Fix trust path denormalization for x5c data validation (#694)

Ensure the 'x5c' key contains an array before creating a CertificateTrustPath. This prevents potential errors caused by invalid 'x5c' data structures during denormalization.

Author: Spomky

phpstan-baseline.neon

@@ -2011,7 +2011,7 @@ parameters:
 			path: src/webauthn/src/Denormalizer/TrustPathDenormalizer.php
 
 		-
-			message: '#^Parameter \#1 \$certificates of static method Webauthn\\TrustPath\\CertificateTrustPath\:\:create\(\) expects array\<string\>, array given\.$#'
+			message: '#^Parameter \#1 \$certificates of static method Webauthn\\TrustPath\\CertificateTrustPath\:\:create\(\) expects array\<string\>, array\<mixed, mixed\> given\.$#'
 			identifier: argument.type
 			count: 1
 			path: src/webauthn/src/Denormalizer/TrustPathDenormalizer.php

src/webauthn/src/Denormalizer/TrustPathDenormalizer.php

@@ -12,13 +12,14 @@
 use Webauthn\TrustPath\TrustPath;
 use function array_key_exists;
 use function assert;
+use function is_array;
 
 final class TrustPathDenormalizer implements DenormalizerInterface, NormalizerInterface
 {
     public function denormalize(mixed $data, string $type, ?string $format = null, array $context = []): mixed
     {
         return match (true) {
-            array_key_exists('x5c', $data) => CertificateTrustPath::create($data),
+            array_key_exists('x5c', $data) && is_array($data['x5c']) => CertificateTrustPath::create($data['x5c']),
             $data === [], isset($data['type']) && $data['type'] === EmptyTrustPath::class => EmptyTrustPath::create(),
             default => throw new InvalidTrustPathException('Unsupported trust path type'),
         };

tests/framework/ComposerJsonTest.php

@@ -56,7 +56,7 @@ public function packageDependenciesEqualRootDependencies(): void
             'Dependencies declared in root composer.json, which are not declared in any sub-package: %s',
             implode('', $unusedDependencies)
         );
-        static::assertCount(0, $unusedDependencies, $message);
+        static::assertEmpty($unusedDependencies, $message);
     }
 
     #[Test]

tests/library/Unit/SerializerTest.php

@@ -4,6 +4,7 @@
 
 namespace Webauthn\Tests\Unit;
 
+use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Test;
 use Symfony\Component\Serializer\Encoder\JsonEncode;
 use Symfony\Component\Serializer\Normalizer\AbstractObjectNormalizer;
@@ -13,13 +14,65 @@
 use Webauthn\PublicKeyCredentialRpEntity;
 use Webauthn\PublicKeyCredentialUserEntity;
 use Webauthn\Tests\AbstractTestCase;
+use Webauthn\TrustPath\CertificateTrustPath;
+use Webauthn\TrustPath\EmptyTrustPath;
+use Webauthn\TrustPath\TrustPath;
 use const JSON_THROW_ON_ERROR;
 
 /**
  * @internal
  */
 final class SerializerTest extends AbstractTestCase
 {
+    public static function provideTrustPath(): iterable
+    {
+        yield [
+            CertificateTrustPath::create(['X509_KEY_1', 'X509_KEY_2', 'X509_KEY_3']),
+            '{"x5c":["X509_KEY_1","X509_KEY_2","X509_KEY_3"]}',
+        ];
+        yield [EmptyTrustPath::create(), '[]'];
+    }
+
+    #[Test]
+    #[DataProvider('provideTrustPath')]
+    public function theTrustPathCanBeSerialized(TrustPath $trustPath, string $expected): void
+    {
+        //When
+        $json = $this->getSerializer()
+            ->serialize(
+                $trustPath,
+                'json',
+                [
+                    JsonEncode::OPTIONS => JSON_THROW_ON_ERROR,
+                    AbstractObjectNormalizer::SKIP_NULL_VALUES => true,
+                    AbstractObjectNormalizer::SKIP_UNINITIALIZED_VALUES => true,
+                ],
+            );
+
+        //Then
+        static::assertJsonStringEqualsJsonString($expected, $json);
+    }
+
+    #[Test]
+    #[DataProvider('provideTrustPath')]
+    public function theTrustPathCanBeDeserialized(TrustPath $trustPath, string $expected): void
+    {
+        //When
+        $deserialized = $this->getSerializer()
+            ->deserialize(
+                $expected,
+                TrustPath::class,
+                'json',
+                [
+                    AbstractObjectNormalizer::SKIP_NULL_VALUES => true,
+                    AbstractObjectNormalizer::SKIP_UNINITIALIZED_VALUES => true,
+                ],
+            );
+
+        //Then
+        static::assertEquals($trustPath, $deserialized);
+    }
+
     #[Test]
     public function theCredentialCanBeDeserialized(): void
     {

tests/symfony/functional/Attestation/AttestationTest.php

@@ -247,7 +247,7 @@ public function aPublicKeyCredentialCreationOptionsCanBeCreatedFromProfile(): vo
         );
         static::assertSame(32, strlen($options->challenge));
         static::assertSame([], $options->excludeCredentials);
-        static::assertCount(0, $options->pubKeyCredParams);
+        static::assertEmpty($options->pubKeyCredParams);
         static::assertSame('none', $options->attestation);
         static::assertNull($options->timeout);
     }