WE2-687 Replaced OCSP dependency

WE2-687 Implemented SubjectCertificateNotRevokedValidator and added unit tests
WE2-687 Updated OcspClient, OcspRequestBuilder, OcspResponseValidator and OcspServiceProvider
WE2-687 Added OcspResponseValidator unit tests

Author: Guido Gröön

.gitattributes

@@ -0,0 +1,5 @@
+# Ignore all test and documentation with "export-ignore".
+/.gitattributes              export-ignore
+/.gitignore                  export-ignore
+/phpunit.xml.dist            export-ignore
+/tests                       export-ignore

.gitignore

@@ -2,4 +2,6 @@ vendor
 composer.lock
 .DS_Store
 .phpunit.result.cache
-web-eid-authtoken-validation-php.log
+web-eid-authtoken-validation-php.log
+build
+phpunit.xml

composer.json

@@ -28,8 +28,15 @@
             "web_eid\\web_eid_authtoken_validation_php\\": ["tests"]
         }
     },
+    "repositories": [
+        {
+            "type": "vcs",
+            "url": "https://github.com/web-eid/ocsp-php.git"
+        }
+    ],
     "require": {
         "lyquidity/requester": "^1.0",
-        "phpseclib/phpseclib": "3.0.14"
+        "phpseclib/phpseclib": "3.0.14",
+        "web_eid/ocsp_php": "dev-main"
     }
 }

phpunit.xml phpunit.xml.distphpunit.xml renamed to phpunit.xml.dist

@@ -4,6 +4,11 @@
 		<include>
 			<directory suffix=".php">src/</directory>
 		</include>
+		<report>
+			<clover outputFile="build/logs/clover.xml" />
+			<html outputDirectory="build/coverage" />
+			<text outputFile="build/coverage.txt" />
+		</report>		
 	</coverage>
 	<testsuites>
 		<testsuite name="Web-eID PHP Test Suite">

src/util/DateAndTime.php

@@ -67,6 +67,14 @@ public static function requirePositiveDuration(int $duration, string $fieldName)
         }
     }
 
+    public static function toUtcString(?DateTime $date): string
+    {
+        if (is_null($date)) {
+            return 'null';
+        }
+        return ((clone $date)->setTimezone(new DateTimeZone('UTC')))->format('Y-m-d H:i:s e');
+    }
+
 }
 
 final class DefaultClock

src/validator/certvalidators/SubjectCertificateNotRevokedValidator.php

@@ -24,17 +24,19 @@
 
 namespace web_eid\web_eid_authtoken_validation_php\validator\certvalidators;
 
-use lyquidity\OCSP\CertificateInfo;
-use lyquidity\OCSP\CertificateLoader;
-use lyquidity\OCSP\Response;
 use phpseclib3\File\X509;
 use web_eid\web_eid_authtoken_validation_php\util\Log;
 use web_eid\web_eid_authtoken_validation_php\validator\ocsp\OcspClient;
 use web_eid\web_eid_authtoken_validation_php\validator\ocsp\OcspServiceProvider;
 use web_eid\web_eid_authtoken_validation_php\validator\ocsp\OcspRequestBuilder;
 use web_eid\web_eid_authtoken_validation_php\validator\ocsp\OcspResponseValidator;
 use Throwable;
+use web_eid\ocsp_php\Ocsp;
+use web_eid\ocsp_php\OcspBasicResponse;
+use web_eid\ocsp_php\OcspRequest;
+use web_eid\ocsp_php\OcspResponse;
 use web_eid\web_eid_authtoken_validation_php\exceptions\UserCertificateOCSPCheckFailedException;
+use web_eid\web_eid_authtoken_validation_php\validator\ocsp\service\OcspService;
 
 final class SubjectCertificateNotRevokedValidator implements SubjectCertificateValidator
 {
@@ -62,45 +64,100 @@ public function validate(X509 $subjectCertificate): void
                 $this->logger->debug("Disabling OCSP nonce extension");
             }
 
-            $certificateLoader = new CertificateLoader();
+            $certificateId = (new Ocsp())->generateCertificateId($subjectCertificate, $this->trustValidator->getSubjectCertificateIssuerCertificate());
+            $request = (new OcspRequestBuilder())->withCertificateId($certificateId)->enableOcspNonce($ocspService->doesSupportNonce())->build();
 
-            // PEM encoded
-            $certPem = $subjectCertificate->saveX509($subjectCertificate->getCurrentCert(), X509::FORMAT_PEM);
-            $iss = $this->trustValidator->getSubjectCertificateIssuerCertificate();
-            $issuerPem = $iss->saveX509($iss->getCurrentCert(), X509::FORMAT_PEM);
-
-            $certificate = $certificateLoader->fromString($certPem);
-            $issuerCertificate = $certificateLoader->fromString($issuerPem);
-    
-            // Extract the relevant data from the two certificates
-            $certificateInfo = new CertificateInfo();
-            $requestInfo = $certificateInfo->extractRequestInfo($certificate, $issuerCertificate);
-    
-            $request = (new OcspRequestBuilder())
-                ->withCertificateId($requestInfo)
-                ->enableOcspNonce($ocspService->doesSupportNonce())
-                ->build();
-    
-            
             $this->logger->debug("Sending OCSP request");
 
-            // TODO
-            // Replace faulty OCSP library
-            return;
-    
-            $response = $this->ocspClient->request($ocspService->getAccessLocation(), $request);
-            $this->verifyOcspResponse($response);
-            //$ocspResponderUrl = $certificateLoader->extractOcspResponderUrl($certificate);
+            $response = $this->ocspClient->request($ocspService->getAccessLocation(), $request->getEncodeDer());
+
+            // When status is not successful
+            if ($response->getStatus() != "successful") {
+                throw new UserCertificateOCSPCheckFailedException("OCSP response status: " . $response->getStatus());
+            }
+
+            $this->verifyOcspResponse($response, $ocspService, $certificateId);
+
+            if ($ocspService->doesSupportNonce()) {
+                $this->checkNonce($request, $response->getBasicResponse());
+            }
 
         } catch (Throwable $e) {
             throw new UserCertificateOCSPCheckFailedException("Exception: " . $e->getMessage(), $e);
         }
 
     }
 
-    private function verifyOcspResponse(Response $response): void
+    // Todo, check ocspService
+    private function verifyOcspResponse(OcspResponse $response, OcspService $ocspService, array $requestCertificateId): void
     {
+        $basicResponse = $response->getBasicResponse();
+
+        // The verification algorithm follows RFC 2560, https://www.ietf.org/rfc/rfc2560.txt.
+        //
+        // 3.2.  Signed Response Acceptance Requirements
+        //   Prior to accepting a signed response for a particular certificate as
+        //   valid, OCSP clients SHALL confirm that:
+        //
+        //   1. The certificate identified in a received response corresponds to
+        //      the certificate that was identified in the corresponding request.
+
+        // As we sent the request for only a single certificate, we expect only a single response.
+        if (count($basicResponse->getResponses()) != 1) {
+            throw new UserCertificateOCSPCheckFailedException("OCSP response must contain one response, received " . count($basicResponse->getResponses()) . " responses instead");
+        }
+
+        if ($requestCertificateId != $basicResponse->getCertID()) {
+            throw new UserCertificateOCSPCheckFailedException("OCSP responded with certificate ID that differs from the requested ID");
+        }
+
+        //   2. The signature on the response is valid.
+
+        // We assume that the responder includes its certificate in the certs field of the response
+        // that helps us to verify it. According to RFC 2560 this field is optional, but including it
+        // is standard practice.
+
+        if (count($basicResponse->getCertificates()) < 1) {
+            throw new UserCertificateOCSPCheckFailedException("OCSP response must contain the responder certificate, but none was provided");
+        }
+
+        // The first certificate is the responder certificate, other certificates, if given, are the certificate's chain.
+        $responderCert = $basicResponse->getCertificates()[0];
+
+        OcspResponseValidator::validateResponseSignature($basicResponse, $responderCert);
+
+        //   3. The identity of the signer matches the intended recipient of the
+        //      request.
+        //
+        //   4. The signer is currently authorized to provide a response for the
+        //      certificate in question.
+        
+        $producedAt = $basicResponse->getProducedAt();
+        $ocspService->validateResponderCertificate($responderCert, $producedAt);
+
+        //   5. The time at which the status being indicated is known to be
+        //      correct (thisUpdate) is sufficiently recent.
+        //
+        //   6. When available, the time at or before which newer information will
+        //      be available about the status of the certificate (nextUpdate) is
+        //      greater than the current time.
+
+        OcspResponseValidator::validateCertificateStatusUpdateTime($basicResponse, $producedAt);
+
+        // Now we can accept the signed response as valid and validate the certificate status.
         OcspResponseValidator::validateSubjectCertificateStatus($response);
+        $this->logger->debug("OCSP check result is GOOD");
+
+    }
+
+    private static function checkNonce(OcspRequest $request, OcspBasicResponse $basicResponse): void
+    {
+        $requestNonce = $request->getNonceExtension();
+        $responseNonce = $basicResponse->getNonceExtension();
+
+        if ($requestNonce != $responseNonce) {
+            throw new UserCertificateOCSPCheckFailedException("OCSP request and response nonces differ, possible replay attack");
+        }
     }
 
 }

src/validator/ocsp/OcspClient.php

@@ -25,9 +25,9 @@
 namespace web_eid\web_eid_authtoken_validation_php\validator\ocsp;
 
 use web_eid\web_eid_authtoken_validation_php\util\Uri;
-use lyquidity\OCSP\Response;
+use web_eid\ocsp_php\OcspResponse;
 
 interface OcspClient
 {
-    public function request(Uri $url, string $requestBody): Response;
+    public function request(Uri $url, string $requestBody): OcspResponse;
 }

src/validator/ocsp/OcspClientImpl.php

@@ -24,51 +24,61 @@
 
 namespace web_eid\web_eid_authtoken_validation_php\validator\ocsp;
 
-use lyquidity\OCSP\Ocsp;
-use lyquidity\OCSP\Response;
 use web_eid\web_eid_authtoken_validation_php\exceptions\UserCertificateOCSPCheckFailedException;
+use web_eid\web_eid_authtoken_validation_php\util\Log;
 use web_eid\web_eid_authtoken_validation_php\util\Uri;
+use web_eid\ocsp_php\OcspResponse;
 
 class OcspClientImpl implements OcspClient
 {
 
     private const OCSP_REQUEST_TYPE = "application/ocsp-request";
     private const OCSP_RESPONSE_TYPE = "application/ocsp-response";
     private int $requestTimeout;
+    private Log $logger;
 
     public function __construct(int $ocspRequestTimeout)
     {
         $this->requestTimeout = $ocspRequestTimeout;
+        $this->logger = Log::getLogger(self::class);
     }
 
     public static function build(int $ocspRequestTimeout): OcspClient
     {
         return new OcspClientImpl($ocspRequestTimeout);
     }
 
-    public function request(Uri $uri, string $ocspReq): Response
+    public function request(Uri $uri, string $encodedOcspRequest): OcspResponse
     {
         $curl = curl_init();
         curl_setopt($curl, CURLOPT_URL, $uri->getUrl());
         curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+        curl_setopt($curl, CURLOPT_FAILONERROR, true);        
         curl_setopt($curl, CURLOPT_POST, true);
         curl_setopt($curl, CURLOPT_HTTPHEADER, ["Content-Type: " . self::OCSP_REQUEST_TYPE]);
-        curl_setopt($curl, CURLOPT_POSTFIELDS, $ocspReq);
+        curl_setopt($curl, CURLOPT_POSTFIELDS, $encodedOcspRequest);
         curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, $this->requestTimeout); 
         curl_setopt($curl, CURLOPT_TIMEOUT, $this->requestTimeout);
         $result = curl_exec($curl);
+
+        if (curl_errno($curl)) {
+            throw new UserCertificateOCSPCheckFailedException(curl_error($curl));
+        }
+        
         $info = curl_getinfo($curl);
         if ($info["http_code"] !== 200) {
             throw new UserCertificateOCSPCheckFailedException("OCSP request was not successful, response: " + $result);
         }
+
+        $response = new OcspResponse($result);
+
+        $responseJson = json_encode($response->getResponse(), JSON_INVALID_UTF8_IGNORE);
+        $this->logger->debug("OCSP response: ", json_encode($responseJson));
 
         if ($info["content_type"] !== self::OCSP_RESPONSE_TYPE) {
             throw new UserCertificateOCSPCheckFailedException("OCSP response content type is not ". self::OCSP_RESPONSE_TYPE);
         }
 
-        $ocsp = new Ocsp();
-        // Decode the raw response from the OCSP Responder
-        $response = $ocsp->decodeOcspResponseSingle($result);
         return $response;
     }
 }

src/validator/ocsp/OcspRequestBuilder.php

@@ -26,16 +26,14 @@
 
 namespace web_eid\web_eid_authtoken_validation_php\validator\ocsp;
 
-use lyquidity\OCSP\CertificateInfo;
-use lyquidity\OCSP\Ocsp;
-use lyquidity\OCSP\Request;
+use web_eid\ocsp_php\OcspRequest;
 
 final class OcspRequestBuilder
 {
 
     private $secureRandom;
     private bool $ocspNonceEnabled = true;
-    private $certificateId;
+    private array $certificateId;
 
     public function __construct()
     {
@@ -44,9 +42,9 @@ public function __construct()
         };
     }
 
-    public function withCertificateId(Request $certInfo): OcspRequestBuilder
+    public function withCertificateId(array $certificateId): OcspRequestBuilder
     {
-        $this->certificateId = $certInfo;
+        $this->certificateId = $certificateId;
         return $this;
     }
 
@@ -56,10 +54,17 @@ public function enableOcspNonce(bool $ocspNonceEnabled): OcspRequestBuilder
         return $this;
     }
 
-    public function build()
+    public function build(): OcspRequest
     {
-        $ocsp = new Ocsp();
-        return $ocsp->buildOcspRequestBodySingle($this->certificateId);
+        $ocspRequest = new OcspRequest();
+        $ocspRequest->addCertificateId($this->certificateId);
+
+        if ($this->ocspNonceEnabled) {
+            $nonceBytes = call_user_func($this->secureRandom, 8);
+            $ocspRequest->addNonceExtension($nonceBytes);
+        }
+
+        return $ocspRequest;
     }
 
     private function generateSecureRandom(int $nounce_length): string {