Skip to content

Commit 522c280

Browse files
ArneHBArneHB
authored
Changes to Certificate Validation (#714)
* Changes to Certificate Validation - X509Chain is moved to be initated when certificate is being validated from the constructor of the class - X509ChainMock removed as X509Chain no longer can be mocked - Removed tests of X509Chain status as it no longer can be tested without a mock * Added link to migrate to rest in readme * Updated documentations and fixed tests
1 parent 469c7b6 commit 522c280

File tree

9 files changed

+42
-185
lines changed

9 files changed

+42
-185
lines changed

Directory.build.props

+1-1
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
<Project>
22
<PropertyGroup>
33
<LangVersion>10.0</LangVersion>
4-
<Version>5.2.0</Version>
4+
<Version>5.2.1</Version>
55
</PropertyGroup>
66
<PropertyGroup>
77
<Authors>Norsk Helsenett SF</Authors>

Documentation/MigrateFromSoapToRest.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
## Migrere fra 5.0 til 5.2
1+
## Migrere fra SOAP til REST i 5.2 og senere versjoner
22

33
Hovedendringer for 5.2 er nytt endepunkt for CPPA tjenesten. Det gamle endepunktet vil fortsatt fungere, men
44
støtten for SOAP-endepunktet vil fjernes i en fremtidig versjon. Derfor anbefaler vi at alle oppgraderer

Documentation/Registre.md

+3-3
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,12 @@
11
## Registre
22
For å kunne kommunisere riktig med en mottpart, så er vi avhengig av å vite en del om protokoller, sertifikater, og kønavn. All denne informasjonen ligger i adresseregisteret og CPA-registeret.
33

4-
Meldingsutvekslingen er ekstremt avhengig av adresseregisteret og CPA-registeret.
4+
Meldingsutvekslingen er avhengig av adresseregisteret og CPA-registeret.
55

66
### Registerintegrasjon
77

8-
Før man kan sette opp infrastrukturen for meldinger, så må man ha registerintegrasjonen på plass og HelseId klient.
9-
Denne koden bruker klasser fra andre Microsoft.Extensions.* pakkker.
8+
Før man kan sette opp infrastrukturen for meldinger, så må man ha registerintegrasjonen på plass og HelseId.
9+
Denne koden bruker klasser fra andre Microsoft.Extensions.* pakkker. Se også Helsenorge.Messaging.Client prosjektet for eksempler på hvordan det kan settes opp.
1010

1111
```cs
1212
var loggerFactory = new LoggerFactory();

readme.md

+1
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@ Dette biblioteket støtter oppunder basisbehovet for en kommunikasjonsløsning v
2121
12. [Biztalk](Documentation/Biztalk.md "Biztalk")
2222
13. [Migrere fra 3.0 til 4.0](Documentation/MigrateFrom3To4.md)
2323
14. [Migrere fra 4.0 til 5.0](Documentation/MigrateFrom4To5.md)
24+
14. [Migrere fra SOAP til REST for 5.2 og senere versjoner](Documentation/MigrateFromSoapToRest.md)
2425

2526

2627
## Contributing

src/Helsenorge.Registries/CertificateValidator.cs

+13-24
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,6 @@
99
using System;
1010
using System.Security.Cryptography.X509Certificates;
1111
using Helsenorge.Registries.Abstractions;
12-
using Helsenorge.Registries.Utilities;
1312
using Microsoft.Extensions.Logging;
1413

1514
namespace Helsenorge.Registries
@@ -21,7 +20,6 @@ public class CertificateValidator : ICertificateValidator
2120
{
2221
private readonly ILogger _logger;
2322
private readonly bool _useOnlineRevocationCheck;
24-
private readonly IX509Chain _chain;
2523

2624
/// <summary>
2725
/// CertificateValidator constructor
@@ -32,20 +30,6 @@ public CertificateValidator(ILogger logger, bool useOnlineRevocationCheck = true
3230
{
3331
_logger = logger;
3432
_useOnlineRevocationCheck = useOnlineRevocationCheck;
35-
_chain = new X509ChainWrapper();
36-
}
37-
38-
/// <summary>
39-
/// CertificateValidator constructor
40-
/// </summary>
41-
/// <param name="chain">You can set your own X509Chain.</param>
42-
/// <param name="logger">Default logger</param>
43-
/// <param name="useOnlineRevocationCheck">Should online certificate revocation list be used. Optional, default true.</param>
44-
internal CertificateValidator(IX509Chain chain, ILogger logger, bool useOnlineRevocationCheck = true)
45-
{
46-
_useOnlineRevocationCheck = useOnlineRevocationCheck;
47-
_chain = chain;
48-
_logger = logger;
4933
}
5034

5135
/// <summary>
@@ -73,17 +57,22 @@ public CertificateErrors Validate(X509Certificate2 certificate, X509KeyUsageFlag
7357
if (!certificate.HasKeyUsage(usage))
7458
result |= CertificateErrors.Usage;
7559

60+
var chain = new X509Chain
61+
{
62+
ChainPolicy =
63+
{
64+
RevocationMode = _useOnlineRevocationCheck ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
65+
RevocationFlag = X509RevocationFlag.EntireChain,
66+
UrlRetrievalTimeout = TimeSpan.FromSeconds(30),
67+
VerificationTime = DateTime.Now,
68+
}
69+
};
7670

77-
_chain.ChainPolicy.RevocationMode = _useOnlineRevocationCheck ? X509RevocationMode.Online : X509RevocationMode.NoCheck;
78-
_chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
79-
_chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(30);
80-
_chain.ChainPolicy.VerificationTime = DateTime.Now;
81-
82-
using (_chain)
71+
using (chain)
8372
{
84-
if (_chain.Build(certificate)) return result;
73+
if (chain.Build(certificate)) return result;
8574

86-
foreach (var status in _chain.ChainStatus)
75+
foreach (var status in chain.ChainStatus)
8776
{
8877
_logger.LogInformation("Certificate chain validation. " +
8978
$"Status Information: {status.StatusInformation} Status Flag: {status.Status}");

src/Helsenorge.Registries/Utilities/IX509Chain.cs

-12
This file was deleted.

src/Helsenorge.Registries/Utilities/X509ChainWrapper.cs

-28
This file was deleted.

test/Helsenorge.Registries.Tests/CertificateValidatorTests.cs

+23-82
Original file line numberDiff line numberDiff line change
@@ -6,9 +6,10 @@
66
* available at https://raw.githubusercontent.com/helsenorge/Helsenorge.Messaging/master/LICENSE
77
*/
88

9+
using System.Security.Cryptography;
10+
using System;
911
using System.Security.Cryptography.X509Certificates;
1012
using Helsenorge.Registries.Abstractions;
11-
using Helsenorge.Registries.Tests.Mocks;
1213
using Microsoft.Extensions.DependencyInjection;
1314
using Microsoft.Extensions.Logging;
1415
using Microsoft.VisualStudio.TestTools.UnitTesting;
@@ -34,41 +35,49 @@ public void Setup()
3435
[TestMethod]
3536
public void CertificateValidation_ArgumentNullException()
3637
{
37-
var validator = new CertificateValidator(new MockX509Chain(), _logger);
38+
var validator = new CertificateValidator(_logger);
3839
var error = validator.Validate(null, X509KeyUsageFlags.NonRepudiation);
3940
Assert.AreEqual(CertificateErrors.Missing, error);
4041
}
4142
[TestMethod]
4243
public void CertificateValidation_None()
4344
{
44-
var validator = new CertificateValidator(new MockX509Chain(), _logger);
45+
var validator = new CertificateValidator(_logger);
4546
var error = validator.Validate(TestCertificates.CounterpartyPublicSignature,
4647
X509KeyUsageFlags.NonRepudiation);
47-
Assert.AreEqual(CertificateErrors.None, error);
48+
// Added RevokedUnknown as build server add this error
49+
Assert.IsTrue(error == CertificateErrors.None
50+
|| error == CertificateErrors.RevokedUnknown);
4851
}
4952
[TestMethod]
5053
public void CertificateValidation_StartDate()
5154
{
52-
var validator = new CertificateValidator(new MockX509Chain(), _logger);
55+
var validator = new CertificateValidator(_logger);
5356
var error = validator.Validate(TestCertificates.CounterpartyPublicSignatureInvalidStart,
5457
X509KeyUsageFlags.NonRepudiation);
55-
Assert.AreEqual(CertificateErrors.StartDate, error);
58+
// Added RevokedUnknown as build server add this error
59+
Assert.IsTrue(error == CertificateErrors.StartDate
60+
|| error == (CertificateErrors.StartDate | CertificateErrors.RevokedUnknown));
5661
}
5762
[TestMethod]
5863
public void CertificateValidation_EndDate()
5964
{
60-
var validator = new CertificateValidator(new MockX509Chain(), _logger);
65+
var validator = new CertificateValidator(_logger);
6166
var error = validator.Validate(TestCertificates.CounterpartyPublicSignatureInvalidEnd,
6267
X509KeyUsageFlags.NonRepudiation);
63-
Assert.AreEqual(CertificateErrors.EndDate, error);
68+
// Added RevokedUnknown as build server add this error
69+
Assert.IsTrue(error == CertificateErrors.EndDate
70+
|| error == (CertificateErrors.EndDate | CertificateErrors.RevokedUnknown));
6471
}
6572
[TestMethod]
6673
public void CertificateValidation_Usage()
6774
{
68-
var validator = new CertificateValidator(new MockX509Chain(), _logger);
75+
var validator = new CertificateValidator(_logger);
6976
var error = validator.Validate(TestCertificates.CounterpartyPublicSignature,
7077
X509KeyUsageFlags.KeyEncipherment);
71-
Assert.AreEqual(CertificateErrors.Usage, error);
78+
// Added RevokedUnknown as build server add this error
79+
Assert.IsTrue(error == CertificateErrors.Usage
80+
|| error == (CertificateErrors.Usage | CertificateErrors.RevokedUnknown));
7281
}
7382
[TestMethod]
7483
public void X509Certificate2Extensions_KeyUsage()
@@ -80,80 +89,12 @@ public void X509Certificate2Extensions_KeyUsage()
8089
[TestMethod]
8190
public void CertificateValidation_Multiple()
8291
{
83-
var validator = new CertificateValidator(new MockX509Chain(), _logger);
92+
var validator = new CertificateValidator(_logger);
8493
var error = validator.Validate(TestCertificates.CounterpartyPublicSignatureInvalidStart,
8594
X509KeyUsageFlags.KeyEncipherment);
86-
Assert.AreEqual(CertificateErrors.StartDate | CertificateErrors.Usage, error);
87-
}
88-
89-
[TestMethod]
90-
public void CertificateValidation_RevokeOffline()
91-
{
92-
var usage = X509KeyUsageFlags.NonRepudiation;
93-
var testCertificate = TestCertificates.CounterpartyPublicSignature;
94-
95-
var mockChain = new MockX509Chain();
96-
mockChain.SetChainStatus(new[]
97-
{
98-
new X509ChainStatus
99-
{
100-
Status = X509ChainStatusFlags.OfflineRevocation,
101-
StatusInformation = "Offline revocation"
102-
}
103-
});
104-
var validator = new CertificateValidator(mockChain, _logger);
105-
var error = validator.Validate(testCertificate, usage);
106-
Assert.AreEqual(CertificateErrors.RevokedOffline, error);
107-
}
108-
109-
[TestMethod]
110-
public void CertificateValidation_RevokeMultiple()
111-
{
112-
var usage = X509KeyUsageFlags.NonRepudiation;
113-
var testCertificate = TestCertificates.CounterpartyPublicSignature;
114-
115-
var mockChain = new MockX509Chain();
116-
mockChain.SetChainStatus(new[]
117-
{
118-
new X509ChainStatus
119-
{
120-
Status = X509ChainStatusFlags.OfflineRevocation,
121-
StatusInformation = "Offline revocation"
122-
},
123-
new X509ChainStatus
124-
{
125-
Status = X509ChainStatusFlags.Revoked,
126-
StatusInformation = "Revoked"
127-
}
128-
});
129-
var validator = new CertificateValidator(mockChain, _logger);
130-
var error = validator.Validate(testCertificate, usage);
131-
Assert.AreEqual(CertificateErrors.RevokedOffline | CertificateErrors.Revoked, error);
132-
}
133-
134-
[TestMethod]
135-
public void CertificateValidation_ChainStatusOther()
136-
{
137-
var usage = X509KeyUsageFlags.NonRepudiation;
138-
var testCertificate = TestCertificates.CounterpartyPublicSignature;
139-
140-
var mockChain = new MockX509Chain();
141-
mockChain.SetChainStatus(new[]
142-
{
143-
new X509ChainStatus
144-
{
145-
Status = X509ChainStatusFlags.HasWeakSignature,
146-
StatusInformation = "Has weak signature"
147-
},
148-
new X509ChainStatus
149-
{
150-
Status = X509ChainStatusFlags.InvalidExtension,
151-
StatusInformation = "Invalid extension"
152-
}
153-
});
154-
var validator = new CertificateValidator(mockChain, _logger);
155-
var error = validator.Validate(testCertificate, usage);
156-
Assert.AreEqual(CertificateErrors.None, error);
95+
// Added RevokedUnknown as build server add this error
96+
Assert.IsTrue(error == (CertificateErrors.StartDate | CertificateErrors.Usage)
97+
|| error == (CertificateErrors.StartDate | CertificateErrors.Usage | CertificateErrors.RevokedUnknown));
15798
}
15899
}
159100
}

test/Helsenorge.Registries.Tests/Mocks/MockX509Chain.cs

-34
This file was deleted.

0 commit comments

Comments
 (0)