From 35270863307424ad1c552b0dbdb34572b871099e Mon Sep 17 00:00:00 2001 From: Sebastiaan Stok Date: Wed, 20 Dec 2023 16:25:19 +0100 Subject: [PATCH] Don't require pdb-symfony-bridge We only need a `PublicSuffixList` instance, requiring a Symfony specific implementation would defeat the purpose of using an interface --- README.md | 2 +- UPGRADE.md | 8 ++++++++ composer.json | 2 +- docs/index.md | 23 ++++++++++++++++------- src/CertificateValidator.php | 8 +++----- tests/CertificateValidatorTest.php | 12 ++++++------ 6 files changed, 35 insertions(+), 20 deletions(-) create mode 100644 UPGRADE.md diff --git a/README.md b/README.md index 3fd2262..d4363bc 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ to these validators with the Symfony Validator component. To install this package, add `rollerworks/x509-validator` to your composer.json: ```bash -$ php composer.phar require rollerworks/x509-validator +php composer.phar require rollerworks/x509-validator ``` Now, [Composer][composer] will automatically download all required files, diff --git a/UPGRADE.md b/UPGRADE.md new file mode 100644 index 0000000..d8ffc62 --- /dev/null +++ b/UPGRADE.md @@ -0,0 +1,8 @@ +UPGRADE +======= + +## Upgrade FROM 0.1.0 to 0.2.0 + +* The `CertificateValidator` now expects a `\Pdp\PublicSuffixList` instance + is passed as first argument, instead of a + `Rollerworks\Component\PdbSfBridge\PdpManager` instance; diff --git a/composer.json b/composer.json index b0994b7..a3ea5c0 100644 --- a/composer.json +++ b/composer.json @@ -23,7 +23,6 @@ "mlocati/ocsp": "^1.0", "psr/clock": "^1.0", "rollerworks/pdb-symfony-bridge": "^1.0", - "rollerworks/pdb-validator": "^1.0", "symfony/translation-contracts": "^2.5 || ^3.0" }, "require-dev": { @@ -31,6 +30,7 @@ "phpspec/prophecy-phpunit": "^2.0", "phpunit/phpunit": "^10.4.2", "rollerscapes/standards": "^1.0", + "rollerworks/pdb-symfony-bridge": "^1.0", "symfony/clock": "^6.3", "symfony/error-handler": "^6.3", "symfony/http-client": "^6.3", diff --git a/docs/index.md b/docs/index.md index 4adb357..45fe681 100644 --- a/docs/index.md +++ b/docs/index.md @@ -30,8 +30,12 @@ See [Working with validation Violations] below. ## Using the CertificateValidator -Note that `CertificateValidator` requires a `Rollerworks\Component\PdbSfBridge\PdpManager` -instance, see https://github.com/rollerworks/PdbSfBridge to set-up a new instance. +Note that `CertificateValidator` requires a `Pdp\PublicSuffixList` +instance, see https://github.com/jeremykendall/php-domain-parser#usage +to set-up a new instance. + +**Tip**: For Symfony use the https://github.com/rollerworks/PdbSfBridge +with out-of-the-box Framework integration. The `CertificateValidator` validates: @@ -42,13 +46,13 @@ The `CertificateValidator` validates: or public-suffix length violations; ```php -use Rollerworks\Component\PdbSfBridge\PdpManager; +use Pdp\PublicSuffixList; use Rollerworks\Component\X509Validator\CertificateValidator; -/** @var PdpManager $pdbManager */ -$pdbManager = ...; +/** @var PublicSuffixList $publicSuffixList */ +$publicSuffixList = ...; -$validator = new CertificateValidator($pdbManager, /*$dataExtractor*/); +$validator = new CertificateValidator($publicSuffixList, /*$dataExtractor*/); // PEM X509 encoded certificate string $certificate = ''; @@ -182,7 +186,12 @@ The `OCSPValidator` validates the revocation status of a certificate, for this to work internet access is required, and the certificate must have a CA. -First make sure the `` +First make sure the `symfony/http-client` package is installed, any +`Symfony\Contracts\HttpClient\HttpClientInterface` instance is accepted. + +```bash +php composer.phar require symfony/http-client +``` This validator should be called after general validation with the `CertificateValidator`. diff --git a/src/CertificateValidator.php b/src/CertificateValidator.php index 2ac44f5..268eab9 100644 --- a/src/CertificateValidator.php +++ b/src/CertificateValidator.php @@ -14,8 +14,8 @@ namespace Rollerworks\Component\X509Validator; use Pdp\Domain; +use Pdp\PublicSuffixList; use Psr\Clock\ClockInterface; -use Rollerworks\Component\PdbSfBridge\PdpManager as PublicSuffixManager; use Rollerworks\Component\X509Validator\Violation\CertificateHasExpired; use Rollerworks\Component\X509Validator\Violation\GlobalWildcard; use Rollerworks\Component\X509Validator\Violation\UnsupportedDomain; @@ -40,7 +40,7 @@ class CertificateValidator * @param CAResolver|null $caResolver Use a custom CAResolver that stores CAs */ public function __construct( - private readonly PublicSuffixManager $suffixManager, + private readonly PublicSuffixList $publicSuffixList, X509DataExtractor $dataExtractor = null, CAResolver $caResolver = null, private ?ClockInterface $clock = null @@ -94,8 +94,6 @@ private function validateSignatureAlgorithm(string $signatureType): void /** @param array $domains */ private function validateDomainsWildcard(array $domains): void { - $rules = $this->suffixManager->getPublicSuffixList(); - foreach ($domains as $domain) { if (! str_contains($domain, '*')) { continue; @@ -105,7 +103,7 @@ private function validateDomainsWildcard(array $domains): void throw new GlobalWildcard($domain, '*'); } - $domainInfo = $rules->resolve(Domain::fromIDNA2008($domain)); + $domainInfo = $this->publicSuffixList->resolve(Domain::fromIDNA2008($domain)); if (! $domainInfo->suffix()->isKnown()) { return; diff --git a/tests/CertificateValidatorTest.php b/tests/CertificateValidatorTest.php index e382599..511d5f6 100644 --- a/tests/CertificateValidatorTest.php +++ b/tests/CertificateValidatorTest.php @@ -13,12 +13,12 @@ namespace Rollerworks\Component\X509Validator\Tests; +use Pdp\PublicSuffixList; use PHPUnit\Framework\Attributes\DataProvider; use PHPUnit\Framework\Attributes\DoesNotPerformAssertions; use PHPUnit\Framework\Attributes\Test; use PHPUnit\Framework\TestCase; use Psr\Clock\ClockInterface; -use Rollerworks\Component\PdbSfBridge\PdpManager; use Rollerworks\Component\PdbSfBridge\PdpMockProvider; use Rollerworks\Component\X509Validator\CertificateValidator; use Rollerworks\Component\X509Validator\TranslatableArgument; @@ -38,7 +38,7 @@ final class CertificateValidatorTest extends TestCase { private ClockInterface $clock; private CertificateValidator $certificateValidator; - private PdpManager $pdpManager; + private PublicSuffixList $publicSuffixList; protected function setUp(): void { @@ -55,8 +55,8 @@ public function now(): \DateTimeImmutable } }; - $this->pdpManager = PdpMockProvider::getPdpManager(); - $this->certificateValidator = new CertificateValidator($this->pdpManager, clock: $this->clock); + $this->publicSuffixList = PdpMockProvider::getPdpManager()->getPublicSuffixList(); + $this->certificateValidator = new CertificateValidator($this->publicSuffixList, clock: $this->clock); } #[Test] @@ -143,7 +143,7 @@ public function validate_certificate_is_expired(): void #[DataProvider('provideValidate_certificate_host_contains_global_wildcardCases')] public function validate_certificate_host_contains_global_wildcard(array $domains, string $provided, string $suffixPattern): void { - $this->certificateValidator = new FakedCertificateValidator($this->pdpManager); + $this->certificateValidator = new FakedCertificateValidator($this->publicSuffixList); $this->certificateValidator->setFields([ '_domains' => $domains, '_validTo' => new \DateTimeImmutable('+1 year'), @@ -179,7 +179,7 @@ public static function provideValidate_certificate_host_contains_global_wildcard #[DoesNotPerformAssertions] public function validate_certificate_host_wildcard_without_known_prefix_does_not_fail(array $domains): void { - $this->certificateValidator = new FakedCertificateValidator($this->pdpManager); + $this->certificateValidator = new FakedCertificateValidator($this->publicSuffixList); $this->certificateValidator->setFields([ '_domains' => $domains, '_validTo' => new \DateTimeImmutable('+1 year'),