Merge pull request #108 from niscy-eudiw/feature/x509-updates

x509 verification addtion and updates.

Author: dtsiflit

Sources/Entities/Trust/X509CertificateChainVerifier.swift

@@ -23,6 +23,15 @@ public enum ChainTrustResult: Equatable {
   case failure
 }
 
+enum CertificateValidationError: Error {
+  case invalidCertificateData
+  case insufficientCertificates
+  case signatureValidationFailed
+  case certificateExpired
+  case untrustedRoot
+  case invalidChain([VerificationResult.PolicyFailure])
+}
+
 public enum DataConversionError: Error {
   case conversionFailed(String)
 }
@@ -96,7 +105,7 @@ public struct X509CertificateChainVerifier {
         // Evaluate the trust
         var trustResult: SecTrustResultType = .invalid
         if SecTrustEvaluate(trust!, &trustResult) == errSecSuccess {
-          if trustResult == .proceed || trustResult == .unspecified {
+          if trustResult == .proceed || trustResult == .unspecified || trustResult == .recoverableTrustFailure {
             return true
           } else if trustResult == .deny || trustResult == .fatalTrustFailure {
             return false
@@ -173,3 +182,69 @@ private extension X509CertificateChainVerifier {
     }
   }
 }
+
+public extension X509CertificateChainVerifier {
+  
+  /// Converts a `SecCertificate` to `X509.Certificate`
+  private func convertToX509Certificate(_ secCert: SecCertificate) throws -> Certificate {
+    let derData = SecCertificateCopyData(secCert) as Data
+    return try Certificate(derEncoded: [UInt8](derData))
+  }
+  
+  func verifyChain(
+    rootBase64Certificates: [Base64Certificate],
+    intermediateBase64Certificates: [Base64Certificate] = [],
+    leafBase64Certificate: Base64Certificate,
+    date: Date = Date(),
+    showDiagnostics: Bool = false
+  ) async throws -> ChainTrustResult {
+    
+    func decodeBase64Certificates(
+      _ base64s: [Base64Certificate]
+    ) throws -> [Certificate] {
+      return try convertStringsToData(base64Strings: base64s)
+        .compactMap { SecCertificateCreateWithData(nil, $0 as CFData) }
+        .compactMap { SecCertificateContainer(certificate: $0).certificate }
+        .map { try convertToX509Certificate($0) }
+    }
+    
+    let rootX509Certs = try decodeBase64Certificates(rootBase64Certificates)
+    let intermediateX509Certs = try decodeBase64Certificates(intermediateBase64Certificates)
+    let leafX509Certs = try decodeBase64Certificates([leafBase64Certificate])
+    
+    guard let leafCert = leafX509Certs.first else {
+      throw CertificateValidationError.insufficientCertificates
+    }
+    
+    let roots = CertificateStore(rootX509Certs)
+    var verifier = Verifier(
+      rootCertificates: roots
+    ) {
+      AnyPolicy {
+        RFC5280Policy(
+          validationTime: date
+        )
+      }
+    }
+    
+    let result = await verifier.validate(
+      leafCertificate: leafCert,
+      intermediates: .init(
+        intermediateX509Certs
+      )
+    ) { diagnostic in
+      if showDiagnostics {
+        print(diagnostic.multilineDescription)
+      }
+    }
+    
+    switch result {
+    case .validCertificate:
+      return .success
+    case .couldNotValidate(let policyFailures):
+      throw CertificateValidationError.invalidChain(
+        policyFailures
+      )
+    }
+  }
+}

Sources/Entities/Trust/X509CertificateTrust.swift

@@ -17,7 +17,7 @@ import Foundation
 
 public typealias Base64Certificate = String
 
-public typealias CertificateTrust = ([Base64Certificate]) -> Bool
+public typealias CertificateTrust = ([Base64Certificate]) async -> Bool
 
 public protocol X509CertificateTrustType {
   func isTrusted(chain: [Base64Certificate]) -> Bool

Sources/Main/Validators/AccessValidator.swift

@@ -113,7 +113,7 @@ public actor AccessValidator: AccessValidating {
     switch supportedClientIdScheme {
     case .x509SanDns(let trust),
          .x509SanUri(let trust):
-      let trust = trust(chain)
+      let trust = await trust(chain)
       if !trust {
         throw ValidationError.validationError("Could not trust certificate chain")
       }