From 6b1f506b618e0acbae133bd73524baff560a348f Mon Sep 17 00:00:00 2001
From: Liam Dennehy
Date: Mon, 9 Sep 2019 10:10:39 +0200
Subject: [PATCH 1/4] Bad Operators: DE & EL
---
 BAD-OPERATORS.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/BAD-OPERATORS.md b/BAD-OPERATORS.md
index 55ee919..2001cf0 100644
--- a/BAD-OPERATORS.md
+++ b/BAD-OPERATORS.md
@@ -19,6 +19,13 @@ services...
 ```
 - DE: Changes their MimeType namespace from ``ns3:MimeType`` to ``ns4:MimeType``
+- DE: Changed signature type to new algorithm not supported by most popular PHP XMLSig library:
+
+```
+
+```
+
+- EL: LOTL name `EL: EETT` doesn't match TL name `EL: Hellenic Telecommunications and Post Commission, EETT`
 - HU: Network unreachable
From aefaa3a765c0e317a17a724f1a8e8e8b6205e573 Mon Sep 17 00:00:00 2001
From: Liam Dennehy
Date: Mon, 9 Sep 2019 11:36:49 +0200
Subject: [PATCH 2/4] TrustedList: Emit self-name for SchemeOperator TL addition
---
 src/TrustedList.php | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/TrustedList.php b/src/TrustedList.php
index d81c07a..22e4f8c 100644
--- a/src/TrustedList.php
+++ b/src/TrustedList.php
@@ -158,7 +158,9 @@ public static function newTLFromXML($tslXml, $tslPointer)
 */
 public function verifyTSL($certificates = null)
 {
- if (! is_array($certificates)) {
+ if (empty($certificates)) {
+ $certificates = [];
+ } elseif (! is_array($certificates)) {
 $certificates = [$certificates];
 };
 $xmlSig = new XMLSig($this->xml, $certificates, $this->getName());
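Review bot: The new `empty($certificates)` branch turns a missing or null argument into an empty list and passes that to `XMLSig`, so a caller that supplies no trust anchors now gets a signature check against no configured certificates instead of an error; `empty()` also treats `0` and `'0'` as absent. If verifying with only key material taken from the document is now intended, make that explicit rather than implicit: either `if ($certificates === null) { throw new CertificateException('No trust anchor certificates supplied', 1); }` or a sentence in the docblock above (it ends on the ` */` context line) stating that an empty set means the signer certificate is taken from the XML and is accepted only if its thumbprint matches what XMLSig was given — which, with nothing given, should always fail; confirm that it does. The `};` after the closing brace on the context line is an empty statement and can be dropped. The rest of verifyTSL continues past the hunk.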
@@ -413,8 +415,9 @@ public function addTrustedListXML($title, $xml)
 if (! array_key_exists($title, $this->tslPointers['xml'])) {
 throw new TrustedListException("No pointer for Trusted List '".$title."'", 1);
 }
+ $stlPointer = $this->tslPointers['xml'][$title];
 $certificates = [];
- foreach ($this->tslPointers['xml'][$title]->getServiceDigitalIdentities() as $tslDI) {
+ foreach ($stlPointer->getServiceDigitalIdentities() as $tslDI) {
 foreach ($tslDI->getX509Certificates() as $certificate) {
 $certificates[] = $certificate;
 }
@@ -426,6 +429,16 @@ public function addTrustedListXML($title, $xml)
 throw $e;
 }
 $this->trustedLists[$trustedList->getName()] = $trustedList;
+
+ // ARGH!!!!
+ // if ($trustedList->getName() != $title) {
+ // throw new TrustedListException(
+ // "Provided SchemeOperatorName '".
+ // $title.
+ // "' does not match TL SchemeOperatorName '".
+ // $trustedList->getName()."'", 1);
+ // }
+ return $trustedList->getName();
 }
 public function getTrustedListPointer($schemeTerritory)
From 518d9b38f41c428f1033380c40aab0df25c3bc5d Mon Sep 17 00:00:00 2001
From: Liam Dennehy
Date: Mon, 9 Sep 2019 11:37:19 +0200
Subject: [PATCH 3/4] XMLSig: Move to untrusted XML-supplied keys and external key material
---
 src/Signature/XMLSig.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/Signature/XMLSig.php b/src/Signature/XMLSig.php
index 64f8091..93cbd71 100644
--- a/src/Signature/XMLSig.php
+++ b/src/Signature/XMLSig.php
@@ -28,8 +28,11 @@ class XMLSig
 */
 public function __construct($xml, $certificates, $docName = '')
 {
- $this->doc = new DOMDocument();
- $this->doc->loadXML($xml);
+ // if (empty($certificates)) {
+ // throw new CertificateException(
+ // "No certificates supplied for XML Signature Validation", 1
+ // );
+ // } elseif (! is_array($certificates)) {
 if (! is_array($certificates)) {
 $certificates = [$certificates];
 }
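Review bot: `$stlPointer` on the added line looks like a transposition of `$tslPointer`: the file otherwise spells it `tslPointers`, `$tslDI` and, in newTLFromXML, `$tslPointer`, so the new name will trip searches and reads as a different concept. Rename on both added lines: `$tslPointer = $this->tslPointers['xml'][$title];` and `foreach ($tslPointer->getServiceDigitalIdentities() as $tslDI) {`. addTrustedListXML begins before this hunk.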
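Review bot: The `// ARGH!!!!` block is commented-out logic left in place of a decision; since the commit message says a differing SchemeOperatorName is now accepted, delete the block and record the reason instead, e.g. `// The TL's own SchemeOperatorName may differ from the LOTL pointer title (see BAD-OPERATORS.md, EL); callers must use the returned name.` Because the entry is keyed by the name the TL asserts about itself (`$this->trustedLists[$trustedList->getName()]`, context line), a second TL reporting an already-used name silently replaces the first; unless reloading is expected, `if (isset($this->trustedLists[$trustedList->getName()])) { throw new TrustedListException("Duplicate SchemeOperatorName '".$trustedList->getName()."'", 1); }` before the assignment makes that visible. The added `return` also turns a void method into one returning a string, which the method docblock, outside the hunk, should document.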
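Review bot: Commenting out the empty-certificates guard leaves the constructor's contract undefined: an empty `$certificates` now passes through silently and a reader cannot tell whether that is deliberate. If the series intends to accept documents whose only key material is embedded in the XML, remove the dead `CertificateException` block and say so in the constructor docblock, whose closing `*/` is the hunk's first context line, including what the verifier then compares the document's certificate against; if not, restore the throw. Either way a commented-out branch should not stand in for the decision.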
@@ -49,6 +52,8 @@ public function __construct($xml, $certificates, $docName = '')
 $this->certificates[] = $signingCertificate;
 };
 };
+ $this->doc = new DOMDocument();
+ $this->doc->loadXML($xml);
 $this->docName = $docName;
 }
@@ -81,7 +86,6 @@ public function verifySignature()
 );
 }
 $key = $secDsig->locateKey();
- // var_dump($key); exit;
 if ($key === null) {
 throw new SignatureException(
 'Could not find signing key in signature block',
@@ -89,6 +93,8 @@ public function verifySignature()
 );
 }
 $keyInfo = XMLSecEnc::staticLocateKeyInfo($key, $dsig);
+ // TODO: Only use supplied key/certificate instead of parsing XMLSig
+ // TODO: Function to extract certificate to self-validate XML
 // Unknown Purpose...
 // if (!$keyInfo->key) {
 // $key->loadKey($certificate);
@@ -97,6 +103,7 @@ public function verifySignature()
 $signedBy = Certificate\X509Certificate::emit(
 $key->getX509Certificate()
 );
+ $validThumbs = [];
 if ($signedBy) {
 $foundThumb = openssl_x509_fingerprint($signedBy, 'sha256');
 $validThumbs = $this->getX509Thumbprints('sha256');
From 69461ab0ea38fc87ddbad59bd1a37e5169ad795d Mon Sep 17 00:00:00 2001
From: Liam Dennehy
Date: Mon, 9 Sep 2019 11:38:02 +0200
Subject: [PATCH 4/4] LOTLRootTest: Handle different SchemeOperatorName on TL and LOTL
---
 tests/LOTLRootTest.php | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/tests/LOTLRootTest.php b/tests/LOTLRootTest.php
index 7e357e4..01db18e 100644
--- a/tests/LOTLRootTest.php
+++ b/tests/LOTLRootTest.php
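Review bot: The relocated `$this->doc->loadXML($xml);` still discards its result; `DOMDocument::loadXML()` returns `false` on malformed input, after which `$this->doc` holds no document and `verifySignature()` fails later with a less specific message. Check it where the parse happens, e.g. `if ($this->doc->loadXML($xml) === false) { throw new SignatureException('Could not parse XML document', 1); }`; calling `libxml_use_internal_errors(true)` beforehand keeps the libxml warnings out of the output. The constructor's earlier part, including the certificate loop, is outside this hunk.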
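Review bot: The two TODOs announce a different trust model but leave the current one undocumented, and `verifySignature()` is where a reader will look for it. Instead of TODOs, a docblock on verifySignature (its start is outside the hunk) should state what the code does today: the key is located from the document's own signature via `locateKey()` and `staticLocateKeyInfo()`, and the certificate it carries is only trusted if its SHA-256 thumbprint matches one of the certificates given to the constructor — the comparison itself is below the hunk, so confirm the wording against it. The `// Unknown Purpose...` block right after is dead code and should go or be explained.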
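Review bot: Initialising `$validThumbs = []` before `if ($signedBy)` means that when no signer certificate can be extracted the code falls through to whatever compares `$foundThumb` and `$validThumbs` further down (outside the hunk), where an empty list presumably ends in a generic mismatch rather than naming the real problem. Unless a later branch handles a falsy `$signedBy`, report it here: `if (! $signedBy) { throw new SignatureException('Could not extract signing certificate from signature', 1); }`, after which the initialisation is unnecessary. Note `$foundThumb` is also only set inside the `if`, so the same fall-through affects it.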
@@ -63,12 +63,12 @@ public function testParseLOTL()
 }
 }
- public function testVerifyLOTLSelfSignedFails()
- {
- $lotl = new TrustedList($this->lotlXML);
- $this->expectException(CertificateException::class);
- $lotl->verifyTSL();
- }
+ // public function testVerifyLOTLSelfSignedFails()
+ // {
+ // $lotl = new TrustedList($this->lotlXML);
+ // $this->expectException(CertificateException::class);
+ // $lotl->verifyTSL();
+ // }
 public function testVerifyLOTLExplicitSigned()
 {
@@ -178,13 +178,15 @@ public function testAddTLstoLOTL()
 file_put_contents($localFile, $pointedTLs[$title]['xml']);
 }
 try {
- $lotl->addTrustedListXML($title, $pointedTLs[$title]['xml']);
- // TODO: Figure out why EL is not added
- // $this->assertEquals(
- // [$title, true],
- // [$title, array_key_exists($title, $lotl->getTrustedLists())]
- // );
- $verifiedTLs[] = $title;
+ $schemeOperatorName =
+ $lotl->addTrustedListXML($title, $pointedTLs[$title]['xml']);
+ // It seems that some ScheOperatorNames can differ between
+ // LOTL and country TL
+ $verifiedTLs[] = $schemeOperatorName;
+ $this->assertEquals(
+ [$verifiedTLs],
+ [array_keys($lotl->getTrustedLists())]
+ );
 } catch (SignatureException $e) {
 $unVerifiedTLs[] = $title;
 }
@@ -195,7 +197,7 @@ public function testAddTLstoLOTL()
 // throw new \Exception(json_encode($e->getOut()), 1);
 // }
 $this->assertEquals(
- ['DE: Federal Network Agency'], // Bad player, obscure algorithm
+ [], // Bad player, obscure algorithm
 $unVerifiedTLs
 );
 }
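Review bot: Commenting out testVerifyLOTLSelfSignedFails removes the only visible regression check that verifying a LOTL with no external certificates is rejected, which is precisely the behaviour the TrustedList and XMLSig patches in this series relax. If that rejection is no longer the contract, delete the test and replace it with one asserting the new expected outcome of `verifyTSL()` with no argument; if it still is, the test should stay and the code should make it pass. A commented-out test body guards nothing.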
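Review bot: The new assertion wraps both sides in an extra array, `[$verifiedTLs]` against `[array_keys(...)]`, which adds a level to every failure diff without asserting anything more; `$this->assertSame($verifiedTLs, array_keys($lotl->getTrustedLists()));` is equivalent and also checks order and types. The comment has a typo, `ScheOperatorNames` → `SchemeOperatorNames`, and the deleted `TODO: Figure out why EL is not added` has an answer in this series' BAD-OPERATORS.md entry, worth stating in its place: `// A TL's SchemeOperatorName may differ from its LOTL pointer title (EL does), so track the name the TL reports`. testAddTLstoLOTL starts before this hunk.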
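Review bot: The expected value is now `[]` but the trailing `// Bad player, obscure algorithm` still describes the removed `'DE: Federal Network Agency'` entry, so the comment is stale. The first patch in this series also records DE's signature algorithm as unsupported by the XMLSig library, which makes an empty unverified list surprising unless DE now verifies; state the reason in the comment or drop it. Note that only `SignatureException` is caught in the loop above, so a TL failing for any other reason errors the test instead of landing in `$unVerifiedTLs`.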