

Use system time in OcspService.validateResponderCertificate()
WE2-868

Signed-off-by: Mihkel Kivisild [email protected]
Mihkel Kivisild committed Aug 26, 2024
1 parent 188d4c3 commit 7d0ef60
Showing 4 changed files with 25 additions and 7 deletions.
Expand Up @@ -37,6 +37,7 @@
use web_eid\web_eid_authtoken_validation_php\exceptions\UserCertificateOCSPCheckFailedException;
use web_eid\web_eid_authtoken_validation_php\validator\ocsp\service\OcspService;
use Psr\Log\LoggerInterface;
use web_eid\web_eid_authtoken_validation_php\util\DefaultClock;

final class SubjectCertificateNotRevokedValidator implements SubjectCertificateValidator
{
Expand Down Expand Up @@ -137,8 +138,9 @@ private function verifyOcspResponse(OcspResponse $response, OcspService $ocspSer
// 4. The signer is currently authorized to provide a response for the
// certificate in question.

$producedAt = $basicResponse->getProducedAt();
$ocspService->validateResponderCertificate($responderCert, $producedAt);
// Use the DefaultClock instance so that the date can be mocked in tests.
$now = DefaultClock::getInstance()->now();
$ocspService->validateResponderCertificate($responderCert, $now);
// 5. The time at which the status being indicated is known to be
// correct (thisUpdate) is sufficiently recent.
//
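Review bot: The new comment explains only how the time is obtained, not why the responder certificate is now checked against the current time instead of the response's producedAt, which is the substantive change in this hunk; a reader cannot tell whether a response signed by a responder certificate that was valid at producedAt but has since expired is meant to be rejected. Suggest extending it to state the intent, e.g. `// Check the responder certificate against the current time, not producedAt: a response whose signer has since expired or is not yet valid is rejected even if it was valid when produced. DefaultClock is used so the date can be mocked in tests.` The $producedAt value is still computed on the line above; if it is no longer read later in verifyOcspResponse (the method body continues beyond the hunk), that line should be dropped. Note that DefaultClock::getInstance() is global state read inside the validator, so any test that mocks it must restore it afterwards or the mocked date leaks across tests.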
4 changes: 2 additions & 2 deletions src/validator/ocsp/service/AiaOcspService.php
Expand Up @@ -63,9 +63,9 @@ public function getAccessLocation(): Uri
return $this->url;
}

public function validateResponderCertificate(X509 $cert, DateTime $producedAt): void
public function validateResponderCertificate(X509 $cert, DateTime $now): void
{
CertificateValidator::certificateIsValidOnDate($cert, $producedAt, "AIA OCSP responder");
CertificateValidator::certificateIsValidOnDate($cert, $now, "AIA OCSP responder");
// Trusted certificates' validity has been already verified in validateCertificateExpiry().
OcspResponseValidator::validateHasSigningExtension($cert);
CertificateValidator::validateIsSignedByTrustedCA($cert, $this->trustedCACertificates);
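Review bot: The parameter is renamed to `$now` in this implementation, but the OcspService interface that declares validateResponderCertificate is not among the four changed files, so its declaration presumably still names the parameter `$producedAt`; PHP tolerates the mismatch, but a caller using the named argument `producedAt:` against an AiaOcspService instance would now fail with an unknown-parameter error, and the interface's name misdescribes what is passed. Rename it in the interface declaration and its PHPDoc as well, e.g. `public function validateResponderCertificate(X509 $cert, DateTime $now): void;`. Since the value is only read, `DateTimeInterface` would be a safer parameter type than the mutable `DateTime`, though that is a wider interface change than this commit intends. The same applies to the DesignatedOcspService hunk below.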
4 changes: 2 additions & 2 deletions src/validator/ocsp/service/DesignatedOcspService.php
Expand Up @@ -59,13 +59,13 @@ public function supportsIssuerOf(X509 $certificate): bool
return $this->configuration->supportsIssuerOf($certificate);
}

public function validateResponderCertificate(X509 $cert, DateTime $producedAt): void
public function validateResponderCertificate(X509 $cert, DateTime $now): void
{
// Certificate pinning is implemented simply by comparing the certificates or their public keys,
// see https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning.
if ($this->configuration->getResponderCertificate()->getCurrentCert() != $cert->getCurrentCert()) {
throw new OCSPCertificateException("Responder certificate from the OCSP response is not equal to the configured designated OCSP responder certificate");
}
CertificateValidator::certificateIsValidOnDate($cert, $producedAt, "Designated OCSP responder");
CertificateValidator::certificateIsValidOnDate($cert, $now, "Designated OCSP responder");
}
}
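Review bot: The pinning check on the context line `if ($this->configuration->getResponderCertificate()->getCurrentCert() != $cert->getCurrentCert())` compares the parsed certificate structures (presumably arrays from phpseclib) with loose inequality, so numeric-looking strings inside them are compared numerically and nested objects by loose property comparison, which is weaker than the byte-for-byte comparison the OWASP reference in the comment above describes. Prefer strict comparison, `!==`, which is safe if both certificates are produced by the same loader so key order matches, or better compare the DER encoding of both certificates with `hash_equals()`. This is pre-existing code in the hunk rather than part of the rename, but the rename touches this method and it is the security-relevant check here.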
Expand Up @@ -30,6 +30,7 @@
use ReflectionProperty;
use web_eid\ocsp_php\OcspResponse;
use web_eid\ocsp_php\util\AsnUtil;
use web_eid\web_eid_authtoken_validation_php\exceptions\CertificateExpiredException;
use web_eid\web_eid_authtoken_validation_php\exceptions\UserCertificateOCSPCheckFailedException;
use web_eid\web_eid_authtoken_validation_php\testutil\Certificates;
use web_eid\web_eid_authtoken_validation_php\testutil\Dates;
Expand Down Expand Up @@ -232,8 +233,10 @@ public function request($url, $request): OcspResponse
$validator->validate($this->estEid2018Cert);
}

public function testWhenOcspResponseCaNotTrustedThenThrows(): void
public function testWhenOcspResponseCACertNotTrustedThenThrows(): void
{
Dates::setMockedCertificateValidatorDate(new DateTime('2021-09-18 00:16:25'));

$this->expectException(UserCertificateOCSPCheckFailedException::class);
$this->expectExceptionMessage("User certificate revocation check has failed: Exception: Certificate C=EE, O=AS Sertifitseerimiskeskus, OU=OCSP, CN=TEST of SK OCSP RESPONDER 2020/[email protected] is not trusted");

Expand All @@ -243,6 +246,19 @@ public function testWhenOcspResponseCaNotTrustedThenThrows(): void
$validator->validate($this->estEid2018Cert);
}

public function testWhenOcspResponseCACertExpiredThenThrows(): void
{
Dates::setMockedCertificateValidatorDate(new DateTime('2024-09-18 00:16:25'));

$this->expectException(UserCertificateOCSPCheckFailedException::class);
$this->expectExceptionMessage("User certificate revocation check has failed: Exception: AIA OCSP responder certificate has expired");

$validator = self::getSubjectCertificateNotRevokedValidatorWithAiaOcspUsingResponse(
pack("c*", ...self::getOcspResponseBytesFromResources("ocsp_response_unknown.der"))
);
$validator->validate($this->estEid2018Cert);
}

public function testWhenNonceDiffersThenThrows(): void
{
Dates::setMockedCertificateValidatorDate(new DateTime('2021-09-17 18:25:24.000'));
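Review bot: The new testWhenOcspResponseCACertExpiredThenThrows, and the mocked date added to testWhenOcspResponseCACertNotTrustedThenThrows, set the validator date through Dates::setMockedCertificateValidatorDate, which apparently writes to shared state (the validator reads DefaultClock::getInstance()); nothing in the hunk resets it, so unless the test class restores the clock in tearDown, the 2024-09-18 date leaks into any later test that does not set its own and may make it fail, or pass, for the wrong reason. Add a reset in tearDown or at the start of each affected test, using whatever counterpart the Dates helper offers for clearing the mock. The expired test also reuses ocsp_response_unknown.der and asserts only on the message substring 'AIA OCSP responder certificate has expired', which relies on the responder-certificate validity check running before the certificate-status check; a one-line comment would make that fixture choice deliberate, e.g. `// Responder certificate validity is checked before the status, so the 'unknown' status in this fixture is never reached.`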
