web-auth
diff --git a/‎CLAUDE.md‎
Lines changed: 187 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 187 additions & 0 deletions
diff --git a/‎src/webauthn/src/AttestationStatement/AndroidKeyAttestationStatementSupport.php‎
Lines changed: 28 additions & 17 deletions b/‎src/webauthn/src/AttestationStatement/AndroidKeyAttestationStatementSupport.php‎
Lines changed: 28 additions & 17 deletions
diff --git a/‎src/webauthn/src/AttestationStatement/AppleAttestationStatementSupport.php‎
Lines changed: 28 additions & 20 deletions b/‎src/webauthn/src/AttestationStatement/AppleAttestationStatementSupport.php‎
Lines changed: 28 additions & 20 deletions
@@ -0,0 +1,187 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Overview
+
+This is a **FIDO2/WebAuthn framework for PHP and Symfony**, providing passwordless authentication using security keys and biometric authenticators. It's organized as a monorepo that splits into multiple packages via git-split.
+
+## Development Commands
+
+All commands use **Castor** (PHP task runner) defined in `castor.php`.
+
+### Testing
+```bash
+# Run all tests
+castor phpunit
+
+# Run specific test(s)
+castor phpunit -- --filter=TestName
+
+# Run specific test file
+./bin/phpunit tests/library/Unit/SomeTest.php
+
+# JavaScript tests (Stimulus)
+castor js
+```
+
+### Code Quality
+```bash
+# Check code style (Easy Coding Standard)
+castor ecs
+
+# Fix code style issues
+castor ecs_fix
+
+# Check refactoring opportunities (Rector)
+castor rector
+
+# Apply refactorings
+castor rector_fix
+
+# Static analysis (PHPStan at max level)
+castor phpstan
+
+# Architecture layer validation (Deptrac)
+castor deptrac
+
+# PHP syntax check
+castor lint
+```
+
+### Before Submitting PR
+```bash
+# Run all fixes and checks in sequence
+castor prepare_pr
+```
+
+## Architecture
+
+### Monorepo Structure
+
+Three main packages in `src/`:
+
+1. **`webauthn/`** (`web-auth/webauthn-lib`) - Core PHP library
+   - Pure PHP FIDO2/WebAuthn implementation
+   - No framework dependencies (besides Symfony components)
+   - Handles attestation/assertion validation and cryptographic operations
+
+2. **`symfony/`** (`web-auth/webauthn-symfony-bundle`) - Symfony integration
+   - Controllers, repositories, DI configuration
+   - Security bundle integration
+   - Doctrine ORM credential storage
+
+3. **`stimulus/`** (`web-auth/ux`) - Frontend Stimulus controllers
+   - Browser WebAuthn API interaction
+
+Packages are split to separate repos via `.gitsplit.yml`.
+
+### Core Architectural Patterns
+
+**Ceremony Step Pattern** - Validation is decomposed into discrete steps:
+- Located in `src/webauthn/src/CeremonyStep/`
+- Each step implements specific WebAuthn specification requirements
+- Examples: `CheckChallenge`, `CheckSignature`, `CheckOrigin`, `CheckCounter`
+- Orchestrated by `CeremonyStepManager`
+- Steps are registered and executed in sequence during validation ceremonies
+
+**Attestation Statement Support Pattern** - Pluggable attestation format handlers:
+- Located in `src/webauthn/src/AttestationStatement/`
+- Supports: Android Key, Apple, FIDO U2F, Packed, TPM, None, Compound
+- Each format handler implements `AttestationStatementSupport` interface
+- Managed by `AttestationStatementSupportManager`
+
+**Repository Pattern**:
+- `PublicKeyCredentialSourceRepositoryInterface` - Credential storage
+- `PublicKeyCredentialUserEntityRepositoryInterface` - User entity management
+- Doctrine implementation: `DoctrineCredentialSourceRepository`
+
+**Event Dispatcher Pattern**:
+- PSR-14 event dispatcher for lifecycle hooks
+- Events in `src/webauthn/src/Event/`
+
+### Key Components
+
+**Core Validators** (entry points for validation logic):
+- `AuthenticatorAttestationResponseValidator` - Validates registration responses
+- `AuthenticatorAssertionResponseValidator` - Validates authentication responses
+
+**Ceremony Management**:
+- `CeremonyStepManager` in `src/webauthn/src/CeremonyStep/CeremonyStepManager.php`
+- Orchestrates ceremony steps for attestation and assertion validation
+- Steps can be registered/customized via dependency injection
+
+**Credential Management**:
+- `PublicKeyCredentialSource` - Represents stored credentials
+- `PublicKeyCredentialDescriptor` - References credentials
+- Counter validation to detect cloned authenticators
+
+**Symfony Bundle Integration**:
+- Controllers in `src/symfony/src/Controller/`
+- DI configuration in `src/symfony/src/DependencyInjection/`
+- Compiler passes for service registration
+- Security authenticator factory integration
+
+### Architectural Boundaries (Deptrac)
+
+Strict layer enforcement:
+- **Webauthn** (core) → Vendors + MetadataService only
+- **SymfonyBundle** → Vendors + Webauthn + MetadataService
+- **UX/Stimulus** → Vendors only
+- **MetadataService** → Vendors only
+
+Violations will fail CI checks via `castor deptrac`.
+
+## Development Workflow
+
+### Adding a New Ceremony Step
+
+1. Create class in `src/webauthn/src/CeremonyStep/` implementing `CeremonyStep` interface
+2. Register in `CeremonyStepManagerFactory` or via Symfony compiler pass
+3. Add unit tests in `tests/library/Unit/CeremonyStep/`
+4. Consider both attestation and assertion ceremony contexts
+
+### Adding a New Attestation Format
+
+1. Create support class in `src/webauthn/src/AttestationStatement/`
+2. Implement `AttestationStatementSupport` interface
+3. Register via Symfony bundle compiler pass
+4. Add comprehensive tests with real attestation examples in `tests/library/Unit/AttestationStatement/`
+
+### Test Structure
+
+Tests are in `tests/`:
+- `framework/` - Framework-level integration tests
+- `library/` - Core library unit tests (Unit & Functional subdirs)
+- `symfony/` - Symfony bundle functional tests
+- `MDS/` - Metadata Service tests
+
+## Important Context
+
+### Requirements
+- PHP 8.2+
+- Extensions: ext-json, ext-openssl
+- Symfony 6.4, 7.0, or 8.0
+
+### Code Standards
+- PSR-12 coding standard (enforced via ECS)
+- Strict types declared in all files
+- PHPStan at max level
+- Git-Flow branching strategy
+- Current development branch: **5.3.x**
+- Main branch for PRs: **5.2.x**
+
+### Key Dependencies
+- `spomky-labs/cbor-php` - CBOR encoding/decoding
+- `web-auth/cose-lib` - COSE cryptography
+- `spomky-labs/pki-framework` - PKI operations
+
+### Monorepo Development
+- Use `./link` script to link local packages for development
+- Changes in `src/*` affect corresponding split repositories
+- CI runs git-split automatically on push
+
+### Security
+- Private vulnerability reporting via GitHub Security Advisories
+- Contact: security@spomky-labs.com
+- **Never** file public issues for security vulnerabilities
@@ -14,6 +14,8 @@
 use SpomkyLabs\Pki\ASN1\Type\Constructed\Sequence;
 use SpomkyLabs\Pki\ASN1\Type\Primitive\OctetString;
 use SpomkyLabs\Pki\ASN1\Type\Tagged\ExplicitTagging;
+use SpomkyLabs\Pki\CryptoEncoding\PEM;
+use SpomkyLabs\Pki\X509\Certificate\Certificate;
 use Webauthn\AuthenticatorData;
 use Webauthn\Event\AttestationStatementLoaded;
 use Webauthn\Event\CanDispatchEvents;
@@ -117,6 +119,15 @@ public function isValid(
         ) === 1;
     }
 
+    /**
+     * @param string $certificate
+     * @param string $clientDataHash
+     * @param AuthenticatorData $authenticatorData
+     * @return void
+     * @throws AttestationStatementVerificationException
+     *
+     * @see https://www.w3.org/TR/webauthn-3/#sctn-android-key-attestation
+     */
     private function checkCertificate(
         string $certificate,
         string $clientDataHash,
@@ -157,27 +168,27 @@ private function checkCertificate(
         );
 
         /*---------------------------*/
-        $certDetails = openssl_x509_parse($certificate);
+        /**
+         * Check Android Key Attestation Statement Certificate requirements
+         *
+         * @see https://w3c.github.io/webauthn/#sctn-key-attstn-cert-requirements
+         */
+        $cert = Certificate::fromPEM(PEM::fromString($certificate));
+        $extensions = $cert->tbsCertificate()->extensions();
 
         //Find Android KeyStore Extension with OID "1.3.6.1.4.1.11129.2.1.17" in certificate extensions
-        is_array(
-            $certDetails
-        ) || throw AttestationStatementVerificationException::create('The certificate is not valid');
-        array_key_exists('extensions', $certDetails) || throw AttestationStatementVerificationException::create(
-            'The certificate has no extension'
-        );
-        is_array($certDetails['extensions']) || throw AttestationStatementVerificationException::create(
-            'The certificate has no extension'
-        );
-        array_key_exists(
-            '1.3.6.1.4.1.11129.2.1.17',
-            $certDetails['extensions']
-        ) || throw AttestationStatementVerificationException::create(
+        $extensions->has('1.3.6.1.4.1.11129.2.1.17') || throw AttestationStatementVerificationException::create(
             'The certificate extension "1.3.6.1.4.1.11129.2.1.17" is missing'
         );
-        $extension = $certDetails['extensions']['1.3.6.1.4.1.11129.2.1.17'];
-        $extensionAsAsn1 = Sequence::fromDER($extension);
-        $extensionAsAsn1->has(4);
+        $androidExtension = $extensions->get('1.3.6.1.4.1.11129.2.1.17');
+        // Get the extension ASN.1 structure: SEQUENCE { OID, [BOOLEAN], OCTET STRING }
+        $extensionAsn1 = $androidExtension->toASN1();
+        // The last element is the extnValue OCTET STRING containing the actual extension data
+        $extnValueOctetString = $extensionAsn1->at($extensionAsn1->count() - 1)->asOctetString();
+        $extensionData = $extnValueOctetString->string();
+
+        // Parse the Android extension value structure
+        $extensionAsAsn1 = Sequence::fromDER($extensionData);
 
         //Check that attestationChallenge is set to the clientDataHash.
         $extensionAsAsn1->has(4) || throw AttestationStatementVerificationException::create(
 
@@ -10,6 +10,9 @@
 use Cose\Key\Key;
 use Cose\Key\RsaKey;
 use Psr\EventDispatcher\EventDispatcherInterface;
+use SpomkyLabs\Pki\ASN1\Type\UnspecifiedType;
+use SpomkyLabs\Pki\CryptoEncoding\PEM;
+use SpomkyLabs\Pki\X509\Certificate\Certificate;
 use Webauthn\AuthenticatorData;
 use Webauthn\Event\AttestationStatementLoaded;
 use Webauthn\Event\CanDispatchEvents;
@@ -105,6 +108,15 @@ public function isValid(
         return true;
     }
 
+    /**
+     * @param string $certificate
+     * @param string $clientDataHash
+     * @param AuthenticatorData $authenticatorData
+     * @return void
+     * @throws AttestationStatementVerificationException
+     *
+     * @see https://www.w3.org/TR/webauthn-3/#sctn-apple-anonymous-attestation
+     */
     private function checkCertificateAndGetPublicKey(
         string $certificate,
         string $clientDataHash,
@@ -146,32 +158,28 @@ private function checkCertificateAndGetPublicKey(
         );
 
         /*---------------------------*/
-        $certDetails = openssl_x509_parse($certificate);
+        $cert = Certificate::fromPEM(PEM::fromString($certificate));
+        $extensions = $cert->tbsCertificate()->extensions();
 
         //Find Apple Extension with OID "1.2.840.113635.100.8.2" in certificate extensions
-        is_array(
-            $certDetails
-        ) || throw AttestationStatementVerificationException::create('The certificate is not valid');
-        array_key_exists('extensions', $certDetails) || throw AttestationStatementVerificationException::create(
-            'The certificate has no extension'
-        );
-        is_array($certDetails['extensions']) || throw AttestationStatementVerificationException::create(
-            'The certificate has no extension'
-        );
-        array_key_exists(
-            '1.2.840.113635.100.8.2',
-            $certDetails['extensions']
-        ) || throw AttestationStatementVerificationException::create(
+        $extensions->has('1.2.840.113635.100.8.2') || throw AttestationStatementVerificationException::create(
             'The certificate extension "1.2.840.113635.100.8.2" is missing'
         );
-        $extension = $certDetails['extensions']['1.2.840.113635.100.8.2'];
+        $appleExtension = $extensions->get('1.2.840.113635.100.8.2');
+// Get the extension ASN.1 structure: SEQUENCE { OID, [BOOLEAN], OCTET STRING }
+        $extensionAsn1 = $appleExtension->toASN1();
+// The last element is the extnValue OCTET STRING containing the actual extension data
+        $extnValueOctetString = $extensionAsn1->at($extensionAsn1->count() - 1)->asOctetString();
+        $extensionData = $extnValueOctetString->string();
 
         $nonceToHash = $authenticatorData->authData . $clientDataHash;
-        $nonce = hash('sha256', $nonceToHash);
+        $nonce = hash('sha256', $nonceToHash, true);
+
+// Parse the Apple extension value structure: SEQUENCE { [1] OCTET STRING(nonce) }
+        $extensionSeq = UnspecifiedType::fromDER($extensionData)->asSequence();
+        $taggedElement = $extensionSeq->at(0)->asTagged();
+        $nonceFromCert = $taggedElement->asExplicit()->asOctetString()->string();
 
-        //'3024a1220420' corresponds to the Sequence+Explicitly Tagged Object + Octet Object
-        '3024a1220420' . $nonce === bin2hex(
-            (string) $extension
-        ) || throw AttestationStatementVerificationException::create('The client data hash is not valid');
+        strcmp($nonce, $nonceFromCert) === 0 || throw AttestationStatementVerificationException::create('The client data hash is not valid');
     }
 }