Direct call to ParagonIE\ConstantTime\Base64::decodeNoPadding().

src/webauthn/src/AttestationStatement/TPMAttestationStatementSupport.php

@@ -19,6 +19,7 @@
 use function is_array;
 use Lcobucci\Clock\Clock;
 use Lcobucci\Clock\SystemClock;
+use ParagonIE\ConstantTime\Base64UrlSafe;
 use RuntimeException;
 use Safe\DateTimeImmutable;
 use function Safe\openssl_verify;
@@ -28,7 +29,6 @@
 use Webauthn\StringStream;
 use Webauthn\TrustPath\CertificateTrustPath;
 use Webauthn\TrustPath\EcdaaKeyIdTrustPath;
-use Webauthn\Util\Base64;
 
 final class TPMAttestationStatementSupport implements AttestationStatementSupport
 {
@@ -268,7 +268,7 @@ private function getUnique(string $type, StringStream $stream): string
 
     private function getExponent(string $exponent): string
     {
-        return bin2hex($exponent) === '00000000' ? Base64::decodeUrlSafe('AQAB') : $exponent;
+        return bin2hex($exponent) === '00000000' ? Base64UrlSafe::decodeNoPadding('AQAB') : $exponent;
     }
 
     private function getTPMHash(string $nameAlg): string

src/webauthn/src/CollectedClientData.php

@@ -8,8 +8,8 @@
 use Assert\Assertion;
 use InvalidArgumentException;
 use const JSON_THROW_ON_ERROR;
+use ParagonIE\ConstantTime\Base64UrlSafe;
 use Webauthn\TokenBinding\TokenBinding;
-use Webauthn\Util\Base64;
 
 class CollectedClientData
 {
@@ -43,7 +43,7 @@ public function __construct(
 
         $challenge = $data['challenge'] ?? '';
         Assertion::string($challenge, 'Invalid parameter "challenge". Shall be a string.');
-        $challenge = Base64::decodeUrlSafe($challenge);
+        $challenge = Base64UrlSafe::decodeNoPadding($challenge);
         $this->challenge = $challenge;
         Assertion::notEmpty($challenge, 'Invalid parameter "challenge". Shall not be empty.');
 
@@ -61,7 +61,7 @@ public function __construct(
 
     public static function createFormJson(string $data): self
     {
-        $rawData = Base64::decodeUrlSafe($data);
+        $rawData = Base64UrlSafe::decodeNoPadding($data);
         $json = json_decode($rawData, true, 512, JSON_THROW_ON_ERROR);
         Assertion::isArray($json, 'Invalid collected client data');
 

src/webauthn/src/PublicKeyCredentialDescriptor.php

@@ -9,7 +9,6 @@
 use const JSON_THROW_ON_ERROR;
 use JsonSerializable;
 use ParagonIE\ConstantTime\Base64UrlSafe;
-use Webauthn\Util\Base64;
 
 class PublicKeyCredentialDescriptor implements JsonSerializable
 {
@@ -77,7 +76,7 @@ public static function createFromArray(array $json): self
         Assertion::keyExists($json, 'type', 'Invalid input. "type" is missing.');
         Assertion::keyExists($json, 'id', 'Invalid input. "id" is missing.');
 
-        $id = Base64::decodeUrlSafe($json['id']);
+        $id = Base64UrlSafe::decodeNoPadding($json['id']);
 
         return new self($json['type'], $id, $json['transports'] ?? []);
     }

src/webauthn/src/PublicKeyCredentialLoader.php

@@ -11,6 +11,7 @@
 use InvalidArgumentException;
 use const JSON_THROW_ON_ERROR;
 use function ord;
+use ParagonIE\ConstantTime\Base64UrlSafe;
 use Psr\Log\LoggerInterface;
 use Psr\Log\NullLogger;
 use function Safe\unpack;
@@ -66,7 +67,7 @@ public function loadArray(array $json): PublicKeyCredential
             Assertion::isArray($json['response'], 'The parameter "response" shall be an array');
             Assertion::eq($json['type'], 'public-key', sprintf('Unsupported type "%s"', $json['type']));
 
-            $id = Base64::decodeUrlSafe($json['id']);
+            $id = Base64UrlSafe::decodeNoPadding($json['id']);
             $rawId = Base64::decode($json['rawId']);
             Assertion::true(hash_equals($id, $rawId));
 
@@ -128,7 +129,7 @@ private function createResponse(array $response): AuthenticatorResponse
                     $response['clientDataJSON']
                 ), $attestationObject);
             case array_key_exists('authenticatorData', $response) && array_key_exists('signature', $response):
-                $authData = Base64::decodeUrlSafe($response['authenticatorData']);
+                $authData = Base64UrlSafe::decodeNoPadding($response['authenticatorData']);
 
                 $authDataStream = new StringStream($authData);
                 $rp_id_hash = $authDataStream->read(32);

src/webauthn/src/PublicKeyCredentialSource.php

@@ -13,7 +13,6 @@
 use Throwable;
 use Webauthn\TrustPath\TrustPath;
 use Webauthn\TrustPath\TrustPathLoader;
-use Webauthn\Util\Base64;
 
 /**
  * @see https://www.w3.org/TR/webauthn/#iface-pkcredential
@@ -166,14 +165,14 @@ public static function createFromArray(array $data): self
 
         try {
             return new self(
-                Base64::decodeUrlSafe($data['publicKeyCredentialId']),
+                Base64UrlSafe::decodeNoPadding($data['publicKeyCredentialId']),
                 $data['type'],
                 $data['transports'],
                 $data['attestationType'],
                 TrustPathLoader::loadTrustPath($data['trustPath']),
                 $uuid,
-                Base64::decodeUrlSafe($data['credentialPublicKey']),
-                Base64::decodeUrlSafe($data['userHandle']),
+                Base64UrlSafe::decodeNoPadding($data['credentialPublicKey']),
+                Base64UrlSafe::decodeNoPadding($data['userHandle']),
                 $data['counter'],
                 $data['otherUI'] ?? null
             );

src/webauthn/src/TokenBinding/TokenBinding.php

@@ -6,7 +6,7 @@
 
 use function array_key_exists;
 use Assert\Assertion;
-use Webauthn\Util\Base64;
+use ParagonIE\ConstantTime\Base64UrlSafe;
 
 class TokenBinding
 {
@@ -45,7 +45,7 @@ public static function createFormArray(array $json): self
                 implode(', ', self::getSupportedStatus())
             )
         );
-        $id = array_key_exists('id', $json) ? Base64::decodeUrlSafe($json['id']) : null;
+        $id = array_key_exists('id', $json) ? Base64UrlSafe::decodeNoPadding($json['id']) : null;
 
         return new self($status, $id);
     }

src/webauthn/src/Util/Base64.php

@@ -4,20 +4,12 @@
 
 namespace Webauthn\Util;
 
-use Assert\Assertion;
 use InvalidArgumentException;
 use ParagonIE\ConstantTime\Base64UrlSafe;
 use Throwable;
 
 abstract class Base64
 {
-    public static function decodeUrlSafe(string $data): string
-    {
-        Assertion::regex($data, '/^[A-Za-z0-9\-_]*$/', 'Invalid Base 64 Url Safe character.');
-
-        return Base64UrlSafe::decode($data);
-    }
-
     public static function decode(string $data): string
     {
         try {

tests/library/Functional/AttestationTest.php

@@ -5,6 +5,7 @@
 namespace Webauthn\Tests\Functional;
 
 use ParagonIE\ConstantTime\Base64UrlSafe;
+use RangeException;
 use Webauthn\AttestedCredentialData;
 use Webauthn\AuthenticatorAttestationResponse;
 use Webauthn\AuthenticatorData;
@@ -20,9 +21,10 @@ final class AttestationTest extends AbstractTestCase
     /**
      * @test
      */
-    public function aResponseCannotBeLoaded()
+    public function aResponseCannotBeLoaded(): void
     {
-        static::expectExceptionMessage('Invalid Base 64 Url Safe character.');
+        static::expectException(RangeException::class);
+        static::expectExceptionMessage('Incorrect padding');
         $response = '{"id":"wHU13DaUWRqIQq94SAfCG8jqUZGdW0N95hnchI3rG7s===","rawId":"wHU13DaUWRqIQq94SAfCG8jqUZGdW0N95hnchI3rG7s","response":{"authenticatorData":"lgTqgoJOmKStoUtEYtDXOo7EaRMNqRsZMHRZIp90o1kBAAAAag","signature":"MEYCIQD4faYQG08_xpmAxFwp33OObSPavG7iUCJimHhH2QwyVAIhAMVRovz5DR_itNGYzTpKgO2urLgx5F2mZf3U4INTRR74","userHandle":"MDFHN0VEWUMxQ1QxSjBUUVBIWEY3QVlGNUs","clientDataJSON":"eyJvcmlnaW4iOiJodHRwczovL3dlYmF1dGhuLnNwb21reS1sYWJzLmNvbSIsImNoYWxsZW5nZSI6IkhaaktrWURKTEgtVnF6bFgtaXpCcUc3Q1pvN0FVRmtobG12TnRHM1VKSjQiLCJ0eXBlIjoid2ViYXV0aG4uZ2V0In0"},"getClientExtensionResults":{},"type":"public-key"}';
 
         $this->getPublicKeyCredentialLoader()