From c4256cf464e8ef28b8fd8ba9cca50b9d580db678 Mon Sep 17 00:00:00 2001 From: Joshua Thijssen Date: Tue, 7 Feb 2023 15:05:53 +0100 Subject: [PATCH] Reader and validator are separated (#20) --- .github/workflows/test.yml | 2 +- composer.json | 2 +- src/UziReader.php | 47 ++---- src/UziUser.php | 27 ++-- src/UziValidator.php | 90 +++++++---- tests/UziReaderTest.php | 92 +++++------- tests/UziValidatorTest.php | 141 ++++++++++++++---- tests/certs/generate-mock-certs.sh | 25 ++++ tests/certs/mock-020-incorrect-oidca.cert | 25 ++++ .../certs/mock-021-incorrect-uzi-version.cert | 25 ++++ 10 files changed, 298 insertions(+), 178 deletions(-) create mode 100644 tests/certs/mock-020-incorrect-oidca.cert create mode 100644 tests/certs/mock-021-incorrect-uzi-version.cert diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index cb71fe1..0b58320 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -14,7 +14,7 @@ jobs: strategy: max-parallel: 3 matrix: - php-versions: [ '7.3', '7.4', '8.0', '8.1', '8.2' ] + php-versions: [ '7.4', '8.0', '8.1', '8.2' ] steps: - uses: actions/checkout@v2 diff --git a/composer.json b/composer.json index f4359cb..73c17d0 100644 --- a/composer.json +++ b/composer.json @@ -33,7 +33,7 @@ } ], "require": { - "php": ">=7.3", + "php": ">=7.4", "phpseclib/phpseclib": "^3.0.5", "psr/http-message": "^1.0", "ext-json": "*" diff --git a/src/UziReader.php b/src/UziReader.php index 6b94316..10573e7 100644 --- a/src/UziReader.php +++ b/src/UziReader.php @@ -2,11 +2,7 @@ namespace MinVWS\PUZI; -use MinVWS\PUZI\Exceptions\UziCardExpired; -use MinVWS\PUZI\Exceptions\UziCertificateException; -use MinVWS\PUZI\Exceptions\UziCertificateNotUziException; use phpseclib3\File\X509; -use MinVWS\PUZI\Exceptions\UziException; use Symfony\Component\HttpFoundation\Request; /** 
@@ -19,40 +15,19 @@ class UziReader { /** - * @param Request $request The request object - * @param array $caCerts Additional CA certificates to check against - * @return UziUser - * @throws UziCardExpired - * @throws UziCertificateException - * @throws UziCertificateNotUziException + * @param Request $request + * @return UziUser|null */ - public function getDataFromRequest(Request $request, array $caCerts = []): UziUser + public function getDataFromRequest(Request $request): ?UziUser { - if (!$request->server->has('SSL_CLIENT_VERIFY') || $request->server->get('SSL_CLIENT_VERIFY') !== 'SUCCESS') { - throw new UziCertificateException('Webserver client cert check not passed'); - } - if (!$request->server->has('SSL_CLIENT_CERT')) { - throw new UziCertificateException('No client certificate presented'); - } - $x509 = new X509(); $cert = $x509->loadX509($request->server->get('SSL_CLIENT_CERT')); - foreach ($caCerts as $caCert) { - $x509->loadCA($caCert); - } - - // Check valid CA path - if (! $x509->validateSignature(count($caCerts) > 0)) { - throw new UziCertificateException('Invalid CA path'); - } - - // Check if the certificate is expired - if (! $x509->validateDate()) { - throw new UziCardExpired('Uzi card expired'); + if (!$cert) { + return null; } if (!isset($cert['tbsCertificate']['subject']['rdnSequence'])) { - throw new UziCertificateNotUziException('No subject rdnSequence'); + return null; } // Check if the certificate is a UZI certificate @@ -82,9 +57,9 @@ public function getDataFromRequest(Request $request, array $caCerts = []): UziUs } if (!isset($value['otherName']['value']['ia5String'])) { - throw new UziCertificateException('No ia5String'); + return null; } - $subjectAltName = $value['otherName']['value']['ia5String']; + /** * @var array $data * Reference page 60 
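Review bot: The new `getDataFromRequest` returns parsed but entirely unverified data — this hunk drops the `SSL_CLIENT_VERIFY`, CA-path and `validateDate()` checks and replaces them with nothing, yet the docblock only says `@return UziUser|null`, so a caller that reads the role or UZI number straight from the reader gets whatever an unverified `SSL_CLIENT_CERT` contained. I'd make the contract explicit in the docblock: `Parses the UZI fields out of SSL_CLIENT_CERT without verifying the certificate (no signature, validity-period or SSL_CLIENT_VERIFY check); only trust the result once UziValidator::validate() has passed for the same request.` Collapsing every failure into `null` also loses the reason (no cert, unparsable cert, not a UZI cert), which the old exceptions distinguished; a one-line comment per `return null` naming the failed condition would keep that information for the next reader. The method body continues past the end of this hunk.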
@@ -97,9 +72,11 @@ public function getDataFromRequest(Request $request, array $caCerts = []): UziUs * [5] Role (reference page 89) * [6] AGB code */ + $subjectAltName = $value['otherName']['value']['ia5String']; + /** @var string[]|false $data */ $data = explode('-', $subjectAltName); if (!is_array($data) || count($data) < 6) { - throw new UziCertificateException('Incorrect SAN found'); + return null; } $user = new UziUser(); @@ -117,6 +94,6 @@ public function getDataFromRequest(Request $request, array $caCerts = []): UziUs } } - throw new UziCertificateNotUziException('No valid UZI card found'); + return null; } } diff --git a/src/UziUser.php b/src/UziUser.php index 600163f..6246864 100644 --- a/src/UziUser.php +++ b/src/UziUser.php @@ -9,24 +9,15 @@ */ class UziUser implements \JsonSerializable { - /** @var string */ - protected $agb_code = ""; - /** @var string */ - protected $card_type = ""; - /** @var string */ - protected $given_name = ""; - /** @var string */ - protected $oid_ca = ""; - /** @var string */ - protected $role = ""; - /** @var string */ - protected $subscriber_number = ""; - /** @var string */ - protected $sur_name = ""; - /** @var string */ - protected $uzi_number = ""; - /** @var string */ - protected $uzi_version = ""; + protected string $agb_code = ""; + protected string $card_type = ""; + protected string $given_name = ""; + protected string $oid_ca = ""; + protected string $role = ""; + protected string $subscriber_number = ""; + protected string $sur_name = ""; + protected string $uzi_number = ""; + protected string $uzi_version = ""; /** * @return string diff --git a/src/UziValidator.php b/src/UziValidator.php index 3f71bc1..7a51458 100644 --- a/src/UziValidator.php +++ b/src/UziValidator.php 
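Review bot: The guard `count($data) < 6` accepts a SAN with only six fields although the layout documented directly above it has seven (`[0]` OID CA through `[6]` AGB code), so a six-field SAN passes the check and the AGB-code index is then undefined — on PHP 8 that is a warning plus an empty value, not a rejection. The lines that copy `$data` into `UziUser` are outside this hunk so I cannot confirm `$data[6]` is read there, but the reader tests later in this patch expect `getAgbCode()` to return the seventh field, which suggests it is; tighten the guard to `if (!is_array($data) || count($data) < 7) {`. The `string[]|false` annotation is also misleading on the supported PHP range: with a non-empty separator `explode('-', ...)` always returns an array, so the `is_array` branch is dead.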
@@ -5,8 +5,12 @@ use MinVWS\PUZI\Exceptions\UziAllowedRoleException; use MinVWS\PUZI\Exceptions\UziAllowedTypeException; use MinVWS\PUZI\Exceptions\UziCaException; +use MinVWS\PUZI\Exceptions\UziCardExpired; +use MinVWS\PUZI\Exceptions\UziCertificateException; use MinVWS\PUZI\Exceptions\UziException; use MinVWS\PUZI\Exceptions\UziVersionException; +use phpseclib3\File\X509; +use Symfony\Component\HttpFoundation\Request; /** * Class UziValidator 
@@ -14,61 +18,83 @@ */ class UziValidator { - /** @var bool */ - protected $strictCAcheck; - /** @var array */ - protected $allowedTypes; - /** @var array */ - protected $allowedRoles; + protected UziReader $reader; + protected bool $strictCAcheck; + protected array $allowedTypes; + protected array $allowedRoles; + protected array $caCerts = []; - /** - * UziValidator constructor. - * - * @param bool $strictCaCheck - * @param array $allowedTypes - * @param array $allowedRoles - */ - public function __construct(bool $strictCaCheck, array $allowedTypes, array $allowedRoles) - { + public function __construct( + UziReader $reader, + bool $strictCaCheck, + array $allowedTypes, + array $allowedRoles, + array $caCerts = [] + ) { $this->strictCAcheck = $strictCaCheck; $this->allowedTypes = $allowedTypes; $this->allowedRoles = $allowedRoles; + $this->reader = $reader; + $this->caCerts = $caCerts; } - /** - * @param UziUser $user - * @return bool - */ - public function isValid(UziUser $user): bool + public function isValid(Request $request): bool { try { - $this->validate($user); + $this->validate($request); } catch (UziException $e) { return false; } + return true; } - /** - * @param UziUser $user - * @throws UziException - */ - public function validate(UziUser $user): void + public function validate(Request $request): void { + if (!$request->server->has('SSL_CLIENT_VERIFY') || $request->server->get('SSL_CLIENT_VERIFY') !== 'SUCCESS') { + throw new UziCertificateException('Webserver client cert check not passed'); + } + if (!$request->server->has('SSL_CLIENT_CERT')) { + throw new UziCertificateException('No client certificate presented'); + } + + $x509 = new X509(); + $x509->loadX509($request->server->get('SSL_CLIENT_CERT')); + foreach ($this->caCerts as $caCert) { + $x509->loadCA($caCert); + } + + if ($this->strictCAcheck === false) { + $x509->disableURLFetch(); + } + + $uziInfo = $this->reader->getDataFromRequest($request); + if (!$uziInfo) { + throw new 
UziCertificateException('No UZI data found in certificate'); + } + if ( - $this->strictCAcheck == true && - $user->getOidCa() !== UziConstants::OID_CA_CARE_PROVIDER && - $user->getOidCa() !== UziConstants::OID_CA_NAMED_EMPLOYEE + $this->strictCAcheck === true && + $uziInfo->getOidCa() !== UziConstants::OID_CA_CARE_PROVIDER && + $uziInfo->getOidCa() !== UziConstants::OID_CA_NAMED_EMPLOYEE ) { throw new UziCaException('CA OID not UZI register Care Provider or named employee'); } - if ($user->getUziVersion() !== '1') { + + if (! $x509->validateSignature(count($this->caCerts) > 0)) { + throw new UziCertificateException('Uzi certificate path not valid'); + } + if (! $x509->validateDate()) { + throw new UziCardExpired('Uzi card expired'); + } + + if ($uziInfo->getUziVersion() !== '1') { throw new UziVersionException('UZI version not 1'); } - if (!in_array($user->getCardType(), $this->allowedTypes)) { + if (!in_array($uziInfo->getCardType(), $this->allowedTypes)) { throw new UziAllowedTypeException('UZI card type not allowed'); } - if (!in_array(substr($user->getRole(), 0, 3), $this->allowedRoles)) { + if (!in_array(substr($uziInfo->getRole(), 0, 3), $this->allowedRoles)) { throw new UziAllowedRoleException("UZI card role not allowed"); } } diff --git a/tests/UziReaderTest.php b/tests/UziReaderTest.php index 27f9102..520173a 100644 --- a/tests/UziReaderTest.php +++ b/tests/UziReaderTest.php @@ -5,6 +5,7 @@ use MinVWS\PUZI\Exceptions\UziCertificateException; use MinVWS\PUZI\Exceptions\UziCertificateNotUziException; use MinVWS\PUZI\UziReader; +use MinVWS\PUZI\UziUser; use PHPUnit\Framework\TestCase; use Symfony\Component\HttpFoundation\Request; 
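Review bot: With the default empty `$caCerts`, `validateSignature(count($this->caCerts) > 0)` becomes `validateSignature(false)`, which in phpseclib (as I read it) verifies a self-signed certificate against its own key — so in that configuration the library performs no chain check at all and the only trust anchor is the web server's `SSL_CLIENT_VERIFY` string; the tests in this patch depend on exactly that, since `mock-011-correct.cert` comes from `openssl req -x509` and `testIsValid` builds the validator without CA certs yet expects `true`. The `disableURLFetch()` call is also only made when `strictCAcheck` is false, which looks inverted: with CA certs loaded and an issuer not among them, phpseclib's intermediate lookup fetches the issuer certificate from the AIA URL embedded in the client-presented certificate unless fetching is disabled — an outbound HTTP request chosen by whoever supplied the certificate, made inside the authentication path. I'd disable fetching unconditionally, `X509::disableURLFetch();` before `loadX509` (it is a static, process-wide switch in phpseclib 3 as far as I recall, so the per-instance call suggests more scoping than it has), and document the empty-CA case on the constructor: `@param array $caCerts CA certificates to validate the client certificate chain against; when empty, validateSignature() accepts self-signed certificates and trust rests solely on the web server's SSL_CLIENT_VERIFY.` The two `in_array` calls would also benefit from `strict: true`, since card types and roles are strings compared against configured arrays.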
@@ -19,124 +20,97 @@ public function testCheckRequestHasNoCert(): void { $uzi = new UziReader(); - $this->expectException(UziCertificateException::class); - $this->expectExceptionMessage("Webserver client cert check not passed"); - $request = new Request(); - $uzi->getDataFromRequest($request); + $this->assertNull($uzi->getDataFromRequest($request)); } public function testCheckSSLClientFailed(): void { $uzi = new UziReader(); - $this->expectException(UziCertificateException::class); - $this->expectExceptionMessage("Webserver client cert check not passed"); - $request = new Request(); $request->server->set('SSL_CLIENT_VERIFY', "failed"); - $uzi->getDataFromRequest($request); + $this->assertNull($uzi->getDataFromRequest($request)); } public function testCheckNoClientCert(): void { $uzi = new UziReader(); - $this->expectException(UziCertificateException::class); - $this->expectExceptionMessage("No client certificate presented"); - $request = new Request(); $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); - $uzi->getDataFromRequest($request); + $this->assertNull($uzi->getDataFromRequest($request)); } public function testCheckCertWithoutValidData(): void { $uzi = new UziReader(); - $this->expectException(UziCertificateNotUziException::class); - $this->expectExceptionMessage("No valid UZI card found"); - $request = new Request(); $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); $request->server->set('SSL_CLIENT_CERT', file_get_contents(__DIR__ . '/certs/mock-001-no-valid-uzi-data.cert')); - $uzi->getDataFromRequest($request); + $this->assertNull($uzi->getDataFromRequest($request)); } public function testCheckCertWithInvalidSAN(): void { $uzi = new UziReader(); - $this->expectException(UziCertificateNotUziException::class); - $this->expectExceptionMessage("No valid UZI card found"); - $request = new Request(); $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); $request->server->set('SSL_CLIENT_CERT', file_get_contents(__DIR__ . 
'/certs/mock-002-invalid-san.cert')); - $uzi->getDataFromRequest($request); + $this->assertNull($uzi->getDataFromRequest($request)); } public function testCheckCertWithInvalidOtherName(): void { $uzi = new UziReader(); - $this->expectException(UziCertificateNotUziException::class); - $this->expectExceptionMessage("No valid UZI card found"); - $request = new Request(); $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); $request->server->set('SSL_CLIENT_CERT', file_get_contents(__DIR__ . '/certs/mock-003-invalid-othername.cert')); - $uzi->getDataFromRequest($request); + $this->assertNull($uzi->getDataFromRequest($request)); } public function testCheckCertWithoutIa5string(): void { $uzi = new UziReader(); - $this->expectException(UziCertificateException::class); - $this->expectExceptionMessage("No ia5String"); - $request = new Request(); $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); $cert = file_get_contents(__DIR__ . '/certs/mock-004-othername-without-ia5string.cert'); $request->server->set('SSL_CLIENT_CERT', $cert); - $uzi->getDataFromRequest($request); + $this->assertNull($uzi->getDataFromRequest($request)); } public function testCheckCertIncorrectSanData(): void { $uzi = new UziReader(); - $this->expectException(UziCertificateException::class); - $this->expectExceptionMessage("Incorrect SAN found"); - $request = new Request(); $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); $cert = file_get_contents(__DIR__ . '/certs/mock-005-incorrect-san-data.cert'); $request->server->set('SSL_CLIENT_CERT', $cert); - $uzi->getDataFromRequest($request); + $this->assertNull($uzi->getDataFromRequest($request)); } public function testCheckCertIncorrectSanData2(): void { $uzi = new UziReader(); - $this->expectException(UziCertificateException::class); - $this->expectExceptionMessage("Incorrect SAN found"); - $request = new Request(); $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); $cert = file_get_contents(__DIR__ . 
'/certs/mock-006-incorrect-san-data.cert'); $request->server->set('SSL_CLIENT_CERT', $cert); - $uzi->getDataFromRequest($request); + $this->assertNull($uzi->getDataFromRequest($request)); } public function testCheckValidCert(): void @@ -147,17 +121,18 @@ public function testCheckValidCert(): void $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); $request->server->set('SSL_CLIENT_CERT', file_get_contents(__DIR__ . '/certs/mock-011-correct.cert')); - $user = $uzi->getDataFromRequest($request); - - $this->assertEquals('00000000', $user->getAgbCode()); - $this->assertEquals('N', $user->getCardType()); - $this->assertEquals('john', $user->getGivenName()); - $this->assertEquals('2.16.528.1.1003.1.3.5.5.2', $user->getOidCa()); - $this->assertEquals('30.015', $user->getRole()); - $this->assertEquals('90000111', $user->getSubscriberNumber()); - $this->assertEquals('doe-12345678', $user->getSurName()); - $this->assertEquals('12345678', $user->getUziNumber()); - $this->assertEquals('1', $user->getUziVersion()); + /** @var UziUser $uziInfo */ + $uziInfo = $uzi->getDataFromRequest($request); + + $this->assertEquals('00000000', $uziInfo->getAgbCode()); + $this->assertEquals('N', $uziInfo->getCardType()); + $this->assertEquals('john', $uziInfo->getGivenName()); + $this->assertEquals('2.16.528.1.1003.1.3.5.5.2', $uziInfo->getOidCa()); + $this->assertEquals('30.015', $uziInfo->getRole()); + $this->assertEquals('90000111', $uziInfo->getSubscriberNumber()); + $this->assertEquals('doe-12345678', $uziInfo->getSurName()); + $this->assertEquals('12345678', $uziInfo->getUziNumber()); + $this->assertEquals('1', $uziInfo->getUziVersion()); } public function testCheckValidAdminCert(): void 
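Review bot: `testCheckSSLClientFailed` and `testCheckNoClientCert` no longer test what their names say: the reader on the new side never reads `SSL_CLIENT_VERIFY`, so both pass for the same reason as `testCheckRequestHasNoCert` — no `SSL_CLIENT_CERT` is set. A test that pins the actual contract would set `SSL_CLIENT_VERIFY` to `"failed"` together with `mock-011-correct.cert` and assert the reader still returns a `UziUser`, making explicit that the verify flag is enforced only by `UziValidator`; otherwise the two should be renamed or dropped so nobody reads them as evidence that the reader rejects unverified connections.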
@@ -168,16 +143,17 @@ public function testCheckValidAdminCert(): void $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); $request->server->set('SSL_CLIENT_CERT', file_get_contents(__DIR__ . '/certs/mock-012-correct-admin.cert')); - $user = $uzi->getDataFromRequest($request); - - $this->assertEquals('00000000', $user->getAgbCode()); - $this->assertEquals('N', $user->getCardType()); - $this->assertEquals('john', $user->getGivenName()); - $this->assertEquals('2.16.528.1.1003.1.3.5.5.2', $user->getOidCa()); - $this->assertEquals('01.015', $user->getRole()); - $this->assertEquals('90000111', $user->getSubscriberNumber()); - $this->assertEquals('doe-11111111', $user->getSurName()); - $this->assertEquals('11111111', $user->getUziNumber()); - $this->assertEquals('1', $user->getUziVersion()); + /** @var UziUser $uziInfo */ + $uziInfo = $uzi->getDataFromRequest($request); + + $this->assertEquals('00000000', $uziInfo->getAgbCode()); + $this->assertEquals('N', $uziInfo->getCardType()); + $this->assertEquals('john', $uziInfo->getGivenName()); + $this->assertEquals('2.16.528.1.1003.1.3.5.5.2', $uziInfo->getOidCa()); + $this->assertEquals('01.015', $uziInfo->getRole()); + $this->assertEquals('90000111', $uziInfo->getSubscriberNumber()); + $this->assertEquals('doe-11111111', $uziInfo->getSurName()); + $this->assertEquals('11111111', $uziInfo->getUziNumber()); + $this->assertEquals('1', $uziInfo->getUziVersion()); } } diff --git a/tests/UziValidatorTest.php b/tests/UziValidatorTest.php index aa7018c..54ca64d 100644 --- a/tests/UziValidatorTest.php +++ b/tests/UziValidatorTest.php 
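Review bot: The `/** @var UziUser $uziInfo */` annotation only silences the static analyser on a nullable return; if parsing regresses, the first getter fails with a "call to a member function on null" error rather than a test message. Put `$this->assertNotNull($uziInfo);` (or `assertInstanceOf(UziUser::class, $uziInfo)`) before the getters, which also makes the annotation unnecessary.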
@@ -5,11 +5,14 @@ use MinVWS\PUZI\Exceptions\UziAllowedRoleException; use MinVWS\PUZI\Exceptions\UziAllowedTypeException; use MinVWS\PUZI\Exceptions\UziCaException; +use MinVWS\PUZI\Exceptions\UziCertificateException; use MinVWS\PUZI\Exceptions\UziVersionException; use MinVWS\PUZI\UziConstants; +use MinVWS\PUZI\UziReader; use MinVWS\PUZI\UziValidator; use MinVWS\PUZI\UziUser; use PHPUnit\Framework\TestCase; +use Symfony\Component\HttpFoundation\Request; /** * Class UziValidatorTest 
@@ -18,72 +21,144 @@ */ final class UziValidatorTest extends TestCase { - public function testValidateIncorectOID(): void + public function testSSLClientVerifyMissing(): void + { + $request = new Request(); + + $this->expectException(UziCertificateException::class); + $this->expectExceptionMessage("Webserver client cert check not passed"); + + $reader = new UziReader(); + $validator = new UziValidator($reader, true, [], []); + $validator->validate($request); + } + + public function testNoClientCertPresented(): void + { + $request = new Request(); + $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); + + $this->expectException(UziCertificateException::class); + $this->expectExceptionMessage("No client certificate presented"); + + $reader = new UziReader(); + $validator = new UziValidator($reader, true, [], []); + $validator->validate($request); + } + + public function testInvalidCert(): void + { + $request = new Request(); + $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); + $request->server->set('SSL_CLIENT_CERT', file_get_contents(__DIR__ . '/certs/mock-001-no-valid-uzi-data.cert')); + + $this->expectException(UziCertificateException::class); + $this->expectExceptionMessage("No UZI data found in certificate"); + + $reader = new UziReader(); + $validator = new UziValidator($reader, true, [], []); + $validator->validate($request); + } + + public function testValidateIncorectOIDca(): void { $user = new UziUser(); $user->setOidCa("1.2.3.4"); $this->expectException(UziCaException::class); - $this->expectExceptionMessage("CA OID not UZI register"); + $this->expectExceptionMessage("CA OID not UZI register Care Provider or named employee"); + + $request = new Request(); + $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); + $request->server->set('SSL_CLIENT_CERT', file_get_contents(__DIR__ . 
'/certs/mock-020-incorrect-oidca.cert')); - $validator = new UziValidator(true, [], []); - $validator->validate($user); + $reader = new UziReader(); + $validator = new UziValidator($reader, true, [], []); + $validator->validate($request); } - public function testIncorrectVersion(): void + public function testValidateIncorectOIDcaWithoutStrictCheck(): void { $user = new UziUser(); - $user->setOidCa(UziConstants::OID_CA_CARE_PROVIDER); - $user->setUziVersion("123"); + $user->setOidCa("1.2.3.4"); + + $request = new Request(); + $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); + $request->server->set('SSL_CLIENT_CERT', file_get_contents(__DIR__ . '/certs/mock-020-incorrect-oidca.cert')); + + $reader = new UziReader(); + $validator = new UziValidator( + $reader, + false, + [UziConstants::UZI_TYPE_NAMED_EMPLOYEE], + [UziConstants::UZI_ROLE_DOCTOR] + ); + $this->assertTrue($validator->isValid($request)); + } + + public function testIncorrectVersion(): void + { + $request = new Request(); + $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); + $request->server->set( + 'SSL_CLIENT_CERT', + file_get_contents(__DIR__ . '/certs/mock-021-incorrect-uzi-version.cert') + ); $this->expectException(UziVersionException::class); $this->expectExceptionMessage("UZI version not 1"); - $validator = new UziValidator(true, [], []); - $validator->validate($user); + $reader = new UziReader(); + $validator = new UziValidator($reader, true, [], []); + $validator->validate($request); } public function testNotAllowedType(): void { - $user = new UziUser(); - $user->setOidCa(UziConstants::OID_CA_CARE_PROVIDER); - $user->setUziVersion("1"); - $user->setCardType(UziConstants::UZI_TYPE_SERVER); + $request = new Request(); + $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); + $request->server->set('SSL_CLIENT_CERT', file_get_contents(__DIR__ . 
'/certs/mock-011-correct.cert')); $this->expectException(UziAllowedTypeException::class); $this->expectExceptionMessage("UZI card type not allowed"); - $validator = new UziValidator(true, [UziConstants::UZI_TYPE_CARE_PROVIDER], []); - $validator->validate($user); + $reader = new UziReader(); + $validator = new UziValidator($reader, true, [UziConstants::UZI_TYPE_CARE_PROVIDER], []); + $validator->validate($request); } public function testNotAllowedRole(): void { - $user = new UziUser(); - $user->setOidCa(UziConstants::OID_CA_CARE_PROVIDER); - $user->setUziVersion("1"); - $user->setCardType(UziConstants::UZI_TYPE_CARE_PROVIDER); - $user->setRole(UziConstants::UZI_ROLE_DENTIST); + $request = new Request(); + $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); + $request->server->set('SSL_CLIENT_CERT', file_get_contents(__DIR__ . '/certs/mock-011-correct.cert')); $this->expectException(UziAllowedRoleException::class); $this->expectExceptionMessage("UZI card role not allowed"); - $validator = new UziValidator(true, [UziConstants::UZI_TYPE_CARE_PROVIDER], [UziConstants::UZI_ROLE_NURSE]); - $validator->validate($user); + $reader = new UziReader(); + $validator = new UziValidator( + $reader, + true, + [UziConstants::UZI_TYPE_NAMED_EMPLOYEE], + [UziConstants::UZI_ROLE_PHARMACIST] + ); + $validator->validate($request); } public function testIsValid(): void { - $user = new UziUser(); - $user->setOidCa(UziConstants::OID_CA_CARE_PROVIDER); - $user->setUziVersion("1"); - $user->setCardType(UziConstants::UZI_TYPE_CARE_PROVIDER); - $user->setRole(UziConstants::UZI_ROLE_DENTIST); - - $validator = new UziValidator(true, [UziConstants::UZI_TYPE_CARE_PROVIDER], [UziConstants::UZI_ROLE_DENTIST]); - $this->assertTrue($validator->isValid($user)); - - $user->setRole(UziConstants::UZI_ROLE_PHARMACIST); - $this->assertFalse($validator->isValid($user)); + $request = new Request(); + $request->server->set('SSL_CLIENT_VERIFY', "SUCCESS"); + $request->server->set('SSL_CLIENT_CERT', 
file_get_contents(__DIR__ . '/certs/mock-011-correct.cert')); + + $reader = new UziReader(); + $validator = new UziValidator( + $reader, + true, + [UziConstants::UZI_TYPE_NAMED_EMPLOYEE], + [UziConstants::UZI_ROLE_NURSE] + ); + $this->assertTrue($validator->isValid($request)); } } diff --git a/tests/certs/generate-mock-certs.sh b/tests/certs/generate-mock-certs.sh index 2ea36f7..b3a206d 100644 --- a/tests/certs/generate-mock-certs.sh +++ b/tests/certs/generate-mock-certs.sh @@ -94,3 +94,28 @@ openssl req -x509 \ -days 3650 \ -subj "/C=NL/O=MockTest Cert/title=physician/SN=doe-11111111/GN=john/CN=john doe-11111111" \ -addext "subjectAltName = otherName:2.5.5.5;IA5STRING:2.16.528.1.1003.1.3.5.5.2-1-11111111-N-90000111-01.015-00000000" + +openssl req -x509 \ + -nodes \ + -keyout dummy.key \ + -out mock-020-incorrect-oidca.cert \ + -days 3650 \ + -subj "/C=NL/O=MockTest Cert/title=physician/SN=doe-11111111/GN=john/CN=john doe-11111111" \ + -addext "subjectAltName = otherName:2.5.5.5;IA5STRING:9.9.9.9.9.9.9.9.9.9-1-11111111-N-90000111-01.015-00000000" + + +openssl req -x509 \ + -nodes \ + -keyout dummy.key \ + -out mock-020-incorrect-oidca.cert \ + -days 3650 \ + -subj "/C=NL/O=MockTest Cert/title=physician/SN=doe-11111111/GN=john/CN=john doe-11111111" \ + -addext "subjectAltName = otherName:2.5.5.5;IA5STRING:9.9.9.9.9.9.9.9.9.9-1-11111111-N-90000111-01.015-00000000" + +openssl req -x509 \ + -nodes \ + -keyout dummy.key \ + -out mock-021-incorrect-uzi-version.cert \ + -days 3650 \ + -subj "/C=NL/O=MockTest Cert/title=physician/SN=doe-11111111/GN=john/CN=john doe-11111111" \ + -addext "subjectAltName = otherName:2.5.5.5;IA5STRING:2.16.528.1.1003.1.3.5.5.2-1252-11111111-N-90000111-01.015-00000000" diff --git a/tests/certs/mock-020-incorrect-oidca.cert b/tests/certs/mock-020-incorrect-oidca.cert new file mode 100644 index 0000000..fcc4682 --- /dev/null +++ b/tests/certs/mock-020-incorrect-oidca.cert 
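Review bot: The two checks newly moved into `UziValidator::validate` — the `'Uzi certificate path not valid'` and `UziCardExpired` exceptions — have no test in this hunk, while `testValidateIncorectOIDca` and `testValidateIncorectOIDcaWithoutStrictCheck` still build a `$user = new UziUser(); $user->setOidCa("1.2.3.4");` that nothing reads, a leftover of the pre-refactor API. A chain-failure test needs only existing fixtures: pass `[file_get_contents(__DIR__ . '/certs/mock-012-correct-admin.cert')]` as `$caCerts`, present `mock-011-correct.cert`, and `expectException(UziCertificateException::class)` with message `Uzi certificate path not valid` — the two self-signed certificates do not chain, so `validateSignature(true)` should fail. `testIsValid` passes with no CA certs at all, i.e. it exercises the self-signed acceptance path; a comment saying so would stop a reader from taking it as evidence that the chain is checked.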
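Review bot: The `mock-020-incorrect-oidca.cert` block is added twice, back to back and byte-for-byte identical, so the second `openssl req` silently overwrites the fixture (and `dummy.key`) the first one just produced; drop one copy. Each fixture is also minted with `-days 3650` from the run date (the committed mock-020 carries notBefore 2023-02-07 and notAfter 2033-02-04), so `validateDate()` in the validator will begin rejecting them in 2033; a comment next to the added blocks noting that re-running the script re-issues every fixture with new keys, serials and dates would help whoever hits that.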
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKDCCAxCgAwIBAgIUDLTL5aFo21vvggNuCFmaVkCBmwowDQYJKoZIhvcNAQEL +BQAwezELMAkGA1UEBhMCTkwxFjAUBgNVBAoMDU1vY2tUZXN0IENlcnQxEjAQBgNV +BAwMCXBoeXNpY2lhbjEVMBMGA1UEBAwMZG9lLTExMTExMTExMQ0wCwYDVQQqDARq +b2huMRowGAYDVQQDDBFqb2huIGRvZS0xMTExMTExMTAeFw0yMzAyMDcxMTU0MjJa +Fw0zMzAyMDQxMTU0MjJaMHsxCzAJBgNVBAYTAk5MMRYwFAYDVQQKDA1Nb2NrVGVz +dCBDZXJ0MRIwEAYDVQQMDAlwaHlzaWNpYW4xFTATBgNVBAQMDGRvZS0xMTExMTEx +MTENMAsGA1UEKgwEam9objEaMBgGA1UEAwwRam9obiBkb2UtMTExMTExMTEwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDoNKVBtzAeaUdj+Fei212W48uo +uQzu0bo/x7ZeRZTjqBjXPQslh+tt1KFkIt0pD4p+cpDxb5CDlspEDtPtvruOOSCp +AwZWjFYF8w/3F2FlFLNreVLcVaeWq/cDjO1PDHZ4o3bME0dFFKTsCRqCjhyMLd+b +mQTwSimhe7IohLdC3XlPNOfdzZA9tbZEYn7MewIXLfWKuFzwNYj3k400QQpAA9t8 +j5MKeGpqDlOiPm20BOMofdsDzkFgGTZwkDxGzSlSFDwvviqClVl6Oaqu713gBiTw ++zEuhNrcf/EocBvBPhgo41fWOx78r0rrHEvqglOB8ytRr38Ko6h7zRV1ZrRnAgMB +AAGjgaMwgaAwHQYDVR0OBBYEFBqOtHZL7sI8hZqFLzAh34HnttjWMB8GA1UdIwQY +MBaAFBqOtHZL7sI8hZqFLzAh34HnttjWMA8GA1UdEwEB/wQFMAMBAf8wTQYDVR0R +BEYwRKBCBgNVBQWgOxY5OS45LjkuOS45LjkuOS45LjkuOS0xLTExMTExMTExLU4t +OTAwMDAxMTEtMDEuMDE1LTAwMDAwMDAwMA0GCSqGSIb3DQEBCwUAA4IBAQCm021R +9tFEr0WJ6yyA28xYyzTVuMrll024oMBYEkXDJyKx1e4SpiM+hUQ+zQvOUVCZUEm9 +8Rsj2cGUYulQtpC65NcHGqRYU5YK+wthTdIG1b3IYSsLbfhcsHqk2ZM7ug+BxQTJ ++oMRDmvi6V9JTiDTjJSz161yPthO/CwPjBu1h/mjYJanh6I/YqlCqK8NVPjVH/Uo +IYExKrXLXApRXbZswdiSNLM6guL2pu43vI1Y91mItKumpjakB5/9lqry4YVZSVQ3 +sGpPyVC0bkQGCArftmYLX+rUVJh9e2d/UvDNzNPYbt/U1cGzngdx5f976GfjYsWl +nbpFpt1jjQPEOVTl +-----END CERTIFICATE----- diff --git a/tests/certs/mock-021-incorrect-uzi-version.cert b/tests/certs/mock-021-incorrect-uzi-version.cert new file mode 100644 index 0000000..a9cefdb --- /dev/null +++ b/tests/certs/mock-021-incorrect-uzi-version.cert 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEMTCCAxmgAwIBAgIUQQCYO4qTbjqy0C2Jif4uv13Z0/cwDQYJKoZIhvcNAQEL +BQAwezELMAkGA1UEBhMCTkwxFjAUBgNVBAoMDU1vY2tUZXN0IENlcnQxEjAQBgNV +BAwMCXBoeXNpY2lhbjEVMBMGA1UEBAwMZG9lLTExMTExMTExMQ0wCwYDVQQqDARq +b2huMRowGAYDVQQDDBFqb2huIGRvZS0xMTExMTExMTAeFw0yMzAyMDcxMzMwNTRa +Fw0zMzAyMDQxMzMwNTRaMHsxCzAJBgNVBAYTAk5MMRYwFAYDVQQKDA1Nb2NrVGVz +dCBDZXJ0MRIwEAYDVQQMDAlwaHlzaWNpYW4xFTATBgNVBAQMDGRvZS0xMTExMTEx +MTENMAsGA1UEKgwEam9objEaMBgGA1UEAwwRam9obiBkb2UtMTExMTExMTEwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoWeXqnnsOXI5r6+dJ9k8nVq17 +WDUVFnt/niTO0izXh+Ju7WNStF/hRSGrJFGqRYu4qz2HQS7ivIJdA/theRnZmim5 +eODZ0Vn74pqo+dBuLX0Rxf3ekv6kCihfbosD3yRXlcUxGw8v20JhbdPbqhXwWUvs +WgZ1mzU9OmQPHwxJySwXmqx4Ef4s5mVHeg+9EpUJh9ayYHU1icLyUv/BY/MCKCWd +Co/j4DZ1NaJI0B7U6t2XGFRfNUhuxiJMItXMBut0r4B/6EI+Spy1j2a9oybaZE3p +jbQzcixpXJlu86/v397m8nyUgxKk4z7lj57XQhUQaPDbMLT0euywFr2PQZXbAgMB +AAGjgawwgakwHQYDVR0OBBYEFOA1ELvJCZsSLtN5GDN4m7VvqBmPMB8GA1UdIwQY +MBaAFOA1ELvJCZsSLtN5GDN4m7VvqBmPMA8GA1UdEwEB/wQFMAMBAf8wVgYDVR0R +BE8wTaBLBgNVBQWgRBZCMi4xNi41MjguMS4xMDAzLjEuMy41LjUuMi0xMjUyLTEx +MTExMTExLU4tOTAwMDAxMTEtMDEuMDE1LTAwMDAwMDAwMA0GCSqGSIb3DQEBCwUA +A4IBAQAz8E8fewBNIAuPbRm5YhR7r0gnOaScxT/Z8qiKS4+UJV+yrE8IE1HDu6h7 +VO76aeY8722Eo18MjVLZvwkaQyy1H+UJdk0GtHbPA8disvGofYFGd2CqZRxORXsZ +FZVUxcD6w37qS+/asoUvin8aXujzDbGof20mS/bSb3KXbPaaoq30U6Aom98nLnA4 +o+Hvbp7/XoCgGnNfsJHqRHwr80HRChYXICmTuS3HMV/1DozpyCo3rcYzm/TjcvbG +1k4BMkWTALVx88jnLQz+BoPP7VL/3VnLPf0/xVx0WpVdkw9ZSGbTTPVrVQP+48FN +4TTnVKZKW5LfrfyuEnXh1/NOKcSc +-----END CERTIFICATE-----