From 44bdf300da2000b6de046bd58e3c64f6294ca91b Mon Sep 17 00:00:00 2001
From: Klaus Fischer <klaus.fischer@eloware.com>
Date: Wed, 7 Sep 2022 13:23:00 +0200
Subject: [PATCH] WIP: Revocation Status unclear

---
 FitConnect/Encryption/CertificateHelper.cs | 19 ++++----
 IntegrationTests/IntegrationTests.csproj   | 54 ++++++++++++++++++----
 2 files changed, 56 insertions(+), 17 deletions(-)

diff --git a/FitConnect/Encryption/CertificateHelper.cs b/FitConnect/Encryption/CertificateHelper.cs
index 132dad52..0db9b3c3 100644
--- a/FitConnect/Encryption/CertificateHelper.cs
+++ b/FitConnect/Encryption/CertificateHelper.cs
@@ -4,6 +4,7 @@ using System.Text.Unicode;
 using Microsoft.Extensions.Logging;
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.Win32.SafeHandles;
+using Newtonsoft.Json;
 
 namespace FitConnect.Encryption;
 
@@ -24,25 +25,27 @@ public class CertificateHelper {
         LogLevel logLevel = LogLevel.Warning) {
         var certificateChain = new X509Chain();
 
- //       certificate.ExportToPem($"./temp/{Guid.NewGuid().ToString()}.pem");
+//        certificate.ExportToPem($"./temp/{Guid.NewGuid().ToString()}");
         _logger?.LogDebug("Issuers: {Issuer}", certificate.Issuer);
 
         if (rootCertificate != null) {
             certificateChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
             certificateChain.ChainPolicy.CustomTrustStore.AddRange(rootCertificate);
-            certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
-            certificateChain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
+            certificateChain.ChainPolicy.ExtraStore.AddRange(rootCertificate);
+            certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
+            certificateChain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
             certificateChain.ChainPolicy.DisableCertificateDownloads = false;
-            certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
+            certificateChain.ChainPolicy.VerificationFlags =
+                X509VerificationFlags.IgnoreEndRevocationUnknown;
             _logger?.LogDebug("Using custom root certificate");
         }
         else {
             certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
             certificateChain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
+            certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
+            certificateChain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 30);
         }
 
-        certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
-        certificateChain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 30);
 
         var result = certificateChain.Build(certificate);
 
@@ -71,7 +74,6 @@ public class CertificateHelper {
         // }
         // root ??= new X509Certificate2(Convert.FromBase64String(key.X5t));
 
-
         var valid = certificates.Aggregate(true,
             (result, cert) => result
                               && ValidateCertificate(cert, out _, root, logLevel)
@@ -90,6 +92,7 @@ public static class X509Certificate2Extensions {
         builder.AppendLine("-----END CERTIFICATE-----");
         var content = builder.ToString();
 
-        File.WriteAllText(fileName, content);
+        File.WriteAllText(fileName + ".pem", content);
+        File.WriteAllText(fileName + ".json", JsonConvert.SerializeObject(certificate));
     }
 }
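Review bot: `JsonConvert.SerializeObject(certificate)` on the new last line serializes the whole `X509Certificate2` instance by reflection, so what ends up in the `.json` file (and whether serialization throws at all) depends on the key type and platform rather than on anything this method controls; the PEM already carries `RawData`, so this reads as a debugging dump that should not ship in the library's encryption helper, and it is the sole reason for the new `Newtonsoft.Json` dependency in the first hunk. Changing `File.WriteAllText(fileName, content)` to `fileName + ".pem"` also silently alters the contract of a public extension method, since a caller that already passes a `.pem` path now gets `foo.pem.pem`; if the new behaviour is intended, document it, e.g. `/// <param name="fileName">Path without extension; ".pem" is appended.</param>`. The method's signature and the start of its body lie before this hunk.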
diff --git a/IntegrationTests/IntegrationTests.csproj b/IntegrationTests/IntegrationTests.csproj
index 567f9503..99182c0c 100644
--- a/IntegrationTests/IntegrationTests.csproj
+++ b/IntegrationTests/IntegrationTests.csproj
@@ -48,21 +48,12 @@
         <None Update="certificates\revokedEncJWK.json">
           <CopyToOutputDirectory>Always</CopyToOutputDirectory>
         </None>
-        <None Update="certificates\ca.30244.der">
-          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
-        </None>
         <None Update="temp\readme.md">
           <CopyToOutputDirectory>Always</CopyToOutputDirectory>
         </None>
         <None Update="certificates\invalidEncJwkWithLessThan3Certificates.json">
           <CopyToOutputDirectory>Always</CopyToOutputDirectory>
         </None>
-        <None Update="certificates\ca.26281.der">
-          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
-        </None>
-        <None Update="certificates\ca.26305.der">
-          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
-        </None>
         <None Update="certificates\roots\ca.21636.der">
           <CopyToOutputDirectory>Always</CopyToOutputDirectory>
         </None>
@@ -102,6 +93,51 @@
         <None Update="certificates\roots\ca.29387.der">
           <CopyToOutputDirectory>Always</CopyToOutputDirectory>
         </None>
+        <None Update="certificates\root\ca.26281.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\root\ca.26305.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\root\ca.30244.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\root\root.pem">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\roots\ca.1534.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\roots\ca.1553.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\roots\ca.1570.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\roots\ca.1587.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\roots\ca.1604.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\roots\ca.1622.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\roots\ca.1639.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\roots\ca.1656.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\roots\ca.1673.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\roots\ca.26281.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="certificates\roots\ca.26305.der">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
     </ItemGroup>
 
 </Project>
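Review bot: The fixtures `ca.26281.der` and `ca.26305.der` are registered twice, once under `certificates\root\` (next to `ca.30244.der` and `root.pem`) and again under `certificates\roots\` at the end of the hunk, and a `<None Update="...">` whose path matches no item on disk is effectively a no-op, so a `root`/`roots` mix-up would silently drop a fixture from the test output instead of failing the build. Unless the repository really carries both directories, the three `certificates\root\ca.*.der` entries should read `certificates\roots\` (or the duplicates should be removed), and the removals in this file's first hunk should be checked against the same target path. `certificates\root\root.pem` likewise has no counterpart in the `roots\` list, which suggests the same typo.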
-- 
GitLab