Unrelated expired trusted CA certificate should not throw an exception (#45)

Unrelated expired certificate should not throw an exception

WE2-913

Signed-off-by: Mihkel Kivisild [email protected]

Author: rabadashTheFool

src/WebEid.Security.Tests/TestUtils/AuthTokenValidators.cs

@@ -57,6 +57,13 @@ public static IAuthTokenValidator GetAuthTokenValidatorWithWrongTrustedCa() =>
             GetAuthTokenValidator(TokenOriginUrl,
                 Certificates.CertificateLoader.LoadCertificatesFromResources("ESTEID2018.cer"));
 
+        public static IAuthTokenValidator GetAuthTokenValidatorWthJuly2024ExpiredUnrelatedTrustedCA() =>
+            GetAuthTokenValidatorBuilder(TokenOriginUrl,
+                Certificates.CertificateLoader
+                .LoadCertificatesFromResources("TEST_of_ESTEID2018.cer", "TEST_of_SK_OCSP_RESPONDER_2020.cer"))
+                .WithoutUserCertificateRevocationCheckWithOcsp()
+                .Build();
+
         public static IAuthTokenValidator GetAuthTokenValidatorWithDisallowedEsteidPolicy() =>
             GetAuthTokenValidatorBuilder(TokenOriginUrl, GetCaCertificates())
                 .WithDisallowedCertificatePolicies(EstIdemiaPolicy)

src/WebEid.Security.Tests/Validator/AuthTokenCertificateTest.cs

@@ -1,4 +1,4 @@
-/*
+/*
  * Copyright © 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -45,6 +45,11 @@ public class AuthTokenCertificateTest : AbstractTestWithValidator
         private const string ExpiredEcdsaCert = "MIIF0TCCA7mgAwIBAgIQMBVFXroEt3hZ8FHcKKE65TANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEXMBUGA1UEYQwOTlRSRUUtMTA3NDcwMTMxFzAVBgNVBAMMDkVTVEVJRC1TSyAyMDE1MB4XDTE3MTAyNTA4NTcwMFoXDTIxMDIxMDIxNTk1OVowgYsxCzAJBgNVBAYTAkVFMQ8wDQYDVQQKDAZFU1RFSUQxFzAVBgNVBAsMDmF1dGhlbnRpY2F0aW9uMR4wHAYDVQQDDBVUT09NLE1BUlQsMzc2MDIwNDAzMzQxDTALBgNVBAQMBFRPT00xDTALBgNVBCoMBE1BUlQxFDASBgNVBAUTCzM3NjAyMDQwMzM0MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAExS1YQQBDLVvOi0a2GA5Y34AXODpx0AL8eKDOB7BjwBc/FAyVExhfb6O+lT5Tnaec3GnT4JNRyeV8d82L8cyOgFn4PWc+5cjFdmcZjJbtCvgyBOQQ831tteIDL2XSrvZEo4ICBDCCAgAwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCA4gwUwYDVR0gBEwwSjA+BgkrBgEEAc4fAQEwMTAvBggrBgEFBQcCARYjaHR0cHM6Ly93d3cuc2suZWUvcmVwb3NpdG9vcml1bS9DUFMwCAYGBACPegECMB8GA1UdEQQYMBaBFG1hcnQudG9vbS4zQGVlc3RpLmVlMB0GA1UdDgQWBBSzneoLqtqbvHvJ19cjhp2XR5ovQTAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwHwYDVR0jBBgwFoAUs6uIvJnVYqSFKgjNtB1yO4NyR1EwYQYIKwYBBQUHAQMEVTBTMFEGBgQAjkYBBTBHMEUWP2h0dHBzOi8vc2suZWUvZW4vcmVwb3NpdG9yeS9jb25kaXRpb25zLWZvci11c2Utb2YtY2VydGlmaWNhdGVzLxMCRU4wagYIKwYBBQUHAQEEXjBcMCcGCCsGAQUFBzABhhtodHRwOi8vYWlhLnNrLmVlL2VzdGVpZDIwMTUwMQYIKwYBBQUHMAKGJWh0dHA6Ly9jLnNrLmVlL0VTVEVJRC1TS18yMDE1LmRlci5jcnQwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL3d3dy5zay5lZS9jcmxzL2VzdGVpZC9lc3RlaWQyMDE1LmNybDANBgkqhkiG9w0BAQsFAAOCAgEAOXTvktUXqPgaK/uxzgH0xSEYClBAWIQaNgpqY5lwsQtgQnpfKlsADqMZxCp7UuuMvQmpDbBxv1kIr0oG1uUXrUtPw81XOH1ClwPPXWpg9VRTAetNbHTBbHDyzuXQMNeDmrntChs+BteletejGD+aYG39HGMlrMbGQZOgvQrpYHMDek0ckCPEsZRXqUP0g7Ie7uBQhz5At7l4EDAeOW8xGoI6t+Ke4GedccXKef60w2ZIIDzvOFHPTc6POCsIlFtF/nCKwVi7GoQKjbUbM5OdBLZ0jyLq2LvzZuT86Jo8wObziuSzApGlBexHAqLrR83q+/Xl61yPnFf3w2kAfS9kBjeunzTH7Jm3pNT3Zq9JRLvEDqtpOPqr4zm9nG6OSghFU6tySkpQ5HiakGpMcnt5o5KuXhQ+Dg317tdXPyQkSiuJ9NfEBW0ijrwO12SVRzYo/jRl4ZQUkAEEUSMEsC6gTsZypPdIsLDVoQWTytHDU89s1xJDn4HulPl12dFnrhlLeX4RxOjDxppZxdjBU0FoJoDB0qwEAN2TMAPJWh+Pp9mFuS/u0dht9sKvAkpx+o0Z7v7QMz03XlzCHOLTIK+f81Rjokl8f+wiog5Ojj0wZkDe6DuQC9L5uDey3PJHv3naVovhs7jrEJu+yrsLue/OHhAgWRh2S75/wlVPHPEE44k=";
         private const string RevokedCert = "MIIERDCCA6agAwIBAgIQSs8/WoDixVxbKRhNnF/GEzAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTE4MDYxOTE0NTA1M1oXDTIwMDEwMjIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAR/jopNG3KL0ZQUvO4OGSvcaqUtFDm3azOtsM2VRp666r0d36Zh0Zx/xej8f+SzEfWvvDT1HQLo3USiSbYn1FyNHTNxifV+Zvf6StXJAkdu24d1UvKbf+LylglO/yS7o4ijggIEMIICADAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5F/AQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFEQA6/1GXJtp+6czUzorhEJ7B95pMGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezB/BggrBgEFBQcBAQRzMHEwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MEEGCCsGAQUFBzAChjVodHRwczovL3NrLmVlL3VwbG9hZC9maWxlcy9URVNUX29mX0VTVEVJRDIwMTguZGVyLmNydDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vYy5zay5lZS90ZXN0X2VzdGVpZDIwMTguY3JsMAoGCCqGSM49BAMEA4GLADCBhwJBcmcfLC+HcSJ6BuRrDGL+K+7BAW8BfAiiWWAuBV4ebLkbbAWmkc9dSKgr4BEGEt90xDTQ85yW4SjGulFXu9C3yQsCQgETaXTs3Hp6vDAcQYL8Bx4BO3DwJbDuD4BUJyT0+9HQiFCQmTQ4xrNjeaeOwRWyMOM9z5ORMeJCiQUyil1x4YPIbg==";
 
+        private const string ValidUntil2026TokenStr = "{\"algorithm\":\"ES384\"," +
+        "\"unverifiedCertificate\":\"MIIEBDCCA2WgAwIBAgIQY5OGshxoPMFg+Wfc0gFEaTAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTIxMDcyMjEyNDMwOFoXDTI2MDcwOTIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQmwEKsJTjaMHSaZj19hb9EJaJlwbKc5VFzmlGMFSJVk4dDy+eUxa5KOA7tWXqzcmhh5SYdv+MxcaQKlKWLMa36pfgv20FpEDb03GCtLqjLTRZ7649PugAQ5EmAqIic29CjggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFPlp/ceABC52itoqppEmbf71TJz6MGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBjAAwgYgCQgDCAgybz0u3W+tGI+AX+PiI5CrE9ptEHO5eezR1Jo4j7iGaO0i39xTGUB+NSC7P6AQbyE/ywqJjA1a62jTLcS9GHAJCARxN4NO4eVdWU3zVohCXm8WN3DWA7XUcn9TZiLGQ29P4xfQZOXJi/z4PNRRsR4plvSNB3dfyBvZn31HhC7my8woi\"," +
+        "\"appVersion\":\"https://web-eid.eu/web-eid-app/releases/2.5.0+0\"," +
+        "\"signature\":\"0Ov7ME6pTY1K2GXMj8Wxov/o2fGIMEds8OMY5dKdkB0nrqQX7fG1E5mnsbvyHpMDecMUH6Yg+p1HXdgB/lLqOcFZjt/OVXPjAAApC5d1YgRYATDcxsR1zqQwiNcHdmWn\"," +
+        "\"format\":\"web-eid:1.0\"}";
 
         [Test]
         public void WhenCertificateFieldIsMissingThenParsingFailsAsync()
@@ -164,30 +169,46 @@ public void WhenUserCertificateIsNotYetValidThenValidationFailsAsync()
         }
 
         [Test]
-        public void WhenTrustedCACertificateIsNotYetValidThenValidationFailsAsync()
+        public void WhenTrustedCACertificateIsNotYetValidThenUserCertValidationFailsAsync()
         {
             using var _ = DateTimeProvider.OverrideUtcNow(new DateTime(2018, 8, 17));
-            Assert.ThrowsAsync<CertificateNotYetValidException>(() => this.Validator.Validate(this.ValidAuthToken, ValidChallengeNonce))
-                .WithMessage("Trusted CA certificate is not yet valid");
+            Assert.ThrowsAsync<CertificateNotYetValidException>(() => this.Validator
+                .Validate(this.ValidAuthToken, ValidChallengeNonce))
+                .WithMessage("User certificate is not yet valid");
         }
 
         [Test]
         public void WhenUserCertificateIsNoLongerValidThenValidationFailsAsync()
         {
-            using var _ = DateTimeProvider.OverrideUtcNow(new DateTime(2024, 10, 17));
+            using var _ = DateTimeProvider.OverrideUtcNow(new DateTime(2026, 10, 19));
             Assert.ThrowsAsync<CertificateExpiredException>(() => this.Validator.Validate(this.ValidAuthToken, ValidChallengeNonce))
                 .WithMessage("User certificate has expired");
         }
 
+        // In this case both CA and user certificate have expired, we expect the user certificate to be checked first.
         [Test]
-        public void WhenTrustedCACertificateIsNoLongerValidThenValidationFailsAsync()
+        public void WhenTrustedCACertificateIsNoLongerValidThenUserCertValidationFailsAsync()
         {
-            using var _ = DateTimeProvider.OverrideUtcNow(new DateTime(2033, 10, 17));
-            Assert.ThrowsAsync<CertificateExpiredException>(() => this.Validator.Validate(this.ValidAuthToken, ValidChallengeNonce))
-                .WithMessage("Trusted CA certificate has expired");
+            using var _ = DateTimeProvider.OverrideUtcNow(new DateTime(2033, 10, 19));
+            Assert.ThrowsAsync<CertificateExpiredException>(() => this.Validator
+                .Validate(this.ValidAuthToken, ValidChallengeNonce))
+                .WithMessage("User certificate has expired");
+        }
+
+        // The certificate validation process must only check the expiration of the CA certificate that is directly part of
+        // the user's certificate chain. Expired but unrelated CA certificates must not cause exceptions.
+        [Test]
+        public void WhenUnrelatedCACertificateIsExpiredThenValidationSucceeds()
+        {
+            using var _ = DateTimeProvider.OverrideUtcNow(new DateTime(2024, 7, 1));
+            var authToken = this.Validator.Parse(ValidUntil2026TokenStr);
+            var validatorWithExpiredUnrelatedTrustedCA = AuthTokenValidators.GetAuthTokenValidatorWthJuly2024ExpiredUnrelatedTrustedCA();
+
+            Assert.DoesNotThrowAsync(() => validatorWithExpiredUnrelatedTrustedCA.Validate(authToken, ValidChallengeNonce));
         }
 
         [Test]
+        [Ignore("A new designated test OCSP responder certificate was issued whose validity period no longer overlaps with the revoked certificate")]
         public void WhenCertificateIsRevokedThenOcspCheckFailsAsync()
         {
             var authTokenValidator = AuthTokenValidators.GetAuthTokenValidatorWithOcspCheck();

src/WebEid.Security.Tests/Validator/Validators/SubjectCertificateNotRevokedValidatorTests.cs

@@ -46,7 +46,6 @@ public sealed class SubjectCertificateNotRevokedValidatorTests : IDisposable
         private X509Certificate2 esteid2018Cert;
 
         private AuthTokenValidationConfiguration configuration;
-        private DateTimeProvider dateTimeProvider;
 
         public SubjectCertificateNotRevokedValidatorTests() => this.ocspClient = new OcspClient(TimeSpan.FromSeconds(5));
 
@@ -99,12 +98,12 @@ public void WhenOcspUrlIsInvalidThenThrows()
         public void WhenOcspRequestFailsThenThrows()
         {
             var ocspServiceProvider =
-                OcspServiceMaker.GetDesignatedOcspServiceProvider("https://web-eid-test.free.beeceptor.com");
+                OcspServiceMaker.GetDesignatedOcspServiceProvider("http://demo.sk.ee/ocsps");
             var validator = GetSubjectCertificateNotRevokedValidatior(ocspServiceProvider);
             Assert.ThrowsAsync<UserCertificateOcspCheckFailedException>(() =>
                     validator.Validate(this.esteid2018Cert))
                 .InnerException
-                .HasMessageStartingWith("OCSP request was not successful, response:");
+                .HasMessageStartingWith("OCSP request was not successful, response: StatusCode: 404");
         }
 
         [Test]
@@ -198,7 +197,7 @@ public void WhenOcspResponseHas2ResponderCertsThenThrows()
         [Test]
         public void WhenOcspResponseRevokedThenThrows()
         {
-            this.dateTimeProvider = DateTimeProvider.OverrideUtcNow(new DateTime(2021, 9, 18));
+            using var _ = DateTimeProvider.OverrideUtcNow(new DateTime(2021, 9, 18));
             var validator = this.GetSubjectCertificateNotRevokedValidatorWithAiaOcsp(
                     new OcspClientMock(Certificates.ResourceReader.ReadFromResource("ocsp_response_revoked.der")));
             Assert.ThrowsAsync<UserCertificateOcspCheckFailedException>(() =>
@@ -228,6 +227,7 @@ public void WhenOcspResponseUnknownThenThrows()
         [Test]
         public void WhenOcspResponseCaNotTrustedThenThrows()
         {
+            using var _ = DateTimeProvider.OverrideUtcNow(new DateTime(2021, 3, 1));
             var validator = this.GetSubjectCertificateNotRevokedValidatorWithAiaOcsp(
                 new OcspClientMock(Certificates.ResourceReader.ReadFromResource("ocsp_response_unknown.der")));
             var ex = Assert.ThrowsAsync<UserCertificateOcspCheckFailedException>(() =>

src/WebEid.Security/Util/DateTimeProvider.cs

@@ -1,4 +1,4 @@
-/*
+/*
  * Copyright © 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -29,7 +29,6 @@ namespace WebEid.Security.Util
     /// </summary>
     public sealed class DateTimeProvider : IDisposable
     {
-        [ThreadStatic]
         private static DateTime? overridenUtcNow;
 
         /// <summary>

src/WebEid.Security/Util/X509CertificateExtensions.cs

@@ -67,8 +67,10 @@ public static void ValidateCertificateExpiry(this Org.BouncyCastle.X509.X509Cert
             }
         }
 
-        public static X509Certificate2 ValidateIsSignedByTrustedCa(this X509Certificate2 certificate, ICollection<X509Certificate2> trustedCaCertificates)
+        public static X509Certificate2 ValidateIsValidAndSignedByTrustedCa(this X509Certificate2 certificate, ICollection<X509Certificate2> trustedCaCertificates)
         {
+            ValidateCertificateExpiry(certificate, DateTimeProvider.UtcNow, "User");
+
             var chain = new X509Chain
             {
                 ChainPolicy =
@@ -80,6 +82,7 @@ public static X509Certificate2 ValidateIsSignedByTrustedCa(this X509Certificate2
                     UrlRetrievalTimeout = TimeSpan.Zero
                 }
             };
+
             foreach (var cert in trustedCaCertificates)
             {
                 chain.ChainPolicy.ExtraStore.Add(cert);
@@ -110,6 +113,8 @@ public static X509Certificate2 ValidateIsSignedByTrustedCa(this X509Certificate2
                 {
                     throw new CertificateNotTrustedException(certificate);
                 }
+                // Verify that the trusted CA cert is presently valid before returning the result.
+                ValidateCertificateExpiry(chainElement.Certificate, DateTimeProvider.UtcNow, "Trusted CA");
 
                 return chainElement.Certificate;
             }

src/WebEid.Security/Validator/AuthTokenValidator.cs

@@ -55,7 +55,6 @@ public AuthTokenValidator(AuthTokenValidationConfiguration configuration, ILogge
             this.authTokenSignatureValidator = new AuthTokenSignatureValidator(configuration.SiteOrigin);
 
             this.simpleSubjectCertificateValidators = SubjectCertificateValidatorBatch.CreateFrom(
-                new SubjectCertificateExpiryValidator(configuration.TrustedCaCertificates, this.logger),
                 new SubjectCertificatePurposeValidator(this.logger),
                 new SubjectCertificatePolicyValidator(configuration.DisallowedSubjectCertificatePolicies
                     .Select(policy => new Oid(policy))

src/WebEid.Security/Validator/CertValidators/SubjectCertificateExpiryValidator.cs

@@ -1,4 +1,4 @@
-/*
+/*
  * Copyright © 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -26,6 +26,7 @@ namespace WebEid.Security.Validator.CertValidators
     using System.Threading.Tasks;
     using Microsoft.Extensions.Logging;
     using Util;
+    using WebEid.Security.Exceptions;
 
     internal sealed class SubjectCertificateTrustedValidator : ISubjectCertificateValidator
     {
@@ -39,14 +40,18 @@ public SubjectCertificateTrustedValidator(ICollection<X509Certificate2> trustedC
         }
 
         /// <summary>
-        /// Validates that the user certificate from the authentication token is signed by a trusted certificate authority.
+        /// Checks that the user certificate from the authentication token is valid and signed by
+        /// a trusted certificate authority. Also checks the validity of the user certificate's
+        /// trusted CA certificate.
         /// </summary>
-        /// <param name="subjectCertificate">the user certificate.</param>
-        /// <exception cref="UserCertificateNotTrustedException">when user certificate is not signed by a trusted CA or is valid after CA certificate.</exception>
+        /// <param name="subjectCertificate">the user certificate to be validated</param>
+        /// <exception cref="CertificateNotTrustedException">when user certificate is not signed by a trusted CA</exception>
+        /// <exception cref="CertificateNotYetValidException">when a CA certificate in the chain or the user certificate is not yet valid</exception>
+        /// <exception cref="CertificateExpiredException">when a CA certificate in the chain or the user certificate is expired</exception>
         public Task Validate(X509Certificate2 subjectCertificate)
         {
-            this.SubjectCertificateIssuerCertificate = subjectCertificate.ValidateIsSignedByTrustedCa(this.trustedCaCertificates);
-            this.logger?.LogDebug("Subject certificate is signed by a trusted CA");
+            this.SubjectCertificateIssuerCertificate = subjectCertificate.ValidateIsValidAndSignedByTrustedCa(this.trustedCaCertificates);
+            this.logger?.LogDebug("Subject certificate is valid and signed by a trusted CA");
 
             return Task.CompletedTask;
         }