Add KeyPairResolver

cicnavi · cicnavi · commit ec1c2fd3caf8 · 2026-01-30T11:10:55.000+01:00
diff --git a/src/Federation.php b/src/Federation.php
@@ -40,6 +40,7 @@
 use SimpleSAML\OpenID\Jws\JwsVerifierDecorator;
 use SimpleSAML\OpenID\Serializers\JwsSerializerManagerDecorator;
 use SimpleSAML\OpenID\Utils\ArtifactFetcher;
+use SimpleSAML\OpenID\Utils\KeyPairResolver;
 
 class Federation
 {
@@ -111,6 +112,8 @@ class Federation
 
     protected ?TrustMarkStatusResponseFetcher $trustMarkStatusResponseFetcher = null;
 
+    protected ?KeyPairResolver $keyPairResolver = null;
+
 
     public function __construct(
         protected readonly SupportedAlgorithms $supportedAlgorithms = new SupportedAlgorithms(),
@@ -455,4 +458,13 @@ public function defaultTrustMarkStatusEndpointUsagePolicyEnum(): TrustMarkStatus
     {
         return $this->defaultTrustMarkStatusEndpointUsagePolicyEnum;
     }
+
+
+    public function keyPairResolver(): KeyPairResolver
+    {
+        return $this->keyPairResolver ??= new KeyPairResolver(
+            $this->helpers(),
+            $this->logger,
+        );
+    }
 }
diff --git a/src/Utils/KeyPairResolver.php b/src/Utils/KeyPairResolver.php
@@ -0,0 +1,139 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\OpenID\Utils;
+
+use Psr\Log\LoggerInterface;
+use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
+use SimpleSAML\OpenID\Exceptions\OpenIdException;
+use SimpleSAML\OpenID\Helpers;
+use SimpleSAML\OpenID\ValueAbstracts\SignatureKeyPair;
+use SimpleSAML\OpenID\ValueAbstracts\SignatureKeyPairBag;
+
+class KeyPairResolver
+{
+    public function __construct(
+        protected readonly Helpers $helpers,
+        protected readonly ?LoggerInterface $logger = null,
+    ) {
+    }
+
+
+    /**
+     * @param mixed[] $receiverEntityMetadata
+     * @param mixed[] $senderEntityMetadata
+     * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
+     * @throws \SimpleSAML\OpenID\Exceptions\OpenIdException
+     */
+    public function resolveSignatureKeyPairByAlgorithm(
+        SignatureKeyPairBag $signatureKeyPairBag,
+        array $receiverEntityMetadata = [],
+        array $senderEntityMetadata = [],
+        ?string $receiverDesignatedSignatureAlgorithmMetadataKey = null,
+        ?string $receiverSupportedSignatureAlgorithmsMetadataKey = null,
+        ?string $senderDesignatedSignatureAlgorithmMetadataKey = null,
+        ?string $senderSupportedSignatureAlgorithmsMetadataKey = null,
+    ): SignatureKeyPair {
+        $signatureKeyPair = $signatureKeyPairBag->getFirstOrFail();
+        $this->logger?->debug(
+            'Default Signature Key Pair: ',
+            [
+                'algorithm' => $signatureKeyPair->getSignatureAlgorithm()->value,
+                'keyId' => $signatureKeyPair->getKeyPair()->getKeyId(),
+            ],
+        );
+
+        $targetAlgorithms = [];
+
+        // Designated algorithms take precedence.
+        if (
+            is_string($receiverDesignatedSignatureAlgorithmMetadataKey) &&
+            array_key_exists($receiverDesignatedSignatureAlgorithmMetadataKey, $receiverEntityMetadata) &&
+            is_string($receiverDesignatedAlg = $receiverEntityMetadata[
+            $receiverDesignatedSignatureAlgorithmMetadataKey
+            ])
+        ) {
+            $this->logger?->debug('Receiver designated signature algorithm: ' . $receiverDesignatedAlg);
+            $targetAlgorithms['receiver'] = $receiverDesignatedAlg;
+        }
+
+        if (
+            is_string($senderDesignatedSignatureAlgorithmMetadataKey) &&
+            array_key_exists($senderDesignatedSignatureAlgorithmMetadataKey, $senderEntityMetadata) &&
+            is_string($senderDesignatedAlg = $senderEntityMetadata[$senderDesignatedSignatureAlgorithmMetadataKey])
+        ) {
+            $this->logger?->debug('Sender designated signature algorithm: ' . $senderDesignatedAlg);
+            $targetAlgorithms['sender'] = $senderDesignatedAlg;
+        }
+
+        // If both sides have designated algorithms, they MUST match.
+        if (count($targetAlgorithms) === 2 && $targetAlgorithms['receiver'] !== $targetAlgorithms['sender']) {
+            $this->logger?->error(
+                'Conflict in designated signature algorithms between receiver and sender.',
+                $targetAlgorithms,
+            );
+            throw new OpenIdException('Conflict in designated signature algorithms between receiver and sender.');
+        }
+
+        if ($targetAlgorithms !== []) {
+            $algorithm = reset($targetAlgorithms);
+            return $signatureKeyPairBag->getFirstByAlgorithmOrFail(
+                SignatureAlgorithmEnum::from($algorithm),
+            );
+        }
+
+        // No designated algorithm, check supported ones.
+        $commonlySupportedAlgorithms = $signatureKeyPairBag->getAllAlgorithmNamesUnique();
+        $this->logger?->debug('Local supported signature algorithms: ' . implode(', ', $commonlySupportedAlgorithms));
+
+        if (
+            is_string($receiverSupportedSignatureAlgorithmsMetadataKey) &&
+            array_key_exists($receiverSupportedSignatureAlgorithmsMetadataKey, $receiverEntityMetadata) &&
+            is_array($receiverSupportedAlgs = $receiverEntityMetadata[$receiverSupportedSignatureAlgorithmsMetadataKey])
+        ) {
+            $receiverSupportedAlgs = $this->helpers->type()
+                ->enforceNonEmptyArrayWithValuesAsNonEmptyStrings($receiverSupportedAlgs);
+            $this->logger?->debug('Receiver supported signature algorithms: ' . implode(', ', $receiverSupportedAlgs));
+
+            $commonlySupportedAlgorithms = array_intersect($commonlySupportedAlgorithms, $receiverSupportedAlgs);
+        }
+
+        if (
+            is_string($senderSupportedSignatureAlgorithmsMetadataKey) &&
+            array_key_exists($senderSupportedSignatureAlgorithmsMetadataKey, $senderEntityMetadata) &&
+            is_array($senderSupportedAlgs = $senderEntityMetadata[$senderSupportedSignatureAlgorithmsMetadataKey])
+        ) {
+            $senderSupportedAlgs = $this->helpers->type()
+                ->ensureArrayWithValuesAsNonEmptyStrings($senderSupportedAlgs);
+            $this->logger?->debug('Sender supported signature algorithms: ' . implode(', ', $senderSupportedAlgs));
+
+            $commonlySupportedAlgorithms = array_intersect($commonlySupportedAlgorithms, $senderSupportedAlgs);
+        }
+
+        if ($commonlySupportedAlgorithms !== []) {
+            $commonlySupportedAlgorithms = $this->helpers->type()
+                ->enforceNonEmptyArrayWithValuesAsNonEmptyStrings($commonlySupportedAlgorithms);
+
+            $this->logger?->debug(
+                'Commonly supported signature algorithms found: ' . implode(', ', $commonlySupportedAlgorithms),
+            );
+
+            return $signatureKeyPairBag->getFirstByAlgorithmOrFail(
+                SignatureAlgorithmEnum::from(reset($commonlySupportedAlgorithms)),
+            );
+        }
+
+        $this->logger?->debug('No commonly supported signature algorithms found. Using default.');
+
+        $this->logger?->debug(
+            'Signature Key Pair after algorithm selection: ',
+            [
+                'algorithm' => $signatureKeyPair->getSignatureAlgorithm()->value,
+                'keyId' => $signatureKeyPair->getKeyPair()->getKeyId(),
+            ],
+        );
+
+        return $signatureKeyPair;
+    }
+}
diff --git a/tests/src/Utils/KeyPairResolverTest.php b/tests/src/Utils/KeyPairResolverTest.php
@@ -0,0 +1,185 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Test\OpenID\Utils;
+
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\UsesClass;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use Psr\Log\LoggerInterface;
+use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
+use SimpleSAML\OpenID\Exceptions\OpenIdException;
+use SimpleSAML\OpenID\Helpers;
+use SimpleSAML\OpenID\Helpers\Type;
+use SimpleSAML\OpenID\Utils\KeyPairResolver;
+use SimpleSAML\OpenID\ValueAbstracts\SignatureKeyPair;
+use SimpleSAML\OpenID\ValueAbstracts\SignatureKeyPairBag;
+
+#[CoversClass(KeyPairResolver::class)]
+#[UsesClass(Type::class)]
+final class KeyPairResolverTest extends TestCase
+{
+    private MockObject $helpersMock;
+
+    private MockObject $loggerMock;
+
+    private MockObject $signatureKeyPairBagMock;
+
+    private MockObject $defaultKeyPairMock;
+
+
+    protected function setUp(): void
+    {
+        $this->helpersMock = $this->createMock(\SimpleSAML\OpenID\Helpers::class);
+        $typeHelper = new Type();
+        $this->helpersMock->method('type')->willReturn($typeHelper);
+        $this->loggerMock = $this->createMock(LoggerInterface::class);
+
+        $this->signatureKeyPairBagMock = $this->createMock(SignatureKeyPairBag::class);
+
+        $this->defaultKeyPairMock = $this->createMock(SignatureKeyPair::class);
+        $this->defaultKeyPairMock->method('getSignatureAlgorithm')
+            ->willReturn(SignatureAlgorithmEnum::RS256);
+
+        $this->signatureKeyPairBagMock->method('getFirstOrFail')
+            ->willReturn($this->defaultKeyPairMock);
+    }
+
+
+    protected function sut(
+        ?Helpers $helpers = null,
+        ?LoggerInterface $logger = null,
+    ): KeyPairResolver {
+        $helpers ??= $this->helpersMock;
+        $logger ??= $this->loggerMock;
+
+        return new KeyPairResolver($helpers, $logger);
+    }
+
+
+    public function testResolveWithReceiverDesignatedAlgorithm(): void
+    {
+        $receiverMetadata = [
+            'receiver_alg' => 'RS256',
+        ];
+
+        $keyPairMock = $this->createMock(SignatureKeyPair::class);
+        $keyPairMock->method('getSignatureAlgorithm')
+            ->willReturn(SignatureAlgorithmEnum::RS256);
+        $this->signatureKeyPairBagMock->expects($this->once())
+            ->method('getFirstByAlgorithmOrFail')
+            ->with(SignatureAlgorithmEnum::RS256)
+            ->willReturn($keyPairMock);
+
+        $result = $this->sut()->resolveSignatureKeyPairByAlgorithm(
+            $this->signatureKeyPairBagMock,
+            $receiverMetadata,
+            [],
+            'receiver_alg',
+        );
+
+        $this->assertSame($keyPairMock, $result);
+    }
+
+
+    public function testResolveWithSenderDesignatedAlgorithm(): void
+    {
+        $senderMetadata = [
+            'sender_alg' => 'ES256',
+        ];
+
+        $keyPairMock = $this->createMock(SignatureKeyPair::class);
+        $keyPairMock->method('getSignatureAlgorithm')
+            ->willReturn(SignatureAlgorithmEnum::ES256);
+
+        $this->signatureKeyPairBagMock->expects($this->once())
+            ->method('getFirstByAlgorithmOrFail')
+            ->with(SignatureAlgorithmEnum::ES256)
+            ->willReturn($keyPairMock);
+
+        $result = $this->sut()->resolveSignatureKeyPairByAlgorithm(
+            $this->signatureKeyPairBagMock,
+            [],
+            $senderMetadata,
+            null,
+            null,
+            'sender_alg',
+        );
+
+        $this->assertSame($keyPairMock, $result);
+    }
+
+
+    public function testResolveConflictDesignatedAlgorithmsThrows(): void
+    {
+        $receiverMetadata = ['alg' => 'RS256'];
+        $senderMetadata = ['alg' => 'ES256'];
+
+        $this->expectException(OpenIdException::class);
+        $this->expectExceptionMessage('Conflict in designated signature algorithms');
+
+        $this->sut()->resolveSignatureKeyPairByAlgorithm(
+            $this->signatureKeyPairBagMock,
+            $receiverMetadata,
+            $senderMetadata,
+            'alg',
+            null,
+            'alg',
+        );
+    }
+
+
+    public function testResolveCommonlySupportedAlgorithms(): void
+    {
+        $receiverMetadata = ['supported' => ['RS256', 'ES256']];
+        $senderMetadata = ['supported' => ['ES256', 'PS256']];
+
+        $this->signatureKeyPairBagMock->method('getAllAlgorithmNamesUnique')
+            ->willReturn(['RS256', 'ES256', 'PS256']);
+
+        $keyPairMock = $this->createMock(SignatureKeyPair::class);
+        $keyPairMock->method('getSignatureAlgorithm')
+            ->willReturn(SignatureAlgorithmEnum::ES256);
+        $this->signatureKeyPairBagMock->expects($this->once())
+            ->method('getFirstByAlgorithmOrFail')
+            ->with(SignatureAlgorithmEnum::ES256)
+            ->willReturn($keyPairMock);
+
+        $result = $this->sut()->resolveSignatureKeyPairByAlgorithm(
+            $this->signatureKeyPairBagMock,
+            $receiverMetadata,
+            $senderMetadata,
+            null,
+            'supported',
+            null,
+            'supported',
+        );
+
+        $this->assertSame($keyPairMock, $result);
+    }
+
+
+    public function testResolveFallbackToDefaultWhenNoMatch(): void
+    {
+        $receiverMetadata = ['supported' => ['RS256']];
+        $senderMetadata = ['supported' => ['ES256']];
+
+        $this->signatureKeyPairBagMock->method('getAllAlgorithmNamesUnique')
+            ->willReturn(['PS256']);
+
+
+        $result = $this->sut()->resolveSignatureKeyPairByAlgorithm(
+            $this->signatureKeyPairBagMock,
+            $receiverMetadata,
+            $senderMetadata,
+            null,
+            'supported',
+            null,
+            'supported',
+        );
+
+        $this->assertSame($this->defaultKeyPairMock, $result);
+    }
+}
