From e9e34a2bf66c12a63c8fbf33e959b63cfed677d8 Mon Sep 17 00:00:00 2001
From: Klaus Fischer <klaus.fischer@eloware.com>
Date: Wed, 31 Aug 2022 21:52:43 +0200
Subject: [PATCH] Validating amazon cert working

---
 FitConnect/Encryption/CertificateHelper.cs | 19 +++++++------
 IntegrationTests/CertificateValidation.cs | 31 ++++++++++++++++++++++
 IntegrationTests/IntegrationTests.csproj | 6 +++++
 3 files changed, 48 insertions(+), 8 deletions(-)

diff --git a/FitConnect/Encryption/CertificateHelper.cs b/FitConnect/Encryption/CertificateHelper.cs
index 2a27b156..3475b98f 100644
--- a/FitConnect/Encryption/CertificateHelper.cs
+++ b/FitConnect/Encryption/CertificateHelper.cs
@@ -14,26 +14,29 @@ public class CertificateHelper { internal bool ValidateCertificate(JsonWebKey key) { var certificates = key.X5c.Select(s => new X509Certificate2(Convert.FromBase64String(s))) .ToList(); + + _logger?.LogWarning("Found {Count} certificate(s)", certificates.Count); + var valid = certificates.Aggregate(true, (result, cert) => result + && ValidateCertificate(cert, out var _) && cert.Verify() - && OcspCheck(cert, cert.Issuer) ); return valid; } - private bool OcspCheck(X509Certificate2 certificateX509, string issuer) { - var issuerBytes = Convert.FromBase64String(issuer); - - var issuerX509 = new X509Certificate2(issuerBytes); + public bool ValidateCertificate(X509Certificate2 certificateX509, out X509ChainStatus[] chainStatus) { var certificateChain = new X509Chain(); - certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.Online; + certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.Offline; certificateChain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot; certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; - certificateChain.ChainPolicy.ExtraStore.Add(issuerX509); certificateChain.Build(certificateX509); - + chainStatus = certificateChain.ChainStatus; + + _logger?.LogInformation("Certificate status: {ObjStatusInformation}", + certificateChain.ChainStatus.Aggregate("", (r,s)=>r+"\n\t - "+s.Status + ": "+ s.StatusInformation)); return certificateChain.ChainStatus.Length == 0; } + } diff --git a/IntegrationTests/CertificateValidation.cs b/IntegrationTests/CertificateValidation.cs index 1fb92570..a330057a 100644 --- a/IntegrationTests/CertificateValidation.cs +++ b/IntegrationTests/CertificateValidation.cs @@ -1,3 +1,7 @@ +using System.IO; +using System.Linq; +using System.Net; +using System.Security.Cryptography.X509Certificates; using Autofac; using FitConnect.Encryption; using FluentAssertions; 
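Review bot: The switch to `X509RevocationMode.Offline` in the new `ValidateCertificate(X509Certificate2, out X509ChainStatus[])` only consults locally cached CRL/OCSP data, so on a host with no cached CRL the chain status carries `RevocationStatusUnknown`/`OfflineRevocation` and the method returns false for every certificate, while the `cert.Verify()` call kept in the JsonWebKey overload still builds its own chain with the default online revocation policy, so the network dependency is not actually removed on that path; if offline mode is deliberate, a comment such as `// Offline: uses cached CRLs only; an empty cache surfaces as RevocationStatusUnknown` and a note in the commit message would save the next reader from re-enabling it. Dropping `ChainPolicy.ExtraStore.Add(issuerX509)` also means the intermediates carried in the JWK's x5c are no longer offered to the chain builder, so a leaf now validates only when its issuer is already in the machine store or reachable via AIA — the `certificates` list already materialised in the JsonWebKey overload could be passed down and added to `ChainPolicy.ExtraStore`. `X509Chain` is `IDisposable` and holds native handles; `using var certificateChain = new X509Chain();` releases them. The certificate count is logged at `LogWarning` although it is purely informational; `LogInformation` matches the status log a few lines below.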
@@ -34,9 +38,36 @@ public class CertificateValidation { .Should().BeTrue(); } + [Test] + public void CheckPublicKeySignature() { + _certificateHelper.ValidateCertificate(new JsonWebKey(_settings.PublicKeySignatureVerification)) + .Should().BeTrue(); + } + [Test] public void CheckPrivateKeyDecryption() { _certificateHelper.ValidateCertificate(new JsonWebKey(_settings.PrivateKeyDecryption)) .Should().BeTrue(); } + [Test] + public void CheckSetPublicKey() { + _certificateHelper.ValidateCertificate(new JsonWebKey("{\"keys\":[{\"alg\":\"PS512\",\"e\":\"AQAB\",\"key_ops\":[\"verify\"],\"kid\":\"ti1Z0KkG1uAXvd2XnWb5wWu8slGylvsvz3nOSe7yuAc\",\"kty\":\"RSA\",\"n\":\"xZcHMixJpDROXgGMU53Y9Y0KqYzJkKp8G5XTa1VhRmZ8kMqCZ5YJr07MeJNhpxKFaVhpNX3msRXVzSIm7PI4aG4qKCl0glB7OgnkGtwoJcIYjhbamxBgeWsfDR47LiyQykPZC61SFUkdvPsB6elrKHc9zYK_ijd2wCJrSoVkDJuH4A5xwrh8tdNDuQrirySW7BnqLlBfVgsEjM_66oK3PLRtbA09lbqqTqWkdgKNkWOkFc4zvHBjFFLKR8gWt0EpifhJWgazj6LnkUPiswuP8gel3rGrwe9DLaKndaB01bCnXNRjX2W-K8h6TFdU2sDExCwvTHRRNDEEo3dtqYi6vArnY25I7Lw2S-W3c8Kha7hkAZRCMafCsRXbskrW5pkQl2uYlBMdWiKtaRiqkwfmIW_DjWitscaX3I_oDMHLvXrDIvrbR3sY14WeudoiVOOs_lHmNn_CH_QmOLRIouE5PIVxbDDoohvgvNug-JtuL32y8ePxmutP6qoAaJw01UzhiyoJ0uEAwr4_1z46gy1eIzDCPdd9PU3YsnvD8YVi1KqxWWh-QzZyr-L4aiPMkgbBh5sJqHO5FHnpgTCxNQX6z5N4m65t72XhXyUDwtIWuY2RRr67SlMlzlC4vEeR-JKfGyeSjAqpH_HdmokxRYXsa991ppvJ-nGOrDkwTS9t4-U\",\"x5c\":[\"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\"]},{\"alg\":\"RSA-OAEP-256\",\"e\":\"AQAB\",\"key_ops\":[\"wrapKey\"],\"kid\":\"vr7cWKGl-g4Wa_CRGowNhAYW_gQb-akMbiigxN0EkDI\",\"kty\":\"RSA\",\"n\":\"zjG3Ic12-kGWiXqVE7CDjICyAb3MpDuhCSM1NTGduy6KqFE-meJjX9lu1MRmquwMu1LNv0Hjx4ksiB0ZL6YjlnqQVMbVdoxnjpcQnFk1j8t1_ndhOatbdCrEZXTm3v_KWpZBm1II8OweN9flLKgk4VM9YyoWMuIqWUnMGLaP8VNsnvcrWBVS_tXtSJG4BF-pJwNQfp6A0rNrsKm_MBF-3uTIXfNrdybjDWu1XrIGR25Y6r8kvNy0yynu9tfhLwBbqbgG8PYktIy6THspdja7QCC2afM0INci1Gj_48YfesLcLbv-jIjLKQn3h9mxKLPYV9-dsRSCZT7HpHPBZ9PcqiuAbfAjpwQKIGYUJkt0GGOhnM-ljKvosGsh4xsCKncJbE2drIHbM1kiGWuGQ_DVaTFxkMEslqqX8_t1AqSdTWD3gqI-
02PGc7w1J-iUWQsZDfNPQsihJdg_Icw6IbzGApzNIyAFeSSgJNNJSpY5eXHZB4V0IoGTHFb3jt8wqkDycYiEiTgmLJylXVd_l5DlqXP47HdB5RKLbaZI3iGEMzK98vBl4qWkixDBxDzONa5eWUckB1-vdYYuPksKTqLk1Wlh9a2b75KsOJKcaBOXEHufVIBZy8a-GGbkg21rnGCYU5jmLcPBij0D03PFnD7u0RlPaTe5jWCbF3oYMmQ6Ehc\",\"x5c\":[\"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\"]}]}")) + .Should().BeTrue(); + } + + [Test] + public void CheckPrivateKeySigning() { + _certificateHelper.ValidateCertificate(new JsonWebKey(_settings.PrivateKeySigning)) + .Should().BeTrue(); + } + + [Test] + public void CheckPemFiles() { + var files = System.IO.Directory.GetFiles("./certificates"); + foreach (var fileName in files) { + _logger.LogInformation(fileName); + var certificate = X509Certificate2.CreateFromPem(File.ReadAllText(fileName)); + _certificateHelper.ValidateCertificate(certificate, out var states); + } + } } diff --git a/IntegrationTests/IntegrationTests.csproj b/IntegrationTests/IntegrationTests.csproj index 03b4ca3e..a37d2d39 100644 --- a/IntegrationTests/IntegrationTests.csproj +++ b/IntegrationTests/IntegrationTests.csproj @@ -30,6 +30,12 @@ <None Update="Test.pdf"> <CopyToOutputDirectory>Always</CopyToOutputDirectory> </None> + <None Update="certificates\www-amazon-de.pem"> + <CopyToOutputDirectory>Always</CopyToOutputDirectory> + </None> + <None Update="certificates\www-amazon-de-zertifikatskette.pem"> + <CopyToOutputDirectory>Always</CopyToOutputDirectory> + </None> </ItemGroup> </Project> -- GitLab
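Review bot: `CheckPemFiles` never asserts on the result of `ValidateCertificate(certificate, out var states)`, so the test passes whether or not the PEM files validate; `_certificateHelper.ValidateCertificate(certificate, out var states).Should().BeTrue();` followed by `states.Should().BeEmpty();` would make a failure visible together with the chain status. `X509Certificate2.CreateFromPem` loads only the first certificate in the text, so if `certificates\www-amazon-de-zertifikatskette.pem` contains the full chain its intermediates are silently skipped — `new X509Certificate2Collection().ImportFromPemFile(fileName)` reads all of them. These PEM fixtures and the key set embedded as a literal in `CheckSetPublicKey` carry certificates with a finite validity period and depend on the host's trust and revocation stores, so the tests will start failing on expiry or without network access; a comment on the fixture stating the source and expected expiry would make that expected. `System.IO.Directory.GetFiles` can drop the namespace prefix now that `using System.IO;` is imported, and the field declarations for `_logger` and `_certificateHelper` are outside the hunk.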