From 0da3e543de4857dea9413118726f92e1a86a3a26 Mon Sep 17 00:00:00 2001
From: Eric Stern <eric@ericstern.com>
Date: Sat, 18 Nov 2023 15:41:00 -0800
Subject: [PATCH] Improve logic matching key type to curve

---
 src/COSEKey.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/COSEKey.php b/src/COSEKey.php
index 9ed4062..48a82b3 100644
--- a/src/COSEKey.php
+++ b/src/COSEKey.php
@@ -61,7 +61,17 @@ public function __construct(public readonly BinaryString $cbor)
         }
 
         $curve = COSE\Curve::tryFrom($decodedCbor[self::INDEX_CURVE]);
-        if ($curve !== COSE\Curve::P256) {
+        // https://www.w3.org/TR/webauthn-3/#sctn-alg-identifier
+        // 5.8.5 - curve must match algorithm
+        $expectedCurve = match ($algorithm) {
+            COSE\Algorithm::EcdsaSha256 => COSE\Curve::P256,
+            // Permit more later.
+            // COSE\Algorithm::EcdsaSha384 => COSE\Curve::P384,
+            // COSE\Algorithm::EcdsaSha512 => COSE\Curve::P521,
+            // COSE\Algorithm::EdDSA  => COSE\Curve::ED25519,
+        };
+
+        if ($curve !== $expectedCurve) {
             throw new DomainException('Only curve P-256 (secp256r1) supported');
         }