From 79de70c66702d52bd2c55813186535a6221df84d Mon Sep 17 00:00:00 2001
From: Morten Jacobsen
Date: Thu, 16 Mar 2023 13:16:34 +0100
Subject: [PATCH] NH-3208: Fix certificate lookup to be in line with OIORASP java library wrt. NemID/MitID certificate infrastructure
---
 .../security/ldap/LdapCertificateLookup.cs | 2 +-
 .../ldap/LdapCertificateLookupTest.cs | 2 +-
 .../ldap/LdapCertificateLookupTest.cs | 66 +++++++++++++++++++
 3 files changed, 68 insertions(+), 2 deletions(-)
diff --git a/src/dk.gov.oiosi/security/ldap/LdapCertificateLookup.cs b/src/dk.gov.oiosi/security/ldap/LdapCertificateLookup.cs
index 1c7a1a8d..73d32d37 100644
--- a/src/dk.gov.oiosi/security/ldap/LdapCertificateLookup.cs
+++ b/src/dk.gov.oiosi/security/ldap/LdapCertificateLookup.cs
@@ -162,7 +162,7 @@ namespace dk.gov.oiosi.security.ldap
 {
 // NemId is a FOCES-certificate, MitId VOCES
 var certificateInfrastructure =
- subject.SubjectString.Contains("FID") ? _settings.HostPortForNemId : _settings.HostPortForMitId;
+ subject.SubjectString.Contains("-FID:") ? _settings.HostPortForNemId : _settings.HostPortForMitId;
 try
 {
diff --git a/src/dk.gov.oiosi/security/ldap/LdapCertificateLookupTest.cs b/src/dk.gov.oiosi/security/ldap/LdapCertificateLookupTest.cs
index 02fed1d8..8d615ef5 100644
--- a/src/dk.gov.oiosi/security/ldap/LdapCertificateLookupTest.cs
+++ b/src/dk.gov.oiosi/security/ldap/LdapCertificateLookupTest.cs
@@ -68,7 +68,7 @@ namespace dk.gov.oiosi.security.ldap
 {
 // NemId is a FOCES-certificate, MitId VOCES
 var certificateInfrastructure =
- certificateSubject.SubjectString.Contains("FID") ? settings.HostPortForNemId : settings.HostPortForMitId;
+ certificateSubject.SubjectString.Contains("-FID:") ? settings.HostPortForNemId : settings.HostPortForMitId;
 throw new ConnectingToLdapServerFailedException(certificateInfrastructure, new Exception(this.ToString()), "E-RSP19111");
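Review bot: The routing expression on the changed line still searches the whole subject DN for `-FID:` instead of the SERIALNUMBER RDN, so a subject whose O or CN contains that literal token would still be sent to the NemID directory; the narrower token lowers the collision risk that the new tests exercise but does not remove it. If `CertificateSubject` exposes the serial-number component, decide on that value; otherwise a comment such as `// Routing key: OCES2/NemID serial numbers have the form CVR:nnnnnnnn-FID:nnnnnnnn; match the delimited token, not a bare "FID", because O and CN are free text` would at least record the assumption. The second hunk (the LdapCertificateLookupTest stub under src/) repeats the same expression, so the rule can drift between the two; a single shared predicate used by both would keep them aligned. The enclosing method starts and ends outside this hunk.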
diff --git a/test/dk.gov.oiosi.test.unit/security/ldap/LdapCertificateLookupTest.cs b/test/dk.gov.oiosi.test.unit/security/ldap/LdapCertificateLookupTest.cs
index 5c127103..a49819b0 100644
--- a/test/dk.gov.oiosi.test.unit/security/ldap/LdapCertificateLookupTest.cs
+++ b/test/dk.gov.oiosi.test.unit/security/ldap/LdapCertificateLookupTest.cs
@@ -74,6 +74,38 @@ namespace dk.gov.oiosi.test.unit.security.ldap
 Assert.AreEqual(expectedEndDate, actualEndDate, message: "Wrong end date found...");
 }
+ [Test]
+ public void TestLdapTestServerFoces2SubjectWithFIDInAliasAndName()
+ {
+ var ldapCertificateLookup = new LdapCertificateLookup(this._ldapSettings);
+ var certSubject = new CertificateSubject("SERIALNUMBER=CVR:30808460-FID:94731315 + CN=FOO-FID-bar (funktionscertifikat), O=TESTFID A/S // CVR:30808460, C=DK");
+
+ X509Certificate2 cert = null;
+
+ try
+ {
+ cert = ldapCertificateLookup.GetCertificate(certSubject);
+ }
+ catch (CertificateValidationException ex)
+ {
+ // We managed to connect and get a certificate. For some (possibly local) reason it didn't
+ // pass validation but that is not important for this test.
+ cert = (X509Certificate2)ex.Data["Certificate"];
+ }
+
+ // NOTE: These asserts correspond to certificate "SERIALNUMBER=CVR:30808460-FID:94731315 + CN=TU GENEREL FOCES gyldig (funktionscertifikat), O=NETS DANID A/S // CVR:30808460, C=DK"
+ // The lookup will still resolve this even though we used a modified certSubject above, since the actual lookup uses the SERIALNUMBER, not the other parts
+ // java: assertEquals("Wrong cert. found...", BigInteger.valueOf(1538079514), cert.getSerialNumber());
+ var actualSerialNumber = cert.GetSerialNumberString();
+ Assert.AreEqual("5FA69907", actualSerialNumber.ToUpperInvariant(),
+ message: "Wrong cert. found...");
+
+ // java: assertEquals("Wrong end date found...", "2022-12-16T14:31:07 UTC", DateUtil.formatDate(cert.getNotAfter()));
+ var expectedEndDate = "2025-12-11T12:47:33.0000000Z";
+ var actualEndDate = cert.NotAfter.ToUniversalTime().ToString("o");
+ Assert.AreEqual(expectedEndDate, actualEndDate, message: "Wrong end date found...");
+ }
+
 [Test]
 public void TestGetMitIdCertificateFromTestLdap()
 {
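Review bot: `cert` can still be null after the catch path when `ex.Data["Certificate"]` is absent, so the `cert.GetSerialNumberString()` call in the new test fails with a NullReferenceException instead of a readable assertion; add `Assert.IsNotNull(cert, "No certificate returned or attached to the validation exception");` before the serial-number assert. The same applies to TestGetMitIdCertificateFromTestLdapWithFIDInName in the next hunk. The `// java:` comment quotes an end date of 2022-12-16 while the expected value two lines below is 2025-12-11, which suggests the reference is stale and will mislead whoever next reconciles the two test suites. The new method is complete within the hunk, but the enclosing test class starts and ends outside it.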
@@ -105,5 +137,39 @@ namespace dk.gov.oiosi.test.unit.security.ldap
 var actualEndDate = cert.NotAfter.ToUniversalTime().ToString("o");
 Assert.AreEqual(expectedEndDate, actualEndDate, message: "Wrong expiration date found...");
 }
+
+ [Test]
+ public void TestGetMitIdCertificateFromTestLdapWithFIDInName()
+ {
+ var ldapCertificateLookup = new LdapCertificateLookup(this._ldapSettings);
+ var certSubject = "C = DK, 2.5.4.97 = NTRDK-10150817, O = TestFID, SERIALNUMBER = UI:DK-O:G:fa43df71-4c0b-4eb9-af64-6c90c92bcb7c, CN = NH TestFID";
+
+ X509Certificate2 cert = null;
+
+ try
+ {
+ cert = ldapCertificateLookup.GetCertificate(new CertificateSubject(certSubject));
+ }
+ catch (CertificateValidationException ex)
+ {
+ // We managed to connect and get a certificate. For some (possibly local) reason it didn't
+ // pass validation but that is not important for this test.
+ cert = (X509Certificate2)ex.Data["Certificate"];
+ }
+
+ // java: assertEquals("Wrong cert. found...", "344676415080031272949370873805706101461479077746", result.getSerialNumber().toString());
+
+ var actualSerialNumber = cert.GetSerialNumberString();
+
+ // NOTE: These asserts correspond to certificate "C = DK, 2.5.4.97 = NTRDK-10150817, O = Erhvervsstyrelsen, SERIALNUMBER = UI:DK-O:G:fa43df71-4c0b-4eb9-af64-6c90c92bcb7c, CN = NH Referenceklient - PROD"
+ // The lookup will still resolve this even though we used a modified certSubject above, since the actual lookup uses the SERIALNUMBER, not the other parts
+ Assert.AreEqual("402330A6F7E70CF65F00E61FA08C64B28D7B8DBD", actualSerialNumber.ToUpperInvariant(),
+ message: "Wrong cert. found...");
+
+ // java: assertEquals("Wrong expire date found...", "2024-02-16T08:57:31 UTC", DateUtil.formatDate(result.getNotAfter()));
+ var expectedEndDate = "2025-10-12T11:30:29.0000000Z";
+ var actualEndDate = cert.NotAfter.ToUniversalTime().ToString("o");
+ Assert.AreEqual(expectedEndDate, actualEndDate, message: "Wrong expiration date found...");
+ }
 }
 }
-- GitLab
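Review bot: The catch block in the new test turns a CertificateValidationException into a pass without recording why validation failed, so the only trace of a local trust-store or revocation problem is discarded; a `Console.WriteLine(ex);` (or the test framework's output writer, if the project uses one) inside the catch keeps that information in the test log while preserving the stated intent that validation is not what this test checks. Stylistically, `certSubject` is a raw string wrapped in `new CertificateSubject(...)` at the call site here, whereas the companion test in the previous hunk builds the `CertificateSubject` up front; keeping the two parallel makes the pair easier to read side by side. The enclosing test class ends in this hunk but starts outside it.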