Merge pull request #679 from JoeShook/develop

New .NET 9.0 package version.  Dropping .NET 6.0 and 7.0

.github/workflows/codeql.yml

@@ -44,9 +44,8 @@ jobs:
       uses: actions/setup-dotnet@v3
       with:
         dotnet-version: |
-          6.0.x
-          7.0.x
           8.0.x
+          9.0.x
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v2

.github/workflows/develop.yml

@@ -17,9 +17,8 @@ jobs:
     - uses: actions/setup-dotnet@v3
       with:
         dotnet-version: |
-          6.0.x
-          7.0.x  
           8.0.x
+          9.0.x
         source-url: ${{ env.REPOSITORY_URL }}
       env:
         NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/dotnet.yml

@@ -22,9 +22,8 @@ jobs:
       uses: actions/setup-dotnet@v3
       with:
         dotnet-version: |
-          6.0.x
-          7.0.x
           8.0.x
+          9.0.x
     - name: Generate PKI
       run: dotnet test -c Release _tests/Udap.PKI.Generator/Udap.PKI.Generator.csproj
     - name: Build

.github/workflows/prerelease.yml

@@ -15,9 +15,8 @@ jobs:
     - uses: actions/setup-dotnet@v3
       with:
         dotnet-version: |
-          6.0.x
-          7.0.x   
           8.0.x
+          9.0.x
       env:
         NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
     - name: Set VERSION variable from tag

.github/workflows/release.yml

@@ -15,9 +15,8 @@ jobs:
     - uses: actions/setup-dotnet@v3
       with:
         dotnet-version: |
-          6.0.x
-          7.0.x  
           8.0.x
+          9.0.x
       env:
         NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
     - name: Set VERSION variable from tag

Directory.Packages.props

@@ -7,17 +7,17 @@
     <PackageVersion Include="Duende.IdentityServer.Storage" Version="7.0.8" />
     <PackageVersion Include="Google.Apis.Auth" Version="1.68.0" />
     <PackageVersion Include="Hl7.Fhir.Base" Version="5.10.3" />
-    <PackageVersion Include="Hl7.Fhir.R4B" Version="5.10.3" />
+    <PackageVersion Include="Hl7.Fhir.R4B" Version="5.11.1" />
     <PackageVersion Include="LazyCache" Version="2.4.0" />
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="[6.0.32,8.0.10]" />
     <PackageVersion Include="AspNetCoreRateLimit" Version="5.0.0" />
-    <PackageVersion Include="Hl7.Fhir.Specification.R4B" Version="5.10.3" />
-    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.10" />
-    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="8.0.10" />
-    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="8.0.10" />
-    <PackageVersion Include="Microsoft.Extensions.Configuration.Binder" Version="8.0.2" />
-    <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.1" />
-    <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.2" />
+    <PackageVersion Include="Hl7.Fhir.Specification.R4B" Version="5.11.1" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="[8.0.10,9.0.0]" />
+    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="[8.0.10,9.0.0]" />
+    <PackageVersion Include="Microsoft.Extensions.Configuration.Binder" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="9.0.0" />
     <PackageVersion Include="MSTest.TestAdapter" Version="3.1.1" />
     <PackageVersion Include="MSTest.TestFramework" Version="3.1.1" />
     <PackageVersion Include="IdentityModel" Version="7.0.0" />
@@ -28,28 +28,27 @@
     <PackageVersion Include="Duende.IdentityServer.EntityFramework.Storage" Version="7.0.8" />
     <PackageVersion Include="IdentityModel.AspNetCore.OAuth2Introspection" Version="6.2.0" />
     <PackageVersion Include="Microsoft.AspNetCore.Mvc" Version="2.2.0" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore" Version="8.0.10" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="[7.0.13,8.0.1]" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="[7.0.13,8.0.0]" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="9.0.0" />
     <PackageVersion Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite" Version="[7.0.14,8.0.1]" />
-    <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="[6.0.0,7.0.0]" />
-    <PackageVersion Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Configuration.Abstractions" Version="[6.0.0,7.0.1]" />
-    <PackageVersion Include="Microsoft.Extensions.Options" Version="8.0.2" />
-    <PackageVersion Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.2.0" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Configuration" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Configuration.Abstractions" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Options" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.3.0" />
     <PackageVersion Include="OpenTelemetry" Version="1.9.0" />
     <PackageVersion Include="OpenTelemetry.Exporter.Console" Version="1.9.0" />
     <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.9.0" />
     <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.9.0" />
     <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.9.0" />
     <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.9.0" />
     <PackageVersion Include="OpenTelemetry.Instrumentation.SqlClient" Version="1.0.0-rc9.14" />
-    <PackageVersion Include="Serilog.AspNetCore" Version="[6.1.0,7.0.0]" />
-    <PackageVersion Include="Serilog.Extensions.Logging" Version="[3.1.0,7.0.0]" />
+
     <PackageVersion Include="Portable.BouncyCastle" Version="1.9.0" />
-    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.2.0" />
+    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.3.0" />
     <PackageVersion Include="Udap.Metadata.Server" Version="0.3.24" />
     <PackageVersion Include="Yarp.ReverseProxy" Version="2.1.0" />
   </ItemGroup>

Udap.CdsHooks.Endpoint/Udap.CdsHooks.Endpoint.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net8.0</TargetFramework>
+    <TargetFrameworks>net8.0;net9.0</TargetFrameworks>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <RepositoryType>git</RepositoryType>
@@ -20,14 +20,15 @@
   <ItemGroup>
     <FrameworkReference Include="Microsoft.AspNetCore.App" />
 
+    <PackageReference Include="Hl7.Fhir.Specification.R4B" />
     <PackageReference Include="Microsoft.Extensions.Configuration" />
     <PackageReference Include="Microsoft.Extensions.Configuration.Binder" />
     <PackageReference Include="Microsoft.Extensions.Hosting.Abstractions" />
     <PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" />
   </ItemGroup>
 
   <ItemGroup>
-    <None Include="docs/README.md" Pack="true" PackagePath="\"/>
+    <None Include="docs/README.md" Pack="true" PackagePath="\" />
     <None Include="../artwork/UDAP_Ecosystem_Gears 48X48.jpg" Pack="true" PackagePath="\" />
   </ItemGroup>
 

Udap.CdsHooks.Model/Udap.CdsHooks.Model.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFrameworks>net6.0;net7.0;net8.0</TargetFrameworks>
+    <TargetFrameworks>net8.0;net9.0</TargetFrameworks>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <RepositoryType>git</RepositoryType>

Udap.Client/Udap.Client.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFrameworks>net6.0;net7.0;net8.0</TargetFrameworks>
+    <TargetFrameworks>net8.0;net9.0</TargetFrameworks>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <LangVersion>latest</LangVersion>

Udap.Common/Certificates/TrustChainValidator.cs

@@ -69,10 +69,7 @@ private static X509ChainStatusFlags BuildDefaultProblemFlags()
                    X509ChainStatusFlags.InvalidBasicConstraints |
                    X509ChainStatusFlags.CtlNotTimeValid |
                    X509ChainStatusFlags.OfflineRevocation |
-                   X509ChainStatusFlags.CtlNotSignatureValid |
-                   X509ChainStatusFlags.RevocationStatusUnknown | // can't trust the chain to check revocation.
-                   X509ChainStatusFlags.PartialChain |
-                   X509ChainStatusFlags.UntrustedRoot;
+                   X509ChainStatusFlags.CtlNotSignatureValid;
         }
 
         /// <summary>
@@ -81,7 +78,11 @@ private static X509ChainStatusFlags BuildDefaultProblemFlags()
         public TrustChainValidator(ILogger<TrustChainValidator> logger)
             : this(new X509ChainPolicy(), BuildDefaultProblemFlags(), logger)
         {
-            _validationPolicy.VerificationFlags = X509VerificationFlags.IgnoreWrongUsage;
+            _validationPolicy.VerificationFlags = X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown |
+                                                  X509VerificationFlags.IgnoreEndRevocationUnknown |
+                                                  X509VerificationFlags.AllowUnknownCertificateAuthority |
+                                                  X509VerificationFlags.IgnoreWrongUsage;
+
             _validationPolicy.RevocationFlag = DefaultX509RevocationFlag;
             _validationPolicy.RevocationMode = DefaultX509RevocationMode;
         }
@@ -134,7 +135,7 @@ public bool IsTrustedCertificate(string clientName,
             chainElements = null;
 
             // Let's avoid complex state and/or race conditions by making copies of these collections.
-            var roots = new X509Certificate2Collection(anchorCertificates); 
+            var roots = new X509Certificate2Collection(anchorCertificates);
             X509Certificate2Collection? intermediatesCloned = null;
 
             if (intermediateCertificates != null)
@@ -144,7 +145,7 @@ public bool IsTrustedCertificate(string clientName,
 
             // ReSharper disable once RedundantAssignment
             intermediateCertificates = null;
-            
+
 
             // if there are no anchors we should always fail
             if (roots.IsNullOrEmpty())
@@ -183,7 +184,12 @@ public bool IsTrustedCertificate(string clientName,
                 {
                     chainBuilder.ChainPolicy.ExtraStore.AddRange(intermediatesCloned);
                 }
-                var result = chainBuilder.Build(certificate);
+                var passedChainBuild = chainBuilder.Build(certificate);
+
+                _logger.LogDebug(string.Join(",", chainBuilder.ChainElements
+                    .ToList().Select(cs =>
+                        $"{Environment.NewLine}{cs.Certificate.Thumbprint} :: " +
+                        $"CN = {cs.Certificate.GetNameInfo(X509NameType.SimpleName, false)}")));
 
                 // We're using the system class as a helper to build the chain
                 // However, we will review each item in the chain ourselves, because we have our own rules...
@@ -203,13 +209,6 @@ public bool IsTrustedCertificate(string clientName,
                 {
                     bool isAnchor = roots?.FindByThumbprint(chainElement.Certificate.Thumbprint) != null;
 
-                    if (this.ChainElementHasProblems(chainElement))
-                    {
-                        this.NotifyProblem(chainElement);                        
-                        this.NotifyUntrusted(chainElement.Certificate);
-                        return false;
-                    }
-
                     if (isAnchor)
                     {
                         // Found a valid anchor!
@@ -221,19 +220,28 @@ public bool IsTrustedCertificate(string clientName,
                         {
                             communityId = anchorList.First(a => a.Thumbprint == chainElement.Certificate.Thumbprint).CommunityId;
                         }
-
-                        continue;
                     }
 
-                    if (this.ChainElementHasProblems(chainElement))
+                    if (!passedChainBuild && this.ChainElementHasProblems(chainElement))
                     {
+                        // chain statuses can still be subscribed too.  There may be data to share with the consumer
+                        // that do not mean the chain is invalid.  passedChainBuild is the final arbiter of trust
+                        // for a x509Chain.
                         this.NotifyProblem(chainElement);
-                        this.NotifyUntrusted(chainElement.Certificate);
-                        return false;
+
+                        if (!passedChainBuild)
+                        {
+                            this.NotifyUntrusted(chainElement.Certificate);
+                        }
+
+                        if (passedChainBuild && foundAnchor)
+                        {
+                            return true;
+                        }
                     }
                 }
 
-                if (foundAnchor && !result)
+                if (foundAnchor && !passedChainBuild)
                 {
                     //
                     // Can end up here if problem flags exist that we do not care about.
@@ -249,7 +257,7 @@ public bool IsTrustedCertificate(string clientName,
                     this.NotifyUntrusted(certificate);
                 }
 
-                return foundAnchor;  
+                return passedChainBuild;
             }
             catch (Exception ex)
             {
@@ -258,6 +266,7 @@ public bool IsTrustedCertificate(string clientName,
             }
 
             this.NotifyUntrusted(certificate);
+
             return false;
         }
 

Udap.Common/Udap.Common.csproj

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <!-- https://docs.microsoft.com/en-us/dotnet/standard/frameworks -->
-    <TargetFrameworks>net6.0;net7.0;net8.0</TargetFrameworks>
+    <TargetFrameworks>net8.0;net9.0</TargetFrameworks>
     <LangVersion>latest</LangVersion>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>

Udap.Metadata.Server/Udap.Metadata.Server.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFrameworks>net6.0;net8.0</TargetFrameworks>
+    <TargetFrameworks>net8.0;net9.0</TargetFrameworks>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <RepositoryType>git</RepositoryType>

Udap.Model/Registration/UdapCertificationsAndEndorsementBuilder.cs

@@ -32,12 +32,14 @@ public class UdapCertificationsAndEndorsementBuilder
 
     protected UdapCertificationsAndEndorsementBuilder(string certificationName, X509Certificate2 certificate) : this(certificationName)
     {
+
+        _now = DateTime.Now;
         this.WithCertificate(certificate);
     }
 
     protected UdapCertificationsAndEndorsementBuilder(string certificationName)
     {
-        _now = DateTime.UtcNow;
+        _now = DateTime.Now;
         _document = new UdapCertificationAndEndorsementDocument(certificationName);
     }
 
@@ -81,7 +83,7 @@ public UdapCertificationsAndEndorsementBuilder WithAudience(string? audience)
     /// <returns></returns>
     public UdapCertificationsAndEndorsementBuilder WithExpiration(TimeSpan expirationOffset)
     {
-        if (expirationOffset > TimeSpan.FromDays(365 * 3)) //ignoring leap year
+        if (expirationOffset > _now.AddYears(3) - _now)
         {
             throw new ArgumentOutOfRangeException(nameof(expirationOffset), "Expiration limit to 3 years");
         }
@@ -91,7 +93,7 @@ public UdapCertificationsAndEndorsementBuilder WithExpiration(TimeSpan expiratio
             throw new Exception("Certificate required");
         }
 
-        if (_certificate.NotAfter.ToUniversalTime() < (_now + expirationOffset))
+        if (_certificate.NotAfter.ToUniversalTime() < (_now.ToUniversalTime() + expirationOffset))
         {
             throw new ArgumentOutOfRangeException(nameof(expirationOffset), "Expiration must not expire after certificate");
         }
@@ -107,7 +109,7 @@ public UdapCertificationsAndEndorsementBuilder WithExpiration(TimeSpan expiratio
     /// <returns></returns>
     public UdapCertificationsAndEndorsementBuilder WithExpiration(DateTime expiration)
     {
-        return WithExpiration(expiration.ToUniversalTime() - _now);
+        return WithExpiration(expiration - _now);
     }
 
     /// <summary>
@@ -117,7 +119,7 @@ public UdapCertificationsAndEndorsementBuilder WithExpiration(DateTime expiratio
     /// <returns></returns>
     public UdapCertificationsAndEndorsementBuilder WithExpiration(long secondsSinceEpoch)
     {
-        return WithExpiration(EpochTime.DateTime(secondsSinceEpoch));
+        return WithExpiration(EpochTime.DateTime(secondsSinceEpoch).ToLocalTime());
     }
 
     /// <summary>

Udap.Model/Udap.Model.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFrameworks>net6.0;net7.0;net8.0</TargetFrameworks>
+    <TargetFrameworks>net8.0;net9.0</TargetFrameworks>
     <LangVersion>latest</LangVersion>
     <Nullable>enable</Nullable>