From bbc8f2fb672e92656e0b88a0fbc39fdc5bc2b34e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Wed, 28 Apr 2021 14:21:54 +0200 Subject: [PATCH 01/15] Added MitId unit test to OcspLookupTest --- AssemblyInfoFileVersion.cs | 2 +- common | 2 +- .../RaspConfiguration.Live.xml | 2 +- .../RaspConfiguration.Test.xml | 2 +- .../security/revocation/ocsp/OcspLookup.cs | 2 +- test/dk.gov.oiosi.test.unit/TestConstants.cs | 1 + .../dk.gov.oiosi.test.unit.csproj | 25 +++--- .../communication/RaspRequestTest.cs | 2 +- .../security/revocation/LookupTest.cs | 2 + .../security/revocation/OcspLookupTest.cs | 78 +++++++++++++++---- 10 files changed, 87 insertions(+), 31 deletions(-) diff --git a/AssemblyInfoFileVersion.cs b/AssemblyInfoFileVersion.cs index 39934360..b028aaeb 100644 --- a/AssemblyInfoFileVersion.cs +++ b/AssemblyInfoFileVersion.cs @@ -10,5 +10,5 @@ using System.Reflection; // //------------------------------------------------------------------------------ -[assembly: AssemblyFileVersionAttribute("3.0.0.BETA")] +[assembly: AssemblyFileVersionAttribute("3.0.0.65534")] diff --git a/common b/common index 68cedda6..26c4e1bf 160000 --- a/common +++ b/common @@ -1 +1 @@ -Subproject commit 68cedda61fcbc2e27b952e3d5ebacc8be5bbe3eb +Subproject commit 26c4e1bf2412ed6d98fc1b37d57ead9ee749a02d diff --git a/src/dk.gov.oiosi.resource/RaspConfiguration.Live.xml b/src/dk.gov.oiosi.resource/RaspConfiguration.Live.xml index 4e617a38..8177ff54 100644 --- a/src/dk.gov.oiosi.resource/RaspConfiguration.Live.xml +++ b/src/dk.gov.oiosi.resource/RaspConfiguration.Live.xml @@ -4564,7 +4564,7 @@ ​389 - ​ldap.ca1.gov.dk + ​ca1.gov.dk389 5000 diff --git a/src/dk.gov.oiosi.resource/RaspConfiguration.Test.xml b/src/dk.gov.oiosi.resource/RaspConfiguration.Test.xml index 9eba5447..ebbc0be8 100644 --- a/src/dk.gov.oiosi.resource/RaspConfiguration.Test.xml +++ b/src/dk.gov.oiosi.resource/RaspConfiguration.Test.xml 
@@ -4565,7 +4565,7 @@ ​389 - ​ldap.ca1.cti-gov.dk + ​ca1.cti-gov.dk389 5000 diff --git a/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs b/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs index c37a484f..100a2e70 100644 --- a/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs +++ b/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs @@ -228,7 +228,7 @@ namespace dk.gov.oiosi.security.revocation.ocsp { /// The certificate to check /// The RevocationResponse object that contains the result /// This exception is thrown, if an unexpected exception is thrown during the method - private RevocationResponse RevocationResponseOnline(X509Certificate2 x509Certificate2) + public RevocationResponse RevocationResponseOnline(X509Certificate2 x509Certificate2) { RevocationResponse revocationResponse = new RevocationResponse(); diff --git a/test/dk.gov.oiosi.test.unit/TestConstants.cs b/test/dk.gov.oiosi.test.unit/TestConstants.cs index 51431ec4..5c357dac 100644 --- a/test/dk.gov.oiosi.test.unit/TestConstants.cs +++ b/test/dk.gov.oiosi.test.unit/TestConstants.cs @@ -100,6 +100,7 @@ namespace dk.gov.oiosi.test.unit public const string PATH_CERTIFICATE_DEVICE = "Resources/Certificates/CVR30808460.Expire20200130.TU GENEREL FOCES gyldig (Funktionscertifikat).pfx"; public const string PASSWORD_CERTIFICATE_DEVICE = "Test1234"; + public const string PATH_CERTIFICATE_MITID_DEVICE = "Resources/Certificates/Nemhandel-DEV-OCES-cert-20210422.p12"; ////public const string PATH_CERTIFICATE_ROOT1 = "Resources/Certificates/TDC OCES Systemtest CA II.cer"; ////public const string PATH_CERTIFICATE_ROOT2 = "Resources/Certificates/TRUST2408 Systemtest VII Primary CA.cer"; diff --git a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj index e093d502..9335ebea 100644 --- a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj +++ b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj 
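Review bot: `RevocationResponseOnline` is widened from `private` to `public`, apparently only so the test added in this patch can call it; that adds a second public entry point which skips whatever `CheckCertificate` does around it (caching and issuer handling, judging by the later hunks). `internal` together with `[assembly: InternalsVisibleTo("dk.gov.oiosi.test.unit")]` gives the test the same access without enlarging the public surface of the revocation client. The method body continues outside this hunk.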
@@ -151,11 +151,15 @@ Resources\Certificates\CVR30808460.Expire20131101.Test MOCES1 %28medarbejdercertificat 1%29.pfx PreserveNewest + + Resources\Certificates\Nemhandel-DEV-OCES-cert-20210422.p12 + PreserveNewest + Resources\Certificates\TDC OCES Systemtest CA II.cer PreserveNewest - + Resources\Certificates\TRUST2408 Systemtest VII Primary CA.cer PreserveNewest @@ -241,8 +245,8 @@ Resources\Documents\Examples\OIOUBL_Invoice_identifier_ean_5798009811561.xml PreserveNewest - - Resources\Documents\Examples\OIOUBL_Invoice_identifier_ean_v2p1.xml + + Resources\Documents\Examples\OIOUBL_Invoice_identifier_gln_v2p1.xml PreserveNewest @@ -680,6 +684,9 @@ + + + @@ -688,11 +695,11 @@ - \ No newline at end of file diff --git a/test/dk.gov.oiosi.test.unit/raspProfile/communication/RaspRequestTest.cs b/test/dk.gov.oiosi.test.unit/raspProfile/communication/RaspRequestTest.cs index 730bd92b..9700120d 100644 --- a/test/dk.gov.oiosi.test.unit/raspProfile/communication/RaspRequestTest.cs +++ b/test/dk.gov.oiosi.test.unit/raspProfile/communication/RaspRequestTest.cs @@ -58,7 +58,7 @@ namespace dk.gov.oiosi.test.unit.raspProfile.communication { } private OiosiMessage GetInvoiceOiosiMessage() { - var invoiceSourcePath = "Resources/Documents/Examples/OIOUBL_Invoice_identifier_ean_v2p1.xml"; + var invoiceSourcePath = "Resources/Documents/Examples/OIOUBL_Invoice_identifier_gln_v2p1.xml"; var invoiceFile = Settings.CreateRandomPath("invoice.xml"); Directory.CreateDirectory(invoiceFile.DirectoryName); File.Copy(invoiceSourcePath, invoiceFile.FullName); diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/LookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/LookupTest.cs index 0cb397d0..86843721 100644 --- a/test/dk.gov.oiosi.test.unit/security/revocation/LookupTest.cs +++ b/test/dk.gov.oiosi.test.unit/security/revocation/LookupTest.cs 
@@ -12,6 +12,8 @@ namespace dk.gov.oiosi.test.unit.security.revocation public const string foces2RevokedCertificate = "Resources/Certificates/CVR30808460.Expire20200313.TU GENEREL FOCES spaerret (Funktionscertifikat).pfx"; public const string foces2OkayCertificate = TestConstants.PATH_CERTIFICATE_DEVICE;//"Resources/Certificates/CVR30808460.Expire20200130.TU GENEREL FOCES gyldig (Funktionscertifikat).pfx"; + + public const string mitIdFocesOkayCertificate = TestConstants.PATH_CERTIFICATE_MITID_DEVICE;//"Resources/Certificates/CVR30808460.Expire20200130.TU GENEREL FOCES gyldig (Funktionscertifikat).pfx"; public const string oces1RootCertificate = TestConstants.PATH_CERTIFICATE_TEST_ROOT_OCES1; public const string oces2RootCertificate = TestConstants.PATH_CERTIFICATE_TEST_ROOT_OCES2; diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs index 3d6a0039..cd5e3e8c 100644 --- a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs +++ b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs @@ -4,6 +4,8 @@ using NUnit.Framework; using System.Security.Cryptography.X509Certificates; using System.Collections.Generic; using System; +using Org.BouncyCastle.Pkcs; +using System.IO; namespace dk.gov.oiosi.test.unit.security.revocation { @@ -22,11 +24,11 @@ namespace dk.gov.oiosi.test.unit.security.revocation { OcspConfig ocspConfig = new OcspConfig(); ocspConfig.DefaultTimeoutMsec = 20000; - + X509Certificate2 oces2RootCertificate = new X509Certificate2(LookupTest.oces2RootCertificate); IList list = new List(); - + list.Add(oces2RootCertificate); OcspLookup ocspLookup = new OcspLookup(ocspConfig, list); 
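Review bot: The trailing comment on the new `mitIdFocesOkayCertificate` constant repeats the FOCES pfx path copied from the line above, which is not the file `TestConstants.PATH_CERTIFICATE_MITID_DEVICE` points at. Anyone searching for the certificate file by name will be misled; either drop the comment or make it match, e.g. `//"Resources/Certificates/Nemhandel-DEV-OCES-cert-20210422.p12"`.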
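Review bot: The added `using Org.BouncyCastle.Pkcs;` and `using System.IO;` do not appear to be used by the C# test introduced later in this patch, which loads the file through `X509Certificate2`; they look like leftovers from the Java version that was kept in a comment. Removing both avoids the unused-directive warning and keeps the BouncyCastle dependency out of a test that does not need it.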
@@ -76,29 +78,73 @@ namespace dk.gov.oiosi.test.unit.security.revocation // } //} - - /* - * Not the OCSP job to check for expired certificate - * [Test] - public void LookupTestExpiredFoces1() + + /* + * Not the OCSP job to check for expired certificate + * [Test] + public void LookupTestExpiredFoces1() + { + try + { + X509Certificate2 certificate = new X509Certificate2(LookupTest.foces1ExpiredCertificate, "Test1234"); + Assert.IsNotNull(certificate, "Test certificate was null."); + + OcspLookup ocspLookup = this.CreateOcesLookup(); + RevocationResponse response = ocspLookup.CheckCertificate(certificate); + Assert.IsFalse(response.IsValid, "Certificate is not valid."); + Assert.IsNull(response.Exception, "The lookup return an exception."); + Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "Not all check was performed."); + } + catch (Exception exception) + { + Assert.Fail(exception.ToString()); + } + }*/ + /* + [Test] + public void testMitIdTestCertificate() throws Exception + { + KeyStore p12 = KeyStore.getInstance("pkcs12"); + p12.load(new FileInputStream(TestConstants.PATH_MITID_ORG_TEST), "?3ngCR4,gq86".toCharArray()); + Enumeration e = p12.aliases(); + Assert.True("No elements found", e.hasMoreElements()); + string alias = e.nextElement(); + X509Certificate certificate = (X509Certificate)p12.getCertificate(alias); + Assert.AreEqual("Wrong cert. subject found", "C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", certificate.getSubjectDN().TOString()); + + System.err.println(certificate.getIssuerX500Principal()); + System.err.println(certificate.getSubjectX500Principal()); + + //assertEquals("Wrong cert. 
found", "SERIALNUMBER=CVR:30808460-FID:94731315 + CN=TU GENEREL FOCES gyldig (funktionscertifikat), O=NETS DANID A/S // CVR:30808460, C=DK", c.getSubjectDN().toString()); + + RevocationResponse revocationResponse = CreateOcesLookup().revocationResponseOnline(certificate); + assertTrue("Certificate should be OCSP valid...", revocationResponse.isValid()); + + }*/ + + [Test] + public void testMitIdTestCertificate() { + try { - X509Certificate2 certificate = new X509Certificate2(LookupTest.foces1ExpiredCertificate, "Test1234"); - Assert.IsNotNull(certificate, "Test certificate was null."); + X509Certificate2 cert = new X509Certificate2(mitIdFocesOkayCertificate, "?3ngCR4,gq86"); + + Assert.AreEqual("C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", cert.Subject, "Wrong cert. subject found"); + + var ocspLookup = CreateOcesLookup(); + RevocationResponse revocationResponse = ocspLookup.RevocationResponseOnline(cert); + Assert.IsTrue(revocationResponse.IsValid, "Certificate should be OCSP valid..."); + - OcspLookup ocspLookup = this.CreateOcesLookup(); - RevocationResponse response = ocspLookup.CheckCertificate(certificate); - Assert.IsFalse(response.IsValid, "Certificate is not valid."); - Assert.IsNull(response.Exception, "The lookup return an exception."); - Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "Not all check was performed."); } catch (Exception exception) { Assert.Fail(exception.ToString()); } - }*/ - + } + + [Test] public void LookupTestOkayFoces2() -- GitLab From 02d5763deabdb1558593a51012742b9b8dfa7415 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Wed, 28 Apr 2021 14:57:44 +0200 Subject: [PATCH 02/15] X509KeyStorageFlags.MachineKeySet set in X809Certificate2 --- .../security/revocation/OcspLookupTest.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
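Review bot: The new test asserts validity through `ocspLookup.RevocationResponseOnline(cert)`, the method made public in this same patch, instead of through `CheckCertificate` as the commented-out `LookupTestExpiredFoces1` does; it therefore passes as long as the responder answers "good" and proves nothing about the cache and issuer handling a real caller goes through, so an additional `Assert.IsTrue(ocspLookup.CheckCertificate(cert).IsValid, ...)` would be worth adding. The PKCS#12 passphrase is an inline literal while the FOCES one is `TestConstants.PASSWORD_CERTIFICATE_DEVICE`; a `PASSWORD_CERTIFICATE_MITID_DEVICE` constant next to the new path constant keeps the two consistent. The commented-out Java rendition of the same test above the C# one is dead text and can go. The name `testMitIdTestCertificate` also breaks the `LookupTest...` PascalCase pattern used by the other methods in this class.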
diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs index cd5e3e8c..9313ec86 100644 --- a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs +++ b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs @@ -128,7 +128,7 @@ namespace dk.gov.oiosi.test.unit.security.revocation try { - X509Certificate2 cert = new X509Certificate2(mitIdFocesOkayCertificate, "?3ngCR4,gq86"); + X509Certificate2 cert = new X509Certificate2(mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet); Assert.AreEqual("C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", cert.Subject, "Wrong cert. subject found"); -- GitLab From 4fa3fa3ff0e36a8d81b9c4862fe2208043364356 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Wed, 28 Apr 2021 15:11:48 +0200 Subject: [PATCH 03/15] Trying to fix OcspLookupTest. --- .../security/revocation/OcspLookupTest.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs index 9313ec86..238b69f1 100644 --- a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs +++ b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs 
@@ -128,7 +128,7 @@ namespace dk.gov.oiosi.test.unit.security.revocation try { - X509Certificate2 cert = new X509Certificate2(mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet); + X509Certificate2 cert = new X509Certificate2(mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet); Assert.AreEqual("C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", cert.Subject, "Wrong cert. subject found"); -- GitLab From f4bc3e1e6f96f50fdc07684005477cbcf1ca6e5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Tue, 4 May 2021 10:18:59 +0200 Subject: [PATCH 04/15] - Fixed issues with "self signed"-check. - Created unit test validating that the "self signed"-check works. - Added new test-root certificate (MitId) - Moved FindIssuerCertificate into CertificateUtil. --- .../DefaultLdapConfig.cs | 2 +- .../DefaultRootCertificateCollectionConfig.cs | 8 + .../revocation/crl/CertificateUtil.cs | 73 +++++ .../security/revocation/ocsp/OcspLookup.cs | 274 +++++++----------- test/dk.gov.oiosi.test.unit/TestConstants.cs | 1 + .../dk.gov.oiosi.test.unit.csproj | 4 + .../security/revocation/LookupTest.cs | 1 + .../security/revocation/OcspLookupTest.cs | 46 ++- 8 files changed, 237 insertions(+), 172 deletions(-) diff --git a/src/dk.gov.oiosi.raspProfile/DefaultLdapConfig.cs b/src/dk.gov.oiosi.raspProfile/DefaultLdapConfig.cs index 942b5ea9..b9b827a4 100644 --- a/src/dk.gov.oiosi.raspProfile/DefaultLdapConfig.cs +++ b/src/dk.gov.oiosi.raspProfile/DefaultLdapConfig.cs 
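Review bot: `X509KeyStorageFlags.PersistKeySet` writes the imported private key permanently into the machine key store on every run of this test, and `Exportable` marks it exportable, yet the test only needs the certificate's public half for the subject assertion and the OCSP lookup. If the target framework supports it, `X509KeyStorageFlags.EphemeralKeySet` avoids leaving test private keys behind on the build machine; otherwise `X509KeyStorageFlags.MachineKeySet` alone, as in the previous commit, at least does not persist them. The reason MachineKeySet was required (presumably the test runner's profile) deserves a one-line comment so the next person does not strip it. The enclosing test method starts and ends outside this hunk.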
@@ -93,7 +93,7 @@ namespace dk.gov.oiosi.raspProfile ldapSettings.CertificateInfrastructures = new CertificateInfrastructure[] { new CertificateInfrastructure{Id = "NemID", Host = "crtdir.certifikat.dk", Port = 389 }, - new CertificateInfrastructure{Id = "MitID", Host = "ldap.ca1.gov.dk", Port = 389 } + new CertificateInfrastructure{Id = "MitID", Host = "ca1.cti-gov.dk", Port = 389 } }; ldapSettings.ConnectionTimeoutMsec = 5000; diff --git a/src/dk.gov.oiosi.raspProfile/DefaultRootCertificateCollectionConfig.cs b/src/dk.gov.oiosi.raspProfile/DefaultRootCertificateCollectionConfig.cs index 97c2afa2..c60ae352 100644 --- a/src/dk.gov.oiosi.raspProfile/DefaultRootCertificateCollectionConfig.cs +++ b/src/dk.gov.oiosi.raspProfile/DefaultRootCertificateCollectionConfig.cs @@ -70,6 +70,14 @@ namespace dk.gov.oiosi.raspProfile certificatLocation.StoreLocation = StoreLocation.LocalMachine; certificatLocation.StoreName = StoreName.Root; rootCertificateCollectionConfig.GetAsList().Add(certificatLocation); + + // MitId + certificatLocation = new RootCertificateLocation(); + certificatLocation.Description = "Den Danske Stat OCES rod-CA"; + certificatLocation.SerialNumber = "573f57e67530f1a0777dfbc69f090438d3360256"; + certificatLocation.StoreLocation = StoreLocation.LocalMachine; + certificatLocation.StoreName = StoreName.Root; + rootCertificateCollectionConfig.GetAsList().Add(certificatLocation); } /// diff --git a/src/dk.gov.oiosi/security/revocation/crl/CertificateUtil.cs b/src/dk.gov.oiosi/security/revocation/crl/CertificateUtil.cs index 6b0e447f..c27137ba 100644 --- a/src/dk.gov.oiosi/security/revocation/crl/CertificateUtil.cs +++ b/src/dk.gov.oiosi/security/revocation/crl/CertificateUtil.cs 
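Review bot: The MitID LDAP host becomes `ca1.cti-gov.dk`, which is the value patch 01 put into RaspConfiguration.Test.xml, whereas RaspConfiguration.Live.xml was changed to `ca1.gov.dk`; if `DefaultLdapConfig` supplies the production default, this points live certificate lookups at the test infrastructure. Worth confirming which environment this class serves and, if it is live, using `Host = "ca1.gov.dk"`, or adding a comment explaining why the test host is intended here.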
@@ -10,6 +10,79 @@ namespace dk.gov.oiosi.security.revocation.crl { public class CertificateUtil { + public X509Certificate2 FindIssuerCertificate(X509Certificate2 serverX509Certificate2) + { + X509Certificate2 issuerX509Certificate2 = null; + + // Find the issuer certificate + X509Chain x509Chain = new X509Chain(); + x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; + x509Chain.Build(serverX509Certificate2); + + // Iterate though the chain, to validate if it contain a valid root vertificate + X509ChainElementCollection x509ChainElementCollection = x509Chain.ChainElements; + X509ChainElementEnumerator enumerator = x509ChainElementCollection.GetEnumerator(); + X509ChainElement x509ChainElement; + X509Certificate2 x509Certificate2 = null; + IDictionary map = new Dictionary(); + + // At this point, the certificate is not valid, until a + // it is proved that it has a valid root certificate + while (enumerator.MoveNext()) + { + x509ChainElement = enumerator.Current; + x509Certificate2 = x509ChainElement.Certificate; + map.Add(x509Certificate2.Subject, x509Certificate2); + } + + if (map.ContainsKey(serverX509Certificate2.Issuer)) + { + issuerX509Certificate2 = map[serverX509Certificate2.Issuer]; + } + + return issuerX509Certificate2; + } + + /* public X509Certificate2 FindRootCertificate(X509Certificate2 serverX509Certificate2, IDictionary rootCertificateDirectory) + { + bool rootCertificateFound = false; + X509Certificate2 desiredRootX509Certificate2 = null; + // Find the desired root certificate + X509Chain x509Chain = new X509Chain(); + x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; + x509Chain.Build(serverX509Certificate2); + + // Iterate though the chain, to validate if it contain a valid root vertificate + X509ChainElementCollection x509ChainElementCollection = x509Chain.ChainElements; + X509ChainElementEnumerator enumerator = x509ChainElementCollection.GetEnumerator(); + X509ChainElement x509ChainElement; + X509Certificate2 
x509Certificate2 = null; + string x509CertificateThumbprint; + // At this point, the certificate is not valid, until a + // it is proved that it has a valid root certificate + while (rootCertificateFound == false && enumerator.MoveNext()) + { + x509ChainElement = enumerator.Current; + x509Certificate2 = x509ChainElement.Certificate; + x509CertificateThumbprint = x509Certificate2.Thumbprint.ToLowerInvariant(); + if (rootCertificateDirectory.ContainsKey(x509CertificateThumbprint)) + { + // The current chain element is in the trusted rootCertificateDirectory + rootCertificateFound = true; + + // now the loop will break, as we have found a trusted root certificate + } + } + + if (rootCertificateFound) + { + // root certificate is found + desiredRootX509Certificate2 = x509Certificate2; + } + + return desiredRootX509Certificate2; + }*/ + /// /// Gets a list of URLs from the specified certificate. /// diff --git a/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs b/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs index 100a2e70..d2095786 100644 --- a/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs +++ b/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs @@ -50,14 +50,17 @@ using Org.BouncyCastle.X509; using dk.gov.oiosi.security.revocation.crl; using Org.BouncyCastle.Security.Certificates; using dk.gov.oiosi.logging; +using System.Linq; +using dk.gov.oiosi.security.revocation.crl; //using Novell.Directory.Ldap.Asn1; -namespace dk.gov.oiosi.security.revocation.ocsp { +namespace dk.gov.oiosi.security.revocation.ocsp +{ /// /// Class for checking certificate revocation status against an OCSP (Online Certificate Status Protocol) server. /// - public class OcspLookup : IRevocationLookup + public class OcspLookup : IRevocationLookup { private ILogger logger; private OcspConfig _configuration; 
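Review bot: In `FindIssuerCertificate`, `map.Add(x509Certificate2.Subject, x509Certificate2)` throws `ArgumentException` when two chain elements share a subject name (a CA that has re-keyed under the same name, for instance), turning an issuer lookup into an unexpected exception for the caller; `map[x509Certificate2.Subject] = x509Certificate2;` tolerates that, or skip the dictionary and `TryGetValue` on `serverX509Certificate2.Issuer`. `X509Chain` is `IDisposable` and is never disposed here; `using (X509Chain x509Chain = new X509Chain()) { ... }` around the build and iteration covers it. The return value of `x509Chain.Build` is ignored, which is defensible for a lookup with `RevocationMode = NoCheck` but deserves a comment such as `// Build result is ignored: only the chain elements are needed, not a trust verdict`. The commented-out `FindRootCertificate` block moved in alongside is dead code and could be dropped rather than carried into the new file.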
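Review bot: The hunk adds `using dk.gov.oiosi.security.revocation.crl;` although the same directive already appears three lines above it, which produces the duplicate-using warning (CS0105); drop the second copy. `using System.Linq;` is not used by anything visible in this patch and can be left out until something needs it.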
@@ -77,7 +80,7 @@ namespace dk.gov.oiosi.security.revocation.ocsp { /// Instantiates OcspLookup and loads the OCES default root certificate /// /// Configuration parameters - public OcspLookup(OcspConfig configuration) + public OcspLookup(OcspConfig configuration) { this.logger = LoggerFactory.Create(this); this.Init(configuration, null); @@ -103,7 +106,7 @@ namespace dk.gov.oiosi.security.revocation.ocsp { OcspConfig configuration = ConfigurationHandler.GetConfigurationSection(); this.Init(configuration, null); } - + /// /// Gets the configuration of the lookup client @@ -147,7 +150,7 @@ namespace dk.gov.oiosi.security.revocation.ocsp { foreach (X509Certificate2 x509Certificate2 in defaultRootCertificateList) { - this.rootCertificateDirectory.Add(x509Certificate2.Thumbprint.ToLowerInvariant(), x509Certificate2); + this.rootCertificateDirectory.Add(x509Certificate2.SerialNumber.ToLowerInvariant(), x509Certificate2); } } catch (UriFormatException) @@ -179,21 +182,21 @@ namespace dk.gov.oiosi.security.revocation.ocsp { throw; } } - + /// /// Checks a certificate status on a ocsp server /// /// The certificate to check /// The RevocationResponse object that contains the result /// This exception is thrown, if an unexpected exception is thrown during the method - private RevocationResponse RevocationResponse(X509Certificate2 x509Certificate2) + public RevocationResponse RevocationResponse(X509Certificate2 x509Certificate2) { // this method can be call requsiv, so check the cache first RevocationResponse revocationResponse; this.logger.Debug(string.Format("OCSP validation the certificate '{0}'.", x509Certificate2.SubjectName.Name)); - bool ocspResponseExistsInCache = this.ocspCache.TryGetValue(x509Certificate2.Thumbprint.ToLowerInvariant(), out revocationResponse); + bool ocspResponseExistsInCache = this.ocspCache.TryGetValue(x509Certificate2.SerialNumber.ToLowerInvariant(), out revocationResponse); if (ocspResponseExistsInCache) { // response already in cache. 
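Review bot: `rootCertificateDirectory` is now keyed by `x509Certificate2.SerialNumber` instead of `Thumbprint` (hunk `@@ -147`), and the OCSP cache lookup in `@@ -179` is keyed the same way; a serial number is only unique within one issuing CA, so certificates from different issuers can collide on this key, which for the cache means one certificate's revocation verdict being served for another and for the directory means a trust decision resting on a non-unique identifier. Thumbprint is unique per certificate; if the thumbprint comparison was failing in practice, a composite key keeps uniqueness, e.g. `string cacheKey = x509Certificate2.Issuer + "|" + x509Certificate2.SerialNumber.ToLowerInvariant();`. The same keying is used in the `@@ -237` and `@@ -812` hunks below (including the `Set` calls that pair with this `TryGetValue`), so all of them need to change together. `RevocationResponse` is also widened to `public` here; `internal` would suffice if that is for tests.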
@@ -237,105 +240,116 @@ namespace dk.gov.oiosi.security.revocation.ocsp { throw new CheckCertificateOcspUnexpectedException(); } // http://bouncy-castle.1462172.n4.nabble.com/c-ocsp-verification-td3160243.html - X509Certificate2 issuerX509Certificate2 = this.FindIssuerCertificate(x509Certificate2); + X509Certificate2 issuerX509Certificate2 = new CertificateUtil().FindIssuerCertificate(x509Certificate2); if (issuerX509Certificate2 == null) { - throw new CheckCertificateOcspUnexpectedException("Issuer certificate '"+ x509Certificate2.Issuer +"' not found."); + throw new CheckCertificateOcspUnexpectedException("Issuer certificate '" + x509Certificate2.Issuer + "' not found."); } - if (issuerX509Certificate2.Thumbprint.Equals(x509Certificate2.Thumbprint, StringComparison.OrdinalIgnoreCase)) + Console.WriteLine("----"); + Console.WriteLine("CSN:" + x509Certificate2.SubjectName); + Console.WriteLine("ISN:" + issuerX509Certificate2.SubjectName); + Console.WriteLine("issuerX509Certificate2.SerialNumber.Equals(issuerX509Certificate2.SerialNumber, StringComparison.OrdinalIgnoreCase)"); + Console.WriteLine("CSN:" + x509Certificate2.SerialNumber); + Console.WriteLine("ISN:" + issuerX509Certificate2.SerialNumber); + Console.WriteLine("----"); + + if (issuerX509Certificate2.SerialNumber.Equals(x509Certificate2.SerialNumber, StringComparison.InvariantCultureIgnoreCase)) { + Console.WriteLine("Throw self-signed exception..."); + Console.WriteLine("----"); // the certificate and the issuer certificace is the same // this mean that the root certificate is not trusted - revocationResponse = null; - } + throw new CheckCertificateOcspUnexpectedException("E-RSP19442: Certificate not trusted, as the certificate is self-signed"); + } else { revocationResponse = this.RevocationResponseOnline(x509Certificate2, issuerX509Certificate2); - if (revocationResponse != null) + if (revocationResponse != null && revocationResponse.IsValid) { if (revocationResponse.Exception == null) { // no 
exception recorded - if (revocationResponse.IsValid) + + // now we know the certificate is valid. + // if the issuer is a trusted root certificate, all is good + if (this.rootCertificateDirectory.ContainsKey(issuerX509Certificate2.SerialNumber.ToLowerInvariant())) + { + // the root certificate is trusted, so the RevocationResponse can be put on the cache + this.ocspCache.Set(x509Certificate2.SerialNumber.ToLowerInvariant(), revocationResponse); + } + else { - // now we know the certificate is valid. - // if the issuer is a trusted root certificate, all is good - if (this.rootCertificateDirectory.ContainsKey(issuerX509Certificate2.Thumbprint.ToLowerInvariant())) + // we do not yet know if the certificate is valid. + // the certificate migth be good, but if the issueing certificate is revoked, + // then the certificate should also be revoked. + // Validate the issuer certificate + // this is required, because certificate can have a chain that is longer then 2 + + // The only problem is, that we can not ocsp validate the intermiddel certificate (the issuer certificate). + // acording to DanID - that certificate can only be validated with CRL + // Note : The crl list will be/should be very short. Only containing the issuer certificate that has been revoked. + // A good guess is that there at all time will be most 10 issuer certificate, so the list of revoked issuer certificate is short. + IList issuerUrl = this.GetAuthorityInformationAccessOcspUrls(issuerX509Certificate2); + RevocationResponse issuerRevocationResponse; + + if (issuerUrl.Count == 0) { - // the root certificate is trusted, so the RevocationResponse can be put on the cache - this.ocspCache.Set(x509Certificate2.Thumbprint.ToLowerInvariant(), revocationResponse); + // we need to validate with crl instead + // It does not contain the Authority Info Access, containng the rl to where the certificate must be validated + // We must therefore guess, that the certificate is valid. 
+ CrlLookup crlLookupClient = new CrlLookup(); + issuerRevocationResponse = crlLookupClient.CheckCertificate(issuerX509Certificate2); } else { - // we do not yet know if the certificate is valid. - // the certificate migth be good, but if the issueing certificate is revoked, - // then the certificate should also be revoked. - // Validate the issuer certificate - // this is required, because certificate can have a chain that is longer then 2 - - // The only problem is, that we can not ocsp validate the intermiddel certificate (the issuer certificate). - // acording to DanID - that certificate can only be validated with CRL - // Note : The crl list will be/should be very short. Only containing the issuer certificate that has been revoked. - // A good guess is that there at all time will be most 10 issuer certificate, so the list of revoked issuer certificate is short. - IList issuerUrl = this.GetAuthorityInformationAccessOcspUrls(issuerX509Certificate2); - RevocationResponse issuerRevocationResponse; - - if (issuerUrl.Count == 0) - { - // we need to validate with crl instead - // It does not contain the Authority Info Access, containng the rl to where the certificate must be validated - // We must therefore guess, that the certificate is valid. 
- CrlLookup crlLookupClient = new CrlLookup(); - issuerRevocationResponse = crlLookupClient.CheckCertificate(issuerX509Certificate2); - } - else - { - // hey, wow some url exist - lets use that - // don't thing this will ever happens anyway - issuerRevocationResponse = this.RevocationResponse(issuerX509Certificate2); - } - - // now to handle the issuerRevocationResponse - if (issuerRevocationResponse == null) - { - revocationResponse.IsValid = false; - revocationResponse.Exception = new CheckCertificateOcspUnexpectedException("The issuing certificate could not be validated."); - } - else - { - // the issuer certificate is validated, the validity of the issuer certificate - // is copied to the revocationResponse - revocationResponse.IsValid = issuerRevocationResponse.IsValid; - revocationResponse.Exception = issuerRevocationResponse.Exception; - } + // hey, wow some url exist - lets use that + // don't thing this will ever happens anyway + issuerRevocationResponse = this.RevocationResponse(issuerX509Certificate2); + } - // update the cache - this.ocspCache.Set(x509Certificate2.Thumbprint.ToLowerInvariant(), revocationResponse); + // now to handle the issuerRevocationResponse + if (issuerRevocationResponse == null) + { + revocationResponse.IsValid = false; + revocationResponse.Exception = new CheckCertificateOcspUnexpectedException("The issuing certificate could not be validated."); } + else + { + // the issuer certificate is validated, the validity of the issuer certificate + // is copied to the revocationResponse + revocationResponse.IsValid = issuerRevocationResponse.IsValid; + revocationResponse.Exception = issuerRevocationResponse.Exception; + } + + // update the cache + this.ocspCache.Set(x509Certificate2.SerialNumber.ToLowerInvariant(), revocationResponse); } - else - { - // the certificate is NOT valid - // no need to check the issuer certificate - this.ocspCache.Set(x509Certificate2.Thumbprint.ToLowerInvariant(), revocationResponse); - } + } else { + // some 
exception returned. // do not add to cache } } + else + { + // the certificate is Not valid + // no need to check the issuer certificate + this.ocspCache.Set(x509Certificate2.SerialNumber.ToLowerInvariant(), revocationResponse); + } + } return revocationResponse; } - public RevocationResponse RevocationResponseOnline(X509Certificate2 serverX509Certificate2, X509Certificate2 issuerX509Certificate2) + public RevocationResponse RevocationResponseOnline(X509Certificate2 serverX509Certificate2, X509Certificate2 issuerX509Certificate2) { RevocationResponse revocationResponse = new RevocationResponse(); 
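Review bot: The final `else` branch now caches every response that is not valid, including one whose `Exception` is set (the old code cached a negative verdict only when `Exception == null`), and when `RevocationResponseOnline` returns null it calls `this.ocspCache.Set(..., null)`, which the old null guard prevented; a transient responder failure would thus be stored as a negative verdict until the entry expires, and whether the cache accepts a null value is not visible here. Changing the branch to `else if (revocationResponse != null && revocationResponse.Exception == null)` restores the previous rule. The `Console.WriteLine` calls around the self-signed check, including the one in the throwing branch, read as debugging output and should go through `this.logger.Debug(...)` or be removed before merge. The self-signed test itself now compares `SerialNumber` rather than `Thumbprint`; serial numbers are only unique within one issuer, so the thumbprint (or issuer name plus serial) is the safer identity here. The method starts outside this hunk.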
@@ -419,78 +433,7 @@ namespace dk.gov.oiosi.security.revocation.ocsp { return revocationResponse; } - public X509Certificate2 FindIssuerCertificate(X509Certificate2 serverX509Certificate2) - { - X509Certificate2 issuerX509Certificate2 = null; - - // Find the issuer certificate - X509Chain x509Chain = new X509Chain(); - x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; - x509Chain.Build(serverX509Certificate2); - - // Iterate though the chain, to validate if it contain a valid root vertificate - X509ChainElementCollection x509ChainElementCollection = x509Chain.ChainElements; - X509ChainElementEnumerator enumerator = x509ChainElementCollection.GetEnumerator(); - X509ChainElement x509ChainElement; - X509Certificate2 x509Certificate2 = null; - IDictionary map = new Dictionary(); - - // At this point, the certificate is not valid, until a - // it is proved that it has a valid root certificate - while (enumerator.MoveNext()) - { - x509ChainElement = enumerator.Current; - x509Certificate2 = x509ChainElement.Certificate; - map.Add(x509Certificate2.Subject, x509Certificate2); - } - - if (map.ContainsKey(serverX509Certificate2.Issuer)) - { - issuerX509Certificate2 = map[serverX509Certificate2.Issuer]; - } - - return issuerX509Certificate2; - } - - /* public X509Certificate2 FindRootCertificate(X509Certificate2 serverX509Certificate2, IDictionary rootCertificateDirectory) - { - bool rootCertificateFound = false; - X509Certificate2 desiredRootX509Certificate2 = null; - // Find the desired root certificate - X509Chain x509Chain = new X509Chain(); - x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; - x509Chain.Build(serverX509Certificate2); - - // Iterate though the chain, to validate if it contain a valid root vertificate - X509ChainElementCollection x509ChainElementCollection = x509Chain.ChainElements; - X509ChainElementEnumerator enumerator = x509ChainElementCollection.GetEnumerator(); - X509ChainElement x509ChainElement; - X509Certificate2 
x509Certificate2 = null; - string x509CertificateThumbprint; - // At this point, the certificate is not valid, until a - // it is proved that it has a valid root certificate - while (rootCertificateFound == false && enumerator.MoveNext()) - { - x509ChainElement = enumerator.Current; - x509Certificate2 = x509ChainElement.Certificate; - x509CertificateThumbprint = x509Certificate2.Thumbprint.ToLowerInvariant(); - if (rootCertificateDirectory.ContainsKey(x509CertificateThumbprint)) - { - // The current chain element is in the trusted rootCertificateDirectory - rootCertificateFound = true; - - // now the loop will break, as we have found a trusted root certificate - } - } - - if (rootCertificateFound) - { - // root certificate is found - desiredRootX509Certificate2 = x509Certificate2; - } - - return desiredRootX509Certificate2; - }*/ + public List GetAuthorityInformationAccessOcspUrls(X509Certificate2 x509Certificate2) { @@ -498,7 +441,7 @@ namespace dk.gov.oiosi.security.revocation.ocsp { try { - // DanID test code shows how to do it + // DanID test code shows how to do it Org.BouncyCastle.Asn1.X509.X509Extensions x509Extensions = this.GetX509Extensions(x509Certificate2); Org.BouncyCastle.Asn1.X509.X509Extension x509Extension = x509Extensions.GetExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.AuthorityInfoAccess); if (x509Extension == null) 
@@ -620,19 +563,19 @@ namespace dk.gov.oiosi.security.revocation.ocsp { Asn1InputStream aIn = new Asn1InputStream(bytes); return aIn.ReadObject(); - } + } - /* private OcspReq GenerateOcspRequest(X509Certificate2 rootX509Certificate2, BigInteger serialNumber) - { - X509Certificate rootX509Certificate = rootX509Certificate2.Export(X509ContentType.Cert); - return this.GenerateOcspRequest(rootX509Certificate, serialNumber); - }*/ + /* private OcspReq GenerateOcspRequest(X509Certificate2 rootX509Certificate2, BigInteger serialNumber) + { + X509Certificate rootX509Certificate = rootX509Certificate2.Export(X509ContentType.Cert); + return this.GenerateOcspRequest(rootX509Certificate, serialNumber); + }*/ - /* private OcspReq GenerateOcspRequest(X509Certificate rootX509Certificate, byte serialNumber) - { - BigInteger serialNumberBigInteger = new BigInteger(serialNumber); - return this.GenerateOcspRequest(rootX509Certificate, serialNumberBigInteger); - }*/ + /* private OcspReq GenerateOcspRequest(X509Certificate rootX509Certificate, byte serialNumber) + { + BigInteger serialNumberBigInteger = new BigInteger(serialNumber); + return this.GenerateOcspRequest(rootX509Certificate, serialNumberBigInteger); + }*/ private OcspReq GenerateOcspRequest(Org.BouncyCastle.X509.X509Certificate rootX509Certificate, BigInteger serialNumber) @@ -664,7 +607,7 @@ namespace dk.gov.oiosi.security.revocation.ocsp { return ocspRequestGenerator.Generate(); } - + private OcspResp GetOnlineBinaryHttpResponse(OcspReq req, string url, string contentType, string accept) { byte[] data = req.GetEncoded(); @@ -701,7 +644,7 @@ namespace dk.gov.oiosi.security.revocation.ocsp { } private RevocationResponse ProcessOcspResponse( - Org.BouncyCastle.X509.X509Certificate serverX509Certificate, + Org.BouncyCastle.X509.X509Certificate serverX509Certificate, Org.BouncyCastle.X509.X509Certificate rootX509Certificate, OcspResp ocspResponse) { 
@@ -718,14 +661,14 @@ namespace dk.gov.oiosi.security.revocation.ocsp { BasicOcspResp or = (BasicOcspResp)ocspResponse.GetResponseObject(); // ValidateResponse(or, issuerCert); - - string certificateSerial = Convert.ToUInt32(serverX509Certificate.SerialNumber.IntValue).ToString(); + + string certificateSerial = serverX509Certificate.SerialNumber.ToString(); bool found = false; foreach (SingleResp singleResp in or.Responses) { if (singleResp.GetCertID().SerialNumber.ToString().Equals(certificateSerial)) { - found = true; + found = true; this.ValidateCertificateId(serverX509Certificate, rootX509Certificate, singleResp.GetCertID()); @@ -804,7 +747,7 @@ namespace dk.gov.oiosi.security.revocation.ocsp { { throw new CheckCertificateOcspUnexpectedException("Invalid certificate Issuer in response"); } - } + } /// /// Checks a certificate status on a ocsp server @@ -812,11 +755,12 @@ namespace dk.gov.oiosi.security.revocation.ocsp { /// The certificate to check /// The RevocationResponse object that contains the result /// This exception is thrown, if an unexpected exception is thrown during the method - public RevocationResponse CheckCertificate(X509Certificate2 x509Certificate2) { + public RevocationResponse CheckCertificate(X509Certificate2 x509Certificate2) + { //To call the CheckCertificate asynchronously, we initialize the delegate and call it with IAsyncResult RevocationResponse revocationResponse; - bool ocspResponseExistsInCache = this.ocspCache.TryGetValue(x509Certificate2.Thumbprint.ToLowerInvariant(), out revocationResponse); + bool ocspResponseExistsInCache = this.ocspCache.TryGetValue(x509Certificate2.SerialNumber.ToLowerInvariant(), out revocationResponse); if (ocspResponseExistsInCache) { // response already in cache. 
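Review bot: The serial comparison in the loop still goes through strings, `if (singleResp.GetCertID().SerialNumber.ToString().Equals(certificateSerial))`; both sides are BouncyCastle BigInteger values, so `if (singleResp.GetCertID().SerialNumber.Equals(serverX509Certificate.SerialNumber))` compares them directly and makes the `certificateSerial` string unnecessary. Dropping the `Convert.ToUInt32(...IntValue)` conversion is the right fix, since serials wider than 32 bits could never match before. The commented-out context line `// ValidateResponse(or, issuerCert);` suggests the responder signature is not verified in this method; if it is verified elsewhere, a short comment pointing there would help the next reader. ProcessOcspResponse continues outside the hunk.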
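Review bot: `this.ocspCache.TryGetValue(x509Certificate2.SerialNumber.ToLowerInvariant(), out revocationResponse)` keys the revocation cache on the serial number alone, but a serial number is unique only within one issuer; two certificates from different CAs with the same serial would share one cache entry, so a cached "good" response for one could be returned for the other. The previous key, `x509Certificate2.Thumbprint.ToLowerInvariant()`, identifies the exact certificate; if the thumbprint was dropped for a reason, `x509Certificate2.Issuer + "|" + x509Certificate2.SerialNumber` keeps the key unambiguous. The store into ocspCache presumably uses the same key and lies outside the hunk, so it would need the same change. CheckCertificate continues outside the hunk.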
@@ -851,7 +795,8 @@ namespace dk.gov.oiosi.security.revocation.ocsp { AsyncOcspCall asyncOcspCall = new AsyncOcspCall(this.RevocationResponse); IAsyncResult asyncResult = asyncOcspCall.BeginInvoke(certificate, null, null); - bool ocspRepliedInTime = asyncResult.AsyncWaitHandle.WaitOne(Utilities.TimeSpanInMilliseconds(TimeSpan.FromMilliseconds(_configuration.DefaultTimeoutMsec)), false); + bool ocspRepliedInTime = asyncResult.AsyncWaitHandle.WaitOne(_configuration.DefaultTimeoutMsec, false); + // bool ocspRepliedInTime = asyncResult.AsyncWaitHandle.WaitOne(120000, false); if (ocspRepliedInTime) { // okay, the operation has finish. @@ -860,9 +805,10 @@ namespace dk.gov.oiosi.security.revocation.ocsp { else { // Note - The validation is still running, and is not closed - + // operation timeout throw new CertificateRevokedTimeoutException(TimeSpan.FromMilliseconds(_configuration.DefaultTimeoutMsec)); + //throw new CertificateRevokedTimeoutException(TimeSpan.FromMilliseconds(120000)); } return response; diff --git a/test/dk.gov.oiosi.test.unit/TestConstants.cs b/test/dk.gov.oiosi.test.unit/TestConstants.cs index 5c357dac..5345cf21 100644 --- a/test/dk.gov.oiosi.test.unit/TestConstants.cs +++ b/test/dk.gov.oiosi.test.unit/TestConstants.cs @@ -106,6 +106,7 @@ namespace dk.gov.oiosi.test.unit public const string PATH_CERTIFICATE_TEST_ROOT_OCES1 = "Resources/Certificates/TDC OCES Systemtest CA II.cer"; public const string PATH_CERTIFICATE_TEST_ROOT_OCES2 = "Resources/Certificates/TRUST2408 Systemtest VII Primary CA.cer"; + public const string PATH_CERTIFICATE_TEST_ROOT_MITID = "Resources/Certificates/MitID_root_CA1.cer"; public const string PATH_CERTIFICATE_PROD_ROOT_OCES1 = "Resources/Certificates/TDC OCES CA.cer"; public const string PATH_CERTIFICATE_PROD_ROOT_OCES2 = "Resources/Certificates/TRUST2408 OCES Primary CA.cer"; 
diff --git a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj index 9335ebea..fee2205c 100644 --- a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj +++ b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj @@ -155,6 +155,10 @@ Resources\Certificates\Nemhandel-DEV-OCES-cert-20210422.p12 PreserveNewest + + Resources\Certificates\MitID_root_CA1.cer + PreserveNewest + Resources\Certificates\TDC OCES Systemtest CA II.cer PreserveNewest diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/LookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/LookupTest.cs index 86843721..972a645b 100644 --- a/test/dk.gov.oiosi.test.unit/security/revocation/LookupTest.cs +++ b/test/dk.gov.oiosi.test.unit/security/revocation/LookupTest.cs @@ -17,5 +17,6 @@ namespace dk.gov.oiosi.test.unit.security.revocation public const string oces1RootCertificate = TestConstants.PATH_CERTIFICATE_TEST_ROOT_OCES1; public const string oces2RootCertificate = TestConstants.PATH_CERTIFICATE_TEST_ROOT_OCES2; + public const string mitIdRootCertificate = TestConstants.PATH_CERTIFICATE_TEST_ROOT_MITID; } } \ No newline at end of file diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs index 238b69f1..b55a135d 100644 --- a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs +++ b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs @@ -4,8 +4,10 @@ using NUnit.Framework; using System.Security.Cryptography.X509Certificates; using System.Collections.Generic; using System; +using System.Linq; using Org.BouncyCastle.Pkcs; using System.IO; +using dk.gov.oiosi.security.revocation.crl; namespace dk.gov.oiosi.test.unit.security.revocation { 
@@ -26,10 +28,12 @@ namespace dk.gov.oiosi.test.unit.security.revocation ocspConfig.DefaultTimeoutMsec = 20000; X509Certificate2 oces2RootCertificate = new X509Certificate2(LookupTest.oces2RootCertificate); + X509Certificate2 mitIdRootCertiticate = new X509Certificate2(LookupTest.mitIdRootCertificate); IList list = new List(); list.Add(oces2RootCertificate); + list.Add(mitIdRootCertiticate); OcspLookup ocspLookup = new OcspLookup(ocspConfig, list); 
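Review bot: The new local `mitIdRootCertiticate` is misspelled; `X509Certificate2 mitIdRootCertificate = new X509Certificate2(LookupTest.mitIdRootCertificate);` with the matching `list.Add(mitIdRootCertificate);` reads more easily, and the same spelling is copied into the `CheckCertificateResources` test added later in this series. The enclosing method starts and ends outside the hunk.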
@@ -121,22 +125,49 @@ namespace dk.gov.oiosi.test.unit.security.revocation assertTrue("Certificate should be OCSP valid...", revocationResponse.isValid()); }*/ - + /** + * Verify that our self-signed check functionality works. + */ [Test] - public void testMitIdTestCertificate() + public void TestMitIdTestCertificateRoot() { + var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86"); + + OcspLookup ocspLookup = this.CreateOcesLookup(); + + var issuerCertificate = new CertificateUtil().FindIssuerCertificate(certificate); + Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES udstedende-CA 1", issuerCertificate.SubjectName.Name, "Wrong issuer certificate found"); + + var rootCertificate = new CertificateUtil().FindIssuerCertificate(issuerCertificate); + Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES rod-CA", rootCertificate.SubjectName.Name, "Wrong root certificate found"); try { - X509Certificate2 cert = new X509Certificate2(mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet); + ocspLookup.RevocationResponseOnline(rootCertificate); + Assert.Fail("Exception not thrown - as expected"); + //fail("Exception not thrown - as expected"); + } + catch (CheckCertificateOcspUnexpectedException ex) + { + Assert.AreEqual("E-RSP19442: Certificate not trusted, as the certificate is self-signed", ex.Message, "Wrong error"); + } + } - Assert.AreEqual("C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", cert.Subject, "Wrong cert. 
subject found"); + [Test] + public void LookupMitIdTestCertificate() + { + try + { + X509Certificate2 certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86"); + Assert.AreEqual("C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", certificate.Subject, "Wrong cert. subject found"); - var ocspLookup = CreateOcesLookup(); - RevocationResponse revocationResponse = ocspLookup.RevocationResponseOnline(cert); - Assert.IsTrue(revocationResponse.IsValid, "Certificate should be OCSP valid..."); + Console.WriteLine("MitId Test Certifikat: " + certificate.Subject); + var ocspLookup = CreateOcesLookup(); + RevocationResponse revocationResponse = ocspLookup.CheckCertificate(certificate); + Assert.IsTrue(revocationResponse.IsValid, "Certificate should be OCSP valid..."); + } catch (Exception exception) { @@ -144,6 +175,7 @@ namespace dk.gov.oiosi.test.unit.security.revocation } } + [Test] -- GitLab From d583bc9dfc80a07823261e132e10d96a4e3ceb5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Tue, 4 May 2021 10:35:35 +0200 Subject: [PATCH 05/15] Added MachineKeySet to X509Certificate2 import --- .../security/revocation/OcspLookupTest.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs index b55a135d..bf32bd3e 100644 --- a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs +++ b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs 
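Review bot: In `TestMitIdTestCertificateRoot` the expected-exception pattern ending in `Assert.Fail("Exception not thrown - as expected")` reads as if the failure were the expected outcome; NUnit's `Assert.Throws` states the intent directly: `var ex = Assert.Throws<CheckCertificateOcspUnexpectedException>(() => ocspLookup.RevocationResponseOnline(rootCertificate));` followed by `Assert.AreEqual("E-RSP19442: Certificate not trusted, as the certificate is self-signed", ex.Message, "Wrong error");`. The `/** ... */` block above the test is Javadoc syntax; C# tooling only picks up `/// <summary>Verify that our self-signed check functionality works.</summary>`. Both tests depend on a live OCSP responder and on a test key file in the repository, so a failure does not necessarily indicate a code defect; marking them with `[Category("Integration")]` would make that visible when triaging a red build. The catch block of `LookupMitIdTestCertificate` ends outside the hunk.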
@@ -131,7 +131,7 @@ namespace dk.gov.oiosi.test.unit.security.revocation [Test] public void TestMitIdTestCertificateRoot() { - var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86"); + var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet); OcspLookup ocspLookup = this.CreateOcesLookup(); @@ -158,7 +158,7 @@ namespace dk.gov.oiosi.test.unit.security.revocation { try { - X509Certificate2 certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86"); + X509Certificate2 certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet); Assert.AreEqual("C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", certificate.Subject, "Wrong cert. subject found"); Console.WriteLine("MitId Test Certifikat: " + certificate.Subject); -- GitLab From e9530521a91b832da56e33e3acbb2d54d02ffa4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Tue, 4 May 2021 10:55:24 +0200 Subject: [PATCH 06/15] Wrapped test in CryptographicException try/catch. For better debugging on Jenkins --- .../security/revocation/OcspLookupTest.cs | 63 ++++++++++++------- 1 file changed, 41 insertions(+), 22 deletions(-) diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs index bf32bd3e..c477f099 100644 --- a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs +++ b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs @@ -8,6 +8,7 @@ using System.Linq; using Org.BouncyCastle.Pkcs; using System.IO; using dk.gov.oiosi.security.revocation.crl; +using System.Security.Cryptography; namespace dk.gov.oiosi.test.unit.security.revocation { 
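Review bot: The `X509Certificate2` instances constructed with `X509KeyStorageFlags.MachineKeySet` in both hunks (`@@ -131` and `@@ -158`) are never disposed; on .NET Framework this flag imports the private key into the machine-wide key container, which is only cleaned up when the object is disposed or finalized. Wrapping the construction in `using (var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet))` releases the key deterministically at the end of the test. The enclosing methods continue outside each hunk.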
@@ -131,26 +132,35 @@ namespace dk.gov.oiosi.test.unit.security.revocation [Test] public void TestMitIdTestCertificateRoot() { - var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet); - - OcspLookup ocspLookup = this.CreateOcesLookup(); - - var issuerCertificate = new CertificateUtil().FindIssuerCertificate(certificate); - Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES udstedende-CA 1", issuerCertificate.SubjectName.Name, "Wrong issuer certificate found"); - - var rootCertificate = new CertificateUtil().FindIssuerCertificate(issuerCertificate); - Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES rod-CA", rootCertificate.SubjectName.Name, "Wrong root certificate found"); - try { - ocspLookup.RevocationResponseOnline(rootCertificate); - Assert.Fail("Exception not thrown - as expected"); - //fail("Exception not thrown - as expected"); + var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet); + OcspLookup ocspLookup = this.CreateOcesLookup(); + + var issuerCertificate = new CertificateUtil().FindIssuerCertificate(certificate); + Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES udstedende-CA 1", issuerCertificate.SubjectName.Name, "Wrong issuer certificate found"); + + var rootCertificate = new CertificateUtil().FindIssuerCertificate(issuerCertificate); + Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES rod-CA", rootCertificate.SubjectName.Name, "Wrong root certificate found"); + + try + { + ocspLookup.RevocationResponseOnline(rootCertificate); + Assert.Fail("Exception not thrown - as expected"); + //fail("Exception not thrown - as expected"); + } + catch (CheckCertificateOcspUnexpectedException ex) + { + Assert.AreEqual("E-RSP19442: Certificate not trusted, as the certificate is self-signed", 
ex.Message, "Wrong error"); + } } - catch (CheckCertificateOcspUnexpectedException ex) + catch(CryptographicException ex) { - Assert.AreEqual("E-RSP19442: Certificate not trusted, as the certificate is self-signed", ex.Message, "Wrong error"); - } + Console.WriteLine("Kunne ikke finde MitId test certifikat: " + LookupTest.mitIdFocesOkayCertificate); + Assert.Fail(ex.ToString()); + } + + } [Test] @@ -158,15 +168,24 @@ namespace dk.gov.oiosi.test.unit.security.revocation { try { - X509Certificate2 certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet); - Assert.AreEqual("C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", certificate.Subject, "Wrong cert. subject found"); + try + { + var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet); + Assert.AreEqual("C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", certificate.Subject, "Wrong cert. subject found"); + - Console.WriteLine("MitId Test Certifikat: " + certificate.Subject); + var ocspLookup = CreateOcesLookup(); - var ocspLookup = CreateOcesLookup(); + RevocationResponse revocationResponse = ocspLookup.CheckCertificate(certificate); + Assert.IsTrue(revocationResponse.IsValid, "Certificate should be OCSP valid..."); + } + catch (CryptographicException ex) + { + Console.WriteLine("Kunne ikke finde MitId test certifikat: " + LookupTest.mitIdFocesOkayCertificate); + Assert.Fail(ex.ToString()); + } - RevocationResponse revocationResponse = ocspLookup.CheckCertificate(certificate); - Assert.IsTrue(revocationResponse.IsValid, "Certificate should be OCSP valid..."); + } catch (Exception exception) -- GitLab 
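Review bot: The added `catch(CryptographicException ex)` handler only prints a Danish console line before `Assert.Fail(ex.ToString())`; the path can go into the failure message itself so it appears in the test report rather than on stdout: `Assert.Fail("Could not load MitId test certificate '" + LookupTest.mitIdFocesOkayCertificate + "': " + ex);`. The same pattern is added in the `@@ -158,15 +168,24 @@` hunk below, where the new inner try/catch sits inside an existing `catch (Exception exception)` that already fails the test, so it contributes only the console line. Minor: `catch(` lacks the space used elsewhere in the file, and the two blank lines before the closing brace are stray.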
From e88379c60ea72c8898553d8e75d9cb1f4a0e3fc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Tue, 4 May 2021 16:37:47 +0200 Subject: [PATCH 07/15] Unit tests now running locally. - Added unit test to check certificate accessibility --- .../RaspConfiguration.Test.xml | 4 +- .../security/revocation/ocsp/OcspLookup.cs | 15 +- .../validation/CertificateValidator.cs | 6 +- test/dk.gov.oiosi.test.unit/TestConstants.cs | 2 +- .../dk.gov.oiosi.test.unit.csproj | 4 + .../security/revocation/OcspLookupTest.cs | 177 ++++++++++++------ 6 files changed, 131 insertions(+), 77 deletions(-) diff --git a/src/dk.gov.oiosi.resource/RaspConfiguration.Test.xml b/src/dk.gov.oiosi.resource/RaspConfiguration.Test.xml index ebbc0be8..ed20afea 100644 --- a/src/dk.gov.oiosi.resource/RaspConfiguration.Test.xml +++ b/src/dk.gov.oiosi.resource/RaspConfiguration.Test.xml @@ -4775,8 +4775,8 @@ LocalMachine Root - 4b ea 6e 94 - TRUST2408 Systemtest VII Primary CA + 573f57e67530f1a0777dfbc69f090438d3360256 + Den Danske Stat OCES rod-CA diff --git a/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs b/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs index d2095786..1127ea63 100644 --- a/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs +++ b/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs @@ -51,7 +51,6 @@ using dk.gov.oiosi.security.revocation.crl; using Org.BouncyCastle.Security.Certificates; using dk.gov.oiosi.logging; using System.Linq; -using dk.gov.oiosi.security.revocation.crl; //using Novell.Directory.Ldap.Asn1; namespace dk.gov.oiosi.security.revocation.ocsp 
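Review bot: The hunk replaces the Test configuration's trusted root entry (`TRUST2408 Systemtest VII Primary CA`) with `Den Danske Stat OCES rod-CA` instead of adding a second entry, so certificates chaining to the OCES2 test root would no longer match this configuration unless another entry exists outside the hunk; the unit test in this same patch adds both roots to the lookup's list, which suggests both should remain trusted. The element names are not visible here, but the old value `4b ea 6e 94` and the new 40-hex-digit value `573f57e67530f1a0777dfbc69f090438d3360256` look like different kinds of identifiers (the new one has the length of a SHA-1 thumbprint), so confirm it is what the consuming code expects, given that the `CertificateValidator` hunk in this patch now compares serial numbers. The identical hunk is repeated in PATCH 08/15.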
@@ -247,18 +246,8 @@ namespace dk.gov.oiosi.security.revocation.ocsp throw new CheckCertificateOcspUnexpectedException("Issuer certificate '" + x509Certificate2.Issuer + "' not found."); } - Console.WriteLine("----"); - Console.WriteLine("CSN:" + x509Certificate2.SubjectName); - Console.WriteLine("ISN:" + issuerX509Certificate2.SubjectName); - Console.WriteLine("issuerX509Certificate2.SerialNumber.Equals(issuerX509Certificate2.SerialNumber, StringComparison.OrdinalIgnoreCase)"); - Console.WriteLine("CSN:" + x509Certificate2.SerialNumber); - Console.WriteLine("ISN:" + issuerX509Certificate2.SerialNumber); - Console.WriteLine("----"); - if (issuerX509Certificate2.SerialNumber.Equals(x509Certificate2.SerialNumber, StringComparison.InvariantCultureIgnoreCase)) { - Console.WriteLine("Throw self-signed exception..."); - Console.WriteLine("----"); // the certificate and the issuer certificace is the same // this mean that the root certificate is not trusted throw new CheckCertificateOcspUnexpectedException("E-RSP19442: Certificate not trusted, as the certificate is self-signed"); @@ -765,6 +754,8 @@ namespace dk.gov.oiosi.security.revocation.ocsp { // response already in cache. // Check if the response still is valid + + if (revocationResponse.NextUpdate < DateTime.Now) { // the cached value is to old @@ -796,7 +787,6 @@ namespace dk.gov.oiosi.security.revocation.ocsp IAsyncResult asyncResult = asyncOcspCall.BeginInvoke(certificate, null, null); bool ocspRepliedInTime = asyncResult.AsyncWaitHandle.WaitOne(_configuration.DefaultTimeoutMsec, false); - // bool ocspRepliedInTime = asyncResult.AsyncWaitHandle.WaitOne(120000, false); if (ocspRepliedInTime) { // okay, the operation has finish. 
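Review bot: The self-signed check that remains on the new side, `if (issuerX509Certificate2.SerialNumber.Equals(x509Certificate2.SerialNumber, StringComparison.InvariantCultureIgnoreCase))`, decides that the certificate and its located issuer are the same certificate by serial number alone; serial numbers are unique only within one issuer, so a leaf and an issuer certificate from different CAs that share a serial would be rejected as self-signed, and the comparison does not establish identity. Comparing thumbprints identifies the exact certificate: `if (string.Equals(issuerX509Certificate2.Thumbprint, x509Certificate2.Thumbprint, StringComparison.OrdinalIgnoreCase))`. Removing the Console.WriteLine diagnostics is good; if the values are still wanted, the project's logging (`dk.gov.oiosi.logging` is imported above) is the place for them. The enclosing method continues outside the hunk, and the same hunk is repeated in PATCH 08/15.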
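Review bot: The two added lines in this hunk are blank lines only, and the check they precede, `if (revocationResponse.NextUpdate < DateTime.Now)`, compares a cached OCSP nextUpdate against local time; OCSP times are transmitted in UTC, so if `RevocationResponse.NextUpdate` is stored as UTC this should read `if (revocationResponse.NextUpdate < DateTime.UtcNow)`. Confirm how NextUpdate is populated before changing it, since a mismatch here only shifts the cache expiry by the local UTC offset. CheckCertificate starts and ends outside the hunk.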
@@ -808,7 +798,6 @@ namespace dk.gov.oiosi.security.revocation.ocsp // operation timeout throw new CertificateRevokedTimeoutException(TimeSpan.FromMilliseconds(_configuration.DefaultTimeoutMsec)); - //throw new CertificateRevokedTimeoutException(TimeSpan.FromMilliseconds(120000)); } return response; diff --git a/src/dk.gov.oiosi/security/validation/CertificateValidator.cs b/src/dk.gov.oiosi/security/validation/CertificateValidator.cs index de54f23b..6186ed93 100644 --- a/src/dk.gov.oiosi/security/validation/CertificateValidator.cs +++ b/src/dk.gov.oiosi/security/validation/CertificateValidator.cs @@ -132,13 +132,13 @@ namespace dk.gov.oiosi.security.validation // Check if the certificate has the default root certificate as its root bool rootIsInChain = false; - string rootThumbprint = rootCertificate.Thumbprint.ToLower(); + string rootSerialNumber = rootCertificate.SerialNumber.ToLower(); - if (certificate.Thumbprint.ToLower() != rootThumbprint) + if (!certificate.SerialNumber.Equals(rootSerialNumber, StringComparison.InvariantCultureIgnoreCase)) { foreach (X509ChainElement chainElem in chain.ChainElements) { - if (chainElem.Certificate.Thumbprint.ToLower() == rootThumbprint) + if (chainElem.Certificate.SerialNumber.Equals(rootSerialNumber, StringComparison.InvariantCultureIgnoreCase)) { rootIsInChain = true; break; diff --git a/test/dk.gov.oiosi.test.unit/TestConstants.cs b/test/dk.gov.oiosi.test.unit/TestConstants.cs index 5345cf21..fe600e17 100644 --- a/test/dk.gov.oiosi.test.unit/TestConstants.cs +++ b/test/dk.gov.oiosi.test.unit/TestConstants.cs 
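Review bot: Replacing the thumbprint comparison with `chainElem.Certificate.SerialNumber.Equals(rootSerialNumber, StringComparison.InvariantCultureIgnoreCase)` weakens the root-in-chain check: a serial number is unique only within one issuer, so any chain element from a different CA that carries the same serial as the configured root would now satisfy `rootIsInChain`, whereas the thumbprint identifies the exact root certificate. If the change was made because the configured root's thumbprint did not match, the configured value should be corrected rather than the comparison relaxed; keeping `string rootThumbprint = rootCertificate.Thumbprint;` and `if (string.Equals(chainElem.Certificate.Thumbprint, rootThumbprint, StringComparison.OrdinalIgnoreCase))` also removes the culture-sensitive `ToLower()` and `InvariantCultureIgnoreCase`, which ordinal comparison suits better for hex identifiers. The enclosing method continues outside the hunk, and the same hunk is repeated in PATCH 08/15.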
@@ -106,7 +106,7 @@ namespace dk.gov.oiosi.test.unit public const string PATH_CERTIFICATE_TEST_ROOT_OCES1 = "Resources/Certificates/TDC OCES Systemtest CA II.cer"; public const string PATH_CERTIFICATE_TEST_ROOT_OCES2 = "Resources/Certificates/TRUST2408 Systemtest VII Primary CA.cer"; - public const string PATH_CERTIFICATE_TEST_ROOT_MITID = "Resources/Certificates/MitID_root_CA1.cer"; + public const string PATH_CERTIFICATE_TEST_ROOT_MITID = "Resources/Certificates/MitID_root_CA2.cer"; public const string PATH_CERTIFICATE_PROD_ROOT_OCES1 = "Resources/Certificates/TDC OCES CA.cer"; public const string PATH_CERTIFICATE_PROD_ROOT_OCES2 = "Resources/Certificates/TRUST2408 OCES Primary CA.cer"; diff --git a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj index fee2205c..8b22ae8d 100644 --- a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj +++ b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj @@ -159,6 +159,10 @@ Resources\Certificates\MitID_root_CA1.cer PreserveNewest + + Resources\Certificates\MitID_root_CA2.cer + PreserveNewest + Resources\Certificates\TDC OCES Systemtest CA II.cer PreserveNewest diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs index c477f099..eac37105 100644 --- a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs +++ b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs 
@@ -129,38 +129,102 @@ namespace dk.gov.oiosi.test.unit.security.revocation /** * Verify that our self-signed check functionality works. */ + [Test] - public void TestMitIdTestCertificateRoot() + public void CheckCertificateResources() { + try { - var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet); - OcspLookup ocspLookup = this.CreateOcesLookup(); - - var issuerCertificate = new CertificateUtil().FindIssuerCertificate(certificate); - Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES udstedende-CA 1", issuerCertificate.SubjectName.Name, "Wrong issuer certificate found"); - - var rootCertificate = new CertificateUtil().FindIssuerCertificate(issuerCertificate); - Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES rod-CA", rootCertificate.SubjectName.Name, "Wrong root certificate found"); - - try - { - ocspLookup.RevocationResponseOnline(rootCertificate); - Assert.Fail("Exception not thrown - as expected"); - //fail("Exception not thrown - as expected"); - } - catch (CheckCertificateOcspUnexpectedException ex) - { - Assert.AreEqual("E-RSP19442: Certificate not trusted, as the certificate is self-signed", ex.Message, "Wrong error"); - } + var certificate1 = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet); + Assert.IsNotNull(certificate1); } - catch(CryptographicException ex) + catch (CryptographicException ex) { Console.WriteLine("Kunne ikke finde MitId test certifikat: " + LookupTest.mitIdFocesOkayCertificate); Assert.Fail(ex.ToString()); - } + } + catch (Exception ex) + { + Assert.Fail(ex.ToString()); + } + + + try + { + var certificate2 = new X509Certificate2(LookupTest.foces2OkayCertificate, "Test1234", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | 
X509KeyStorageFlags.PersistKeySet); + Assert.IsNotNull(certificate2); + } + catch (CryptographicException ex) + { + Console.WriteLine("Kunne ikke finde Foces2 test certifikat: " + LookupTest.foces2OkayCertificate); + Assert.Fail(ex.ToString()); + } + catch (Exception ex) + { + Assert.Fail(ex.ToString()); + } + + try + { + var oces2RootCertificate = new X509Certificate2(LookupTest.oces2RootCertificate); + Assert.IsNotNull(oces2RootCertificate); + } + catch (CryptographicException ex) + { + Console.WriteLine("Kunne ikke finde Foces2 test certifikat: " + LookupTest.oces2RootCertificate); + Assert.Fail(ex.ToString()); + } + catch (Exception ex) + { + Assert.Fail(ex.ToString()); + } + + try + { + var mitIdRootCertiticate = new X509Certificate2(LookupTest.mitIdRootCertificate); + Assert.IsNotNull(mitIdRootCertiticate); + } + catch (CryptographicException ex) + { + Console.WriteLine("Kunne ikke finde Foces2 test certifikat: " + LookupTest.mitIdRootCertificate); + Assert.Fail(ex.ToString()); + } + catch (Exception ex) + { + Assert.Fail(ex.ToString()); + } + + + } + + + [Test] + public void TestMitIdTestCertificateRoot() + { + + var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet); + OcspLookup ocspLookup = this.CreateOcesLookup(); + + var issuerCertificate = new CertificateUtil().FindIssuerCertificate(certificate); + Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES udstedende-CA 1", issuerCertificate.SubjectName.Name, "Wrong issuer certificate found"); + + var rootCertificate = new CertificateUtil().FindIssuerCertificate(issuerCertificate); + Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES rod-CA", rootCertificate.SubjectName.Name, "Wrong root certificate found"); + + try + { + ocspLookup.RevocationResponseOnline(rootCertificate); + Assert.Fail("Exception not thrown - 
as expected"); + //fail("Exception not thrown - as expected"); + } + catch (CheckCertificateOcspUnexpectedException ex) + { + Assert.AreEqual("E-RSP19442: Certificate not trusted, as the certificate is self-signed", ex.Message, "Wrong error"); + } + + - } [Test] @@ -168,25 +232,19 @@ namespace dk.gov.oiosi.test.unit.security.revocation { try { - try - { - var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet); - Assert.AreEqual("C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", certificate.Subject, "Wrong cert. subject found"); + + var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet); + Assert.AreEqual("C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", certificate.Subject, "Wrong cert. subject found"); + + + var ocspLookup = CreateOcesLookup(); + + RevocationResponse revocationResponse = ocspLookup.CheckCertificate(certificate); + Assert.IsTrue(revocationResponse.IsValid, "Certificate should be OCSP valid..."); - var ocspLookup = CreateOcesLookup(); - RevocationResponse revocationResponse = ocspLookup.CheckCertificate(certificate); - Assert.IsTrue(revocationResponse.IsValid, "Certificate should be OCSP valid..."); - } - catch (CryptographicException ex) - { - Console.WriteLine("Kunne ikke finde MitId test certifikat: " + LookupTest.mitIdFocesOkayCertificate); - Assert.Fail(ex.ToString()); - } - - } catch (Exception exception) { @@ -194,7 +252,7 @@ namespace dk.gov.oiosi.test.unit.security.revocation } } - + [Test] 
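Review bot: `CheckCertificateResources` and `TestMitIdTestCertificateRoot` now load the test PKCS#12 with `X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet` and never dispose the certificate; on .NET Framework `PersistKeySet` leaves the test private key in the machine key container after every run, so either drop `PersistKeySet` or wrap the certificate in a `using` block. The same flag combination is added again in the `@@ -168,25 +232,19 @@` and `@@ -202,7 +260,8 @@` hunks below. The `/** Verify that our self-signed check functionality works. */` comment now sits above `CheckCertificateResources`, which only checks that the resource files load, while the test it describes moved below it without a comment; the `Console.WriteLine("Kunne ikke finde Foces2 test certifikat: " + ...)` lines for the OCES2 and MitID root certificates also name the wrong certificate. The `@@ -168` hunk's enclosing method ends outside the hunk.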
@@ -202,7 +260,8 @@ namespace dk.gov.oiosi.test.unit.security.revocation { try { - X509Certificate2 certificate = new X509Certificate2(LookupTest.foces2OkayCertificate, "Test1234"); + + X509Certificate2 certificate = new X509Certificate2(LookupTest.foces2OkayCertificate, "Test1234", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet); Assert.IsNotNull(certificate, "Test certificate was null."); OcspLookup ocspLookup = this.CreateOcesLookup(); @@ -210,12 +269,14 @@ namespace dk.gov.oiosi.test.unit.security.revocation Assert.IsTrue(response.IsValid, "Certificate is not valid."); Assert.IsNull(response.Exception, "The lookup return an exception."); Assert.AreEqual(RevocationCheckStatus.AllChecksPassed, response.RevocationCheckStatus, "Not all check was performed."); + + } catch (Exception exception) { Assert.Fail(exception.ToString()); } - } + } [Test] [Ignore("Certificate expired - get a fresh one!!!")] 
@@ -262,22 +323,22 @@ namespace dk.gov.oiosi.test.unit.security.revocation /* */ - /* [Test] - public void LookupTestExpiredFoces2() - { - try - { - OcspLookup ocspLookup = this.CreateOcesLookup(); - X509Certificate2 certificate = new X509Certificate2(this.foces2ExpiredCertificate, "Test1234"); - RevocationResponse response = ocspLookup.CheckCertificate(certificate); - Assert.IsFalse(response.IsValid, "Certificate is not valid."); - Assert.IsNull(response.Exception, "The lookup return an exception."); - Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "Not all check was performed."); - } - catch (Exception exception) - { - Assert.Fail(exception.ToString()); - } - }*/ + /* [Test] + public void LookupTestExpiredFoces2() + { + try + { + OcspLookup ocspLookup = this.CreateOcesLookup(); + X509Certificate2 certificate = new X509Certificate2(this.foces2ExpiredCertificate, "Test1234"); + RevocationResponse response = ocspLookup.CheckCertificate(certificate); + Assert.IsFalse(response.IsValid, "Certificate is not valid."); + Assert.IsNull(response.Exception, "The lookup return an exception."); + Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "Not all check was performed."); + } + catch (Exception exception) + { + Assert.Fail(exception.ToString()); + } + }*/ } } \ No newline at end of file -- GitLab From cc1581bf93b970f96e81206c971f1fe645574aa7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Tue, 4 May 2021 16:37:47 +0200 Subject: [PATCH 08/15] Added root certificateUnit tests now running locally. - Added unit test to check certificate accessibility --- .../RaspConfiguration.Test.xml | 4 +- .../security/revocation/ocsp/OcspLookup.cs | 15 +- .../validation/CertificateValidator.cs | 6 +- test/dk.gov.oiosi.test.unit/TestConstants.cs | 2 +- .../dk.gov.oiosi.test.unit.csproj | 4 + .../security/revocation/OcspLookupTest.cs | 177 ++++++++++++------ 6 files changed, 131 insertions(+), 77 deletions(-) diff --git a/src/dk.gov.oiosi.resource/RaspConfiguration.Test.xml b/src/dk.gov.oiosi.resource/RaspConfiguration.Test.xml index ebbc0be8..ed20afea 100644 --- a/src/dk.gov.oiosi.resource/RaspConfiguration.Test.xml +++ b/src/dk.gov.oiosi.resource/RaspConfiguration.Test.xml @@ -4775,8 +4775,8 @@ LocalMachine Root - 4b ea 6e 94 - TRUST2408 Systemtest VII Primary CA + 573f57e67530f1a0777dfbc69f090438d3360256 + Den Danske Stat OCES rod-CA diff --git a/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs b/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs index d2095786..1127ea63 100644 --- a/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs +++ b/src/dk.gov.oiosi/security/revocation/ocsp/OcspLookup.cs @@ -51,7 +51,6 @@ using dk.gov.oiosi.security.revocation.crl; using Org.BouncyCastle.Security.Certificates; using dk.gov.oiosi.logging; using System.Linq; -using dk.gov.oiosi.security.revocation.crl; //using Novell.Directory.Ldap.Asn1; namespace dk.gov.oiosi.security.revocation.ocsp 
@@ -247,18 +246,8 @@ namespace dk.gov.oiosi.security.revocation.ocsp throw new CheckCertificateOcspUnexpectedException("Issuer certificate '" + x509Certificate2.Issuer + "' not found."); } - Console.WriteLine("----"); - Console.WriteLine("CSN:" + x509Certificate2.SubjectName); - Console.WriteLine("ISN:" + issuerX509Certificate2.SubjectName); - Console.WriteLine("issuerX509Certificate2.SerialNumber.Equals(issuerX509Certificate2.SerialNumber, StringComparison.OrdinalIgnoreCase)"); - Console.WriteLine("CSN:" + x509Certificate2.SerialNumber); - Console.WriteLine("ISN:" + issuerX509Certificate2.SerialNumber); - Console.WriteLine("----"); - if (issuerX509Certificate2.SerialNumber.Equals(x509Certificate2.SerialNumber, StringComparison.InvariantCultureIgnoreCase)) { - Console.WriteLine("Throw self-signed exception..."); - Console.WriteLine("----"); // the certificate and the issuer certificace is the same // this mean that the root certificate is not trusted throw new CheckCertificateOcspUnexpectedException("E-RSP19442: Certificate not trusted, as the certificate is self-signed"); @@ -765,6 +754,8 @@ namespace dk.gov.oiosi.security.revocation.ocsp { // response already in cache. // Check if the response still is valid + + if (revocationResponse.NextUpdate < DateTime.Now) { // the cached value is to old @@ -796,7 +787,6 @@ namespace dk.gov.oiosi.security.revocation.ocsp IAsyncResult asyncResult = asyncOcspCall.BeginInvoke(certificate, null, null); bool ocspRepliedInTime = asyncResult.AsyncWaitHandle.WaitOne(_configuration.DefaultTimeoutMsec, false); - // bool ocspRepliedInTime = asyncResult.AsyncWaitHandle.WaitOne(120000, false); if (ocspRepliedInTime) { // okay, the operation has finish. 
@@ -808,7 +798,6 @@ namespace dk.gov.oiosi.security.revocation.ocsp
 // operation timeout
 throw new CertificateRevokedTimeoutException(TimeSpan.FromMilliseconds(_configuration.DefaultTimeoutMsec));
- //throw new CertificateRevokedTimeoutException(TimeSpan.FromMilliseconds(120000));
 }
 return response;
diff --git a/src/dk.gov.oiosi/security/validation/CertificateValidator.cs b/src/dk.gov.oiosi/security/validation/CertificateValidator.cs
index de54f23b..6186ed93 100644
--- a/src/dk.gov.oiosi/security/validation/CertificateValidator.cs
+++ b/src/dk.gov.oiosi/security/validation/CertificateValidator.cs
@@ -132,13 +132,13 @@ namespace dk.gov.oiosi.security.validation
 // Check if the certificate has the default root certificate as its root
 bool rootIsInChain = false;
- string rootThumbprint = rootCertificate.Thumbprint.ToLower();
+ string rootSerialNumber = rootCertificate.SerialNumber.ToLower();
- if (certificate.Thumbprint.ToLower() != rootThumbprint)
+ if (!certificate.SerialNumber.Equals(rootSerialNumber, StringComparison.InvariantCultureIgnoreCase))
 {
 foreach (X509ChainElement chainElem in chain.ChainElements)
 {
- if (chainElem.Certificate.Thumbprint.ToLower() == rootThumbprint)
+ if (chainElem.Certificate.SerialNumber.Equals(rootSerialNumber, StringComparison.InvariantCultureIgnoreCase))
 {
 rootIsInChain = true;
 break;
diff --git a/test/dk.gov.oiosi.test.unit/TestConstants.cs b/test/dk.gov.oiosi.test.unit/TestConstants.cs
index 5345cf21..fe600e17 100644
--- a/test/dk.gov.oiosi.test.unit/TestConstants.cs
+++ b/test/dk.gov.oiosi.test.unit/TestConstants.cs
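Review bot: Identifying the pinned root by `SerialNumber` instead of `Thumbprint` weakens the root check in this hunk: a serial number is assigned by the issuing CA and is only unique within that CA, so any certificate in the chain that carries the same serial — including a different self-signed root — now satisfies `rootIsInChain`, whereas the thumbprint identifies exactly one certificate. If the motivation was a root re-issued under the same serial, compare issuer name plus serial at minimum or keep a list of accepted thumbprints, and use `StringComparison.OrdinalIgnoreCase` for hex strings rather than a culture-aware comparison. The minimal change that keeps the new `Equals` style is `string rootThumbprint = rootCertificate.Thumbprint;`, `if (!certificate.Thumbprint.Equals(rootThumbprint, StringComparison.OrdinalIgnoreCase))` and `if (chainElem.Certificate.Thumbprint.Equals(rootThumbprint, StringComparison.OrdinalIgnoreCase))`. The OcspLookup.cs hunk above keeps a self-signed test that likewise relies on serial equality between certificate and issuer, which has the same limitation. The enclosing method begins and ends outside this hunk.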
@@ -106,7 +106,7 @@ namespace dk.gov.oiosi.test.unit public const string PATH_CERTIFICATE_TEST_ROOT_OCES1 = "Resources/Certificates/TDC OCES Systemtest CA II.cer"; public const string PATH_CERTIFICATE_TEST_ROOT_OCES2 = "Resources/Certificates/TRUST2408 Systemtest VII Primary CA.cer"; - public const string PATH_CERTIFICATE_TEST_ROOT_MITID = "Resources/Certificates/MitID_root_CA1.cer"; + public const string PATH_CERTIFICATE_TEST_ROOT_MITID = "Resources/Certificates/MitID_root_CA2.cer"; public const string PATH_CERTIFICATE_PROD_ROOT_OCES1 = "Resources/Certificates/TDC OCES CA.cer"; public const string PATH_CERTIFICATE_PROD_ROOT_OCES2 = "Resources/Certificates/TRUST2408 OCES Primary CA.cer"; diff --git a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj index fee2205c..8b22ae8d 100644 --- a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj +++ b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj @@ -159,6 +159,10 @@ Resources\Certificates\MitID_root_CA1.cer PreserveNewest + + Resources\Certificates\MitID_root_CA2.cer + PreserveNewest + Resources\Certificates\TDC OCES Systemtest CA II.cer PreserveNewest diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs index c477f099..eac37105 100644 --- a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs +++ b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs 
@@ -129,38 +129,102 @@ namespace dk.gov.oiosi.test.unit.security.revocation
 /**
 * Verify that our self-signed check functionality works.
 */
+ [Test]
- public void TestMitIdTestCertificateRoot()
+ public void CheckCertificateResources()
 {
+ try
 {
- var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet);
- OcspLookup ocspLookup = this.CreateOcesLookup();
-
- var issuerCertificate = new CertificateUtil().FindIssuerCertificate(certificate);
- Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES udstedende-CA 1", issuerCertificate.SubjectName.Name, "Wrong issuer certificate found");
-
- var rootCertificate = new CertificateUtil().FindIssuerCertificate(issuerCertificate);
- Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES rod-CA", rootCertificate.SubjectName.Name, "Wrong root certificate found");
-
- try
- {
- ocspLookup.RevocationResponseOnline(rootCertificate);
- Assert.Fail("Exception not thrown - as expected");
- //fail("Exception not thrown - as expected");
- }
- catch (CheckCertificateOcspUnexpectedException ex)
- {
- Assert.AreEqual("E-RSP19442: Certificate not trusted, as the certificate is self-signed", ex.Message, "Wrong error");
- }
+ var certificate1 = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+ Assert.IsNotNull(certificate1);
 }
- catch(CryptographicException ex)
+ catch (CryptographicException ex)
 {
 Console.WriteLine("Kunne ikke finde MitId test certifikat: " + LookupTest.mitIdFocesOkayCertificate);
 Assert.Fail(ex.ToString());
- }
+ }
+ catch (Exception ex)
+ {
+ Assert.Fail(ex.ToString());
+ }
+
+
+ try
+ {
+ var certificate2 = new X509Certificate2(LookupTest.foces2OkayCertificate, "Test1234", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+ Assert.IsNotNull(certificate2);
+ }
+ catch (CryptographicException ex)
+ {
+ Console.WriteLine("Kunne ikke finde Foces2 test certifikat: " + LookupTest.foces2OkayCertificate);
+ Assert.Fail(ex.ToString());
+ }
+ catch (Exception ex)
+ {
+ Assert.Fail(ex.ToString());
+ }
+
+ try
+ {
+ var oces2RootCertificate = new X509Certificate2(LookupTest.oces2RootCertificate);
+ Assert.IsNotNull(oces2RootCertificate);
+ }
+ catch (CryptographicException ex)
+ {
+ Console.WriteLine("Kunne ikke finde Foces2 test certifikat: " + LookupTest.oces2RootCertificate);
+ Assert.Fail(ex.ToString());
+ }
+ catch (Exception ex)
+ {
+ Assert.Fail(ex.ToString());
+ }
+
+ try
+ {
+ var mitIdRootCertiticate = new X509Certificate2(LookupTest.mitIdRootCertificate);
+ Assert.IsNotNull(mitIdRootCertiticate);
+ }
+ catch (CryptographicException ex)
+ {
+ Console.WriteLine("Kunne ikke finde Foces2 test certifikat: " + LookupTest.mitIdRootCertificate);
+ Assert.Fail(ex.ToString());
+ }
+ catch (Exception ex)
+ {
+ Assert.Fail(ex.ToString());
+ }
+
+
+ }
+
+
+ [Test]
+ public void TestMitIdTestCertificateRoot()
+ {
+
+ var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+ OcspLookup ocspLookup = this.CreateOcesLookup();
+
+ var issuerCertificate = new CertificateUtil().FindIssuerCertificate(certificate);
+ Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES udstedende-CA 1", issuerCertificate.SubjectName.Name, "Wrong issuer certificate found");
+
+ var rootCertificate = new CertificateUtil().FindIssuerCertificate(issuerCertificate);
+ Assert.AreEqual("C=DK, O=Den Danske Stat, OU=Test - cti, CN=Den Danske Stat OCES rod-CA", rootCertificate.SubjectName.Name, "Wrong root certificate found");
+
+ try
+ {
+ ocspLookup.RevocationResponseOnline(rootCertificate);
+ Assert.Fail("Exception not thrown - as expected");
+ //fail("Exception not thrown - as expected");
+ }
+ catch (CheckCertificateOcspUnexpectedException ex)
+ {
+ Assert.AreEqual("E-RSP19442: Certificate not trusted, as the certificate is self-signed", ex.Message, "Wrong error");
+ }
+
+
-
 }
 [Test]
@@ -168,25 +232,19 @@ namespace dk.gov.oiosi.test.unit.security.revocation
 {
 try
 {
- try
- {
- var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet);
- Assert.AreEqual("C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", certificate.Subject, "Wrong cert. subject found");
+
+ var certificate = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+ Assert.AreEqual("C=DK, OID.2.5.4.97=NTRDK-90146280, O=Testorganisation nr. 90146280, SERIALNUMBER=UI:DK-O:G:3c0f8cbc-4abe-4c6b-b40f-7236a2f39c7c, CN=Nemhandel-DEV-OCES-cert-20210422", certificate.Subject, "Wrong cert. subject found");
+
+
+ var ocspLookup = CreateOcesLookup();
+
+ RevocationResponse revocationResponse = ocspLookup.CheckCertificate(certificate);
+ Assert.IsTrue(revocationResponse.IsValid, "Certificate should be OCSP valid...");
- var ocspLookup = CreateOcesLookup();
- RevocationResponse revocationResponse = ocspLookup.CheckCertificate(certificate);
- Assert.IsTrue(revocationResponse.IsValid, "Certificate should be OCSP valid...");
- }
- catch (CryptographicException ex)
- {
- Console.WriteLine("Kunne ikke finde MitId test certifikat: " + LookupTest.mitIdFocesOkayCertificate);
- Assert.Fail(ex.ToString());
- }
-
-
 }
 catch (Exception exception)
 {
@@ -194,7 +252,7 @@ namespace dk.gov.oiosi.test.unit.security.revocation
 }
 }
-
+
 [Test]
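Review bot: Every `X509Certificate2` built in `CheckCertificateResources` and `TestMitIdTestCertificateRoot` passes `X509KeyStorageFlags.MachineKeySet | Exportable | PersistKeySet`, which persists the test certificate's private key in the machine key store on each run, and none of the instances are disposed, so those keys accumulate on any machine that runs the suite; the `@@ -168` and `@@ -202` hunks in this file add the same flags. Unless a test needs a persisted key, drop `PersistKeySet` (and `MachineKeySet`, which may need elevated rights) and dispose the certificate, e.g. `using (var certificate1 = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86"))`. The PKCS#12 password `"?3ngCR4,gq86"` is repeated as a literal in three tests after this change; a constant beside `PASSWORD_CERTIFICATE_DEVICE` in TestConstants.cs would keep it in one place. The comment `Verify that our self-signed check functionality works.` now heads `CheckCertificateResources`, which only loads the four resource certificates, while `TestMitIdTestCertificateRoot`, the test it describes, is left without one. The two `Console.WriteLine` messages in the `oces2RootCertificate` and `mitIdRootCertificate` blocks still say `Foces2 test certifikat`.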
@@ -202,7 +260,8 @@ namespace dk.gov.oiosi.test.unit.security.revocation
 {
 try
 {
- X509Certificate2 certificate = new X509Certificate2(LookupTest.foces2OkayCertificate, "Test1234");
+
+ X509Certificate2 certificate = new X509Certificate2(LookupTest.foces2OkayCertificate, "Test1234", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
 Assert.IsNotNull(certificate, "Test certificate was null.");
 OcspLookup ocspLookup = this.CreateOcesLookup();
@@ -210,12 +269,14 @@ namespace dk.gov.oiosi.test.unit.security.revocation
 Assert.IsTrue(response.IsValid, "Certificate is not valid.");
 Assert.IsNull(response.Exception, "The lookup return an exception.");
 Assert.AreEqual(RevocationCheckStatus.AllChecksPassed, response.RevocationCheckStatus, "Not all check was performed.");
+
+
 }
 catch (Exception exception)
 {
 Assert.Fail(exception.ToString());
 }
- }
+ }
 [Test]
 [Ignore("Certificate expired - get a fresh one!!!")]
@@ -262,22 +323,22 @@ namespace dk.gov.oiosi.test.unit.security.revocation /* */ - /* [Test] - public void LookupTestExpiredFoces2() - { - try - { - OcspLookup ocspLookup = this.CreateOcesLookup(); - X509Certificate2 certificate = new X509Certificate2(this.foces2ExpiredCertificate, "Test1234"); - RevocationResponse response = ocspLookup.CheckCertificate(certificate); - Assert.IsFalse(response.IsValid, "Certificate is not valid."); - Assert.IsNull(response.Exception, "The lookup return an exception."); - Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "Not all check was performed."); - } - catch (Exception exception) - { - Assert.Fail(exception.ToString()); - } - }*/ + /* [Test] + public void LookupTestExpiredFoces2() + { + try + { + OcspLookup ocspLookup = this.CreateOcesLookup(); + X509Certificate2 certificate = new X509Certificate2(this.foces2ExpiredCertificate, "Test1234"); + RevocationResponse response = ocspLookup.CheckCertificate(certificate); + Assert.IsFalse(response.IsValid, "Certificate is not valid."); + Assert.IsNull(response.Exception, "The lookup return an exception."); + Assert.AreEqual(RevocationCheckStatus.CertificateRevoked, response.RevocationCheckStatus, "Not all check was performed."); + } + catch (Exception exception) + { + Assert.Fail(exception.ToString()); + } + }*/ } } \ No newline at end of file -- GitLab From 2828d6e1c0aa18faa3219fcc53f34788d1fbe3b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Tue, 4 May 2021 18:08:19 +0200 Subject: [PATCH 09/15] Added new root certificate --- common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common b/common index 26c4e1bf..68cedda6 160000 --- a/common +++ b/common @@ -1 +1 @@ -Subproject commit 26c4e1bf2412ed6d98fc1b37d57ead9ee749a02d +Subproject commit 68cedda61fcbc2e27b952e3d5ebacc8be5bbe3eb -- GitLab From 2fa0f3705f459af05769a78440f5a33b2b505e38 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Tue, 4 May 2021 18:28:37 +0200 Subject: [PATCH 10/15] Duplicate root certificate existed in common project - changed the linked reference to the other submitted certificate. --- common | 2 +- test/dk.gov.oiosi.test.unit/TestConstants.cs | 2 +- test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj | 8 ++------ 3 files changed, 4 insertions(+), 8 deletions(-) diff --git a/common b/common index 68cedda6..d4c903d2 160000 --- a/common +++ b/common @@ -1 +1 @@ -Subproject commit 68cedda61fcbc2e27b952e3d5ebacc8be5bbe3eb +Subproject commit d4c903d23a845ee0a0f0f2141f65b05a8b93ee83 diff --git a/test/dk.gov.oiosi.test.unit/TestConstants.cs b/test/dk.gov.oiosi.test.unit/TestConstants.cs index fe600e17..0ac51a19 100644 --- a/test/dk.gov.oiosi.test.unit/TestConstants.cs +++ b/test/dk.gov.oiosi.test.unit/TestConstants.cs @@ -106,7 +106,7 @@ namespace dk.gov.oiosi.test.unit public const string PATH_CERTIFICATE_TEST_ROOT_OCES1 = "Resources/Certificates/TDC OCES Systemtest CA II.cer"; public const string PATH_CERTIFICATE_TEST_ROOT_OCES2 = "Resources/Certificates/TRUST2408 Systemtest VII Primary CA.cer"; - public const string PATH_CERTIFICATE_TEST_ROOT_MITID = "Resources/Certificates/MitID_root_CA2.cer"; + public const string PATH_CERTIFICATE_TEST_ROOT_MITID = "Resources/Certificates/MitID_root_CA.cer"; public const string PATH_CERTIFICATE_PROD_ROOT_OCES1 = "Resources/Certificates/TDC OCES CA.cer"; public const string PATH_CERTIFICATE_PROD_ROOT_OCES2 = "Resources/Certificates/TRUST2408 OCES Primary CA.cer"; diff --git a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj index 8b22ae8d..b85e9916 100644 --- a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj +++ b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj 
@@ -155,12 +155,8 @@ Resources\Certificates\Nemhandel-DEV-OCES-cert-20210422.p12 PreserveNewest - - Resources\Certificates\MitID_root_CA1.cer - PreserveNewest - - - Resources\Certificates\MitID_root_CA2.cer + + Resources\Certificates\MitID_root_CA.cer PreserveNewest -- GitLab From 9a89be0a8badd90e6cb9b38675abf2b2aacce24f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Tue, 4 May 2021 18:45:57 +0200 Subject: [PATCH 11/15] Potential fix to corrupt csproj file --- test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj | 3 +++ test/dk.gov.oiosi.test.unit/packages.config | 1 + 2 files changed, 4 insertions(+) diff --git a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj index b85e9916..4565da9c 100644 --- a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj +++ b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj @@ -50,6 +50,9 @@ ..\..\packages\NUnit.3.12.0\lib\net45\nunit.framework.dll + + ..\..\packages\Saxon-HE.10.3.0\lib\net40\saxon-he-api-10.3.dll + diff --git a/test/dk.gov.oiosi.test.unit/packages.config b/test/dk.gov.oiosi.test.unit/packages.config index 208e09ad..75172e85 100644 --- a/test/dk.gov.oiosi.test.unit/packages.config +++ b/test/dk.gov.oiosi.test.unit/packages.config @@ -3,4 +3,5 @@ + \ No newline at end of file -- GitLab From 35193414d60a7ce41ac8c8818eb29246be82d9eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Tue, 4 May 2021 20:04:15 +0200 Subject: [PATCH 12/15] another try --- AssemblyInfoFileVersion.cs | 2 +- .../security/revocation/OcspLookupTest.cs | 20 ++++++++++++++++--- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/AssemblyInfoFileVersion.cs b/AssemblyInfoFileVersion.cs index b028aaeb..39934360 100644 --- a/AssemblyInfoFileVersion.cs +++ b/AssemblyInfoFileVersion.cs 
@@ -10,5 +10,5 @@ using System.Reflection;
 //
 //------------------------------------------------------------------------------
-[assembly: AssemblyFileVersionAttribute("3.0.0.65534")]
+[assembly: AssemblyFileVersionAttribute("3.0.0.BETA")]
diff --git a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs
index eac37105..3e215ffd 100644
--- a/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs
+++ b/test/dk.gov.oiosi.test.unit/security/revocation/OcspLookupTest.cs
@@ -136,12 +136,12 @@ namespace dk.gov.oiosi.test.unit.security.revocation
 try
 {
- var certificate1 = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+ var certificate1 = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86");
 Assert.IsNotNull(certificate1);
 }
 catch (CryptographicException ex)
 {
- Console.WriteLine("Kunne ikke finde MitId test certifikat: " + LookupTest.mitIdFocesOkayCertificate);
+ Console.WriteLine("Kunne ikke finde MitId test certifikat (MachineKeySet): " + LookupTest.mitIdFocesOkayCertificate);
 Assert.Fail(ex.ToString());
 }
 catch (Exception ex)
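Review bot: The message in the `catch` now says `(MachineKeySet)`, but the constructor call a few lines above it no longer passes `X509KeyStorageFlags.MachineKeySet`, so the label no longer describes what the block exercises. The block added in the `@@ -149` hunk on the next line builds the same `X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86")` and labels it `(Default)`, so the two blocks are now identical and whichever fails first will mask the other. Either restore the flag here, `var certificate1 = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86", X509KeyStorageFlags.MachineKeySet);`, or remove one of the two blocks. `CheckCertificateResources` starts and ends outside this hunk.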
@@ -149,10 +149,24 @@ namespace dk.gov.oiosi.test.unit.security.revocation Assert.Fail(ex.ToString()); } + try + { + var certificate1 = new X509Certificate2(LookupTest.mitIdFocesOkayCertificate, "?3ngCR4,gq86"); + Assert.IsNotNull(certificate1); + } + catch (CryptographicException ex) + { + Console.WriteLine("Kunne ikke finde MitId test certifikat (Default): " + LookupTest.mitIdFocesOkayCertificate); + Assert.Fail(ex.ToString()); + } + catch (Exception ex) + { + Assert.Fail(ex.ToString()); + } try { - var certificate2 = new X509Certificate2(LookupTest.foces2OkayCertificate, "Test1234", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet); + var certificate2 = new X509Certificate2(LookupTest.foces2OkayCertificate, "Test1234"); Assert.IsNotNull(certificate2); } catch (CryptographicException ex) -- GitLab From 5532d4faab1c65b1e375a7093c3b4783931c42e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Tue, 4 May 2021 21:56:24 +0200 Subject: [PATCH 13/15] Updated submodule head --- common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common b/common index d4c903d2..364cc319 160000 --- a/common +++ b/common @@ -1 +1 @@ -Subproject commit d4c903d23a845ee0a0f0f2141f65b05a8b93ee83 +Subproject commit 364cc3194f6e46accbd0025fc628898a4a55f4b8 -- GitLab From afc7605cc631ba2038401d145c38a1bd2aa93b27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Tue, 4 May 2021 21:57:36 +0200 Subject: [PATCH 14/15] Testing Jenkins with .pfx version of MitId certificate --- test/dk.gov.oiosi.test.unit/TestConstants.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/dk.gov.oiosi.test.unit/TestConstants.cs b/test/dk.gov.oiosi.test.unit/TestConstants.cs index 0ac51a19..57e96470 100644 --- a/test/dk.gov.oiosi.test.unit/TestConstants.cs +++ b/test/dk.gov.oiosi.test.unit/TestConstants.cs 
@@ -100,7 +100,7 @@ namespace dk.gov.oiosi.test.unit public const string PATH_CERTIFICATE_DEVICE = "Resources/Certificates/CVR30808460.Expire20200130.TU GENEREL FOCES gyldig (Funktionscertifikat).pfx"; public const string PASSWORD_CERTIFICATE_DEVICE = "Test1234"; - public const string PATH_CERTIFICATE_MITID_DEVICE = "Resources/Certificates/Nemhandel-DEV-OCES-cert-20210422.p12"; + public const string PATH_CERTIFICATE_MITID_DEVICE = "Resources/Certificates/Nemhandel-DEV-OCES-cert-20210422.pfx"; ////public const string PATH_CERTIFICATE_ROOT1 = "Resources/Certificates/TDC OCES Systemtest CA II.cer"; ////public const string PATH_CERTIFICATE_ROOT2 = "Resources/Certificates/TRUST2408 Systemtest VII Primary CA.cer"; -- GitLab From e132b45817b77c646af2578bda2e008d224d2c54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20S=C3=B8rensen-Boll?= Date: Tue, 4 May 2021 22:22:11 +0200 Subject: [PATCH 15/15] Forgot to add the linked reference --- AssemblyInfoFileVersion.cs | 2 +- test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/AssemblyInfoFileVersion.cs b/AssemblyInfoFileVersion.cs index 39934360..b028aaeb 100644 --- a/AssemblyInfoFileVersion.cs +++ b/AssemblyInfoFileVersion.cs @@ -10,5 +10,5 @@ using System.Reflection; // //------------------------------------------------------------------------------ -[assembly: AssemblyFileVersionAttribute("3.0.0.BETA")] +[assembly: AssemblyFileVersionAttribute("3.0.0.65534")] diff --git a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj index 4565da9c..924f97a2 100644 --- a/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj +++ b/test/dk.gov.oiosi.test.unit/dk.gov.oiosi.test.unit.csproj 
@@ -158,6 +158,10 @@ Resources\Certificates\Nemhandel-DEV-OCES-cert-20210422.p12 PreserveNewest + + Resources\Certificates\Nemhandel-DEV-OCES-cert-20210422.pfx + PreserveNewest + Resources\Certificates\MitID_root_CA.cer PreserveNewest -- GitLab