smart-id-php-client's People

Contributors: aasaru, alvar-sk, donrico, edgarsn, jalukse, jeserkin, mikk125, rkaalma, sk-natalja, ttoomema


smart-id-php-client's Issues

Unable to authenticate user

I'm not even trying to get the birthdate and I get the error when trying to authenticate the client.
This is the exception that comes externally from the request to SK - "Unable get birthdate from Latvian personal code 140400-2****"

Binding Smart-ID calls to a specific interface

Since SK uses IP whitelisting to authorize SmartID requests, it's important that in case of multiple IP addresses/interfaces on a server the request is made from the right IP.

In PHP/curl, this can be achieved by setting:
curl_setopt($ch, CURLOPT_INTERFACE, '1.2.3.4');

Would there be a possibility to add a setInterface() method to Sk\SmartId\Client that would then be passed on to the requests that set the correct interface?

Unknown property exception "serialNumberHex" thrown when trying to authenticate user.

Hi! Trying to use this library results in an "Undefined property (serialNumberHex)" exception.

Preconditions

"sk-id-solutions/smart-id-php-client": "~1.0"
php: 7.0.17

Steps to reproduce

  1. Use test environment (https://sid.demo.sk.ee/smart-id-rp/v1/)
  2. call SmartIdAuthenticationResponse::authenticate() having the parameters correctly set
  3. get the "Undefined property (serialNumberHex)" exception thrown.

When SmartIdAuthenticationResponse::getCertificateInstance() is called after AuthenticationRequestBuilder::authenticate(), a new AuthenticationCertificate() is called and PropertyMapper::fromArray() tries to map serialNumberHex as a class property which does not exist. I personally see two solutions to this:

  1. Ignore attributes that do not exist in the class with a simple is_property() check
  2. Add the missing serialNumberHex property to the AuthenticationCertificate class

Thanks in advance.
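The first of the two options above, written out as an added example (this is not the library's PropertyMapper; the class and property names are assumptions made for the illustration). The point a practitioner cares about is that a response from a remote API is untrusted input: a mapper should copy only the fields the target class declares, and should report rather than silently swallow anything it does not recognise, so that a new field such as serialNumberHex is neither a fatal error nor an unnoticed change.

```php
<?php
// Added example, not code from smart-id-php-client. A fromArray() that maps
// only declared public properties and hands unknown keys back to the caller.

class AuthenticationCertificateExample
{
    public $value;
    public $certificateLevel;
    // Declared so the key is mapped; any key that is not declared is skipped.
    public $serialNumberHex;
}

final class TolerantPropertyMapper
{
    /**
     * Map an associative array onto a fresh instance of $class.
     * Only public properties declared on the class are assigned; unknown keys are
     * collected and returned so the caller can log them instead of losing them.
     *
     * @return array  [object $instance, string[] $unknownKeys]
     */
    public static function fromArray($class, array $data)
    {
        $instance = new $class();
        $unknown = array();
        foreach ($data as $key => $value) {
            // Only identifier-shaped keys are even considered; anything else is noise.
            if (!is_string($key) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key)) {
                $unknown[] = (string) $key;
                continue;
            }
            // property_exists() is also true for private/protected members, which
            // this mapper could not assign from outside, so the class above keeps
            // its mapped members public on purpose.
            if (!property_exists($instance, $key)) {
                $unknown[] = $key;
                continue;
            }
            $instance->$key = $value;
        }
        return array($instance, $unknown);
    }
}

// Constructed sample response in the shape the issue describes, plus one
// field the class does not know about.
$response = array(
    'value'                 => 'MIIB...constructed base64...',
    'certificateLevel'      => 'QUALIFIED',
    'serialNumberHex'       => '0A1B2C',
    'newFieldAddedNextYear' => 'x',
);

list($cert, $unknown) = TolerantPropertyMapper::fromArray('AuthenticationCertificateExample', $response);
printf("serialNumberHex=%s, skipped=%s\n", $cert->serialNumberHex, implode(',', $unknown));
```

Returning the unknown keys rather than discarding them keeps the mapper lenient at runtime while still giving monitoring a signal that the upstream response format has changed.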

Non-blocking Smart-ID polling requests

Is there a way to use Smart-ID in the same way as Mobile-ID, making polling calls from the frontend?

Mobile-ID works so that:

  • We make a first API call to initialize the authentication/signing, get back either an error (such as user does not have Mobile ID enabled) or the verification code + session ID
  • We then make polling calls via frontend every N seconds until we get back either a successful response or a final error

Currently, all examples like https://github.com/SK-EID/smart-id-php-client/wiki/Examples-of-using-it have implemented it so that the verification code is generated (and can then be shown to the user) and then a call is made to authenticate(), which ends up in SessionStatusPoller::pollForFinalSessionStatus(), which in turn implements a while loop until it gets back a success, error or a timeout.

This implementation has a few drawbacks:

  • At the time of calculating and showing the verification code to the user we don't really know yet if the user has Smart-ID at all. So if we show that to user and then make a followup Ajax call to init the blocking authenticate() call, the user will falsely see a "Success, your verification code is 1234" message for a brief moment.
  • Since the request is sitting in a while loop, this will block the PHP default file-based session until completed, so in case the user will hit reload, the following request will wait for the session file until the authenticate() call times out.

The SessionStatusPoller has all the methods needed to implement a Mobile-ID like solution, but they are all either private or protected, so cannot be called from the client implementation.

Is this intentional?

Error! Response is not valid! Error(s): Signature verification failed.

Hello there.

So basically I use 2 calls to identify a customer:

1st I call session id with startAuthenticationAndReturnSessionId and semanticsIdentifier.
Then continuously I check for the session with createSessionStatusFetcher, but when I get a response and try to validate it with authenticationResponseValidator I get a runtime exception:

An uncaught Exception was encountered
Type: RuntimeException
Message: Error! Response is not valid! Error(s): Signature verification failed.

And $authenticationResponse->getDocumentNumber() is empty.

The path to trusted certificates is defined, and when I use the authenticate method everything works correctly.

It seems strange to me that when I try to validate the session, not the user, I get this issue.

Thanks

Add HTTPS Pinning

Smart-ID documentation covers HTTPS pinning. Unfortunately it is a little bit tricky, and it would be nice to have in this package.

I see that @andrevka has created pull request #18 to address the issue. It is great work but has one drawback: it breaks backward compatibility. Currently the package supports PHP >= 5.6, but with the proposed pull request the new minimum requirement is >= 7.0.7.

I had an idea how to make it work even with PHP 5.6 and created a branch for this development: https://github.com/raigu/smart-id-php-client/commits/pinning

I have a question for maintainer. Is it important to keep backward compatibility? If yes, should I continue with the referred branch?

My proposed package is not finished. I made this issue to share my thoughts with @andrevka and the maintainer and see if we have mutual interests and can cooperate. What I have not done yet:

  • documentation with samples
  • simplified keys (currently uses PEM, but I see @andrevka has used hashes, which is shorter)
  • think through how to avoid conditional statements in end application when switching between production and demo environment
  • if a PHP > 7.0.7 environment is detected, then use curl's native pinning functionality

Will wait for feedback from the maintainer or @andrevka. If there is interest I/we can continue.
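An added example of the two-path approach sketched in the list above: curl's native public-key pinning where the constant exists (PHP >= 7.0.7), and a manual check of the peer certificate on older PHP. This is not code from pull request #18 or from the referenced branch; the URL, CA bundle path and pin values are placeholders, and the pin format used is curl's own, base64(SHA-256(SubjectPublicKeyInfo DER)), so the same pin list works on both paths.

```php
<?php
// Added example, not code from smart-id-php-client or the pinning branches
// discussed above. Pins are "sha256//<base64 of SHA-256 over the SPKI DER>",
// the format CURLOPT_PINNEDPUBLICKEY expects; spkiPinFromPem() below computes
// that value from a PEM certificate so pins can be produced and checked locally.

// Compute the curl-style SPKI pin for a PEM certificate (null if unparsable).
function spkiPinFromPem($certPem)
{
    $pub = openssl_pkey_get_public($certPem);
    if ($pub === false) {
        return null;
    }
    $details = openssl_pkey_get_details($pub);
    // 'key' is the public key as PEM ("-----BEGIN PUBLIC KEY-----"), i.e. the
    // base64-encoded SubjectPublicKeyInfo DER that the pin is computed over.
    $der = base64_decode(preg_replace('/-----[^-]+-----|\s+/', '', $details['key']));
    return base64_encode(hash('sha256', $der, true));
}

// Perform a GET against $url, accepting the connection only if the server's
// leaf public key matches one of $pins (list of base64 SPKI hashes).
function pinnedGet($url, array $pins, $caBundle)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // chain validation stays on; pinning is added on top
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle,
    ));

    // The constant only exists on PHP >= 7.0.7 built against a curl that supports it.
    $native = defined('CURLOPT_PINNEDPUBLICKEY');
    if ($native) {
        $spec = array();
        foreach ($pins as $pin) {
            $spec[] = 'sha256//' . $pin;
        }
        // curl aborts the handshake if the server key matches none of the pins,
        // so no request data is ever sent to an unpinned endpoint.
        curl_setopt($ch, CURLOPT_PINNEDPUBLICKEY, implode(';', $spec));
    } else {
        // Fallback (needs an OpenSSL-backed curl): expose the peer chain after the
        // transfer so we can compare the leaf key ourselves.
        curl_setopt($ch, CURLOPT_CERTINFO, true);
    }

    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('TLS/HTTP failure: ' . $err);
    }

    if (!$native) {
        $info    = curl_getinfo($ch, CURLINFO_CERTINFO);
        $leafPem = isset($info[0]['Cert']) ? $info[0]['Cert'] : '';
        $pin     = spkiPinFromPem($leafPem);
        if ($pin === null || !in_array($pin, $pins, true)) {
            curl_close($ch);
            // On this path the request has already completed, so the only option
            // is to discard the response; prefer the native path wherever possible.
            throw new RuntimeException('Public key pin mismatch');
        }
    }
    curl_close($ch);
    return $body;
}

// Usage with placeholders; real pins must be derived from the certificates of
// the environment (demo or production) that is actually being called.
// $body = pinnedGet('https://sid.demo.sk.ee/smart-id-rp/v1/',
//                   array('<base64 SPKI pin of the demo leaf key>'),
//                   '/etc/ssl/certs/ca-certificates.crt');
```

The asymmetry between the two paths is worth keeping in mind when deciding whether PHP 5.6 support is worth it: the native check fails the TLS handshake before any request bytes leave the client, while the CERTINFO fallback can only reject a response after the request has been sent. Keeping a pin for the current key and one for a planned successor key is also what makes the production/demo switch and key rotation manageable without conditional code in the calling application.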

SessionStatus - interactionFlowUsed is not set.

Hi!

I updated to version 2.2 and after some modifications I got stuck with the following error:

Uncaught TypeError: Return value of Sk\SmartId\Api\Data\SessionStatus::getInteractionFlowUsed() must be of the type string, null returned in ../sk-id-solutions/smart-id-php-client/src/Sk/SmartId/Api/Data/SessionStatus.php:154

My authenticate code is as follows:

$authenticationResponse = $client->authentication()
  ->createAuthentication()
  ->withSemanticsIdentifier( $identity )
  ->withAuthenticationHash( $authenticationHash )
  ->withAllowedInteractionsOrder([Interaction::ofTypeDisplayTextAndPIN("Text and pin")])
  ->withCertificateLevel( CertificateLevelCode::QUALIFIED )
  ->authenticate();

If I add
private $interactionFlowUsed = "displayTextAndPin";
as a default to the SessionStatus class, it works.

isCertificateTrusted fails

Not sure if this is a bug or not, but when using this library against the Demo environment at https://sid.demo.sk.ee/smart-id-rp/v1/
the method \Sk\SmartId\Api\AuthenticationResponseValidator::isCertificateTrusted fails.

When replacing this foreach loop

foreach ( $this->trustedCACertificates as $trustedCACertificate )
{
  if ( $this->verifyTrustedCACertificate( $certificateAsResource, $trustedCACertificate ) === true )
  {
    return true;
  }
}

with the following code, it works and returns true:

if ( openssl_x509_checkpurpose( $certificateAsResource, X509_PURPOSE_ANY, $this->trustedCACertificates ) === true ) {
    return true;
}

Why is there a foreach loop anyway, when openssl_x509_checkpurpose can handle a path to certificates or an array of certificate paths?

The certificates in use are:

  • TEST_of_EE_Certification_Centre_Root_CA.pem.crt
  • TEST_of_EID-SK_2016.pem.crt
  • TEST_of_NQ-SK_2016.pem.crt

The certificate returned from Smart-ID is:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

SemanticsIdentifier fails with LV personal code

Hi. My team is currently trying to implement Smart-ID authentication, but we have run into a problem with SemanticsIdentifier and LV (Latvia) personal codes.
The Sk\SmartId\Api\Data\SemanticsIdentifier validate function wants $semanticsIdentifier to match this regex: /^[A-Z]{5}-[a-zA-Z\d]{5,30}$/ but this regex doesn't match LV codes.

For example, taking this LV code 030303-10012 (demo account code) and PNO type, validation expects PNOLV-03030310012, but in reality it is PNOLV-030303-10012, which fails. Going with PNOLV-03030310012 is not an option as that fails later on with a user not found exception (as expected).

For now we are going with extending validate on our end to match LV code, but I think this should be fixed here. Or at least some config parameter added so this regex could be overwritten without extension.
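A small added validator that shows the difference between the regex quoted in the issue and one that admits a hyphen inside the national identifier part, run over the LV demo code from the issue plus constructed EE/LT-shaped samples. This is not the library's SemanticsIdentifier class; the relaxed pattern and the extra start/end check are this example's own choices, so that loosening the character class for Latvia does not also start accepting junk such as a trailing hyphen.

```php
<?php
// Added example, not code from smart-id-php-client. Two patterns for the
// Smart-ID semantics identifier "<3-letter type><2-letter country>-<id>":
const STRICT_REGEX  = '/^[A-Z]{5}-[a-zA-Z\d]{5,30}$/';           // as quoted in the issue
const RELAXED_REGEX = '/^[A-Z]{3}[A-Z]{2}-[A-Za-z0-9-]{5,30}$/'; // also allows '-' inside the id

// Validate a semantics identifier. The id part may contain hyphens (LV codes do)
// but must start and end with an alphanumeric character, so "PNOLV-030303-" is
// still rejected even though RELAXED_REGEX alone would accept it.
function validateSemanticsIdentifier($value, $regex = RELAXED_REGEX)
{
    if (!is_string($value) || preg_match($regex, $value) !== 1) {
        return false;
    }
    $idPart = substr($value, 6); // everything after "PNOLV-"
    return preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$/', $idPart) === 1;
}

// Samples: the LV demo code from the issue; the rest are constructed shapes.
$samples = array(
    'PNOLV-030303-10012', // LV with the hyphen the code really contains
    'PNOLV-03030310012',  // LV without the hyphen: passes both, but is not how LV codes are written
    'PNOEE-10101010005',  // constructed EE-shaped code
    'PNOLT-10101010005',  // constructed LT-shaped code
    'PNOLV-030303-',      // trailing hyphen: relaxed regex alone would accept, validator rejects
    'pnolv-030303-10012', // lowercase prefix: rejected by both
);
foreach ($samples as $s) {
    printf("%-22s strict=%-4s relaxed=%s\n", $s,
        preg_match(STRICT_REGEX, $s) === 1 ? 'ok' : 'FAIL',
        validateSemanticsIdentifier($s) ? 'ok' : 'FAIL');
}
```

The validator deliberately stays a syntax check: whether a code designates an existing Smart-ID account is only learned from the service, as the "user not found" exception above shows, so the local check should reject obviously malformed input without trying to encode every country's numbering rules.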

More realistic example into the readme

The current example of how to implement "Authenticating with semantics identifier" (https://github.com/SK-EID/smart-id-php-client#authenticating-with-semantics-identifier) merges 2 steps into a single flow, which is a bit misleading when considering a real-world use case that IMHO is split into the following steps:

  1. First request is made to the backend to initialize the Smart-ID authentication process and get the verification code to show to the user.
  2. Right after the verification code response has come back and been shown to the user, a second request is made to the backend that responds when the user has gone through the process within the Smart-ID app or some exception has been thrown. Then the user is either authenticated or an error will be sent as a response to the client.

It is not so straightforward to split the example into 2 steps, as objects are passed along, not simple data like strings (like authenticationHash, which would happen in a realistic use case when data is moving between the backend and the client between those steps).

I do understand that the readme should show a simple use case; however, it would make sense in my mind to make it something closer to what can be used in a real application.
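The two-step, browser-polled flow asked for in "Non-blocking Smart-ID polling requests" and in this issue, as an added example (it is not code from smart-id-php-client, its readme or its wiki). It also shows the session-status-fetcher path that the "Signature verification failed" report uses. Method names on the client, fetcher and validator (startAuthenticationAndReturnSessionId, createSessionStatusFetcher, withSessionId, withAuthenticationHash, withSessionStatusResponseSocketTimeoutMs, getSessionStatus, isRunningState, createSmartIdAuthenticationResponse, AuthenticationHash::generate, calculateVerificationCode, validate, isValid, getErrors, getAuthenticationIdentity) are taken from the issues above or assumed from the library's README and should be checked against the version in use; the timeout constant is a constructed value.

```php
<?php
// Added example, not from smart-id-php-client. Two HTTP handlers: /auth/start
// creates the Smart-ID session and returns the verification code; /auth/poll is
// called by the browser every few seconds and answers "pending" until the final
// status is in. Nothing sits in a while loop, and the PHP session lock is
// released before any network wait so a page reload is not blocked behind it.

use Sk\SmartId\Api\Data\AuthenticationHash;
use Sk\SmartId\Api\Data\Interaction;

const SMARTID_MAX_WAIT_SECONDS = 120; // constructed limit: give up polling after this

// Handler 1: POST /auth/start. Only the verification code goes to the browser;
// the session id and the signed hash stay server-side.
function startAuthentication($client, $semanticsIdentifier)
{
    $authenticationHash = AuthenticationHash::generate();
    $verificationCode   = $authenticationHash->calculateVerificationCode();

    $sessionId = $client->authentication()->createAuthentication()
        ->withSemanticsIdentifier($semanticsIdentifier)
        ->withAuthenticationHash($authenticationHash)
        ->withAllowedInteractionsOrder([Interaction::ofTypeDisplayTextAndPIN('Log in')])
        ->startAuthenticationAndReturnSessionId();

    // The hash object is kept in the session (PHP serialises it); this is what lets
    // the second step verify the signature over the same hash that was started.
    $_SESSION['smartid'] = [
        'sessionId' => $sessionId,
        'hash'      => $authenticationHash,
        'startedAt' => time(),
    ];
    session_write_close(); // release the file-based session lock before returning

    return ['status' => 'started', 'verificationCode' => $verificationCode];
}

// Handler 2: GET /auth/poll. The session id comes from the server-side session,
// never from the request, so a client cannot poll or complete someone else's login.
function pollAuthentication($client, $validator)
{
    if (empty($_SESSION['smartid'])) {
        return ['status' => 'error', 'reason' => 'no authentication in progress'];
    }
    $state = $_SESSION['smartid'];
    session_write_close(); // do not hold the lock while waiting on the network

    if (time() - $state['startedAt'] > SMARTID_MAX_WAIT_SECONDS) {
        return finish(['status' => 'error', 'reason' => 'timeout']);
    }

    $fetcher = $client->authentication()->createSessionStatusFetcher()
        ->withSessionId($state['sessionId'])
        ->withAuthenticationHash($state['hash'])
        ->withSessionStatusResponseSocketTimeoutMs(2000); // short long-poll; the browser re-polls

    $sessionStatus = $fetcher->getSessionStatus();
    if ($sessionStatus->isRunningState()) {
        return ['status' => 'pending'];
    }

    $authenticationResponse = $fetcher->createSmartIdAuthenticationResponse($sessionStatus);
    $result = $validator->validate($authenticationResponse); // signature, certificate chain, level
    if (!$result->isValid()) {
        return finish(['status' => 'error', 'reason' => implode('; ', $result->getErrors())]);
    }

    $identity = $result->getAuthenticationIdentity();
    return finish(['status' => 'ok'], [
        'identityCode' => $identity->getIdentityCode(),
        'country'      => $identity->getCountry(),
        'name'         => $identity->getGivenName() . ' ' . $identity->getSurName(),
    ]);
}

// Reopen the session only for the final write: drop the pending state and, on
// success, record the authenticated user under a fresh session id.
function finish(array $reply, array $user = null)
{
    session_start();
    unset($_SESSION['smartid']);
    if ($user !== null) {
        session_regenerate_id(true); // new id once the principal changes
        $_SESSION['user'] = $user;
    }
    session_write_close();
    return $reply;
}
```

The verification code is only shown after startAuthenticationAndReturnSessionId() has succeeded, so a user without a Smart-ID account gets the error from that call instead of briefly seeing a "success" message; and because each poll is short and the session lock is released first, a reload no longer waits for a blocking authenticate() to time out.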
