<TRANSIENT> NFC-46 Proposed changes during code review

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

src/main/java/eu/webeid/security/challenge/ChallengeNonceStore.java

@@ -22,8 +22,8 @@
 
 package eu.webeid.security.challenge;
 
-import eu.webeid.security.exceptions.ChallengeNonceExpiredException;
 import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.exceptions.ChallengeNonceExpiredException;
 import eu.webeid.security.exceptions.ChallengeNonceNotFoundException;
 
 import static eu.webeid.security.util.DateAndTime.utcNow;

src/main/java/eu/webeid/security/validator/AuthTokenValidationConfiguration.java

@@ -79,11 +79,11 @@ void setSiteOrigin(URI siteOrigin) {
         this.siteOrigin = siteOrigin;
     }
 
-    URI getSiteOrigin() {
+    public URI getSiteOrigin() {
         return siteOrigin;
     }
 
-    Collection<X509Certificate> getTrustedCACertificates() {
+    public Collection<X509Certificate> getTrustedCACertificates() {
         return trustedCACertificates;
     }
 
@@ -152,7 +152,7 @@ void validate() {
         requirePositiveDuration(maxOcspResponseThisUpdateAge, "Max OCSP response thisUpdate age");
     }
 
-    AuthTokenValidationConfiguration copy() {
+    public AuthTokenValidationConfiguration copy() {
         return new AuthTokenValidationConfiguration(this);
     }
 

src/main/java/eu/webeid/security/validator/AuthTokenValidator.java

@@ -22,26 +22,19 @@
 
 package eu.webeid.security.validator;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.ObjectReader;
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.certificate.CertificateData;
 import eu.webeid.security.exceptions.AuthTokenException;
-import eu.webeid.security.exceptions.AuthTokenParseException;
 import eu.webeid.security.util.Strings;
 
-import java.io.IOException;
 import java.security.cert.X509Certificate;
 
 /**
  * Parses and validates the provided Web eID authentication token.
  */
 public interface AuthTokenValidator {
-    String CURRENT_TOKEN_FORMAT_VERSION = "web-eid:1.1";
-    int TOKEN_MIN_LENGTH = 100;
-    int TOKEN_MAX_LENGTH = 10000;
 
-    ObjectReader TOKEN_READER = new ObjectMapper().readerFor(WebEidAuthToken.class);
+    String CURRENT_TOKEN_FORMAT_VERSION = "web-eid:1";
 
     /**
      * Parses the Web eID authentication token signed by the subject.
@@ -50,24 +43,7 @@ public interface AuthTokenValidator {
      * @return the Web eID authentication token
      * @throws AuthTokenException when parsing fails
      */
-    default WebEidAuthToken parse(String authToken) throws AuthTokenException {
-        try {
-            if (authToken == null || authToken.length() < TOKEN_MIN_LENGTH) {
-                throw new AuthTokenParseException("Auth token is null or too short");
-            }
-            if (authToken.length() > TOKEN_MAX_LENGTH) {
-                throw new AuthTokenParseException("Auth token is too long");
-            }
-
-            WebEidAuthToken token = TOKEN_READER.readValue(authToken);
-            if (token == null) {
-                throw new AuthTokenParseException("Web eID authentication token is null");
-            }
-            return token;
-        } catch (IOException e) {
-            throw new AuthTokenParseException("Error parsing Web eID authentication token", e);
-        }
-    }
+    WebEidAuthToken parse(String authToken) throws AuthTokenException;
 
     /**
      * Validates the Web eID authentication token signed by the subject and returns

src/main/java/eu/webeid/security/validator/AuthTokenValidatorManager.java

@@ -22,13 +22,18 @@
 
 package eu.webeid.security.validator;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectReader;
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.exceptions.AuthTokenParseException;
 import eu.webeid.security.exceptions.JceException;
 import eu.webeid.security.validator.ocsp.OcspClient;
+import eu.webeid.security.validator.versionvalidators.AuthTokenVersionValidatorFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.IOException;
 import java.security.cert.X509Certificate;
 
 /**
@@ -37,27 +42,66 @@
 final class AuthTokenValidatorManager implements AuthTokenValidator {
 
     private static final Logger LOG = LoggerFactory.getLogger(AuthTokenValidatorManager.class);
-    private final AuthTokenValidatorFactory tokenValidatorFactory;
+
+    private final AuthTokenVersionValidatorFactory tokenValidatorFactory;
+
+    // Use human-readable meaningful names for token limits.
+    private final int TOKEN_MIN_LENGTH = 100;
+    private final int TOKEN_MAX_LENGTH = 10000;
+
+    private final ObjectReader TOKEN_READER = new ObjectMapper().readerFor(WebEidAuthToken.class);
 
     AuthTokenValidatorManager(AuthTokenValidationConfiguration configuration, OcspClient ocspClient)
         throws JceException {
-        this.tokenValidatorFactory = AuthTokenValidatorFactory.create(configuration, ocspClient);
+        this.tokenValidatorFactory = AuthTokenVersionValidatorFactory.create(configuration, ocspClient);
     }
 
     @Override
     public WebEidAuthToken parse(String authToken) throws AuthTokenException {
-        return AuthTokenValidator.super.parse(authToken);
+        try {
+            LOG.info("Starting token parsing");
+            validateTokenLength(authToken);
+            return parseToken(authToken);
+        } catch (Exception e) {
+            // Generally "log and rethrow" is an antipattern, but it fits with the surrounding logging style.
+            LOG.warn("Token parsing was interrupted:", e);
+            throw e;
+        }
     }
 
     @Override
     public X509Certificate validate(WebEidAuthToken authToken, String currentChallengeNonce) throws AuthTokenException {
         try {
             LOG.info("Starting token validation");
-            return tokenValidatorFactory.getValidatorFor(authToken.getFormat()).validate(authToken, currentChallengeNonce);
+            return tokenValidatorFactory
+                .getValidatorFor(authToken.getFormat())
+                .validate(authToken, currentChallengeNonce);
         } catch (Exception e) {
-            // Generally "log and rethrow" is an anti-pattern, but it fits with the surrounding logging style.
+            // Generally "log and rethrow" is an antipattern, but it fits with the surrounding logging style.
             LOG.warn("Token validation was interrupted:", e);
             throw e;
         }
     }
+
+    private void validateTokenLength(String authToken) throws AuthTokenParseException {
+        if (authToken == null || authToken.length() < TOKEN_MIN_LENGTH) {
+            throw new AuthTokenParseException("Auth token is null or too short");
+        }
+        if (authToken.length() > TOKEN_MAX_LENGTH) {
+            throw new AuthTokenParseException("Auth token is too long");
+        }
+    }
+
+    private WebEidAuthToken parseToken(String authToken) throws AuthTokenParseException {
+        try {
+            final WebEidAuthToken token = TOKEN_READER.readValue(authToken);
+            if (token == null) {
+                throw new AuthTokenParseException("Web eID authentication token is null");
+            }
+            return token;
+        } catch (IOException e) {
+            throw new AuthTokenParseException("Error parsing Web eID authentication token", e);
+        }
+    }
+
 }

src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificatePolicyValidator.java

@@ -23,13 +23,13 @@
 package eu.webeid.security.validator.certvalidators;
 
 import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.exceptions.UserCertificateDisallowedPolicyException;
+import eu.webeid.security.exceptions.UserCertificateParseException;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.x509.CertificatePolicies;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.PolicyInformation;
 import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
-import eu.webeid.security.exceptions.UserCertificateDisallowedPolicyException;
-import eu.webeid.security.exceptions.UserCertificateParseException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 

src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificatePurposeValidator.java

@@ -22,12 +22,12 @@
 
 package eu.webeid.security.validator.certvalidators;
 
-import eu.webeid.security.exceptions.UserCertificateWrongPurposeException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.exceptions.UserCertificateMissingPurposeException;
 import eu.webeid.security.exceptions.UserCertificateParseException;
+import eu.webeid.security.exceptions.UserCertificateWrongPurposeException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;

src/main/java/eu/webeid/security/validator/ocsp/service/DesignatedOcspService.java

@@ -22,10 +22,10 @@
 
 package eu.webeid.security.validator.ocsp.service;
 
+import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.exceptions.OCSPCertificateException;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import eu.webeid.security.exceptions.OCSPCertificateException;
-import eu.webeid.security.exceptions.AuthTokenException;
 
 import java.net.URI;
 import java.security.cert.CertificateEncodingException;

src/main/java/eu/webeid/security/validator/ocsp/service/DesignatedOcspServiceConfiguration.java

@@ -22,10 +22,10 @@
 
 package eu.webeid.security.validator.ocsp.service;
 
+import eu.webeid.security.exceptions.OCSPCertificateException;
 import eu.webeid.security.validator.ocsp.OcspResponseValidator;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
-import eu.webeid.security.exceptions.OCSPCertificateException;
 
 import java.net.URI;
 import java.security.cert.CertificateEncodingException;

src/main/java/eu/webeid/security/validator/ocsp/service/OcspService.java

@@ -22,8 +22,8 @@
 
 package eu.webeid.security.validator.ocsp.service;
 
-import org.bouncycastle.cert.X509CertificateHolder;
 import eu.webeid.security.exceptions.AuthTokenException;
+import org.bouncycastle.cert.X509CertificateHolder;
 
 import java.net.URI;
 import java.util.Date;

…ity/validator/AuthTokenV11Validator.java …idators/AuthTokenVersion11Validator.javasrc/main/java/eu/webeid/security/validator/AuthTokenV11Validator.java renamed to src/main/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion11Validator.java src/main/java/eu/webeid/security/validator/AuthTokenV11Validator.java renamed to src/main/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion11Validator.java

@@ -20,14 +20,16 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator;
+package eu.webeid.security.validator.versionvalidators;
 
 import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.certificate.CertificateLoader;
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.exceptions.AuthTokenParseException;
 import eu.webeid.security.exceptions.CertificateDecodingException;
+import eu.webeid.security.validator.AuthTokenSignatureValidator;
+import eu.webeid.security.validator.AuthTokenValidationConfiguration;
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
@@ -49,7 +51,7 @@
 
 import static eu.webeid.security.util.Strings.isNullOrEmpty;
 
-class AuthTokenV11Validator extends AuthTokenV1Validator implements AuthTokenVersionValidator {
+class AuthTokenVersion11Validator extends AuthTokenVersion1Validator implements AuthTokenVersionValidator {
 
     private static final String V11_SUPPORTED_TOKEN_FORMAT_PREFIX = "web-eid:1.1";
     private static final Set<String> SUPPORTED_SIGNING_CRYPTO_ALGORITHMS = Set.of("ECC", "RSA");
@@ -60,7 +62,7 @@ class AuthTokenV11Validator extends AuthTokenV1Validator implements AuthTokenVer
     );
     private static final int KEY_USAGE_NON_REPUDIATION = 1;
 
-    public AuthTokenV11Validator(
+    public AuthTokenVersion11Validator(
         SubjectCertificateValidatorBatch simpleSubjectCertificateValidators,
         Set<TrustAnchor> trustedCACertificateAnchors,
         CertStore trustedCACertificateCertStore,
@@ -80,11 +82,6 @@ public AuthTokenV11Validator(
         );
     }
 
-    @Override
-    public boolean supports(String format) {
-        return format != null && format.startsWith(getSupportedFormatPrefix());
-    }
-
     @Override
     protected String getSupportedFormatPrefix() {
         return V11_SUPPORTED_TOKEN_FORMAT_PREFIX;