Also validate revocation reasons in attestation

OpenConext · Apr 19, 2024 · 1e2cd4a · 1e2cd4a
1 parent 4f42611
commit 1e2cd4a
Showing 1 changed file with 24 additions and 1 deletion.
diff --git a/src/Service/AuthenticatorStatusValidator.php b/src/Service/AuthenticatorStatusValidator.php
@@ -30,6 +30,11 @@ class AuthenticatorStatusValidator
      * @var string[]
      */
     private readonly array $allowedStatus;
+    /**
+     * @var string[]
+     */
+    private readonly array $deniedStatus;
+
 
     public function __construct()
     {
@@ -44,6 +49,13 @@ public function __construct()
             AuthenticatorStatus::FIDO_CERTIFIED_L2plus,
             AuthenticatorStatus::FIDO_CERTIFIED_L3plus,
         ];
+        $this->deniedStatus = [
+            AuthenticatorStatus::REVOKED,
+            AuthenticatorStatus::ATTESTATION_KEY_COMPROMISE,
+            AuthenticatorStatus::USER_KEY_PHYSICAL_COMPROMISE,
+            AuthenticatorStatus::USER_KEY_REMOTE_COMPROMISE,
+            AuthenticatorStatus::USER_VERIFICATION_BYPASS
+        ];
     }
 
     /**
@@ -57,18 +69,29 @@ public function validate(array $statusReports): void
         $meetsRequirement = false;
         $reportsProcessed = 0;
         $reportLog = [];
+        /* The status of the attestation can be multivalued, containing both a certification as a revocation.
+           First test for valid certification, then for reasons to deny
+        */
         foreach ($statusReports as $report) {
             if (in_array($report->status, $this->allowedStatus)) {
                 $meetsRequirement = true;
             }
             $reportsProcessed++;
             $reportLog[] = $report->status;
         }
+        if ($meetsRequirement) {
+            foreach ($statusReports as $report) {
+                if (in_array($report->status, $this->deniedStatus)) {
+                    $meetsRequirement = false;
+                }
+            }
+        }
 
         if (!$meetsRequirement) {
             throw new AuthenticatorStatusNotSupportedException(
                 sprintf(
-                    'Of the %d StatusReports tested, none met one of the required FIDO Certified statuses. ' .
+                    'Of the %d StatusReports tested, none met one of the required FIDO Certified statuses,
+                        or the status was explicitly denied. ' .
                     'Reports tested: "%s"',
                     $reportsProcessed,
                     implode(', ', $reportLog)