fix: use system time in OcspResponseValidator.validateCertificateStatusUpdateTime()

WE2-868

Signed-off-by: Mihkel Kivisild [email protected]

Author: Mihkel Kivisild

README.md

@@ -298,6 +298,11 @@ The following additional configuration options are available in `AuthTokenValida
 
 - `withNonceDisabledOcspUrls(URI ...$urls)` – adds the given URLs to the list of OCSP responder access location URLs for which the nonce protocol extension will be disabled. Some OCSP responders don't support the nonce extension.
 
+- `withAllowedOcspResponseTimeSkew(int $allowedTimeSkew)` – sets the allowed time skew for OCSP response's `thisUpdate` and `nextUpdate` times to allow discrepancies between the system clock and the OCSP responder's clock or revocation updates that are not published in real time. The default allowed time skew is 15 minutes. The relatively long default is specifically chosen to account for one particular OCSP responder that used CRLs for authoritative revocation info, these CRLs were updated every 15 minutes.
+
+- `withMaxOcspResponseThisUpdateAge(int $maxThisUpdateAge)` – sets the maximum age for the OCSP response's `thisUpdate` time before it is considered too old to rely on. The default maximum age is 2 minutes.
+
+
 Extended configuration example:  
 
 ```php

src/validator/AuthTokenValidationConfiguration.php

@@ -39,7 +39,9 @@ final class AuthTokenValidationConfiguration
     private ?Uri $siteOrigin = null;
     private array $trustedCACertificates = [];
     private bool $isUserCertificateRevocationCheckWithOcspEnabled = true;
-    private int $ocspRequestTimeout = 5;
+    private int $ocspRequestTimeout = 5; // In seconds
+    private int $allowedOcspResponseTimeSkew = 15; // In minutes
+    private int $maxOcspResponseThisUpdateAge = 2; // In minutes
     private array $disallowedSubjectCertificatePolicies;
     private UriCollection $nonceDisabledOcspUrls;
     private ?DesignatedOcspServiceConfiguration $designatedOcspServiceConfiguration = null;
@@ -94,6 +96,26 @@ public function setOcspRequestTimeout(int $ocspRequestTimeout): void
         $this->ocspRequestTimeout = $ocspRequestTimeout;
     }
 
+    public function getAllowedOcspResponseTimeSkew(): int
+    {
+        return $this->allowedOcspResponseTimeSkew;
+    }
+
+    public function setAllowedOcspResponseTimeSkew(int $allowedOcspResponseTimeSkew): void
+    {
+        $this->allowedOcspResponseTimeSkew = $allowedOcspResponseTimeSkew;
+    }
+
+    public function getMaxOcspResponseThisUpdateAge(): int
+    {
+        return $this->maxOcspResponseThisUpdateAge;
+    }
+
+    public function setMaxOcspResponseThisUpdateAge(int $maxOcspResponseThisUpdateAge): void
+    {
+        $this->maxOcspResponseThisUpdateAge = $maxOcspResponseThisUpdateAge;
+    }
+
     public function getDesignatedOcspServiceConfiguration(): ?DesignatedOcspServiceConfiguration
     {
         return $this->designatedOcspServiceConfiguration;
@@ -132,6 +154,8 @@ public function validate(): void
         }
 
         DateAndTime::requirePositiveDuration($this->ocspRequestTimeout, "OCSP request timeout");
+        DateAndTime::requirePositiveDuration($this->allowedOcspResponseTimeSkew, "Allowed OCSP response time-skew");
+        DateAndTime::requirePositiveDuration($this->maxOcspResponseThisUpdateAge, "Max OCSP response thisUpdate age");
     }
 
     /**

src/validator/AuthTokenValidatorBuilder.php

@@ -126,6 +126,40 @@ public function withOcspRequestTimeout(int $ocspRequestTimeout): AuthTokenValida
         $this->logger?->debug("OCSP request timeout set to " . $ocspRequestTimeout);
         return $this;
     }
+    
+    /**
+     * Sets the allowed time skew for OCSP response's thisUpdate and nextUpdate times.
+     * This parameter is used to allow discrepancies between the system clock and the OCSP responder's clock,
+     * which may occur due to clock drift, network delays or revocation updates that are not published in real time.
+     * <p>
+     * This is an optional configuration parameter, the default is 15 minutes.
+     * The relatively long default is specifically chosen to account for one particular OCSP responder that used
+     * CRLs for authoritative revocation info, these CRLs were updated every 15 minutes.
+     * 
+     * @param integer $allowedTimeSkew the allowed time skew
+     * @return AuthTokenValidatorBuilder the builder instance for method chaining.
+     */
+    public function withAllowedOcspResponseTimeSkew(int $allowedTimeSkew) : AuthTokenValidatorBuilder
+    {
+        $this->configuration->setAllowedOcspResponseTimeSkew($allowedTimeSkew);
+        $this->logger?->debug("Allowed OCSP response time skew set to " . $allowedTimeSkew);
+        return $this;
+    }
+
+    /**
+     * Sets the maximum age of the OCSP response's thisUpdate time before it is considered too old.
+     * <p>
+     * This is an optional configuration parameter, the default is 2 minutes.
+     * 
+     * @param integer $maxThisUpdateAge the maximum age of the OCSP response's thisUpdate time
+     * @return AuthTokenValidatorBuilder the builder instance for method chaining.
+     */
+    public function withMaxOcspResponseThisUpdateAge(int $maxThisUpdateAge) : AuthTokenValidatorBuilder
+    {
+        $this->configuration->setMaxOcspResponseThisUpdateAge($maxThisUpdateAge);
+        $this->logger?->debug("Maximum OCSP response thisUpdate age set to " . $maxThisUpdateAge);
+        return $this;
+    }
 
     /**
      * Adds the given URLs to the list of OCSP URLs for which the nonce protocol extension will be disabled.

src/validator/AuthTokenValidatorImpl.php

@@ -172,7 +172,12 @@ private function getCertTrustValidators(): SubjectCertificateValidatorBatch
         if ($this->configuration->isUserCertificateRevocationCheckWithOcspEnabled()) {
             $validatorBatch->addOptional(
                 $this->configuration->isUserCertificateRevocationCheckWithOcspEnabled(),
-                new SubjectCertificateNotRevokedValidator($certTrustedValidator, $this->ocspClient, $this->ocspServiceProvider, $this->logger)
+                new SubjectCertificateNotRevokedValidator($certTrustedValidator, 
+                    $this->ocspClient, 
+                    $this->ocspServiceProvider,
+                    $this->configuration->getAllowedOcspResponseTimeSkew(),
+                    $this->configuration->getMaxOcspResponseThisUpdateAge(), 
+                    $this->logger)
             );
         }
 

src/validator/certvalidators/SubjectCertificateNotRevokedValidator.php

@@ -45,13 +45,22 @@ final class SubjectCertificateNotRevokedValidator implements SubjectCertificateV
     private SubjectCertificateTrustedValidator $trustValidator;
     private OcspClient $ocspClient;
     private OcspServiceProvider $ocspServiceProvider;
-
-    public function __construct(SubjectCertificateTrustedValidator $trustValidator, OcspClient $ocspClient, OcspServiceProvider $ocspServiceProvider, LoggerInterface $logger = null)
+    private int $allowedOcspResponseTimeSkew;
+    private int $maxOcspResponseThisUpdateAge;
+
+    public function __construct(SubjectCertificateTrustedValidator $trustValidator, 
+        OcspClient $ocspClient, 
+        OcspServiceProvider $ocspServiceProvider, 
+        int $allowedOcspResponseTimeSkew,
+        int $maxOcspResponseThisUpdateAge,
+        LoggerInterface $logger = null)
     {
         $this->logger = $logger;
         $this->trustValidator = $trustValidator;
         $this->ocspClient = $ocspClient;
         $this->ocspServiceProvider = $ocspServiceProvider;
+        $this->allowedOcspResponseTimeSkew = $allowedOcspResponseTimeSkew;
+        $this->maxOcspResponseThisUpdateAge = $maxOcspResponseThisUpdateAge;
     }
 
     public function validate(X509 $subjectCertificate): void
@@ -130,15 +139,14 @@ private function verifyOcspResponse(OcspResponse $response, OcspService $ocspSer
 
         $producedAt = $basicResponse->getProducedAt();
         $ocspService->validateResponderCertificate($responderCert, $producedAt);
-
         //   5. The time at which the status being indicated is known to be
         //      correct (thisUpdate) is sufficiently recent.
         //
         //   6. When available, the time at or before which newer information will
         //      be available about the status of the certificate (nextUpdate) is
         //      greater than the current time.
 
-        OcspResponseValidator::validateCertificateStatusUpdateTime($basicResponse, $producedAt);
+        OcspResponseValidator::validateCertificateStatusUpdateTime($basicResponse, $this->allowedOcspResponseTimeSkew, $this->maxOcspResponseThisUpdateAge);
 
         // Now we can accept the signed response as valid and validate the certificate status.
         OcspResponseValidator::validateSubjectCertificateStatus($response);

src/validator/ocsp/OcspClientImpl.php

@@ -75,6 +75,8 @@ public function request(Uri $uri, string $encodedOcspRequest): OcspResponse
         $responseJson = json_encode($response->getResponse(), JSON_INVALID_UTF8_IGNORE);
         $this->logger?->debug("OCSP response: " . $responseJson);
 
+        echo $uri;
+
         if ($info["content_type"] !== self::OCSP_RESPONSE_TYPE) {
             throw new UserCertificateOCSPCheckFailedException("OCSP response content type is not " . self::OCSP_RESPONSE_TYPE);
         }

src/validator/ocsp/OcspResponseValidator.php

@@ -34,6 +34,7 @@
 use web_eid\web_eid_authtoken_validation_php\exceptions\UserCertificateOCSPCheckFailedException;
 use web_eid\web_eid_authtoken_validation_php\exceptions\UserCertificateRevokedException;
 use web_eid\web_eid_authtoken_validation_php\util\DateAndTime;
+use web_eid\web_eid_authtoken_validation_php\util\DefaultClock;
 
 final class OcspResponseValidator
 {
@@ -44,9 +45,7 @@ final class OcspResponseValidator
      * https://oidref.com/1.3.6.1.5.5.7.3.9.
      */
     private const OCSP_SIGNING = "id-kp-OCSPSigning";
-
-    private const ALLOWED_TIME_SKEW = 15;
-
+    private const ERROR_PREFIX = "Certificate status update time check failed: ";
     public function __construct()
     {
         throw new BadFunctionCallException("Utility class");
@@ -72,7 +71,7 @@ public static function validateResponseSignature(OcspBasicResponse $basicRespons
         }
     }
 
-    public static function validateCertificateStatusUpdateTime(OcspBasicResponse $basicResponse, DateTime $producedAt): void
+    public static function validateCertificateStatusUpdateTime(OcspBasicResponse $basicResponse, int $allowedOcspResponseTimeSkew, int $maxOcspResponseThisUpdateAge): void
     {
         // From RFC 2560, https://www.ietf.org/rfc/rfc2560.txt:
         // 4.2.2.  Notes on OCSP Responses
@@ -83,20 +82,37 @@ public static function validateCertificateStatusUpdateTime(OcspBasicResponse $ba
         //   SHOULD be considered unreliable.
         //   If nextUpdate is not set, the responder is indicating that newer
         //   revocation information is available all the time.
-
-        $notAllowedBefore = (clone $producedAt)->sub(new DateInterval('PT' . self::ALLOWED_TIME_SKEW . 'S'));
-        $notAllowedAfter = (clone $producedAt)->add(new DateInterval('PT' . self::ALLOWED_TIME_SKEW . 'S'));
+        $now = DefaultClock::getInstance()->now();
+        $earliestAcceptableTimeSkew = (clone $now)->sub(new DateInterval('PT' . $allowedOcspResponseTimeSkew . 'M'));
+        $latestAcceptableTimeSkew = (clone $now)->add(new DateInterval('PT' . $allowedOcspResponseTimeSkew . 'M'));
+        $minimumValidThisUpdateTime = (clone $now)->sub(new DateInterval('PT' . $maxOcspResponseThisUpdateAge . 'M'));
 
         $thisUpdate = $basicResponse->getThisUpdate();
+        if ($thisUpdate > $latestAcceptableTimeSkew) {
+            throw new UserCertificateOCSPCheckFailedException(self::ERROR_PREFIX .
+                "thisUpdate '" . DateAndTime::toUtcString($thisUpdate) . "' is too far in the future, " .
+                "latest allowed: '" . DateAndTime::toUtcString($latestAcceptableTimeSkew) . "'");
+        }
+
+        if ($thisUpdate < $minimumValidThisUpdateTime) {
+            throw new UserCertificateOCSPCheckFailedException(self::ERROR_PREFIX .
+                "thisUpdate '" . DateAndTime::toUtcString($thisUpdate) . "' is too old, " .
+                "minimum time allowed: '" . DateAndTime::toUtcString($minimumValidThisUpdateTime) . "'");
+        }
+
         $nextUpdate = $basicResponse->getNextUpdate();
+        if (is_null($nextUpdate)) {
+            return;
+        }
 
-        if ($notAllowedAfter < $thisUpdate || $notAllowedBefore > (!is_null($nextUpdate) ? $nextUpdate : $thisUpdate)) {
+        if ($nextUpdate < $earliestAcceptableTimeSkew) {
+            throw new UserCertificateOCSPCheckFailedException(self::ERROR_PREFIX .
+                "nextUpdate '" . DateAndTime::toUtcString($nextUpdate) . "' is in the past");
+        }
 
-            throw new UserCertificateOCSPCheckFailedException("Certificate status update time check failed: " .
-                "notAllowedBefore: " . DateAndTime::toUtcString($notAllowedBefore) .
-                ", notAllowedAfter: " . DateAndTime::toUtcString($notAllowedAfter) .
-                ", thisUpdate: " . DateAndTime::toUtcString($thisUpdate) .
-                ", nextUpdate: " . DateAndTime::toUtcString($nextUpdate));
+        if ($nextUpdate < $thisUpdate) {
+            throw new UserCertificateOCSPCheckFailedException(self::ERROR_PREFIX .
+                "nextUpdate '" . DateAndTime::toUtcString($nextUpdate) . "' is before thisUpdate '" . DateAndTime::toUtcString($thisUpdate) . "'");
         }
     }
 

tests/testutil/AuthTokenValidators.php

@@ -58,6 +58,11 @@ public static function getAuthTokenValidatorWithDesignatedOcspCheck()
         return (self::getAuthTokenValidatorBuilder(self::TOKEN_ORIGIN_URL, self::getCACertificates()))->withDesignatedOcspServiceConfiguration(OcspServiceMaker::getDesignatedOcspServiceConfiguration())->build();
     }
 
+    public static function getDefaultAuthTokenValidatorBuilder(): AuthTokenValidatorBuilder
+    {
+        return self::getAuthTokenValidatorBuilder(self::TOKEN_ORIGIN_URL, self::getCACertificates());
+    }
+
     private static function getAuthTokenValidatorBuilder(string $uri, array $certificates): AuthTokenValidatorBuilder
     {
         return (new AuthTokenValidatorBuilder(new Logger()))

tests/validator/AuthTokenValidatorBuilderTest.php

@@ -24,12 +24,12 @@
 
 namespace web_eid\web_eid_authtoken_validation_php\validator;
 
-use GuzzleHttp\Psr7\Exception\MalformedUriException;
-use PHPUnit\Framework\TestCase;
-use InvalidArgumentException;
 use GuzzleHttp\Psr7\Uri;
-use web_eid\web_eid_authtoken_validation_php\testutil\AuthTokenValidators;
+use InvalidArgumentException;
+use PHPUnit\Framework\TestCase;
+use GuzzleHttp\Psr7\Exception\MalformedUriException;
 use web_eid\web_eid_authtoken_validation_php\testutil\Logger;
+use web_eid\web_eid_authtoken_validation_php\testutil\AuthTokenValidators;
 
 class AuthTokenValidatorBuilderTest extends TestCase
 {
@@ -90,4 +90,28 @@ public function testValidatorOriginNotValidSyntax(): void
         $this->expectExceptionMessage("Unable to parse URI: https:///ria.ee");
         AuthTokenValidators::getAuthTokenValidator("https:///ria.ee");
     }
+
+    public function testInvalidOcspResponseTimeSkew() : void
+    {
+        $builderWithInvalidResponseTimeSkew = AuthTokenValidators::getDefaultAuthTokenValidatorBuilder()->withAllowedOcspResponseTimeSkew(-1);
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage("Allowed OCSP response time-skew must be greater than zero");
+        $builderWithInvalidResponseTimeSkew->build();
+    }
+
+    public function testInvalidMaxOcspResponseThisUpdateAge() : void
+    {
+        $builderWithInvalidMaxOcspResponseThisUpdateAge = AuthTokenValidators::getDefaultAuthTokenValidatorBuilder()->withMaxOcspResponseThisUpdateAge(0);
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage("Max OCSP response thisUpdate age must be greater than zero");
+        $builderWithInvalidMaxOcspResponseThisUpdateAge->build();
+    }
+
+    public function testInvalidOcspRequestTimeout() : void
+    {
+        $builderWithInvalidOcspRequestTimeout = AuthTokenValidators::getDefaultAuthTokenValidatorBuilder()->withOcspRequestTimeout(-1);
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage("OCSP request timeout must be greater than zero");
+        $builderWithInvalidOcspRequestTimeout->build();
+    }
 }