Validate certificate next certificate from chain

metsma · metsma · commit 66047111fd1b · 2026-03-09T11:06:50.000+02:00
WE2-1174, Fixes #45 Signed-off-by: Raul Metsma <raul@metsma.ee>
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -12,7 +12,7 @@ jobs:
       TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
       PROJECTNAME: 'web-eid/web-eid-authtoken-validation-php'
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
     - name: Download Coverity Build Tool
       run: |
         curl --silent --data "token=$TOKEN&project=$PROJECTNAME" -o cov-analysis-linux64.tar.gz https://scan.coverity.com/download/linux64
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
 
     - uses: shivammathur/setup-php@v2
       with:
@@ -26,7 +26,7 @@ jobs:
 
     - name: Cache Composer packages
       id: composer-cache
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: vendor
         key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
diff --git a/src/certificate/CertificateValidator.php b/src/certificate/CertificateValidator.php
@@ -79,7 +79,7 @@ public static function validateIsValidAndSignedByTrustedCA(
 
         if ($certificate->validateSignature()) {
             $chain = $certificate->getChain();
-            $trustedCACert = end($chain);
+            $trustedCACert = next($chain);
 
             // Verify that the trusted CA cert is presently valid before returning the result.
             self::certificateIsValidOnDate($trustedCACert, $now, "Trusted CA");
diff --git a/tests/validator/certvalidators/SubjectCertificateNotRevokedValidatorTest.php b/tests/validator/certvalidators/SubjectCertificateNotRevokedValidatorTest.php
@@ -56,7 +56,7 @@ public static function setUpBeforeClass(): void
     protected function setUp(): void
     {
         AsnUtil::loadOIDs();
-        $this->trustedValidator = new SubjectCertificateTrustedValidator(new TrustedCertificates([]), new Logger());
+        $this->trustedValidator = new SubjectCertificateTrustedValidator(new TrustedCertificates([Certificates::getTestEsteid2018CAGov()]), new Logger());
         self::setSubjectCertificateIssuerCertificate($this->trustedValidator);
         $this->estEid2018Cert = Certificates::getJaakKristjanEsteid2018Cert();
         $this->configuration = new AuthTokenValidationConfiguration();

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ public static function setUpBeforeClass(): void`
`56`	`56`	`protected function setUp(): void`
`57`	`57`	`{`
`58`	`58`	`AsnUtil::loadOIDs();`
`59`		`- $this->trustedValidator = new SubjectCertificateTrustedValidator(new TrustedCertificates([]), new Logger());`
	`59`	`+ $this->trustedValidator = new SubjectCertificateTrustedValidator(new TrustedCertificates([Certificates::getTestEsteid2018CAGov()]), new Logger());`
`60`	`60`	`self::setSubjectCertificateIssuerCertificate($this->trustedValidator);`
`61`	`61`	`$this->estEid2018Cert = Certificates::getJaakKristjanEsteid2018Cert();`
`62`	`62`	`$this->configuration = new AuthTokenValidationConfiguration();`