-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Validate only the relevant CA in certificate chain
WE2-913 Signed-off-by: Mihkel Kivisild [email protected]
- Loading branch information
Mihkel Kivisild
committed
Jul 15, 2024
1 parent
506a6ec
commit 3e2c92b
Showing
10 changed files
with
66 additions
and
76 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -33,6 +33,7 @@ | |
use web_eid\web_eid_authtoken_validation_php\exceptions\CertificateExpiredException; | ||
use web_eid\web_eid_authtoken_validation_php\exceptions\CertificateNotYetValidException; | ||
use web_eid\web_eid_authtoken_validation_php\exceptions\CertificateNotTrustedException; | ||
use web_eid\web_eid_authtoken_validation_php\util\DefaultClock; | ||
|
||
final class CertificateValidator | ||
{ | ||
|
@@ -59,18 +60,17 @@ public static function certificateIsValidOnDate(X509 $subjectCertificate, DateTi | |
} | ||
} | ||
|
||
public static function trustedCACertificatesAreValidOnDate(TrustedCertificates $trustedCertificates, DateTime $date): void | ||
{ | ||
foreach ($trustedCertificates->getCertificates() as $cert) { | ||
self::certificateIsValidOnDate($cert, $date, "Trusted CA"); | ||
} | ||
} | ||
|
||
/** | ||
* @copyright 2022 Petr Muzikant [email protected] | ||
*/ | ||
public static function validateIsSignedByTrustedCA(X509 $certificate, TrustedCertificates $trustedCertificates): X509 | ||
public static function validateIsValidAndSignedByTrustedCA( | ||
X509 $certificate, | ||
TrustedCertificates $trustedCertificates, | ||
): X509 | ||
{ | ||
$now = DefaultClock::getInstance()->now(); | ||
self::certificateIsValidOnDate($certificate, $now, "User"); | ||
|
||
foreach ($trustedCertificates->getCertificates() as $trustedCertificate) { | ||
$certificate->loadCA( | ||
$trustedCertificate->saveX509($trustedCertificate->getCurrentCert(), X509::FORMAT_PEM) | ||
|
@@ -79,7 +79,11 @@ public static function validateIsSignedByTrustedCA(X509 $certificate, TrustedCer | |
|
||
if ($certificate->validateSignature()) { | ||
$chain = $certificate->getChain(); | ||
return end($chain); | ||
$trustedCACert = end($chain); | ||
|
||
// Verify that the trusted CA cert is presently valid before returning the result. | ||
self::certificateIsValidOnDate($trustedCACert, $now, "Trusted CA"); | ||
return $trustedCACert; | ||
} | ||
|
||
throw new CertificateNotTrustedException($certificate); | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
53 changes: 0 additions & 53 deletions
53
src/validator/certvalidators/SubjectCertificateExpiryValidator.php
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -24,18 +24,20 @@ | |
|
||
namespace web_eid\web_eid_authtoken_validation_php\validator\certvalidators; | ||
|
||
use DateTime; | ||
use ReflectionProperty; | ||
use phpseclib3\File\X509; | ||
use PHPUnit\Framework\TestCase; | ||
use ReflectionProperty; | ||
use web_eid\ocsp_php\OcspResponse; | ||
use web_eid\ocsp_php\util\AsnUtil; | ||
use web_eid\web_eid_authtoken_validation_php\exceptions\UserCertificateOCSPCheckFailedException; | ||
use web_eid\web_eid_authtoken_validation_php\testutil\Certificates; | ||
use web_eid\web_eid_authtoken_validation_php\testutil\Dates; | ||
use web_eid\web_eid_authtoken_validation_php\testutil\Logger; | ||
use web_eid\web_eid_authtoken_validation_php\testutil\OcspServiceMaker; | ||
use web_eid\web_eid_authtoken_validation_php\testutil\Certificates; | ||
use web_eid\web_eid_authtoken_validation_php\util\TrustedCertificates; | ||
use web_eid\web_eid_authtoken_validation_php\testutil\OcspServiceMaker; | ||
use web_eid\web_eid_authtoken_validation_php\validator\ocsp\OcspClient; | ||
use web_eid\web_eid_authtoken_validation_php\validator\ocsp\OcspClientImpl; | ||
use web_eid\web_eid_authtoken_validation_php\exceptions\UserCertificateOCSPCheckFailedException; | ||
|
||
class SubjectCertificateNotRevokedValidatorTest extends TestCase | ||
{ | ||
|
@@ -56,6 +58,11 @@ protected function setUp(): void | |
$this->estEid2018Cert = Certificates::getJaakKristjanEsteid2018Cert(); | ||
} | ||
|
||
protected function tearDown(): void | ||
{ | ||
Dates::resetMockedCertificateValidatorDate(); | ||
} | ||
|
||
public function testWhenValidAiaOcspResponderConfigurationThenSucceeds(): void | ||
{ | ||
$this->expectNotToPerformAssertions(); | ||
|
@@ -99,7 +106,7 @@ public function testWhenOcspRequestFailsThenThrows(): void | |
$this->expectException(UserCertificateOCSPCheckFailedException::class); | ||
$this->expectExceptionMessage("User certificate revocation check has failed: The requested URL returned error: 404"); | ||
|
||
$ocspServiceProvider = OcspServiceMaker::getDesignatedOcspServiceProvider(true, "https://web-eid-test.free.beeceptor.com"); | ||
$ocspServiceProvider = OcspServiceMaker::getDesignatedOcspServiceProvider(true, "http://demo.sk.ee/ocsps"); | ||
$validator = new SubjectCertificateNotRevokedValidator($this->trustedValidator, self::$ocspClient, $ocspServiceProvider); | ||
$validator->validate($this->estEid2018Cert); | ||
} | ||
|
@@ -214,6 +221,8 @@ public function request($url, $request): OcspResponse | |
|
||
public function testWhenOcspResponseCaNotTrustedThenThrows(): void | ||
{ | ||
Dates::setMockedCertificateValidatorDate(new DateTime("2021-03-01")); | ||
|
||
$this->expectException(UserCertificateOCSPCheckFailedException::class); | ||
$this->expectExceptionMessage("User certificate revocation check has failed: Exception: Certificate C=EE, O=AS Sertifitseerimiskeskus, OU=OCSP, CN=TEST of SK OCSP RESPONDER 2020/[email protected] is not trusted"); | ||
|
||
|