Allow id-card authentication when Extended Key Usage is not present in certificate

svenzik · mrts · commit 30c248764a99 · 2025-05-20T16:26:50.000+03:00
WE2-1027

Signed-off-by: Sven Mitt &lt;svenzik@users.noreply.github.com&gt;
diff --git a/src/WebEid.Security/Validator/CertValidators/SubjectCertificatePurposeValidator.cs b/src/WebEid.Security/Validator/CertValidators/SubjectCertificatePurposeValidator.cs
@@ -53,10 +53,21 @@ public Task Validate(X509Certificate2 subjectCertificate)
         {
             try
             {
+                var keyUsage = subjectCertificate.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
+                if (keyUsage == null)
+                {
+                    throw new UserCertificateMissingPurposeException();
+                }
+                if ((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) != X509KeyUsageFlags.DigitalSignature)
+                {
+                    throw new UserCertificateWrongPurposeException();
+                }
                 var usages = subjectCertificate.Extensions.OfType<X509EnhancedKeyUsageExtension>().ToArray();
                 if (!usages.Any())
                 {
-                    throw new UserCertificateMissingPurposeException();
+                    // Digital Signature extension present, but Extended Key Usage extension not present,
+                    // assume it is an authentication certificate (e.g. Luxembourg eID).
+                    return Task.CompletedTask;
                 }
 
                 if (usages.SelectMany(oid => oid.EnhancedKeyUsages.OfType<Oid>())

Original file line number	Diff line number	Diff line change
`@@ -53,10 +53,21 @@ public Task Validate(X509Certificate2 subjectCertificate)`
`53`	`53`	`{`
`54`	`54`	`try`
`55`	`55`	`{`
	`56`	`+ var keyUsage = subjectCertificate.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();`
	`57`	`+ if (keyUsage == null)`
	`58`	`+ {`
	`59`	`+ throw new UserCertificateMissingPurposeException();`
	`60`	`+ }`
	`61`	`+ if ((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) != X509KeyUsageFlags.DigitalSignature)`
	`62`	`+ {`
	`63`	`+ throw new UserCertificateWrongPurposeException();`
	`64`	`+ }`
`56`	`65`	`var usages = subjectCertificate.Extensions.OfType<X509EnhancedKeyUsageExtension>().ToArray();`
`57`	`66`	`if (!usages.Any())`
`58`	`67`	`{`
`59`		`- throw new UserCertificateMissingPurposeException();`
	`68`	`+ // Digital Signature extension present, but Extended Key Usage extension not present,`
	`69`	`+ // assume it is an authentication certificate (e.g. Luxembourg eID).`
	`70`	`+ return Task.CompletedTask;`
`60`	`71`	`}`
`61`	`72`
`62`	`73`	`if (usages.SelectMany(oid => oid.EnhancedKeyUsages.OfType<Oid>())`