@sphereon/ssi-sdk-ext.x509-utils 0.26.1-next.3 → 0.26.1-next.31

package/src/x509/x509-validator.ts

@@ -1,16 +1,14 @@
+import { AsnParser } from '@peculiar/asn1-schema'
+import { SubjectPublicKeyInfo } from '@peculiar/asn1-x509'
+import { AlgorithmProvider, X509Certificate } from '@peculiar/x509'
+// import {calculateJwkThumbprint} from "@sphereon/ssi-sdk-ext.key-utils";
+import { JWK } from '@sphereon/ssi-types'
 import x509 from 'js-x509-utils'
-import {
-  AltName,
-  AttributeTypeAndValue,
-  Certificate,
-  CertificateChainValidationEngine,
-  CryptoEngine,
-  getCrypto,
-  id_SubjectAltName,
-  setEngine,
-} from 'pkijs'
+import { AltName, AttributeTypeAndValue, Certificate, CryptoEngine, getCrypto, id_SubjectAltName, setEngine } from 'pkijs'
+import { container } from 'tsyringe'
 import * as u8a from 'uint8arrays'
-import { derToPEM, pemOrDerToX509Certificate } from './x509-utils'
+import { globalCrypto } from './crypto'
+import { areCertificatesEqual, derToPEM, pemOrDerToX509Certificate } from './x509-utils'
 
 export type DNInfo = {
   DN: string
@@ -35,8 +33,10 @@ export type X509ValidationResult = {
   error: boolean
   critical: boolean
   message: string
+  detailMessage?: string
   verificationTime: Date
   certificateChain?: Array<CertificateInfo>
+  trustAnchor?: CertificateInfo
   client?: {
     // In case client id and scheme were passed in we return them for easy access. It means they are validated
     clientId: string
@@ -45,23 +45,9 @@ export type X509ValidationResult = {
 }
 
 const defaultCryptoEngine = () => {
-  if (typeof self !== 'undefined') {
-    if ('crypto' in self) {
-      let engineName = 'webcrypto'
-      if ('webkitSubtle' in self.crypto) {
-        engineName = 'safari'
-      }
-      setEngine(engineName, new CryptoEngine({ name: engineName, crypto: crypto }))
-    }
-  } else if (typeof crypto !== 'undefined' && 'webcrypto' in crypto) {
-    const name = 'NodeJS ^15'
-    const nodeCrypto = crypto.webcrypto
-    // @ts-ignore
-    setEngine(name, new CryptoEngine({ name, crypto: nodeCrypto }))
-  } else if (typeof crypto !== 'undefined' && typeof crypto.subtle !== 'undefined') {
-    const name = 'crypto'
-    setEngine(name, new CryptoEngine({ name, crypto: crypto }))
-  }
+  const name = 'crypto'
+  setEngine(name, new CryptoEngine({ name, crypto: globalCrypto(false) }))
+  return getCrypto(true)
 }
 
 export const getCertificateInfo = async (
@@ -70,14 +56,17 @@ export const getCertificateInfo = async (
     sanTypeFilter: SubjectAlternativeGeneralName | SubjectAlternativeGeneralName[]
   }
 ): Promise<CertificateInfo> => {
-  const publicKeyJWK = await getCertificateSubjectPublicKeyJWK(certificate)
+  let publicKeyJWK: JWK | undefined
+  try {
+    publicKeyJWK = (await getCertificateSubjectPublicKeyJWK(certificate)) as JWK
+  } catch (e) {}
   return {
     issuer: { dn: getIssuerDN(certificate) },
     subject: {
       dn: getSubjectDN(certificate),
       subjectAlternativeNames: getSubjectAlternativeNames(certificate, { typeFilter: opts?.sanTypeFilter }),
     },
-    publicKeyJWK: publicKeyJWK,
+    publicKeyJWK,
     notBefore: certificate.notBefore.value,
     notAfter: certificate.notAfter.value,
     // certificate
@@ -85,6 +74,9 @@ export const getCertificateInfo = async (
 }
 
 export type X509CertificateChainValidationOpts = {
+  // If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)
+  allowNoTrustAnchorsFound?: boolean
+
   // Trust the supplied root from the chain, when no anchors are being passed in.
   trustRootWhenNoAnchors?: boolean
   // Do not perform a chain validation check if the chain only has a single value. This means only the certificate itself will be validated. No chain checks for CA certs will be performed. Only used when the cert has no issuer
@@ -93,6 +85,8 @@ export type X509CertificateChainValidationOpts = {
   // Similar to regular trust anchors, but no validation is performed whatsoever. Do not use in production settings! Can be handy with self generated certificates as we perform many validations, making it hard to test with self-signed certs. Only applied in case a chain with 1 element is passed in to really make sure people do not abuse this option
   blindlyTrustedAnchors?: string[]
 
+  disallowReversedChain?: boolean
+
   client?: {
     // If provided both are required. Validates the leaf certificate against the clientId and scheme
     clientId: string
@@ -100,21 +94,17 @@ export type X509CertificateChainValidationOpts = {
   }
 }
 
-/**
- *
- * @param pemOrDerChain The order must be that the Certs signing another cert must come one after another. So first the signing cert, then any cert signing that cert and so on
- * @param trustedPEMs
- * @param verificationTime
- * @param opts
- */
 export const validateX509CertificateChain = async ({
   chain: pemOrDerChain,
   trustAnchors,
   verificationTime = new Date(),
   opts = {
+    // If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)
+    allowNoTrustAnchorsFound: false,
     trustRootWhenNoAnchors: false,
     allowSingleNoCAChainElement: true,
     blindlyTrustedAnchors: [],
+    disallowReversedChain: false,
   },
 }: {
   chain: (Uint8Array | string)[]
@@ -122,7 +112,37 @@ export const validateX509CertificateChain = async ({
   verificationTime?: Date
   opts?: X509CertificateChainValidationOpts
 }): Promise<X509ValidationResult> => {
-  const { trustRootWhenNoAnchors = false, allowSingleNoCAChainElement = true, blindlyTrustedAnchors = [], client } = opts
+  // We allow 1 reversal. We reverse by default as the implementation expects the root ca first, whilst x5c is the opposite. Reversed becomes true if the impl reverses the chain
+  return await validateX509CertificateChainImpl({
+    reversed: false,
+    chain: [...pemOrDerChain].reverse(),
+    trustAnchors,
+    verificationTime,
+    opts,
+  })
+}
+const validateX509CertificateChainImpl = async ({
+  reversed,
+  chain: pemOrDerChain,
+  trustAnchors,
+  verificationTime: verifyAt,
+  opts,
+}: {
+  reversed: boolean
+  chain: (Uint8Array | string)[]
+  trustAnchors?: string[]
+  verificationTime: Date | string // string for REST API
+  opts: X509CertificateChainValidationOpts
+}): Promise<X509ValidationResult> => {
+  const verificationTime: Date = typeof verifyAt === 'string' ? new Date(verifyAt) : verifyAt
+  const {
+    allowNoTrustAnchorsFound = false,
+    trustRootWhenNoAnchors = false,
+    allowSingleNoCAChainElement = true,
+    blindlyTrustedAnchors = [],
+    disallowReversedChain = false,
+    client,
+  } = opts
   const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors
 
   if (pemOrDerChain.length === 0) {
@@ -133,94 +153,323 @@ export const validateX509CertificateChain = async ({
       verificationTime,
     }
   }
-
-  const certs = pemOrDerChain.map(pemOrDerToX509Certificate)
-  const trustedCerts = trustedPEMs ? trustedPEMs.map(pemOrDerToX509Certificate) : undefined
   defaultCryptoEngine()
 
-  if (pemOrDerChain.length === 1) {
-    const singleCert = typeof pemOrDerChain[0] === 'string' ? pemOrDerChain[0] : u8a.toString(pemOrDerChain[0], 'base64pad')
-    const cert = pemOrDerToX509Certificate(singleCert)
-    if (client) {
-      const validation = await validateCertificateChainMatchesClientIdScheme(cert, client.clientId, client.clientIdScheme)
-      if (validation.error) {
-        return validation
-      }
-    }
-    if (blindlyTrustedAnchors.includes(singleCert)) {
+  // x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around. Before calling this function the change has been revered
+  const chain = await Promise.all(pemOrDerChain.map((raw) => parseCertificate(raw)))
+  const x5cOrdereredChain = reversed ? [...chain] : [...chain].reverse()
+
+  const trustedCerts = trustedPEMs ? await Promise.all(trustedPEMs.map((raw) => parseCertificate(raw))) : undefined
+  const blindlyTrusted =
+    (
+      await Promise.all(
+        blindlyTrustedAnchors.map((raw) => {
+          try {
+            return parseCertificate(raw)
+          } catch (e) {
+            // @ts-ignore
+            console.log(`Failed to parse blindly trusted certificate ${raw}. Error: ${e.message}`)
+            return undefined
+          }
+        })
+      )
+    ).filter((cert): cert is ParsedCertificate => cert !== undefined) ?? []
+  const leafCert = x5cOrdereredChain[0]
+
+  const chainLength = chain.length
+  var foundTrustAnchor: ParsedCertificate | undefined = undefined
+  for (let i = 0; i < chainLength; i++) {
+    const currentCert = chain[i]
+    const previousCert = i > 0 ? chain[i - 1] : undefined
+    const blindlyTrustedCert = blindlyTrusted.find((trusted) => areCertificatesEqual(trusted.certificate, currentCert.certificate))
+    if (blindlyTrustedCert) {
       console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)
       return {
         error: false,
-        critical: true,
+        critical: false,
         message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,
+        detailMessage: `Blindly trusted certificate ${blindlyTrustedCert.certificateInfo.subject.dn.DN} was found in the chain.`,
+        trustAnchor: blindlyTrustedCert?.certificateInfo,
         verificationTime,
-        certificateChain: [await getCertificateInfo(cert)],
+        certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
         ...(client && { client }),
       }
     }
-    if (allowSingleNoCAChainElement) {
-      const subjectDN = getSubjectDN(cert).DN
-      if (!getIssuerDN(cert).DN || getIssuerDN(cert).DN === subjectDN) {
-        const passed = await cert.verify()
+    if (previousCert) {
+      if (currentCert.x509Certificate.issuer !== previousCert.x509Certificate.subject) {
+        if (!reversed && !disallowReversedChain) {
+          return await validateX509CertificateChainImpl({
+            reversed: true,
+            chain: [...pemOrDerChain].reverse(),
+            opts,
+            verificationTime,
+            trustAnchors,
+          })
+        }
         return {
-          error: !passed,
+          error: true,
           critical: true,
-          message: `Certificate chain validation for ${subjectDN}: ${passed ? 'successful' : 'failed'}.`,
+          certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
+          message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,
+          detailMessage: `The certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer}, is not signed by the previous certificate ${previousCert?.certificateInfo.subject.dn.DN} with subject string ${previousCert?.x509Certificate.subject}.`,
           verificationTime,
-          certificateChain: [await getCertificateInfo(cert)],
           ...(client && { client }),
         }
       }
     }
-  }
-
-  const validationEngine = new CertificateChainValidationEngine({
-    certs /*crls: [crl1],   ocsps: [ocsp1], */,
-    checkDate: verificationTime,
-    trustedCerts,
-  })
+    const result = await currentCert.x509Certificate.verify(
+      {
+        date: verificationTime,
+        publicKey: previousCert?.x509Certificate?.publicKey,
+      },
+      getCrypto()?.crypto ?? crypto ?? global.crypto
+    )
+    if (!result) {
+      // First cert needs to be self signed
+      if (i == 0 && !reversed && !disallowReversedChain) {
+        return await validateX509CertificateChainImpl({
+          reversed: true,
+          chain: [...pemOrDerChain].reverse(),
+          opts,
+          verificationTime,
+          trustAnchors,
+        })
+      }
 
-  try {
-    const verification = await validationEngine.verify()
-    if (!verification.result || !verification.certificatePath) {
       return {
         error: true,
         critical: true,
-        message: verification.resultMessage !== '' ? verification.resultMessage : `Certificate chain validation failed.`,
+        message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,
+        certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
+        detailMessage: `Verification of the certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${
+          currentCert.x509Certificate.issuer
+        } failed. Public key: ${JSON.stringify(currentCert.certificateInfo.publicKeyJWK)}.`,
         verificationTime,
         ...(client && { client }),
       }
     }
-    const certPath = verification.certificatePath
-    if (client) {
-      const clientIdValidation = await validateCertificateChainMatchesClientIdScheme(certs[0], client.clientId, client.clientIdScheme)
-      if (clientIdValidation.error) {
-        return clientIdValidation
+
+    foundTrustAnchor = foundTrustAnchor ?? trustedCerts?.find((trusted) => isSameCertificate(trusted.x509Certificate, currentCert.x509Certificate))
+
+    if (i === 0 && chainLength === 1 && allowSingleNoCAChainElement) {
+      return {
+        error: false,
+        critical: false,
+        message: `Certificate chain succeeded as allow single cert result is allowed: ${leafCert.certificateInfo.subject.dn.DN}.`,
+        certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
+        trustAnchor: foundTrustAnchor?.certificateInfo,
+        verificationTime,
+        ...(client && { client }),
       }
     }
-    const certInfos: Array<CertificateInfo> = await Promise.all(
-      certPath.map(async (certificate) => {
-        return getCertificateInfo(certificate)
-      })
-    )
+  }
+
+  if (foundTrustAnchor?.certificateInfo || allowNoTrustAnchorsFound) {
     return {
       error: false,
       critical: false,
       message: `Certificate chain was valid`,
-      verificationTime,
-      certificateChain: certInfos,
-      ...(client && { client }),
-    }
-  } catch (error: any) {
-    return {
-      error: true,
-      critical: true,
-      message: `Certificate chain was invalid, ${error.message ?? '<unknown error>'}`,
+      certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
+      detailMessage: foundTrustAnchor
+        ? `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} is part of a chain with trust anchor ${foundTrustAnchor?.certificateInfo.subject.dn.DN}.`
+        : `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} and chain were valid, but no trust anchor has been found. Ignoring as user allowed (allowNoTrustAnchorsFound: ${allowNoTrustAnchorsFound}).)`,
+      trustAnchor: foundTrustAnchor?.certificateInfo,
       verificationTime,
       ...(client && { client }),
     }
   }
+
+  return {
+    error: true,
+    critical: true,
+    message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,
+    certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
+    detailMessage: `No trust anchor was found in the chain. between (intermediate) CA ${
+      x5cOrdereredChain[chain.length - 1].certificateInfo.subject.dn.DN
+    } and leaf ${x5cOrdereredChain[0].certificateInfo.subject.dn.DN}.`,
+    verificationTime,
+    ...(client && { client }),
+  }
+}
+
+const isSameCertificate = (cert1: X509Certificate, cert2: X509Certificate): boolean => {
+  return cert1.rawData.toString() === cert2.rawData.toString()
+}
+
+const algorithmProvider: AlgorithmProvider = container.resolve(AlgorithmProvider)
+export const getX509AlgorithmProvider = (): AlgorithmProvider => {
+  return algorithmProvider
+}
+
+export type ParsedCertificate = {
+  publicKeyInfo: SubjectPublicKeyInfo
+  publicKeyJwk?: JWK
+  publicKeyRaw: Uint8Array
+  publicKeyAlgorithm: Algorithm
+  certificateInfo: CertificateInfo
+  certificate: Certificate
+  x509Certificate: X509Certificate
+}
+
+export const parseCertificate = async (rawCert: string | Uint8Array): Promise<ParsedCertificate> => {
+  const x509Certificate = new X509Certificate(rawCert)
+  const publicKeyInfo = AsnParser.parse(x509Certificate.publicKey.rawData, SubjectPublicKeyInfo)
+  const publicKeyRaw = new Uint8Array(publicKeyInfo.subjectPublicKey)
+  let publicKeyJwk: JWK | undefined = undefined
+  try {
+    publicKeyJwk = (await getCertificateSubjectPublicKeyJWK(new Uint8Array(x509Certificate.rawData))) as JWK
+  } catch (e: any) {
+    console.error(e.message)
+  }
+  const certificate = pemOrDerToX509Certificate(rawCert)
+  const certificateInfo = await getCertificateInfo(certificate)
+  const publicKeyAlgorithm = getX509AlgorithmProvider().toWebAlgorithm(publicKeyInfo.algorithm)
+  return {
+    publicKeyAlgorithm,
+    publicKeyInfo,
+    publicKeyJwk,
+    publicKeyRaw,
+    certificateInfo,
+    certificate,
+    x509Certificate,
+  }
 }
+/*
+
+/!**
+ *
+ * @param pemOrDerChain The order must be that the Certs signing another cert must come one after another. So first the signing cert, then any cert signing that cert and so on
+ * @param trustedPEMs
+ * @param verificationTime
+ * @param opts
+ *!/
+export const validateX509CertificateChainOrg = async ({
+                                                          chain: pemOrDerChain,
+                                                          trustAnchors,
+                                                          verificationTime = new Date(),
+                                                          opts = {
+                                                              trustRootWhenNoAnchors: false,
+                                                              allowSingleNoCAChainElement: true,
+                                                              blindlyTrustedAnchors: [],
+                                                          },
+                                                      }: {
+    chain: (Uint8Array | string)[]
+    trustAnchors?: string[]
+    verificationTime?: Date
+    opts?: X509CertificateChainValidationOpts
+}): Promise<X509ValidationResult> => {
+    const {
+        trustRootWhenNoAnchors = false,
+        allowSingleNoCAChainElement = true,
+        blindlyTrustedAnchors = [],
+        client
+    } = opts
+    const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors
+
+    if (pemOrDerChain.length === 0) {
+        return {
+            error: true,
+            critical: true,
+            message: 'Certificate chain in DER or PEM format must not be empty',
+            verificationTime,
+        }
+    }
+
+    // x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around
+    const certs = pemOrDerChain.map(pemOrDerToX509Certificate).reverse()
+    const trustedCerts = trustedPEMs ? trustedPEMs.map(pemOrDerToX509Certificate) : undefined
+    defaultCryptoEngine()
+
+    if (pemOrDerChain.length === 1) {
+        const singleCert = typeof pemOrDerChain[0] === 'string' ? pemOrDerChain[0] : u8a.toString(pemOrDerChain[0], 'base64pad')
+        const cert = pemOrDerToX509Certificate(singleCert)
+        if (client) {
+            const validation = await validateCertificateChainMatchesClientIdScheme(cert, client.clientId, client.clientIdScheme)
+            if (validation.error) {
+                return validation
+            }
+        }
+        if (blindlyTrustedAnchors.includes(singleCert)) {
+            console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)
+            return {
+                error: false,
+                critical: true,
+                message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,
+                verificationTime,
+                certificateChain: [await getCertificateInfo(cert)],
+                ...(client && {client}),
+            }
+        }
+        if (allowSingleNoCAChainElement) {
+            const subjectDN = getSubjectDN(cert).DN
+            if (!getIssuerDN(cert).DN || getIssuerDN(cert).DN === subjectDN) {
+                const passed = await cert.verify()
+                return {
+                    error: !passed,
+                    critical: true,
+                    message: `Certificate chain validation for ${subjectDN}: ${passed ? 'successful' : 'failed'}.`,
+                    verificationTime,
+                    certificateChain: [await getCertificateInfo(cert)],
+                    ...(client && {client}),
+                }
+            }
+        }
+    }
+
+    const validationEngine = new CertificateChainValidationEngine({
+        certs /!*crls: [crl1],   ocsps: [ocsp1], *!/,
+        checkDate: verificationTime,
+        trustedCerts,
+    })
+
+    try {
+        const verification = await validationEngine.verify()
+        if (!verification.result || !verification.certificatePath) {
+            return {
+                error: true,
+                critical: true,
+                message: verification.resultMessage !== '' ? verification.resultMessage : `Certificate chain validation failed.`,
+                verificationTime,
+                ...(client && {client}),
+            }
+        }
+        const certPath = verification.certificatePath
+        if (client) {
+            const clientIdValidation = await validateCertificateChainMatchesClientIdScheme(certs[0], client.clientId, client.clientIdScheme)
+            if (clientIdValidation.error) {
+                return clientIdValidation
+            }
+        }
+        let certInfos: Array<CertificateInfo> | undefined
+
+        for (const certificate of certPath) {
+            try {
+                certInfos?.push(await getCertificateInfo(certificate))
+            } catch (e: any) {
+                console.log(`Error getting certificate info ${e.message}`)
+            }
+        }
+
+
+        return {
+            error: false,
+            critical: false,
+            message: `Certificate chain was valid`,
+            verificationTime,
+            certificateChain: certInfos,
+            ...(client && {client}),
+        }
+    } catch (error: any) {
+        return {
+            error: true,
+            critical: true,
+            message: `Certificate chain was invalid, ${error.message ?? '<unknown error>'}`,
+            verificationTime,
+            ...(client && {client}),
+        }
+    }
+}
+*/
 
 const rdnmap: Record<string, string> = {
   '2.5.4.6': 'C',
@@ -264,7 +513,7 @@ const getDNString = (typesAndValues: AttributeTypeAndValue[]): string => {
     .join(',')
 }
 
-export const getCertificateSubjectPublicKeyJWK = async (pemOrDerCert: string | Uint8Array | Certificate): Promise<JsonWebKey> => {
+export const getCertificateSubjectPublicKeyJWK = async (pemOrDerCert: string | Uint8Array | Certificate): Promise<JWK> => {
   const pemOrDerStr =
     typeof pemOrDerCert === 'string'
       ? pemOrDerCert
@@ -273,14 +522,25 @@ export const getCertificateSubjectPublicKeyJWK = async (pemOrDerCert: string | U
       : pemOrDerCert.toString('base64')
   const pem = derToPEM(pemOrDerStr)
   const certificate = pemOrDerToX509Certificate(pem)
+  var jwk: JWK | undefined
   try {
     const subtle = getCrypto(true).subtle
-    const pk = await certificate.getPublicKey()
-    return await subtle.exportKey('jwk', pk)
+    const pk = await certificate.getPublicKey(undefined, defaultCryptoEngine())
+    jwk = (await subtle.exportKey('jwk', pk)) as JWK | undefined
   } catch (error: any) {
     console.log(`Error in primary get JWK from cert:`, error?.message)
   }
-  return await x509.toJwk(pem, 'pem')
+  if (!jwk) {
+    try {
+      jwk = (await x509.toJwk(pem, 'pem')) as JWK
+    } catch (error: any) {
+      console.log(`Error in secondary get JWK from cert as well:`, error?.message)
+    }
+  }
+  if (!jwk) {
+    throw Error(`Failed to get JWK from certificate ${pem}`)
+  }
+  return jwk
 }
 
 /**