Added additional information to certificate check

09c2b305 · Klaus Fischer · 9cf6e882 · 09c2b305 · 09c2b305 · 09c2b305
Commit 09c2b305 authored 2 years ago by Klaus Fischer
--- a/FitConnect/Encryption/CertificateHelper.cs
+++ b/FitConnect/Encryption/CertificateHelper.cs
@@ -22,6 +22,7 @@ public class CertificateHelper {
        X509Certificate2? root = null) {
        var certificates = key.X5c.Select(s => new X509Certificate2(Convert.FromBase64String(s)))
            .ToList();
+        // root ??= new X509Certificate2(Convert.FromBase64String(key.X5t));

        _logger?.LogTrace("Found {Count} certificate(s)", certificates.Count);

@@ -30,7 +31,7 @@ public class CertificateHelper {
                              && ValidateCertificate(cert, out _,
                                  root,
                                  logLevel)
-                              && cert.Verify()
+            //&& cert.Verify()
        );
        return valid;
    }
@@ -48,10 +49,7 @@ public class CertificateHelper {
            certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            certificateChain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            certificateChain.ChainPolicy.DisableCertificateDownloads = true;
-            certificateChain.ChainPolicy.VerificationFlags =
-                X509VerificationFlags.IgnoreRootRevocationUnknown |
-                X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown |
-                X509VerificationFlags.IgnoreCtlSignerRevocationUnknown;
+            certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
            _logger?.LogDebug("Using custom root certificate");
        }
        else {
@@ -59,17 +57,18 @@ public class CertificateHelper {
            certificateChain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        }

-        certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
+        certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        certificateChain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 30);

        var result = certificateChain.Build(certificate);

-        chainStatus = certificateChain.ChainStatus;
+        chainStatus = certificateChain.ChainStatus
+            .Where(s => s.Status != X509ChainStatusFlags.PartialChain).ToArray();

        var statusAggregation = certificateChain.ChainStatus.Aggregate("",
            (r, s) => r + "\n\t - " + s.Status + ": " + s.StatusInformation);

-        if (!string.IsNullOrWhiteSpace(statusAggregation))
+        if (!result)
            _logger?.Log(logLevel, "Certificate status: {ObjStatusInformation}",
                statusAggregation);
        return result;

--- a/IntegrationTests/CertificateValidation.cs
+++ b/IntegrationTests/CertificateValidation.cs
 using System;
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Net;
@@ -65,7 +66,7 @@ public class CertificateValidation {
        new CertificateHelper(_logger).ValidateCertificate(JsonWebKey.Create(certificate),
            LogLevel.Trace);
    }
-    
+

    [Test]
    [Ignore("No credentials for staging environment")]
@@ -135,6 +136,7 @@ public class CertificateValidation {
        var files = System.IO.Directory.GetFiles("./certificates");
        var success = 0;
        var failed = 0;
+        var failedCerts = new List<string>();

        foreach (var fileName in files.Where(f => !f.EndsWith("root.pem"))) {
            _logger.LogInformation("Checking file: {FileName}", fileName);
@@ -149,6 +151,7 @@ public class CertificateValidation {
                }
                else {
                    failed++;
+                    failedCerts.Add(fileName);
                }
            }

@@ -167,10 +170,12 @@ public class CertificateValidation {
                }
                else {
                    failed++;
+                    failedCerts.Add(fileName);
                }
            }
        }

+        _logger.LogWarning("Failed certificates: {certs}", failedCerts.Aggregate("\n", (a,b)=>a+"\n\t - "+b));
        _logger.LogInformation("Success: {Success}, Failed: {Failed}", success, failed);
        failed.Should().Be(0);
    }

--- a/IntegrationTests/IntegrationTests.csproj
+++ b/IntegrationTests/IntegrationTests.csproj
@@ -42,7 +42,7 @@
        <None Update="certificates\validEncJW_KeyUse.json">
          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
        </None>
-        <None Update="certificates\ValidEncJWK.json">
+        <None Update="certificates\validEncJWK.json">
          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
        </None>
        <None Update="certificates\validSigJWK.json">