WE2-689 Updated readme

WE2-687 Added is certificate revoked tests
WE2-687 Added more tests for OcspUrl
Changed ocsp dependency to main version

Author: Guido Gröön

README.md

@@ -389,7 +389,7 @@ The following additional configuration options are available in `ChallengeNonceG
 Extended configuration example:
 
 ```php  
-$generator = (new ChallengeNonceGeneratorBuilder)
+$generator = (new ChallengeNonceGeneratorBuilder())
   ->withNonceTtl(300) // 5 minutes
   ->withSecureRandom(customSecureRandom)  
   ->build();

composer.json

@@ -36,6 +36,6 @@
     ],
     "require": {
         "phpseclib/phpseclib": "3.0.14",
-        "web_eid/ocsp_php": "dev-development"
+        "web_eid/ocsp_php": "dev-main"
     }
 }

src/validator/certvalidators/SubjectCertificateNotRevokedValidator.php

@@ -88,7 +88,6 @@ public function validate(X509 $subjectCertificate): void
 
     }
 
-    // Todo, check ocspService
     private function verifyOcspResponse(OcspResponse $response, OcspService $ocspService, array $requestCertificateId): void
     {
         $basicResponse = $response->getBasicResponse();

tests/_resources/TEST_of_EE-GovCA2018.pem.crt

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFLDCCBI2gAwIBAgIQImvqKVwtGyZbh+ecdKPc7zAKBggqhkjOPQQDBDBiMQsw
+CQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRh
+DA5OVFJFRS0xMDc0NzAxMzEdMBsGA1UEAwwUVEVTVCBvZiBFRS1Hb3ZDQTIwMTgw
+HhcNMTgwODMwMTI0ODI4WhcNMzMwODMwMTI0ODI4WjBiMQswCQYDVQQGEwJFRTEb
+MBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0
+NzAxMzEdMBsGA1UEAwwUVEVTVCBvZiBFRS1Hb3ZDQTIwMTgwgZswEAYHKoZIzj0C
+AQYFK4EEACMDgYYABABZN0DFpEKsj3SzsySoR/bcwAUoLc+S2HrvHY0xIDkFFTtU
+QXfjxXyexNIx+ALe2IYJZLTl0T79C5by4/mO/5H7UgCxZZCRKtdcKqSGYJOVpT0X
+oA51yX8eBk8aPVrTcwABcBhU6nTNGEoNXfeS7mrZB6Gs3eFxEVdejIEjNObWVFYM
+bqOCAuAwggLcMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMDQG
+A1UdJQEB/wQqMCgGCCsGAQUFBwMJBggrBgEFBQcDAgYIKwYBBQUHAwQGCCsGAQUF
+BwMBMB0GA1UdDgQWBBR/DHDY9OWPAXfux20pKbn0yfxqwDAfBgNVHSMEGDAWgBR/
+DHDY9OWPAXfux20pKbn0yfxqwDCCAiQGA1UdIASCAhswggIXMAgGBgQAj3oBAjAJ
+BgcEAIvsQAECMDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8v
+d3d3LnNrLmVlL0NQUzANBgsrBgEEAYORIQECAjANBgsrBgEEAYORfwECATANBgsr
+BgEEAYORIQECBTANBgsrBgEEAYORIQECBjANBgsrBgEEAYORIQECBzANBgsrBgEE
+AYORIQECAzANBgsrBgEEAYORIQECBDANBgsrBgEEAYORIQECCDANBgsrBgEEAYOR
+IQECCTANBgsrBgEEAYORIQECCjANBgsrBgEEAYORIQECCzANBgsrBgEEAYORIQEC
+DDANBgsrBgEEAYORIQECDTANBgsrBgEEAYORIQECDjANBgsrBgEEAYORIQECDzAN
+BgsrBgEEAYORIQECEDANBgsrBgEEAYORIQECETANBgsrBgEEAYORIQECEjANBgsr
+BgEEAYORIQECEzANBgsrBgEEAYORIQECFDANBgsrBgEEAYORfwECAjANBgsrBgEE
+AYORfwECAzANBgsrBgEEAYORfwECBDANBgsrBgEEAYORfwECBTANBgsrBgEEAYOR
+fwECBjBVBgorBgEEAYORIQoBMEcwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNr
+LmVlL0NQUzAiBggrBgEFBQcCAjAWGhRURVNUIG9mIEVFLUdvdkNBMjAxODAYBggr
+BgEFBQcBAwQMMAowCAYGBACORgEBMAoGCCqGSM49BAMEA4GMADCBiAJCAeTjfRrM
+t+4ecVYozAfdpTjCikf332XcuRkuJ6fbLqqMm7C3v/d5ebyOqvDG6wWAp8Z0GZA5
+ONIvS2rm8kJ7HR5tAkIAoFn7n5ZW62dXMmPk+LReR1hUyTpxrxC31QjqvMqM2AbM
+8luw0f/AaC5qsEdwKrKT+p1xvnjSyIVfcMiu6Q3T2EE=
+-----END CERTIFICATE-----

tests/testutil/AuthTokenValidators.php

@@ -55,7 +55,7 @@ public static function getAuthTokenValidatorWithOcspCheck(): AuthTokenValidator
 
     public static function getAuthTokenValidatorWithDesignatedOcspCheck()
     {
-        
+        return (self::getAuthTokenValidatorBuilder(self::TOKEN_ORIGIN_URL, self::getCACertificates()))->withDesignatedOcspServiceConfiguration(OcspServiceMaker::getDesignatedOcspServiceConfiguration())->build();
     }
 
     private static function getAuthTokenValidatorBuilder(string $uri, array $certificates): AuthTokenValidatorBuilder

tests/testutil/Certificates.php

@@ -39,13 +39,15 @@ class Certificates
     private static ?X509 $testEsteid2015CA = null;
     private static ?X509 $testEsteid2018CA = null;
     private static ?X509 $testSkOcspResponder2020 = null;
+    private static ?X509 $testEsteid2018CAGov = null;
 
     public static function loadCertificates(): void
     {
-        $certificates = CertificateLoader::loadCertificatesFromResources(__DIR__."/../_resources/TEST_of_ESTEID-SK_2015.cer", __DIR__."/../_resources/TEST_of_ESTEID2018.cer", __DIR__."/../_resources/TEST_of_SK_OCSP_RESPONDER_2020.cer");
+        $certificates = CertificateLoader::loadCertificatesFromResources(__DIR__."/../_resources/TEST_of_ESTEID-SK_2015.cer", __DIR__."/../_resources/TEST_of_ESTEID2018.cer", __DIR__."/../_resources/TEST_of_SK_OCSP_RESPONDER_2020.cer", __DIR__."/../_resources/TEST_of_EE-GovCA2018.pem.crt");
         self::$testEsteid2015CA = $certificates[0];
         self::$testEsteid2018CA = $certificates[1];
         self::$testSkOcspResponder2020 = $certificates[2];
+        self::$testEsteid2018CAGov = $certificates[3];
     }
 
     public static function getTestEsteid2018CA(): X509
@@ -72,6 +74,14 @@ public static function getTestSkOcspResponder2020(): X509
         return self::$testSkOcspResponder2020;
     }
 
+    public static function getTestEsteid2018CAGov(): X509
+    {
+        if (is_null(self::$testEsteid2018CAGov)) {
+            self::loadCertificates();
+        }
+        return self::$testEsteid2018CAGov;
+    }
+
     public static function getJaakKristjanEsteid2018Cert(): X509
     {
         if (self::$jaakKristjanEsteid2018Cert == null) {

tests/testutil/OcspServiceMaker.php

@@ -53,7 +53,7 @@ private static function getAiaOcspServiceConfiguration(): AiaOcspServiceConfigur
     {
         return new AiaOcspServiceConfiguration(
             new UriCollection(new Uri(OcspUrl::AIA_ESTEID_2015_URL), new Uri(self::TEST_ESTEID_2015)),
-            CertificateValidator::buildTrustFromCertificates([Certificates::getTestEsteid2015CA(), Certificates::getTestEsteid2018CA()])
+            CertificateValidator::buildTrustFromCertificates([Certificates::getTestEsteid2015CA(), Certificates::getTestEsteid2018CA(), Certificates::getTestEsteid2018CAGov()])
         );
     }
 

tests/validator/AuthTokenCertificateTest.php

@@ -38,6 +38,7 @@
 use web_eid\web_eid_authtoken_validation_php\exceptions\CertificateNotTrustedException;
 use DateTime;
 use UnexpectedValueException;
+use web_eid\web_eid_authtoken_validation_php\exceptions\UserCertificateOCSPCheckFailedException;
 
 class AuthTokenCertificateTest extends AbstractTestWithValidator
 {
@@ -241,15 +242,30 @@ public function testWhenTrustedCaCertificateIsNoLongerValidThenValidationFails()
         $this->validator->validate($this->validAuthToken, self::VALID_CHALLENGE_NONCE);
     }
 
-    /*
-        TODO
     public function testWhenCertificateIsRevokedThenOcspCheckFails(): void
     {
+        $this->mockDate("2020-01-01");
+        $validatorWithOcspCheck = AuthTokenValidators::getAuthTokenValidatorWithOcspCheck();
+        $token = $this->replaceTokenField(self::AUTH_TOKEN, "unverifiedCertificate", self::REVOKED_CERT);
+
+        $this->expectException(UserCertificateOCSPCheckFailedException::class);
+        $this->expectExceptionMessage("User certificate revocation check has failed: Exception: User certificate has been revoked: Revocation reason: unspecified");
+
+        $validatorWithOcspCheck->validate($token, self::VALID_CHALLENGE_NONCE);
     }
+
     public function testWhenCertificateIsRevokedThenOcspCheckWithDesignatedOcspServiceFails(): void
     {
+        $this->mockDate("2020-01-01");
+
+        $validatorWithOcspCheck = AuthTokenValidators::getAuthTokenValidatorWithDesignatedOcspCheck();
+        $token = $this->replaceTokenField(self::AUTH_TOKEN, "unverifiedCertificate", self::REVOKED_CERT);
+
+        $this->expectException(UserCertificateOCSPCheckFailedException::class);
+        $this->expectExceptionMessage("User certificate revocation check has failed: Exception: User certificate has been revoked");
+
+        $validatorWithOcspCheck->validate($token, self::VALID_CHALLENGE_NONCE);
     }
-    */
 
     public function testWhenCertificateCaIsNotPartOfTrustChainThenValidationFails(): void
     {

tests/validator/ocsp/OcspServiceProviderTest.php

@@ -55,19 +55,19 @@ public function testWhenDesignatedOcspServiceConfigurationProvidedThenCreatesDes
 
     public function testWhenAiaOcspServiceConfigurationProvidedThenCreatesAiaOcspService(): void
     {
-        // TODO
-        // Add correct cert to testutil/Certificates, because PHP does not validate certificates like Java
+        // In PHP validation is different
+        // we need to use TEST_of_EE-GovCA2018.pem.crt (getAiaOcspServiceConfiguration()) certificate for validation 
+
         $ocspServiceProvider = OcspServiceMaker::getAiaOcspServiceProvider();
 
-        /*
         $service2018 = $ocspServiceProvider->getService(Certificates::getJaakKristjanEsteid2018Cert());
 
         $this->assertEquals($service2018->getAccessLocation(), new Uri("http://aia.demo.sk.ee/esteid2018"));
         $this->assertTrue($service2018->doesSupportNonce());
 
-        $service2018->validateResponderCertificate(Certificates::getTestEsteid2018CA(), new DateTime("Thursday, August 26, 2021 5:46:40 PM"));
-        */
+        $service2018->validateResponderCertificate(Certificates::getTestEsteid2018CA(), new DateTime('Thursday, August 26, 2021 5:46:40 PM'));
 
+        // Responder certificate issuer is not in trusted certificates
         $service2015 = $ocspServiceProvider->getService(Certificates::getMariLiisEsteid2015Cert());
         $this->assertEquals($service2015->getAccessLocation(), new Uri("http://aia.demo.sk.ee/esteid2015"));
         $this->assertFalse($service2015->doesSupportNonce());

tests/validator/ocsp/OcspUrlTest.php

@@ -22,6 +22,8 @@
  * SOFTWARE.
  */
 
+declare(strict_types=1);
+
 namespace web_eid\web_eid_authtoken_validation_php\validator\ocsp;
 
 use phpseclib3\File\X509;
@@ -32,9 +34,45 @@ class OcspUrlTest extends TestCase
     public function testWhenExtensionValueIsNullThenReturnsNull()
     {
         $mockCertificate = $this->createMock(X509::class);
-        $mockCertificate->method('getExtension')->willReturn(null);
+        $mockCertificate->method("getExtension")->willReturn(null);
         $this->assertNull(OcspUrl::getOcspUri($mockCertificate));
     }
 
-    // TODO: Investigate two more tests
+    public function testWhenExtensionValueIsInvalidThenReturnsNull()
+    {
+        $mockCertificate = $this->createMock(X509::class);
+        $mockCertificate->method("getExtension")->willReturn([
+            [
+                "accessMethod" => "id-ad-ocsp",
+                'accessLocation' => ["uniformResourceIdentifier" => pack("c*", ...array(1, 2, 3))]
+            ]
+        ]);
+
+        // We will get empty uri parts
+        $url = OcspUrl::getOcspUri($mockCertificate);
+        $this->assertFalse($url->isAbsolute());
+        $this->assertEmpty($url->getScheme());
+        $this->assertEmpty($url->getHost());
+    }
+
+    public function testWhenExtensionValueIsNotAiaThenReturnsNull()
+    {
+        $mockCertificate = $this->createMock(X509::class);
+        $mockCertificate->method("getExtension")->willReturn([
+            [
+                "accessMethod" => "id-ad-ocsp",
+                'accessLocation' => ["uniformResourceIdentifier" => pack("c*", ...array(4, 64, 48, 62, 48, 50, 6, 11, 43, 6, 1, 4, 1, -125, -111, 33, 1, 2, 1, 48,
+                    35, 48, 33, 6, 8, 43, 6, 1, 5, 5, 7, 2, 1, 22, 21, 104, 116, 116, 112, 115,
+                    58, 47, 47, 119, 119, 119, 46, 115, 107, 46, 101, 101, 47, 67, 80, 83, 48,
+                    8, 6, 6, 4, 0, -113, 122, 1, 2))]
+            ]
+        ]);
+
+        // We will get empty uri parts
+        $url = OcspUrl::getOcspUri($mockCertificate);
+        $this->assertFalse($url->isAbsolute());
+        $this->assertEmpty($url->getScheme());
+        $this->assertEmpty($url->getHost());
+    }
+
 }