Use system time in OcspService.validateResponderCertificate()

Mihkel Kivisild · mrts · commit 7e76f09470f4 · 2024-07-25T15:16:03.000+03:00
WE2-868

Signed-off-by: Mihkel Kivisild mihkel.kivisild@cgi.com
diff --git a/src/WebEid.Security.Tests/Validator/Validators/SubjectCertificateNotRevokedValidatorTests.cs b/src/WebEid.Security.Tests/Validator/Validators/SubjectCertificateNotRevokedValidatorTests.cs
@@ -225,7 +225,7 @@ public void WhenOcspResponseUnknownThenThrows()
         }
 
         [Test]
-        public void WhenOcspResponseCaNotTrustedThenThrows()
+        public void WhenOcspResponseCaCertNotTrustedThenThrows()
         {
             using var _ = DateTimeProvider.OverrideUtcNow(new DateTime(2021, 3, 1));
             var validator = this.GetSubjectCertificateNotRevokedValidatorWithAiaOcsp(
@@ -239,6 +239,17 @@ public void WhenOcspResponseCaNotTrustedThenThrows()
                     ));
         }
 
+        [Test]
+        public void WhenOcspResponseCACertExpiredThenThrows()
+        {
+            var validator = this.GetSubjectCertificateNotRevokedValidatorWithAiaOcsp(
+                new OcspClientMock(Certificates.ResourceReader.ReadFromResource("ocsp_response_unknown.der")));
+            var ex = Assert.ThrowsAsync<UserCertificateOcspCheckFailedException>(() =>
+                    validator.Validate(this.esteid2018Cert));
+            Assert.That(ex.InnerException, Is.TypeOf<CertificateExpiredException>());
+            Assert.That(ex.InnerException.Message,
+                Does.StartWith("AIA OCSP responder certificate has expired"));
+        }
 
         private static byte[] BuildOcspResponseBodyWithInternalErrorStatus()
         {
diff --git a/src/WebEid.Security/Validator/CertValidators/SubjectCertificateNotRevokedValidator.cs b/src/WebEid.Security/Validator/CertValidators/SubjectCertificateNotRevokedValidator.cs
@@ -33,6 +33,7 @@ namespace WebEid.Security.Validator.CertValidators
     using Org.BouncyCastle.Asn1.Ocsp;
     using Org.BouncyCastle.Ocsp;
     using Org.BouncyCastle.Security;
+    using WebEid.Security.Util;
 
     internal sealed class SubjectCertificateNotRevokedValidator : ISubjectCertificateValidator
     {
@@ -154,8 +155,7 @@ private void VerifyOcspResponse(BasicOcspResp basicResponse,
             //   4. The signer is currently authorized to provide a response for the
             //      certificate in question.
 
-            var producedAt = basicResponse.ProducedAt;
-            ocspService.ValidateResponderCertificate(responderCert, producedAt);
+            ocspService.ValidateResponderCertificate(responderCert, DateTimeProvider.UtcNow);
 
             //   5. The time at which the status being indicated is known to be
             //      correct (thisUpdate) is sufficiently recent.
diff --git a/src/WebEid.Security/Validator/Ocsp/Service/AiaOcspService.cs b/src/WebEid.Security/Validator/Ocsp/Service/AiaOcspService.cs
@@ -1,4 +1,4 @@
-﻿/*
+/*
  * Copyright © 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -60,17 +60,17 @@ private Uri GetOcspAiaUrlFromCertificate(Org.BouncyCastle.X509.X509Certificate c
                                                                      "from the certificate failed");
         }
 
-        public void ValidateResponderCertificate(Org.BouncyCastle.X509.X509Certificate responderCertificate, DateTime producedAt)
+        public void ValidateResponderCertificate(Org.BouncyCastle.X509.X509Certificate responderCertificate, DateTime now)
         {
             try
             {
-                responderCertificate.ValidateCertificateExpiry(producedAt, "AIA OCSP responder");
+                responderCertificate.ValidateCertificateExpiry(now, "AIA OCSP responder");
                 // Trusted certificates validity has been already verified in ValidateCertificateExpiry().
                 OcspResponseValidator.ValidateHasSigningExtension(responderCertificate);
                 _ = new X509Certificate2(DotNetUtilities.ToX509Certificate(responderCertificate))
                     .ValidateIsValidAndSignedByTrustedCa(this.trustedCaCertificates);
             }
-            catch (Exception ex) when (!(ex is CertificateNotTrustedException))
+            catch (Exception ex) when (!(ex is CertificateNotTrustedException) && !(ex is CertificateExpiredException))
             {
                 throw new OcspCertificateException("Invalid certificate", ex);
             }
diff --git a/src/WebEid.Security/Validator/Ocsp/Service/DesignatedOcspService.cs b/src/WebEid.Security/Validator/Ocsp/Service/DesignatedOcspService.cs
@@ -1,4 +1,4 @@
-﻿/*
+/*
  * Copyright © 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -44,7 +44,7 @@ public DesignatedOcspService(DesignatedOcspServiceConfiguration configuration)
 
         public bool SupportsIssuerOf(X509Certificate certificate) => this.configuration.SupportsIssuerOf(certificate);
 
-        public void ValidateResponderCertificate(X509Certificate responderCertificate, DateTime producedAt)
+        public void ValidateResponderCertificate(X509Certificate responderCertificate, DateTime now)
         {
             // Certificate pinning is implemented simply by comparing the certificates or their public keys,
             // see https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning.
@@ -53,7 +53,7 @@ public void ValidateResponderCertificate(X509Certificate responderCertificate, D
                 throw new OcspCertificateException(
                     "Responder certificate from the OCSP response is not equal to the configured designated OCSP responder certificate");
             }
-            responderCertificate.ValidateCertificateExpiry(producedAt, "Designated OCSP responder");
+            responderCertificate.ValidateCertificateExpiry(now, "Designated OCSP responder");
         }
     }
 }
diff --git a/src/WebEid.Security/Validator/Ocsp/Service/IOcspService.cs b/src/WebEid.Security/Validator/Ocsp/Service/IOcspService.cs
@@ -1,4 +1,4 @@
-﻿/*
+/*
  * Copyright © 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -27,6 +27,7 @@ public interface IOcspService
     {
         bool DoesSupportNonce { get; }
         Uri AccessLocation { get; }
-        void ValidateResponderCertificate(Org.BouncyCastle.X509.X509Certificate responderCertificate, DateTime producedAt);
+
+        void ValidateResponderCertificate(Org.BouncyCastle.X509.X509Certificate responderCertificate, DateTime now);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -225,7 +225,7 @@ public void WhenOcspResponseUnknownThenThrows()`
`225`	`225`	`}`
`226`	`226`
`227`	`227`	`[Test]`
`228`		`- public void WhenOcspResponseCaNotTrustedThenThrows()`
	`228`	`+ public void WhenOcspResponseCaCertNotTrustedThenThrows()`
`229`	`229`	`{`
`230`	`230`	`using var _ = DateTimeProvider.OverrideUtcNow(new DateTime(2021, 3, 1));`
`231`	`231`	`var validator = this.GetSubjectCertificateNotRevokedValidatorWithAiaOcsp(`
`@@ -239,6 +239,17 @@ public void WhenOcspResponseCaNotTrustedThenThrows()`
`239`	`239`	`));`
`240`	`240`	`}`
`241`	`241`
	`242`	`+ [Test]`
	`243`	`+ public void WhenOcspResponseCACertExpiredThenThrows()`
	`244`	`+ {`
	`245`	`+ var validator = this.GetSubjectCertificateNotRevokedValidatorWithAiaOcsp(`
	`246`	`+ new OcspClientMock(Certificates.ResourceReader.ReadFromResource("ocsp_response_unknown.der")));`
	`247`	`+ var ex = Assert.ThrowsAsync<UserCertificateOcspCheckFailedException>(() =>`
	`248`	`+ validator.Validate(this.esteid2018Cert));`
	`249`	`+ Assert.That(ex.InnerException, Is.TypeOf<CertificateExpiredException>());`
	`250`	`+ Assert.That(ex.InnerException.Message,`
	`251`	`+ Does.StartWith("AIA OCSP responder certificate has expired"));`
	`252`	`+ }`
`242`	`253`
`243`	`254`	`private static byte[] BuildOcspResponseBodyWithInternalErrorStatus()`
`244`	`255`	`{`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-/*`
	`1`	`+/*`
`2`	`2`	`* Copyright © 2020-2024 Estonian Information System Authority`
`3`	`3`	`*`
`4`	`4`	`* Permission is hereby granted, free of charge, to any person obtaining a copy`
`@@ -60,17 +60,17 @@ private Uri GetOcspAiaUrlFromCertificate(Org.BouncyCastle.X509.X509Certificate c`
`60`	`60`	`"from the certificate failed");`
`61`	`61`	`}`
`62`	`62`
`63`		`- public void ValidateResponderCertificate(Org.BouncyCastle.X509.X509Certificate responderCertificate, DateTime producedAt)`
	`63`	`+ public void ValidateResponderCertificate(Org.BouncyCastle.X509.X509Certificate responderCertificate, DateTime now)`
`64`	`64`	`{`
`65`	`65`	`try`
`66`	`66`	`{`
`67`		`- responderCertificate.ValidateCertificateExpiry(producedAt, "AIA OCSP responder");`
	`67`	`+ responderCertificate.ValidateCertificateExpiry(now, "AIA OCSP responder");`
`68`	`68`	`// Trusted certificates validity has been already verified in ValidateCertificateExpiry().`
`69`	`69`	`OcspResponseValidator.ValidateHasSigningExtension(responderCertificate);`
`70`	`70`	`_ = new X509Certificate2(DotNetUtilities.ToX509Certificate(responderCertificate))`
`71`	`71`	`.ValidateIsValidAndSignedByTrustedCa(this.trustedCaCertificates);`
`72`	`72`	`}`
`73`		`- catch (Exception ex) when (!(ex is CertificateNotTrustedException))`
	`73`	`+ catch (Exception ex) when (!(ex is CertificateNotTrustedException) && !(ex is CertificateExpiredException))`
`74`	`74`	`{`
`75`	`75`	`throw new OcspCertificateException("Invalid certificate", ex);`
`76`	`76`	`}`