feat: add ESTEID-SK 2015 old Mobile-ID policies to disallowed policies

mrts · mrts · commit 535a023ba817 · 2021-03-10T20:23:48.000+02:00
Signed-off-by: Mart Somermaa &lt;mrts@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -289,7 +289,7 @@ The following additional configuration options are available in `AuthTokenValida
 - `withoutUserCertificateRevocationCheckWithOcsp()` – turns off user certificate revocation check with OCSP. The OCSP URL is extracted from the user certificate AIA extension. OCSP check is enabled by default.
 - `withOcspRequestTimeout(Duration ocspRequestTimeout)` – sets both the connection and response timeout of user certificate revocation check OCSP requests. Default is 5 seconds.
 - `withAllowedClientClockSkew(Duration allowedClockSkew)` – sets the tolerated clock skew of the client computer when verifying the token expiration. Default value is 3 minutes.
-- `withDisallowedCertificatePolicies(ASN1ObjectIdentifier... policies)` – adds the given policies to the list of disallowed user certificate policies. In order for the user certificate to be considered valid, it must not contain any policies present in this list. Contains the Estonian Mobile-ID policy by default as it must not be possible to authenticate with a Mobile-ID certificate when an eID smart card is expected.
+- `withDisallowedCertificatePolicies(ASN1ObjectIdentifier... policies)` – adds the given policies to the list of disallowed user certificate policies. In order for the user certificate to be considered valid, it must not contain any policies present in this list. Contains the Estonian Mobile-ID policies by default as it must not be possible to authenticate with a Mobile-ID certificate when an eID smart card is expected.
 - `withNonceDisabledOcspUrls(URI... urls)` – adds the given URLs to the list of OCSP URLs for which the nonce protocol extension will be disabled. Some OCSP services don't support the nonce extension. Contains the ESTEID-2015 OCSP URL by default.
 
 Extended configuration example:  
diff --git a/pom.xml b/pom.xml
@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>authtoken-validation</artifactId>
     <groupId>org.webeid.security</groupId>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <packaging>jar</packaging>
     <name>authtoken-validation</name>
     <description>Web eID authentication token validation library for Java</description>
diff --git a/src/main/java/org/webeid/security/util/SubjectCertificatePolicies.java b/src/main/java/org/webeid/security/util/SubjectCertificatePolicies.java
@@ -4,7 +4,16 @@
 
 public final class SubjectCertificatePolicies {
 
-    public static final ASN1ObjectIdentifier EST_MOBILE_ID_POLICY = new ASN1ObjectIdentifier("1.3.6.1.4.1.10015.1.3");
+    private static final String ESTEID_SK_2015_MOBILE_ID_POLICY_PREFIX = "1.3.6.1.4.1.10015.1.3";
+
+    public static final ASN1ObjectIdentifier ESTEID_SK_2015_MOBILE_ID_POLICY =
+        new ASN1ObjectIdentifier(ESTEID_SK_2015_MOBILE_ID_POLICY_PREFIX);
+    public static final ASN1ObjectIdentifier ESTEID_SK_2015_MOBILE_ID_POLICY_V1 =
+        new ASN1ObjectIdentifier(ESTEID_SK_2015_MOBILE_ID_POLICY_PREFIX + ".1");
+    public static final ASN1ObjectIdentifier ESTEID_SK_2015_MOBILE_ID_POLICY_V2 =
+        new ASN1ObjectIdentifier(ESTEID_SK_2015_MOBILE_ID_POLICY_PREFIX + ".2");
+    public static final ASN1ObjectIdentifier ESTEID_SK_2015_MOBILE_ID_POLICY_V3 =
+        new ASN1ObjectIdentifier(ESTEID_SK_2015_MOBILE_ID_POLICY_PREFIX + ".3");
 
     private SubjectCertificatePolicies() {
         throw new IllegalStateException("Constants class");
diff --git a/src/main/java/org/webeid/security/validator/AuthTokenValidationConfiguration.java b/src/main/java/org/webeid/security/validator/AuthTokenValidationConfiguration.java
@@ -37,7 +37,7 @@
 
 import static org.webeid.security.nonce.NonceGeneratorBuilder.requirePositiveDuration;
 import static org.webeid.security.util.OcspUrls.ESTEID_2015;
-import static org.webeid.security.util.SubjectCertificatePolicies.EST_MOBILE_ID_POLICY;
+import static org.webeid.security.util.SubjectCertificatePolicies.*;
 
 /**
  * Stores configuration parameters for {@link AuthTokenValidatorImpl}.
@@ -53,7 +53,12 @@ final class AuthTokenValidationConfiguration {
     private boolean isSiteCertificateFingerprintValidationEnabled = false;
     private String siteCertificateSha256Fingerprint;
     // Don't allow Estonian Mobile-ID policy by default.
-    private Collection<ASN1ObjectIdentifier> disallowedSubjectCertificatePolicies = Sets.newHashSet(EST_MOBILE_ID_POLICY);
+    private Collection<ASN1ObjectIdentifier> disallowedSubjectCertificatePolicies = Sets.newHashSet(
+        ESTEID_SK_2015_MOBILE_ID_POLICY_V1,
+        ESTEID_SK_2015_MOBILE_ID_POLICY_V2,
+        ESTEID_SK_2015_MOBILE_ID_POLICY_V3,
+        ESTEID_SK_2015_MOBILE_ID_POLICY
+    );
     // Disable OCSP nonce extension for EstEID 2015 cards by default.
     private Collection<URI> nonceDisabledOcspUrls = Sets.newHashSet(ESTEID_2015);
 
diff --git a/src/test/java/org/webeid/security/testutil/Tokens.java b/src/test/java/org/webeid/security/testutil/Tokens.java
@@ -96,7 +96,8 @@ public final class Tokens {
     //-----------------------------------------------------------------------------------------------------------------
 
     public static final String X5C_WRONG_POLICY_CERTIFICATE = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsIng1YyI6WyJNSUlFQVRDQ0EyT2dBd0lCQWdJUU9Xa0JXWE5ESm0xYnlGZDNYc1drdmpBS0JnZ3Foa2pPUFFRREJEQmdNUXN3Q1FZRFZRUUdFd0pGUlRFYk1Ca0dBMVVFQ2d3U1Uwc2dTVVFnVTI5c2RYUnBiMjV6SUVGVE1SY3dGUVlEVlFSaERBNU9WRkpGUlMweE1EYzBOekF4TXpFYk1Ca0dBMVVFQXd3U1ZFVlRWQ0J2WmlCRlUxUkZTVVF5TURFNE1CNFhEVEU0TVRBeE9EQTVOVEEwTjFvWERUSXpNVEF4TnpJeE5UazFPVm93ZnpFTE1Ba0dBMVVFQmhNQ1JVVXhLakFvQmdOVkJBTU1JVXJEbFVWUFVrY3NTa0ZCU3kxTFVrbFRWRXBCVGl3ek9EQXdNVEE0TlRjeE9ERVFNQTRHQTFVRUJBd0hTc09WUlU5U1J6RVdNQlFHQTFVRUtnd05Ta0ZCU3kxTFVrbFRWRXBCVGpFYU1CZ0dBMVVFQlJNUlVFNVBSVVV0TXpnd01ERXdPRFUzTVRnd2RqQVFCZ2NxaGtqT1BRSUJCZ1VyZ1FRQUlnTmlBQVI1azFsWHp2U2VJOU8vMXMxcFp2amhFVzhuSXRKb0cwRUJGeG1MRVk2UzdraTF2RjJRM1RFRHg2ZE56dEkxWHR4OTZjczhyNHpZVHdkaVFvRGc3azNkaVV1UjluVFdHeFFFTU8xRkRvNFk5ZkFtaVBHV1QrK0d1T1ZvWlFZM1h4aWpnZ0hCTUlJQnZUQUpCZ05WSFJNRUFqQUFNQTRHQTFVZER3RUIvd1FFQXdJRGlEQkZCZ05WSFNBRVBqQThNREFHQ1NzR0FRUUJ6aDhCQXpBak1DRUdDQ3NHQVFVRkJ3SUJGaFZvZEhSd2N6b3ZMM2QzZHk1emF5NWxaUzlEVUZNd0NBWUdCQUNQZWdFQ01COEdBMVVkRVFRWU1CYUJGRE00TURBeE1EZzFOekU0UUdWbGMzUnBMbVZsTUIwR0ExVWREZ1FXQkJUa0xMMDBDUkFWVERFcG9jbVYrVzRtMkNibXdEQmhCZ2dyQmdFRkJRY0JBd1JWTUZNd1VRWUdCQUNPUmdFRk1FY3dSUlkvYUhSMGNITTZMeTl6YXk1bFpTOWxiaTl5WlhCdmMybDBiM0o1TDJOdmJtUnBkR2x2Ym5NdFptOXlMWFZ6WlMxdlppMWpaWEowYVdacFkyRjBaWE12RXdKRlRqQWdCZ05WSFNVQkFmOEVGakFVQmdnckJnRUZCUWNEQWdZSUt3WUJCUVVIQXdRd0h3WURWUjBqQkJnd0ZvQVV3SVNaS2NST256c0NOUGFaNFFwV0FBZ3BQbnN3Y3dZSUt3WUJCUVVIQVFFRVp6QmxNQ3dHQ0NzR0FRVUZCekFCaGlCb2RIUndPaTh2WVdsaExtUmxiVzh1YzJzdVpXVXZaWE4wWldsa01qQXhPREExQmdnckJnRUZCUWN3QW9ZcGFIUjBjRG92TDJNdWMyc3VaV1V2VkdWemRGOXZabDlGVTFSRlNVUXlNREU0TG1SbGNpNWpjblF3Q2dZSUtvWkl6ajBFQXdRRGdZc0FNSUdIQWtJQjlWTEpqSGJTMmJZdWRSYXRrRWVNRkpBTUtiSjRiQVZkaDBLbEZ4V0FTZXhGNXl3cEdsNDNXU3BCNlFBWHpORUJNZTFGSVdpT0l1ZDQ0aWV4TldPMWpnQUNRUTErTSt0YVo0aHlXcVNOVzVEQ0lpVVA3WXU0V3ZIM1NVakVxUUhiT1FzaHlNaDVFTTFwVmN2T24vWmdPeEx0NkVUdjlhdm5oVk13MnpUZDFiOHU0RUZrIl19.eyJhdWQiOlsiaHR0cHM6Ly9yaWEuZWUiLCJ1cm46Y2VydDpzaGEtMjU2OjZmMGRmMjQ0ZTRhODU2Yjk0YjNiM2I0NzU4MmEwYTUxYTMyZDY3NGRiYzcxMDcyMTFlZDIzZDRiZWM2ZDljNzIiXSwiZXhwIjoiMTU4Njg3MTE2OSIsImlhdCI6IjE1ODY4NzA4NjkiLCJpc3MiOiJ3ZWItZWlkIGFwcCB2MC45LjAtMS1nZTZlODlmYSIsIm5vbmNlIjoiMTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2NzgiLCJzdWIiOiJKXHUwMGQ1RU9SRyxKQUFLLUtSSVNUSkFOLDM4MDAxMDg1NzE4In0";
-    public static final String X5C_MOBILE_ID_CERTIFICATE = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsIng1YyI6WyJNSUlGbURDQ0E0Q2dBd0lCQWdJUU13Y3k4WWdndjJsZlRUS0xRT2hOWVRBTkJna3Foa2lHOXcwQkFRc0ZBREJqTVFzd0NRWURWUVFHRXdKRlJURWlNQ0FHQTFVRUNnd1pRVk1nVTJWeWRHbG1hWFJ6WldWeWFXMXBjMnRsYzJ0MWN6RVhNQlVHQTFVRVlRd09UbFJTUlVVdE1UQTNORGN3TVRNeEZ6QVZCZ05WQkFNTURrVlRWRVZKUkMxVFN5QXlNREUxTUI0WERUSXdNRGd6TVRFM01qVXpNVm9YRFRJMU1EZ3pNVEl3TlRrMU9Wb3djVEVMTUFrR0ExVUVCaE1DUlVVeEl6QWhCZ05WQkFNTUdrdkRsVlpGVWxOQlVpeE5RVlJKTERNNE16QTVNVFF3TkRJd01SSXdFQVlEVlFRRURBbEx3NVZXUlZKVFFWSXhEVEFMQmdOVkJDb01CRTFCVkVreEdqQVlCZ05WQkFVVEVWQk9UMFZGTFRNNE16QTVNVFF3TkRJd01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRUpjZ0lqWkVFSXlJTUdWbGkxeHA4OFlsUzhQbldCQ2NYZEJpQlRETmlWVC80T2xUVHRlQkJJZVBuMnZLV09nVU5ET1d5RnNCUVJQeTkzUGlnMnRoQXpxT0NBZ013Z2dIL01Ba0dBMVVkRXdRQ01BQXdEZ1lEVlIwUEFRSC9CQVFEQWdPSU1ISUdBMVVkSUFSck1Ha3dYUVlKS3dZQkJBSE9Id0VETUZBd0x3WUlLd1lCQlFVSEFnRVdJMmgwZEhCek9pOHZkM2QzTG5OckxtVmxMM0psY0c5emFYUnZiM0pwZFcwdlExQlRNQjBHQ0NzR0FRVUZCd0lDTUJFYUQwTnZiblJ5WVdOMElERXVNVEV0T1RBSUJnWUVBSTk2QVFJd0lRWURWUjBSQkJvd0dJRVdiV0YwYVM1cmIzWmxjbk5oY2tCbFpYTjBhUzVsWlRBZEJnTlZIUTRFRmdRVWFOVzZuMjlhTVJiVUxQdEl5dm1ScTUwZzhnOHdId1lEVlIwakJCZ3dGb0FVczZ1SXZKblZZcVNGS2dqTnRCMXlPNE55UjFFd2FnWUlLd1lCQlFVSEFRRUVYakJjTUNjR0NDc0dBUVVGQnpBQmhodG9kSFJ3T2k4dllXbGhMbk5yTG1WbEwyVnpkR1ZwWkRJd01UVXdNUVlJS3dZQkJRVUhNQUtHSldoMGRIQTZMeTlqTG5OckxtVmxMMFZUVkVWSlJDMVRTMTh5TURFMUxtUmxjaTVqY25Rd1lRWUlLd1lCQlFVSEFRTUVWVEJUTUZFR0JnUUFqa1lCQlRCSE1FVVdQMmgwZEhCek9pOHZjMnN1WldVdlpXNHZjbVZ3YjNOcGRHOXllUzlqYjI1a2FYUnBiMjV6TFdadmNpMTFjMlV0YjJZdFkyVnlkR2xtYVdOaGRHVnpMeE1DUlU0d1BBWURWUjBmQkRVd016QXhvQytnTFlZcmFIUjBjRG92TDNkM2R5NXpheTVsWlM5amNteHpMMlZ6ZEdWcFpDOWxjM1JsYVdReU1ERTFMbU55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQUZ2WW1tYWVOdmg2dmFraXprdjZIdlhZWFhEdlRJVkE3WjNXc1hOOVpmZnZxaXFNNndnOWlJQmlXalVFNXFLaDBzVmE2cWx4VEhKOTBrZWx0Z1dzTGtQYnlDZUp2c2w3bnBJKy8zTnZIandSODNkSHptaThWMjF6TEFWd2czbkdwYmtsZzJ1VFBBYWdRZlJ3YTkxRDMrU1B1LzJVbzZhL3Z3SlZUYU1aUCtQRUhFa0NtTnV3UEFFQ2dubmlOZ2N3bENLMG1oTks5dXJEV2V3c0RjWnFSSWk2MVF5UXpIZGU5bDBJVWxUY0k4blB6SW1hNWY4MzF4VlhHcWk5OFdRWnBxZkhzZFBMMTR3d0FQNVVqc3p2RGUzRE92eDBlQVJob1NybThNTGozWTlvTjgyb00wWEJJYzZ1UncwS05wOGx1bkhNSUFMMmIzMFVMSmtYTUxMZEEvRks0S1MyTXZsdCtkTzN4K3RxS1VHWDR3cnhQdE5tV3Z2TEZLZlBwempMS0RsL0pBNmZCY0QyTEhjS1NETUs4Smdjb2tsM3R6STh6RzBSS3kzeURDcEErYzNDUDdwSURMQmIwZnBOempVQXRUUzcybWdBelJiRk5YY3ROMDV1ZWtZbVRoVTJaNzFNdlVDdzBKaXhONkc3RG1pT2UzY3A5a0EwMWYwUkJsTTc2ZjJ4NlltWjdYQ2RJMEpOUW04U3B5Y3RWWC8yU2JlZDBrYmpwT1YwNUNGRXRXV1lsQk8zb0hmN1NmMGpxWXJzM1NOOTk5TUhIQ2c0d2RzV1VKaUd1SUx5TUppK2dRcGhJRC9QZ2pEVzlxeExkMGtxSzFjQkxLeWJ3Z0JTY2R0NUtaanJUS1lXT1NUd3ZoNUZoRktWVndzQ01lT2gvK29qS1doWDZ1S2h3TU9RPSJdfQ.eyJhdWQiOlsiaHR0cHM6Ly9yaWEuZWUiLCJ1cm46Y2VydDpzaGEtMjU2OjZmMGRmMjQ0ZTRhODU2Yjk0YjNiM2I0NzU4MmEwYTUxYTMyZDY3NGRiYzcxMDcyMTFlZDIzZDRiZWM2ZDljNzIiXSwiZXhwIjoiMTU4Njg3MTE2OSIsImlhdCI6IjE1ODY4NzA4NjkiLCJpc3MiOiJ3ZWItZWlkIGFwcCB2MC45LjAtMS1nZTZlODlmYSIsIm5vbmNlIjoiMTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2NzgiLCJzdWIiOiJKXHUwMGQ1RU9SRyxKQUFLLUtSSVNUSkFOLDM4MDAxMDg1NzE4In0";
+    public static final String X5C_OLD_MOBILE_ID_CERTIFICATE = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsIng1YyI6WyJNSUlFL1RDQ0F1V2dBd0lCQWdJUUtiQ04rMDV2ZnAxWE9YVnU2SE1YUlRBTkJna3Foa2lHOXcwQkFRc0ZBREJqTVFzd0NRWURWUVFHRXdKRlJURWlNQ0FHQTFVRUNnd1pRVk1nVTJWeWRHbG1hWFJ6WldWeWFXMXBjMnRsYzJ0MWN6RVhNQlVHQTFVRVlRd09UbFJTUlVVdE1UQTNORGN3TVRNeEZ6QVZCZ05WQkFNTURrVlRWRVZKUkMxVFN5QXlNREUxTUI0WERURTJNRFV4TmpBM01qTXlObG9YRFRJeE1EVXhOakl3TlRrMU9Wb3dnWnN4Q3pBSkJnTlZCQVlUQWtWRk1Sc3dHUVlEVlFRS0RCSkZVMVJGU1VRZ0tFMVBRa2xKVEMxSlJDa3hGekFWQmdOVkJBc01EbUYxZEdobGJuUnBZMkYwYVc5dU1TQXdIZ1lEVlFRRERCZExRVk5UTEVGU1ZGVlNTU3d6TmpBeE1qTTBOVFkzT0RFTk1Bc0dBMVVFQkF3RVMwRlRVekVQTUEwR0ExVUVLZ3dHUVZKVVZWSkpNUlF3RWdZRFZRUUZFd3N6TmpBeE1qTTBOVFkzT0RCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkJNc3RweUdMY0FFWGtjdHdGOFRreVBVbDFJaXpRYjZuQnZmRUlhYXlNbU56WkZSQ05MWmZWNno0QVhKTjU4TWpzNGQ0UlhzQVJVMXZqQnNpOHlKTWFDamdnRTlNSUlCT1RBSkJnTlZIUk1FQWpBQU1BNEdBMVVkRHdFQi93UUVBd0lFc0RCYkJnTlZIU0FFVkRCU01GQUdDaXNHQVFRQnpoOEJBd013UWpBZEJnZ3JCZ0VGQlFjQ0FqQVJEQTlEYjI1MGNtRmpkQ0F4TGpFeExUa3dJUVlJS3dZQkJRVUhBZ0VXRldoMGRIQnpPaTh2ZDNkM0xuTnJMbVZsTDJOd2N6QWZCZ05WSFJFRUdEQVdnUlJvWldscmEya3VhMmwwZEVCbFpYTjBhUzVsWlRBZEJnTlZIUTRFRmdRVWtOUi9yOW03N285R3NwMDRKRklCcUVBVFZHUXdJQVlEVlIwbEFRSC9CQll3RkFZSUt3WUJCUVVIQXdJR0NDc0dBUVVGQndNRU1COEdBMVVkSXdRWU1CYUFGTE9yaUx5WjFXS2toU29JemJRZGNqdURja2RSTUR3R0ExVWRId1ExTURNd01hQXZvQzJHSzJoMGRIQTZMeTkzZDNjdWMyc3VaV1V2WTNKc2N5OWxjM1JsYVdRdlpYTjBaV2xrTWpBeE5TNWpjbXd3RFFZSktvWklodmNOQVFFTEJRQURnZ0lCQUVKQ0NNUjZJUS9YbmNqeWo5anRsRm0xVUJ1ZjRnNzFHZlNRTXRMMWczWnhMQmM3N2FLd0JCdFR1T1RtUERVZFk1K3hBNWREZmo2bkZSZFpad1dlZHBzOVRtNVQ5OEcreTA0NzdUQ2ZQMjlVbG5wUTU1RXRkWEdkZ3plRE1sQ3BtUnBzdTJZY2VhamRwUW5jcDZBOHRKc0craFc3MzNPNlcyZHFyUVYyZTdEbm9mbTIwS1ZISGxVYSttYStwR3ZhSERZWEhnWUFEMW81OFJvK0pIeTdCdzNqbzRMZytqL0N1QnpUazRUNkQwNVlibnZ2NTgvUEJyUGpBU3dLVmhqTk52SFl3Z0RtZUd6UUtvY21EV1VTUmpUaVdBeFA5UFl4d3VpUDJlcG95cHl2OVZQSkVlM2R5M0VXZ1kraVBmTU4yQnVGZG1adEtTSGRXU2VxQ0sranJvNGt6aldyR1lZK0pieFNZbWZGM0dXV0FqNXNxLysvUzJTZ2lGV0dIZHZ0cjFrVnI3RGFMRG16OE4vUXlyTmpWVno0Yllremo5T1BNN29mSnMxUURFLzJ5R0NrcEo2Mjh6QjFBVHBFanRWc2l0NWh0aTBkM2sxY0lCVGJ0aVV1U3JPR0hUeXh3UmVudklaL01ja3ZMRm1US1o2bTI1NUFTanR3cVRmMlorSm8xM0FkcjV6aFJ2UXZZK3FHZlpiL0U0S2hWU3JjVUk4T2dUWHprUEdJZG02dFlFVEtxbWRnZXZHMTZub1B4em16ZjZESnNqbmJyT3d1RWhSeWtVelNSV08raDBwQTdsdmpMTjhTS2JDbi91V0FSTjFYc2JhckEweUFuVzQ4NEdzdThwc09hR3BaK1Z6TTd6NS95di9CWTJhVFBQMGhJZUkwY3FSdGtvN1pzNnZIIl19.eyJhdWQiOlsiaHR0cHM6Ly9yaWEuZWUiLCJ1cm46Y2VydDpzaGEtMjU2OjZmMGRmMjQ0ZTRhODU2Yjk0YjNiM2I0NzU4MmEwYTUxYTMyZDY3NGRiYzcxMDcyMTFlZDIzZDRiZWM2ZDljNzIiXSwiZXhwIjoiMTYxNDk3MzQ4NCIsImlhdCI6IjE2MTQ5NzIyODQiLCJpc3MiOiJ3ZWItZWlkIGFwcCB2MC45LjAtMS1nZTZlODlmYSIsIm5vbmNlIjoiMTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2NzgiLCJzdWIiOiJKXHUwMGQ1RU9SRyxKQUFLLUtSSVNUSkFOLDM4MDAxMDg1NzE4In0.rQg4biWXPK08r6myHmneOMIZZD5wPVIrBMWralmhUwNuzZFnBH1RDvNj7S3rKNHR2EZX1e2_4nBTnQsKCPIh0CkYAE_4u0q9J2lzb0riYIv9FFjwCDX-P8QHrB-QUBUx";
+    public static final String X5C_NEW_MOBILE_ID_CERTIFICATE = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsIng1YyI6WyJNSUlGbURDQ0E0Q2dBd0lCQWdJUU13Y3k4WWdndjJsZlRUS0xRT2hOWVRBTkJna3Foa2lHOXcwQkFRc0ZBREJqTVFzd0NRWURWUVFHRXdKRlJURWlNQ0FHQTFVRUNnd1pRVk1nVTJWeWRHbG1hWFJ6WldWeWFXMXBjMnRsYzJ0MWN6RVhNQlVHQTFVRVlRd09UbFJTUlVVdE1UQTNORGN3TVRNeEZ6QVZCZ05WQkFNTURrVlRWRVZKUkMxVFN5QXlNREUxTUI0WERUSXdNRGd6TVRFM01qVXpNVm9YRFRJMU1EZ3pNVEl3TlRrMU9Wb3djVEVMTUFrR0ExVUVCaE1DUlVVeEl6QWhCZ05WQkFNTUdrdkRsVlpGVWxOQlVpeE5RVlJKTERNNE16QTVNVFF3TkRJd01SSXdFQVlEVlFRRURBbEx3NVZXUlZKVFFWSXhEVEFMQmdOVkJDb01CRTFCVkVreEdqQVlCZ05WQkFVVEVWQk9UMFZGTFRNNE16QTVNVFF3TkRJd01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRUpjZ0lqWkVFSXlJTUdWbGkxeHA4OFlsUzhQbldCQ2NYZEJpQlRETmlWVC80T2xUVHRlQkJJZVBuMnZLV09nVU5ET1d5RnNCUVJQeTkzUGlnMnRoQXpxT0NBZ013Z2dIL01Ba0dBMVVkRXdRQ01BQXdEZ1lEVlIwUEFRSC9CQVFEQWdPSU1ISUdBMVVkSUFSck1Ha3dYUVlKS3dZQkJBSE9Id0VETUZBd0x3WUlLd1lCQlFVSEFnRVdJMmgwZEhCek9pOHZkM2QzTG5OckxtVmxMM0psY0c5emFYUnZiM0pwZFcwdlExQlRNQjBHQ0NzR0FRVUZCd0lDTUJFYUQwTnZiblJ5WVdOMElERXVNVEV0T1RBSUJnWUVBSTk2QVFJd0lRWURWUjBSQkJvd0dJRVdiV0YwYVM1cmIzWmxjbk5oY2tCbFpYTjBhUzVsWlRBZEJnTlZIUTRFRmdRVWFOVzZuMjlhTVJiVUxQdEl5dm1ScTUwZzhnOHdId1lEVlIwakJCZ3dGb0FVczZ1SXZKblZZcVNGS2dqTnRCMXlPNE55UjFFd2FnWUlLd1lCQlFVSEFRRUVYakJjTUNjR0NDc0dBUVVGQnpBQmhodG9kSFJ3T2k4dllXbGhMbk5yTG1WbEwyVnpkR1ZwWkRJd01UVXdNUVlJS3dZQkJRVUhNQUtHSldoMGRIQTZMeTlqTG5OckxtVmxMMFZUVkVWSlJDMVRTMTh5TURFMUxtUmxjaTVqY25Rd1lRWUlLd1lCQlFVSEFRTUVWVEJUTUZFR0JnUUFqa1lCQlRCSE1FVVdQMmgwZEhCek9pOHZjMnN1WldVdlpXNHZjbVZ3YjNOcGRHOXllUzlqYjI1a2FYUnBiMjV6TFdadmNpMTFjMlV0YjJZdFkyVnlkR2xtYVdOaGRHVnpMeE1DUlU0d1BBWURWUjBmQkRVd016QXhvQytnTFlZcmFIUjBjRG92TDNkM2R5NXpheTVsWlM5amNteHpMMlZ6ZEdWcFpDOWxjM1JsYVdReU1ERTFMbU55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQUZ2WW1tYWVOdmg2dmFraXprdjZIdlhZWFhEdlRJVkE3WjNXc1hOOVpmZnZxaXFNNndnOWlJQmlXalVFNXFLaDBzVmE2cWx4VEhKOTBrZWx0Z1dzTGtQYnlDZUp2c2w3bnBJKy8zTnZIandSODNkSHptaThWMjF6TEFWd2czbkdwYmtsZzJ1VFBBYWdRZlJ3YTkxRDMrU1B1LzJVbzZhL3Z3SlZUYU1aUCtQRUhFa0NtTnV3UEFFQ2dubmlOZ2N3bENLMG1oTks5dXJEV2V3c0RjWnFSSWk2MVF5UXpIZGU5bDBJVWxUY0k4blB6SW1hNWY4MzF4VlhHcWk5OFdRWnBxZkhzZFBMMTR3d0FQNVVqc3p2RGUzRE92eDBlQVJob1NybThNTGozWTlvTjgyb00wWEJJYzZ1UncwS05wOGx1bkhNSUFMMmIzMFVMSmtYTUxMZEEvRks0S1MyTXZsdCtkTzN4K3RxS1VHWDR3cnhQdE5tV3Z2TEZLZlBwempMS0RsL0pBNmZCY0QyTEhjS1NETUs4Smdjb2tsM3R6STh6RzBSS3kzeURDcEErYzNDUDdwSURMQmIwZnBOempVQXRUUzcybWdBelJiRk5YY3ROMDV1ZWtZbVRoVTJaNzFNdlVDdzBKaXhONkc3RG1pT2UzY3A5a0EwMWYwUkJsTTc2ZjJ4NlltWjdYQ2RJMEpOUW04U3B5Y3RWWC8yU2JlZDBrYmpwT1YwNUNGRXRXV1lsQk8zb0hmN1NmMGpxWXJzM1NOOTk5TUhIQ2c0d2RzV1VKaUd1SUx5TUppK2dRcGhJRC9QZ2pEVzlxeExkMGtxSzFjQkxLeWJ3Z0JTY2R0NUtaanJUS1lXT1NUd3ZoNUZoRktWVndzQ01lT2gvK29qS1doWDZ1S2h3TU9RPSJdfQ.eyJhdWQiOlsiaHR0cHM6Ly9yaWEuZWUiLCJ1cm46Y2VydDpzaGEtMjU2OjZmMGRmMjQ0ZTRhODU2Yjk0YjNiM2I0NzU4MmEwYTUxYTMyZDY3NGRiYzcxMDcyMTFlZDIzZDRiZWM2ZDljNzIiXSwiZXhwIjoiMTU4Njg3MTE2OSIsImlhdCI6IjE1ODY4NzA4NjkiLCJpc3MiOiJ3ZWItZWlkIGFwcCB2MC45LjAtMS1nZTZlODlmYSIsIm5vbmNlIjoiMTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2NzgiLCJzdWIiOiJKXHUwMGQ1RU9SRyxKQUFLLUtSSVNUSkFOLDM4MDAxMDg1NzE4In0";
 
     //-----------------------------------------------------------------------------------------------------------------
 
diff --git a/src/test/java/org/webeid/security/validator/X5cTest.java b/src/test/java/org/webeid/security/validator/X5cTest.java
@@ -105,8 +105,15 @@ void testX5cWrongPolicyCertificate() {
     }
 
     @Test
-    void testMobileIDCertificate() {
-        assertThatThrownBy(() -> validator.validate(Tokens.X5C_MOBILE_ID_CERTIFICATE))
+    void testOldMobileIDCertificate() {
+        assertThatThrownBy(() -> validator.validate(Tokens.X5C_OLD_MOBILE_ID_CERTIFICATE))
+            .isInstanceOf(UserCertificateDisallowedPolicyException.class);
+    }
+
+    @Test
+    void testNewMobileIDCertificate() {
+        assertThatThrownBy(() -> validator.validate(Tokens.X5C_NEW_MOBILE_ID_CERTIFICATE))
             .isInstanceOf(UserCertificateMissingPurposeException.class);
     }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -105,8 +105,15 @@ void testX5cWrongPolicyCertificate() {`
`105`	`105`	`}`
`106`	`106`
`107`	`107`	`@Test`
`108`		`- void testMobileIDCertificate() {`
`109`		`- assertThatThrownBy(() -> validator.validate(Tokens.X5C_MOBILE_ID_CERTIFICATE))`
	`108`	`+ void testOldMobileIDCertificate() {`
	`109`	`+ assertThatThrownBy(() -> validator.validate(Tokens.X5C_OLD_MOBILE_ID_CERTIFICATE))`
	`110`	`+ .isInstanceOf(UserCertificateDisallowedPolicyException.class);`
	`111`	`+ }`
	`112`	`+`
	`113`	`+ @Test`
	`114`	`+ void testNewMobileIDCertificate() {`
	`115`	`+ assertThatThrownBy(() -> validator.validate(Tokens.X5C_NEW_MOBILE_ID_CERTIFICATE))`
`110`	`116`	`.isInstanceOf(UserCertificateMissingPurposeException.class);`
`111`	`117`	`}`
	`118`	`+`
`112`	`119`	`}`