Changed validation strategy

9cf6e882 · Klaus Fischer · 5e058be7 · 5e058be7 · 9cf6e882 · 9cf6e882
Commit 9cf6e882 authored 2 years ago by Klaus Fischer
--- a/.idea/.idea.FitConnect/.idea/.name
+++ b/.idea/.idea.FitConnect/.idea/.name
-FitConnect
\ No newline at end of file
--- a/FitConnect/Encryption/CertificateHelper.cs
+++ b/FitConnect/Encryption/CertificateHelper.cs
@@ -14,16 +14,15 @@ public class CertificateHelper {
        _logger = logger;
    }

-    internal bool ValidateCertificate(string keyJson, LogLevel logLevel) =>
-        ValidateCertificate(new JsonWebKey(keyJson), logLevel);
+    internal bool ValidateCertificate(string keyJson, LogLevel logLevel,
+        X509Certificate2? rootCertificate = null) =>
+        ValidateCertificate(new JsonWebKey(keyJson), logLevel, rootCertificate);

-    internal bool ValidateCertificate(JsonWebKey key, LogLevel logLevel = LogLevel.Error) {
+    internal bool ValidateCertificate(JsonWebKey key, LogLevel logLevel = LogLevel.Error,
+        X509Certificate2? root = null) {
        var certificates = key.X5c.Select(s => new X509Certificate2(Convert.FromBase64String(s)))
            .ToList();

-        X509Certificate2? root = null; //new X509Certificate2("./certificates/root.pem");
-
-
        _logger?.LogTrace("Found {Count} certificate(s)", certificates.Count);

        var valid = certificates.Aggregate(true,
@@ -44,13 +43,23 @@ public class CertificateHelper {


        if (rootCertificate != null) {
-            certificateChain.ChainPolicy.CustomTrustStore.Add(rootCertificate);
            certificateChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+            certificateChain.ChainPolicy.CustomTrustStore.Add(rootCertificate);
+            certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
+            certificateChain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
+            certificateChain.ChainPolicy.DisableCertificateDownloads = true;
+            certificateChain.ChainPolicy.VerificationFlags =
+                X509VerificationFlags.IgnoreRootRevocationUnknown |
+                X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown |
+                X509VerificationFlags.IgnoreCtlSignerRevocationUnknown;
+            _logger?.LogDebug("Using custom root certificate");
+        }
+        else {
+            certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
+            certificateChain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        }

-        certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
-        certificateChain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
-        certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
+        certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
        certificateChain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 30);

        var result = certificateChain.Build(certificate);

--- a/IntegrationTests/CertificateValidation.cs
+++ b/IntegrationTests/CertificateValidation.cs
@@ -40,6 +40,7 @@ public class CertificateValidation {
    }

    [Test]
+    [Ignore("No credentials for dev environment")]
    public void CheckCertificateInEnvironment_Dev() {
        var environment = FitConnectEnvironment.Develop;
        var sender = Client.GetSender(environment, _settings.SenderClientId,
@@ -64,8 +65,10 @@ public class CertificateValidation {
        new CertificateHelper(_logger).ValidateCertificate(JsonWebKey.Create(certificate),
            LogLevel.Trace);
    }
+    

    [Test]
+    [Ignore("No credentials for staging environment")]
    public void CheckCertificateInEnvironment_Staging() {
        var environment = FitConnectEnvironment.Staging;
        var sender = Client.GetSender(environment, _settings.SenderClientId,
@@ -81,6 +84,7 @@ public class CertificateValidation {
    }

    [Test]
+    [Ignore("No credentials for production environment")]
    public void CheckCertificateInEnvironment_Production() {
        var environment = FitConnectEnvironment.Production;
        var sender = Client.GetSender(environment, _settings.SenderClientId,
@@ -150,10 +154,10 @@ public class CertificateValidation {

            if (fileName.EndsWith(".json")) {
                var shouldFail = !fileName.Contains("/valid");
-
+                var root = new X509Certificate2("./certificates/root.pem");
                var jwk = new JsonWebKey(File.ReadAllText(fileName));
                var valid = _certificateHelper.ValidateCertificate(jwk,
-                    shouldFail ? LogLevel.Trace : LogLevel.Critical);
+                    shouldFail ? LogLevel.Trace : LogLevel.Critical, root);

                if (shouldFail)
                    valid = !valid;