fix: remove duplicate ValidateHasSigningExtension() call from AiaOcspService, negate DoesSupportNonce condition to fix debug log in SubjectCertificateNotRevokedValidator

WE2-416

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

src/WebEid.Security/Validator/AuthTokenParser.cs

@@ -94,7 +94,7 @@ private static void ValidateTokenSignature(string authToken,
             X509Certificate certificate,
             TimeSpan allowedClockSkew)
         {
-            using (var certificate2 = new X509Certificate2(certificate))
+            try
             {
                 var certificate2 = new X509Certificate2(certificate);
                 // Don't dispose the key, see: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1433

src/WebEid.Security/Validator/Ocsp/Service/AiaOcspService.cs

@@ -32,7 +32,7 @@ public AiaOcspService(AiaOcspServiceConfiguration configuration,
         private Uri GetOcspAiaUrlFromCertificate(Org.BouncyCastle.X509.X509Certificate certificate)
         {
             if (certificate == null) { throw new ArgumentNullException(nameof(certificate)); }
-            
+
             return certificate.GetOcspUri() ??
                    throw new UserCertificateRevocationCheckFailedException(
                        "Getting the AIA OCSP responder field from the certificate failed");
@@ -43,7 +43,6 @@ public void ValidateResponderCertificate(Org.BouncyCastle.X509.X509Certificate r
             try
             {
                 responderCertificate.ValidateCertificateExpiry(producedAt, "AIA OCSP responder");
-                OcspResponseValidator.ValidateHasSigningExtension(responderCertificate);
                 // Trusted certificates validity has been already verified in ValidateCertificateExpiry().
                 OcspResponseValidator.ValidateHasSigningExtension(responderCertificate);
                 new X509Certificate2(DotNetUtilities.ToX509Certificate(responderCertificate))

src/WebEid.Security/Validator/Validators/AuthTokenValidatorDataExtensions.cs

@@ -9,30 +9,6 @@ namespace WebEid.Security.Validator.Validators
 
     internal static class AuthTokenValidatorDataExtensions
     {
-            using (var cert2 = new X509Certificate2(actualTokenData.SubjectCertificate))
-            {
-                // Use JJWT Clock interface so that the date can be mocked in tests.
-                if (cert2.NotAfter <= DateTime.Now)
-                {
-                    throw new UserCertificateExpiredException();
-                }
-                if (cert2.NotBefore > DateTime.Now)
-                {
-                    throw new UserCertificateNotYetValidException();
-                }
-            }
-                using (var cert2 = new X509Certificate2(actualTokenData.SubjectCertificate))
-                {
-                    var usages = cert2.Extensions.OfType<X509EnhancedKeyUsageExtension>().ToArray();
-                    if (!usages.Any())
-                    {
-                        throw new UserCertificateMissingPurposeException();
-                    }
-                    if (usages.SelectMany(oid => oid.EnhancedKeyUsages.OfType<Oid>())
-                        .All(oid => oid.Value != ExtendedKeyUsageClientAuthentication))
-                    {
-                        throw new UserCertificateWrongPurposeException();
-                    }
 
     }
 }

src/WebEid.Security/Validator/Validators/SubjectCertificateNotRevokedValidator.cs

@@ -45,7 +45,7 @@ public async Task Validate(AuthTokenValidatorData actualTokenData)
                 var certificate = DotNetUtilities.FromX509Certificate(actualTokenData.SubjectCertificate);
                 var ocspService = this.ocspServiceProvider.GetService(certificate);
 
-                if (ocspService.DoesSupportNonce)
+                if (!ocspService.DoesSupportNonce)
                 {
                     this.logger?.LogDebug("Disabling OCSP nonce extension");
                 }