkpurpose($pem,
-                \X509_PURPOSE_ANY,
-                $this->trustedCAs);
-            if ($check !== true) {
-                throw new SE(SE::NO_TRUSTED_CA);
-            }
+            $resp->verifyIssuerAgainstTrustedCAs($this->trustedCAs);
         }
 
         // Signature must validate against device issuer's public key

tests/AttestationCertificateTraitTest.php

@@ -40,4 +40,53 @@ public function testGetAttestationCertificatePem() {
         $this->assertSame($expected, $obj->getAttestationCertificatePem(),
             'PEM-formatted certificate was incorrect');
     }
+
+    /**
+     * @covers ::verifyIssuerAgainstTrustedCAs
+     */
+    public function testSuccessfulCAVerification() {
+        $class = $this->getObjectWithYubicoCert();
+        $certs = [dirname(__DIR__).'/CAcerts/yubico.pem'];
+        $this->assertTrue($class->verifyIssuerAgainstTrustedCAs($certs));
+    }
+
+    /**
+     * @covers ::verifyIssuerAgainstTrustedCAs
+     */
+    public function testFailedCAVerification() {
+        $class = $this->getObjectWithYubicoCert();
+        $certs = [__DIR__.'/verisign_only_for_unit_tests.pem'];
+        $this->expectException(SecurityException::class);
+        $this->expectExceptionCode(SecurityException::NO_TRUSTED_CA);
+        $class->verifyIssuerAgainstTrustedCAs($certs);
+    }
+
+    /**
+     * @covers ::verifyIssuerAgainstTrustedCAs
+     */
+    public function testFailedCAVerificationFromNoCAs() {
+        $class = $this->getObjectWithYubicoCert();
+        $certs = [];
+        $this->expectException(SecurityException::class);
+        $this->expectExceptionCode(SecurityException::NO_TRUSTED_CA);
+        $class->verifyIssuerAgainstTrustedCAs($certs);
+    }
+
+    // -(Helper methods)-------------------------------------------------------
+
+    /**
+     * Returns some concrete implementation of a class using
+     * AttestationCertificateTrait
+     *
+     * @return mixed Some class using AttestationCertificateTrait
+     */
+    private function getObjectWithYubicoCert() {
+        $response = RegisterResponse::fromJson(
+            file_get_contents(__DIR__.'/register_response.json'));
+        // Sanity check that the response actually imlements this trait, rather
+        // than doing all sorts of magic
+        $check = AttestationCertificateTrait::class;
+        $this->assertContains($check, class_uses($response));
+        return $response;
+    }
 }