Commit 8444886a authored by Klaus Fischer's avatar Klaus Fischer

Working

parent 67cf2fa0
2 merge requests!18Feature/651 outsource crypto,!13Feature/559 validate certificates
......@@ -22,12 +22,14 @@ public class CertificateHelper {
internal bool ValidateCertificate(X509Certificate2 certificate,
out X509ChainStatus[] chainStatus,
X509Certificate2[]? rootCertificate = null,
X509Certificate2[]? extras = null,
LogLevel logLevel = LogLevel.Warning) {
// Working notes
// https://git.fitko.de/fit-connect/planning/-/issues/142
// https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509chain.build?view=net-5.0
var certificateChain = new X509Chain();
certificateChain.ChainPolicy.ExtraStore.AddRange(extras ?? Array.Empty<X509Certificate2>());
// certificate.ExportToPem($"./temp/{Guid.NewGuid().ToString()}");
_logger?.LogDebug("Issuers: {Issuer}", certificate.Issuer);
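Review bot: `var certificateChain = new X509Chain();` creates an IDisposable that nothing in this hunk disposes; unless it is disposed further down (the rest of ValidateCertificate is outside the hunk), it should read `using var certificateChain = new X509Chain();` so the native chain handle is released once Build has run. The new `extras` parameter deserves a `<param>` line stating that these certificates only go into `ExtraStore`, i.e. they are available for chain building but are not trusted as anchors. The commented-out `ExportToPem` line and the "Working notes" links should be dropped or folded into a proper doc comment before this is merged.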
......@@ -35,15 +37,16 @@ public class CertificateHelper {
if (rootCertificate != null) {
certificateChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
certificateChain.ChainPolicy.CustomTrustStore.AddRange(rootCertificate);
certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
certificateChain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
_logger?.LogDebug("Using custom root certificate");
}
else {
certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
certificateChain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
certificateChain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 30);
certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
certificateChain.ChainPolicy.DisableCertificateDownloads = false;
}
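Review bot: In the else branch (no custom root) `certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;` makes Build() ignore every chain status — unknown CA, not time valid, wrong usage, invalid basic constraints — and with `RevocationMode = X509RevocationMode.NoCheck` on the same path the system-trust branch now accepts nearly any well-formed certificate, the opposite of what the custom-root branch (Online revocation, NoFlag) enforces. If this is a debugging aid, keep `NoFlag` and inspect `chainStatus` instead; if it is intended, it needs a comment stating why a chain with all errors suppressed is acceptable here. Should the `NoFlag` assignment two lines above also be on the new side, it is dead code, as is `DisableCertificateDownloads = false` (the default) and the 30-second `UrlRetrievalTimeout`, which has no effect while revocation is NoCheck. How the Build result becomes the method's return value is outside this hunk.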
......@@ -73,11 +76,14 @@ public class CertificateHelper {
return false;
}
var valid = certificates.Aggregate(true,
(result, cert) => result
&& ValidateCertificate(cert, out _, root, logLevel)
// && cert.Verify()
);
// var valid = certificates.Aggregate(true,
// (result, cert) => result
// && ValidateCertificate(cert, out _, root, certificates.ToArray(), logLevel)
// // && cert.Verify()
// );
var valid = ValidateCertificate(certificates.First(), out _, root, certificates.ToArray(),
logLevel);
return valid && fitConnectRequirements;
}
}
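Review bot: `ValidateCertificate(certificates.First(), out _, root, certificates.ToArray(), logLevel)` silently assumes the first element of `certificates` is the end-entity certificate and the rest are its issuers; that matches x5c ordering (RFC 7517 requires the key's certificate first) but nothing here checks it, so state it, e.g. `// x5c order: [0] is the end-entity cert; the rest are issuers supplied via extras`. `First()` throws InvalidOperationException on an empty sequence — fine if the `return false` at the top of the hunk is the empty-set guard, otherwise a count check is needed; that guard's condition is outside the hunk. The commented-out Aggregate block should be deleted rather than kept; git history already has it.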
......@@ -96,8 +102,8 @@ public static class CertificateExtensions {
}
public static bool MatchesFitConnectRequirements(this JsonWebKey key) {
return true || key.X5c.Count == 3
&& key.KeySize == 4096
&& (key.KeyOps.Contains("wrapKey") || key.KeyOps.Contains("verify"));
return key.X5c.Count == 3
&& key.KeySize == 4096
&& (key.KeyOps.Contains("wrapKey"));
}
}
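Review bot: The rewritten condition drops the `key.KeyOps.Contains("verify")` alternative, so a JWK whose key_ops holds only `verify` (a signature-verification key) now fails MatchesFitConnectRequirements, which — now that the `true ||` short-circuit is gone — is enforced for the first time. If the helper is meant for encryption keys only, rename it or add a `/// <summary>` saying so; if signing keys must also pass, restore `|| key.KeyOps.Contains("verify")`. The parentheses around `key.KeyOps.Contains("wrapKey")` are redundant.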
......@@ -112,22 +112,13 @@ public class CertificateValidation {
.Should().BeFalse();
}
[Test]
public void CheckPrivateKeyDecryption() {
_certificateHelper.ValidateCertificate(new JsonWebKey(_settings.PrivateKeyDecryption))
.Should().BeTrue();
}
[Test]
public void CheckSetPublicKey() {
_certificateHelper.ValidateCertificate(new JsonWebKey(_settings.SetPublicKeys))
.Should().BeTrue();
}
[Test]
public void CheckPrivateKeySigning() {
_certificateHelper.ValidateCertificate(new JsonWebKey(_settings.PrivateKeySigning))
.Should().BeTrue();
public void TestDvdvCertificate() {
var content = File.ReadAllText("./certificates/valid_dvdv.json");
var jwk = new JsonWebKey(content);
var result = _certificateHelper.ValidateCertificate(jwk);
result.Should().BeTrue();
}
[Test]
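Review bot: Removing CheckPrivateKeyDecryption, CheckSetPublicKey and CheckPrivateKeySigning leaves no test that a signing key is accepted, which matters because the requirement check in this commit now only accepts `wrapKey`. The new TestDvdvCertificate apparently calls the overload without a root, so it exercises only one trust path; a second case passing a root would cover the custom-trust branch as well. The overload it calls is not visible here.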
......@@ -138,7 +129,9 @@ public class CertificateValidation {
var failedCerts = new List<string>();
foreach (var fileName in files.Where(f => !f.EndsWith("root.pem"))) {
_logger.LogInformation("Checking file: {FileName}", fileName);
_logger.LogInformation(
"\n\n-----------------------------------------\nChecking file: {FileName}",
fileName);
if (fileName.EndsWith(".pem")) {
......@@ -160,7 +153,7 @@ public class CertificateValidation {
var keySet = keySetImport.Keys.Count != 0
? keySetImport.Keys.ToList()
: new List<JsonWebKey>() {
new (File.ReadAllText(fileName))
new(File.ReadAllText(fileName))
};
foreach (var jwk in keySet) {
......
......@@ -171,6 +171,54 @@
<None Update="certificates\roots\ca.1357.der">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\validEncJWK.json">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\validEncJWK_KeyUse.json">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\invalidEncJwkWithLessThan3Certificates.json">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\valid_dvdv.json">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\roots\ca.14905.der">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\roots\ca.14922.der">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\roots\ca.14939.der">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\roots\ca.14956.der">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\roots\ca.14973.der">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\roots\ca.14990.der">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\roots\ca.15007.der">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\roots\ca.15024.der">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\roots\ca.15041.der">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\roots\ca.15058.der">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\roots\ca.10915.der">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
<None Update="certificates\roots\ca.43962.der">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
</ItemGroup>
</Project>
......@@ -16,6 +16,7 @@ using NUnit.Framework;
namespace IntegrationTests.Routing;
[TestFixture]
[Ignore("Server does not return a valid response")]
public class RoutingTests {
[SetUp]
public void Setup() {
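Review bot: `[Ignore("Server does not return a valid response")]` at fixture level silences every test in RoutingTests with nothing pointing to when it should be re-enabled; the same reason string appears on GetDestinations_ShouldGetDestinationsFromServer in SenderTestHappyPath further down. Put a tracking reference in the reason, e.g. `[Ignore("Server does not return a valid response, see <ISSUE-REF>")]`, so the ignored fixture is revisited rather than forgotten.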
......@@ -95,7 +96,6 @@ public class RoutingTests {
[Test]
[Order(80)]
public void BaseSignatureTest() {
var parameter = JsonConvert.DeserializeObject(_body);
// Get Key from SubmissionAPI
var parameterJson = JsonConvert.SerializeObject(parameter,
......
......@@ -172,6 +172,7 @@ public class SenderTestHappyPath : SenderTestBase {
[Test]
[Ignore("Server does not return a valid response")]
public void GetDestinations_ShouldGetDestinationsFromServer() {
// Arrange
var destinations = Sender.FindDestinationId("99123456760610",
......