OID Checkup (eu-digital-green-certificates#42)

* OID Services, Test Classes and Helper added.

* Testcases modified, Unknown Certificatetype added to validation, overload added for validation.

* Updated tests

* Updated formatting

* Updated tests

* Update

Co-authored-by: Oleksandr Sarapulov <[email protected]>

decoder/src/main/java/dgca/verifier/app/decoder/cose/CryptoService.kt

@@ -22,6 +22,7 @@
 
 package dgca.verifier.app.decoder.cose
 
+import dgca.verifier.app.decoder.model.CertificateType
 import dgca.verifier.app.decoder.model.VerificationResult
 import java.security.cert.Certificate
 
@@ -31,4 +32,5 @@ import java.security.cert.Certificate
 interface CryptoService {
 
     fun validate(cose: ByteArray, certificate: Certificate, verificationResult: VerificationResult)
+    fun validate(cose: ByteArray, certificate: Certificate, verificationResult: VerificationResult, certificateType: CertificateType)
 }

decoder/src/main/java/dgca/verifier/app/decoder/cose/VerificationCryptoService.kt

@@ -26,7 +26,9 @@ import com.upokecenter.cbor.CBORObject
 import dgca.verifier.app.decoder.ECDSA_256
 import dgca.verifier.app.decoder.RSA_PSS_256
 import dgca.verifier.app.decoder.convertToDer
+import dgca.verifier.app.decoder.model.CertificateType
 import dgca.verifier.app.decoder.model.VerificationResult
+import dgca.verifier.app.decoder.services.X509
 import dgca.verifier.app.decoder.verify
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo
 import org.bouncycastle.jce.provider.BouncyCastleProvider
@@ -39,13 +41,32 @@ import java.security.spec.RSAPublicKeySpec
 /**
  * Verifies COSE signature
  */
-class VerificationCryptoService : CryptoService {
+class VerificationCryptoService(private val x509: X509) : CryptoService {
 
     init {
         Security.addProvider(BouncyCastleProvider()) // for SHA256withRSA/PSS
     }
 
-    override fun validate(cose: ByteArray, certificate: Certificate, verificationResult: VerificationResult) {
+    override fun validate(
+        cose: ByteArray,
+        certificate: Certificate,
+        verificationResult: VerificationResult,
+        certificateType: CertificateType
+    ) {
+        validate(cose, certificate, verificationResult)
+
+        verificationResult.coseVerified =
+            verificationResult.coseVerified && (certificateType == CertificateType.UNKNOWN || x509.isSuitable(
+                certificate.encoded,
+                certificateType
+            ))
+    }
+
+    override fun validate(
+        cose: ByteArray,
+        certificate: Certificate,
+        verificationResult: VerificationResult
+    ) {
         val verificationKey = certificate.publicKey
         verificationResult.coseVerified = try {
             val messageObject = CBORObject.DecodeFromBytes(cose)
@@ -66,7 +87,8 @@ class VerificationCryptoService : CryptoService {
                     )
                 }
                 RSA_PSS_256 -> {
-                    val bytes = SubjectPublicKeyInfo.getInstance(certificate.publicKey.encoded).publicKeyData.bytes
+                    val bytes =
+                        SubjectPublicKeyInfo.getInstance(certificate.publicKey.encoded).publicKeyData.bytes
                     val rsaPublicKey = org.bouncycastle.asn1.pkcs.RSAPublicKey.getInstance(bytes)
                     val spec = RSAPublicKeySpec(rsaPublicKey.modulus, rsaPublicKey.publicExponent)
                     val key = KeyFactory.getInstance("RSA").generatePublic(spec)

decoder/src/main/java/dgca/verifier/app/decoder/model/CertificateType.kt

@@ -0,0 +1,5 @@
+package dgca.verifier.app.decoder.model
+
+enum class CertificateType {
+    UNKNOWN,VACCINATION,RECOVERY,TEST
+}

decoder/src/main/java/dgca/verifier/app/decoder/model/GreenCertificate.kt

@@ -74,4 +74,12 @@ data class GreenCertificate(
     } catch (ex: Exception) {
         ""
     }.toLowerCase(Locale.ROOT)
-}
+
+    fun getType(): CertificateType {
+        if (vaccinations?.isNotEmpty() == true)
+            return CertificateType.VACCINATION
+        if (tests?.isNotEmpty() == true) return CertificateType.TEST
+        if (recoveryStatements?.isNotEmpty() == true) return CertificateType.RECOVERY
+        return CertificateType.UNKNOWN
+    }
+}

decoder/src/main/java/dgca/verifier/app/decoder/services/X509.kt

@@ -0,0 +1,61 @@
+package dgca.verifier.app.decoder.services
+
+import dgca.verifier.app.decoder.model.CertificateType
+import java.io.ByteArrayInputStream
+import java.security.cert.*
+
+
+class X509 {
+    private val OID_TEST = "1.3.6.1.4.1.1847.2021.1.1"
+    private val OID_ALT_TEST = "1.3.6.1.4.1.0.1847.2021.1.1"
+    private val OID_VACCINATION = "1.3.6.1.4.1.1847.2021.1.2"
+    private val OID_ALT_VACCINATION = "1.3.6.1.4.1.0.1847.2021.1.2"
+    private val OID_RECOVERY = "1.3.6.1.4.1.1847.2021.1.3"
+    private val OID_ALT_RECOVERY = "1.3.6.1.4.1.0.1847.2021.1.3"
+
+    fun checkIsSuitable(cert: String?, certType: CertificateType?): Boolean {
+        val b64: ByteArray = org.bouncycastle.util.encoders.Base64.decode(cert)
+        return isSuitable(b64, certType)
+    }
+
+    fun isSuitable(data: ByteArray?, certificateType: CertificateType?): Boolean {
+        try {
+            val cf: CertificateFactory = CertificateFactory.getInstance("X.509")
+            val cert: Certificate = cf.generateCertificate(ByteArrayInputStream(data))
+            if (isType(cert as X509Certificate)) {
+                val extendedKeys = cert.extendedKeyUsage
+                return when (certificateType) {
+                    CertificateType.TEST -> extendedKeys.contains(OID_TEST) || extendedKeys.contains(
+                        OID_ALT_TEST
+                    )
+                    CertificateType.VACCINATION -> extendedKeys.contains(OID_VACCINATION) || extendedKeys.contains(
+                        OID_ALT_VACCINATION
+                    )
+                    CertificateType.RECOVERY -> extendedKeys.contains(OID_RECOVERY) || extendedKeys.contains(
+                        OID_ALT_RECOVERY
+                    )
+                    CertificateType.UNKNOWN -> false
+                    else -> false
+                }
+            }
+        } catch (e: CertificateException) {
+            return false
+        }
+        return true
+    }
+
+    private fun isType(certificate: X509Certificate): Boolean {
+        return try {
+            val extendedKeyUsage: List<String> = certificate.extendedKeyUsage ?: return false
+
+            extendedKeyUsage.contains(OID_TEST)
+                    || extendedKeyUsage.contains(OID_ALT_TEST)
+                    || extendedKeyUsage.contains(OID_RECOVERY)
+                    || extendedKeyUsage.contains(OID_ALT_RECOVERY)
+                    || extendedKeyUsage.contains(OID_VACCINATION)
+                    || extendedKeyUsage.contains(OID_ALT_VACCINATION)
+        } catch (e: CertificateParsingException) {
+            false
+        }
+    }
+}

decoder/src/test/java/dgca/verifier/app/decoder/CertificateTestRunner.kt

@@ -17,6 +17,7 @@ import dgca.verifier.app.decoder.prefixvalidation.DefaultPrefixValidationService
 import dgca.verifier.app.decoder.prefixvalidation.PrefixValidationService
 import dgca.verifier.app.decoder.schema.DefaultSchemaValidator
 import dgca.verifier.app.decoder.schema.SchemaValidator
+import dgca.verifier.app.decoder.services.X509
 import org.hamcrest.CoreMatchers.equalTo
 import org.hamcrest.CoreMatchers.notNullValue
 import org.hamcrest.CoreMatchers.nullValue
@@ -45,7 +46,7 @@ class CertificateTestRunner {
         prefixValidationService = DefaultPrefixValidationService()
         base45Service = DefaultBase45Service()
         compressorService = DefaultCompressorService()
-        cryptoService = VerificationCryptoService()
+        cryptoService = VerificationCryptoService(X509())
         coseService = DefaultCoseService()
         schemaValidator = DefaultSchemaValidator()
         cborService = DefaultCborService()