NFC-46 Move cert validation first, fix keyUsage logic, compare Authority Key Identifiers, and normalize subject DN comparison. Move trust validator batch creation into SubjectCertificateValidatorBatch. Reuse ObjectReader for WebEidAuthToken parsing

Author: SanderKondratjevNortal

src/main/java/eu/webeid/security/validator/AuthTokenV11Validator.java

@@ -8,10 +8,17 @@
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.RFC4519Style;
+import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
 
+import javax.security.auth.x500.X500Principal;
 import java.security.cert.CertStore;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.List;
 import java.util.Set;
 
@@ -27,7 +34,6 @@ class AuthTokenV11Validator extends AuthTokenV1Validator {
         "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512"
     );
     private static final int KEY_USAGE_NON_REPUDIATION = 1;
-    private static final int KEY_USAGE_DIGITAL_SIGNATURE = 0;
 
     public AuthTokenV11Validator(
         SubjectCertificateValidatorBatch simpleSubjectCertificateValidators,
@@ -56,6 +62,8 @@ public boolean supports(String format) {
 
     @Override
     public X509Certificate validate(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
+        final X509Certificate subjectCertificate = validateV1(token, currentChallengeNonce);
+
         if (token.getFormat() == null || !token.getFormat().startsWith(SUPPORTED_PREFIX)) {
             throw new AuthTokenParseException("Only token format '" + SUPPORTED_PREFIX + "' is supported by this validator");
         }
@@ -66,19 +74,23 @@ public X509Certificate validate(WebEidAuthToken token, String currentChallengeNo
 
         validateSupportedSignatureAlgorithms(token.getSupportedSignatureAlgorithms());
 
-        final X509Certificate subjectCertificate = validateV1(token, currentChallengeNonce);
         final X509Certificate signingCertificate = CertificateLoader.decodeCertificateFromBase64(token.getUnverifiedSigningCertificate());
 
-        if (!subjectCertificate.getSubjectX500Principal().equals(signingCertificate.getSubjectX500Principal())) {
+        if (!subjectAndSigningCertificateSubjectsMatch(subjectCertificate.getSubjectX500Principal(), signingCertificate.getSubjectX500Principal())) {
             throw new AuthTokenParseException("Signing certificate subject does not match authentication certificate subject");
         }
 
-        if (!subjectCertificate.getIssuerX500Principal().equals(signingCertificate.getIssuerX500Principal())) {
-            throw new AuthTokenParseException("Signing and authentication certificates are not issued by the same authority");
+        byte[] subjectCertificateAuthorityKeyIdentifier = getAuthorityKeyIdentifier(subjectCertificate);
+        byte[] signingCertificateAuthorityKeyIdentifier = getAuthorityKeyIdentifier(signingCertificate);
+
+        if (subjectCertificateAuthorityKeyIdentifier.length == 0
+            || signingCertificateAuthorityKeyIdentifier.length == 0
+            || !Arrays.equals(subjectCertificateAuthorityKeyIdentifier, signingCertificateAuthorityKeyIdentifier)) {
+            throw new AuthTokenParseException("Signing certificate is not issued by the same issuing authority as the authentication certificate");
         }
 
         boolean[] keyUsage = signingCertificate.getKeyUsage();
-        if (keyUsage == null || (keyUsage.length > KEY_USAGE_NON_REPUDIATION && !keyUsage[KEY_USAGE_NON_REPUDIATION] && !keyUsage[KEY_USAGE_DIGITAL_SIGNATURE])) {
+        if (keyUsage == null || keyUsage.length <= KEY_USAGE_NON_REPUDIATION || !keyUsage[KEY_USAGE_NON_REPUDIATION]) {
             throw new AuthTokenParseException("Signing certificate not suitable for signing");
         }
 
@@ -101,6 +113,28 @@ private static void validateSupportedSignatureAlgorithms(List<SupportedSignature
         }
     }
 
+    private static boolean subjectAndSigningCertificateSubjectsMatch(
+        X500Principal authenticationCertificateSubject,
+        X500Principal signingCertificateSubject) {
+        X500Name authName = X500Name.getInstance(RFC4519Style.INSTANCE, authenticationCertificateSubject.getEncoded());
+        X500Name signName = X500Name.getInstance(RFC4519Style.INSTANCE, signingCertificateSubject.getEncoded());
+        return authName.equals(signName);
+    }
+
+    private static byte[] getAuthorityKeyIdentifier(X509Certificate certificate) throws AuthTokenParseException {
+        try {
+            byte[] authorityKeyIdentifierExtension = certificate.getExtensionValue(Extension.authorityKeyIdentifier.getId());
+            if (authorityKeyIdentifierExtension == null) {
+                return new byte[0];
+            }
+            AuthorityKeyIdentifier authorityKeyIdentifier =
+                AuthorityKeyIdentifier.getInstance(JcaX509ExtensionUtils.parseExtensionValue(authorityKeyIdentifierExtension));
+            return authorityKeyIdentifier.getKeyIdentifier();
+        } catch (Exception e) {
+            throw new AuthTokenParseException("Failed to parse Authority Key Identifier", e);
+        }
+    }
+
     protected X509Certificate validateV1(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
         return super.validate(token, currentChallengeNonce);
     }

src/main/java/eu/webeid/security/validator/AuthTokenV1Validator.java

@@ -4,8 +4,6 @@
 import eu.webeid.security.certificate.CertificateLoader;
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.exceptions.AuthTokenParseException;
-import eu.webeid.security.validator.certvalidators.SubjectCertificateNotRevokedValidator;
-import eu.webeid.security.validator.certvalidators.SubjectCertificateTrustedValidator;
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
@@ -67,7 +65,7 @@ public X509Certificate validate(WebEidAuthToken token, String currentChallengeNo
 
         simpleSubjectCertificateValidators.executeFor(subjectCertificate);
 
-        createCertTrustValidators(
+        SubjectCertificateValidatorBatch.forTrustValidation(
             configuration,
             trustedCACertificateAnchors,
             trustedCACertificateCertStore,
@@ -86,34 +84,4 @@ public X509Certificate validate(WebEidAuthToken token, String currentChallengeNo
 
         return subjectCertificate;
     }
-
-    /**
-     * Creates the certificate trust validators batch.
-     * As SubjectCertificateTrustedValidator has mutable state that SubjectCertificateNotRevokedValidator depends on,
-     * they cannot be reused/cached in an instance variable in a multi-threaded environment. Hence, they are
-     * re-created for each validation run for thread safety.
-     *
-     * @return certificate trust validator batch
-     */
-    public static SubjectCertificateValidatorBatch createCertTrustValidators(
-        AuthTokenValidationConfiguration configuration,
-        Set<TrustAnchor> trustedCACertificateAnchors,
-        CertStore trustedCACertificateCertStore,
-        OcspClient ocspClient,
-        OcspServiceProvider ocspServiceProvider
-    ) {
-        final SubjectCertificateTrustedValidator certTrustedValidator =
-            new SubjectCertificateTrustedValidator(trustedCACertificateAnchors, trustedCACertificateCertStore);
-
-        return SubjectCertificateValidatorBatch.createFrom(
-            certTrustedValidator::validateCertificateTrusted
-        ).addOptional(configuration.isUserCertificateRevocationCheckWithOcspEnabled(),
-            new SubjectCertificateNotRevokedValidator(
-                certTrustedValidator,
-                ocspClient, ocspServiceProvider,
-                configuration.getAllowedOcspResponseTimeSkew(),
-                configuration.getMaxOcspResponseThisUpdateAge()
-            )::validateCertificateNotRevoked
-        );
-    }
 }

src/main/java/eu/webeid/security/validator/AuthTokenValidationConfiguration.java

@@ -87,7 +87,7 @@ Collection<X509Certificate> getTrustedCACertificates() {
         return trustedCACertificates;
     }
 
-    boolean isUserCertificateRevocationCheckWithOcspEnabled() {
+    public boolean isUserCertificateRevocationCheckWithOcspEnabled() {
         return isUserCertificateRevocationCheckWithOcspEnabled;
     }
 

src/main/java/eu/webeid/security/validator/AuthTokenValidator.java

@@ -37,6 +37,9 @@
  * Parses and validates the provided Web eID authentication token.
  */
 public interface AuthTokenValidator {
+    String CURRENT_TOKEN_FORMAT_VERSION = "web-eid:1.1";
+
+    ObjectReader TOKEN_READER = new ObjectMapper().readerFor(WebEidAuthToken.class);
 
     /**
      * Returns whether this validator supports validation of the given token format.
@@ -62,8 +65,7 @@ default WebEidAuthToken parse(String authToken) throws AuthTokenException {
                 throw new AuthTokenParseException("Auth token is too long");
             }
 
-            ObjectReader reader = new ObjectMapper().readerFor(WebEidAuthToken.class);
-            WebEidAuthToken token = reader.readValue(authToken);
+            WebEidAuthToken token = TOKEN_READER.readValue(authToken);
             if (token == null) {
                 throw new AuthTokenParseException("Web eID authentication token is null");
             }

src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateValidatorBatch.java

@@ -23,11 +23,17 @@
 package eu.webeid.security.validator.certvalidators;
 
 import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.validator.AuthTokenValidationConfiguration;
+import eu.webeid.security.validator.ocsp.OcspClient;
+import eu.webeid.security.validator.ocsp.OcspServiceProvider;
 
+import java.security.cert.CertStore;
+import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.Set;
 
 public final class SubjectCertificateValidatorBatch {
 
@@ -55,4 +61,34 @@ public SubjectCertificateValidatorBatch addOptional(boolean condition, SubjectCe
     private SubjectCertificateValidatorBatch(List<SubjectCertificateValidator> validatorList) {
         this.validatorList = validatorList;
     }
+
+    /**
+     * Creates the certificate trust validators batch.
+     * As SubjectCertificateTrustedValidator has mutable state that SubjectCertificateNotRevokedValidator depends on,
+     * they cannot be reused/cached in an instance variable in a multi-threaded environment. Hence, they are
+     * re-created for each validation run for thread safety.
+     *
+     * @return certificate trust validator batch
+     */
+    public static SubjectCertificateValidatorBatch forTrustValidation(
+        AuthTokenValidationConfiguration configuration,
+        Set<TrustAnchor> trustedCACertificateAnchors,
+        CertStore trustedCACertificateCertStore,
+        OcspClient ocspClient,
+        OcspServiceProvider ocspServiceProvider) {
+
+        final SubjectCertificateTrustedValidator certTrustedValidator =
+            new SubjectCertificateTrustedValidator(trustedCACertificateAnchors, trustedCACertificateCertStore);
+
+        return SubjectCertificateValidatorBatch.createFrom(
+            certTrustedValidator::validateCertificateTrusted
+        ).addOptional(configuration.isUserCertificateRevocationCheckWithOcspEnabled(),
+            new SubjectCertificateNotRevokedValidator(
+                certTrustedValidator,
+                ocspClient, ocspServiceProvider,
+                configuration.getAllowedOcspResponseTimeSkew(),
+                configuration.getMaxOcspResponseThisUpdateAge()
+            )::validateCertificateNotRevoked
+        );
+    }
 }

src/test/java/eu/webeid/security/testutil/AbstractTestWithValidator.java

@@ -46,7 +46,7 @@ public abstract class AbstractTestWithValidator {
 
     public static final String VALID_V11_AUTH_TOKEN = "{\"algorithm\":\"ES384\"," +
         "\"unverifiedCertificate\":\"MIIEBDCCA2WgAwIBAgIQY5OGshxoPMFg+Wfc0gFEaTAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTIxMDcyMjEyNDMwOFoXDTI2MDcwOTIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQmwEKsJTjaMHSaZj19hb9EJaJlwbKc5VFzmlGMFSJVk4dDy+eUxa5KOA7tWXqzcmhh5SYdv+MxcaQKlKWLMa36pfgv20FpEDb03GCtLqjLTRZ7649PugAQ5EmAqIic29CjggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFPlp/ceABC52itoqppEmbf71TJz6MGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBjAAwgYgCQgDCAgybz0u3W+tGI+AX+PiI5CrE9ptEHO5eezR1Jo4j7iGaO0i39xTGUB+NSC7P6AQbyE/ywqJjA1a62jTLcS9GHAJCARxN4NO4eVdWU3zVohCXm8WN3DWA7XUcn9TZiLGQ29P4xfQZOXJi/z4PNRRsR4plvSNB3dfyBvZn31HhC7my8woi\"," +
-        "\"unverifiedSigningCertificate\":\"MIIEBDCCA2WgAwIBAgIQY5OGshxoPMFg+Wfc0gFEaTAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTIxMDcyMjEyNDMwOFoXDTI2MDcwOTIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQmwEKsJTjaMHSaZj19hb9EJaJlwbKc5VFzmlGMFSJVk4dDy+eUxa5KOA7tWXqzcmhh5SYdv+MxcaQKlKWLMa36pfgv20FpEDb03GCtLqjLTRZ7649PugAQ5EmAqIic29CjggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFPlp/ceABC52itoqppEmbf71TJz6MGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBjAAwgYgCQgDCAgybz0u3W+tGI+AX+PiI5CrE9ptEHO5eezR1Jo4j7iGaO0i39xTGUB+NSC7P6AQbyE/ywqJjA1a62jTLcS9GHAJCARxN4NO4eVdWU3zVohCXm8WN3DWA7XUcn9TZiLGQ29P4xfQZOXJi/z4PNRRsR4plvSNB3dfyBvZn31HhC7my8woi\"," +
+        "\"unverifiedSigningCertificate\":\"MIID6zCCA02gAwIBAgIQT7j6zk6pmVRcyspLo5SqejAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTE5MDUwMjEwNDUzMVoXDTI5MDUwMjEwNDUzMVowfzELMAkGA1UEBhMCRUUxFjAUBgNVBCoMDUpBQUstS1JJU1RKQU4xEDAOBgNVBAQMB0rDlUVPUkcxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASkwENR8GmCpEs6OshDWDfIiKvGuyNMOD2rjIQW321AnZD3oIsqD0svBMNEJJj9Dlvq/47TYDObIa12KAU5IuOBfJs2lrFdSXZjaM+a5TWT3O2JTM36YDH2GcMe/eisepejggGrMIIBpzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIGQDBIBgNVHSAEQTA/MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAJBgcEAIvsQAECMB0GA1UdDgQWBBTVX3s48Spy/Es2TcXgkRvwUn2YcjCBigYIKwYBBQUHAQMEfjB8MAgGBgQAjkYBATAIBgYEAI5GAQQwEwYGBACORgEGMAkGBwQAjkYBBgEwUQYGBACORgEFMEcwRRY/aHR0cHM6Ly9zay5lZS9lbi9yZXBvc2l0b3J5L2NvbmRpdGlvbnMtZm9yLXVzZS1vZi1jZXJ0aWZpY2F0ZXMvEwJFTjAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBiwAwgYcCQgGBr+Jbo1GeqgWdIwgMo7SA29AP38JxNm2HWq2Qb+kIHpusAK574Co1K5D4+Mk7/ITTuXQaET5WphHoN7tdAciTaQJBAn0zBigYyVPYSTO68HM6hmlwTwi/KlJDdXW/2NsMjSqofFFJXpGvpxk2CTqSRCjcavxLPnkasTbNROYSJcmM8Xc=\"," +
         "\"supportedSignatureAlgorithms\":[{\"cryptoAlgorithm\":\"RSA\",\"hashFunction\":\"SHA-256\",\"paddingScheme\":\"PKCS1.5\"}]," +
         "\"appVersion\":\"https://web-eid.eu/web-eid-mobile-app/releases/v1.0.0\"," +
         "\"signature\":\"0Ov7ME6pTY1K2GXMj8Wxov/o2fGIMEds8OMY5dKdkB0nrqQX7fG1E5mnsbvyHpMDecMUH6Yg+p1HXdgB/lLqOcFZjt/OVXPjAAApC5d1YgRYATDcxsR1zqQwiNcHdmWn\"," +

src/test/java/eu/webeid/security/validator/AuthTokenCertificateTest.java

@@ -45,6 +45,7 @@
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
+import org.bouncycastle.asn1.x509.Extension;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
@@ -351,9 +352,15 @@ void whenValidV11Token_thenValidationSucceeds() {
 
     @Test
     void whenV11SigningCertificateFieldIsMissing_thenValidationFails() throws Exception {
-        final WebEidAuthToken token = replaceTokenField(V11_AUTH_TOKEN, "\"unverifiedSigningCertificate\":\"X5C\",", "");
-        assertThatThrownBy(() -> validator
-            .validate(token, VALID_CHALLENGE_NONCE))
+        ObjectMapper mapper = new ObjectMapper();
+        ObjectNode node = (ObjectNode) mapper.readTree(V11_AUTH_TOKEN);
+        node.remove("unverifiedSigningCertificate");
+        WebEidAuthToken token = OBJECT_READER.readValue(node.toString());
+
+        AuthTokenV11Validator spyValidator = spyAuthTokenV11Validator();
+        doReturn(mock(X509Certificate.class)).when(spyValidator).validateV1(any(), any());
+
+        assertThatThrownBy(() -> spyValidator.validate(token, VALID_CHALLENGE_NONCE))
             .isInstanceOf(AuthTokenParseException.class)
             .hasMessage("'unverifiedSigningCertificate' field is missing, null or empty for format 'web-eid:1.1'");
     }
@@ -420,7 +427,7 @@ void whenV11SigningCertificateNotIssuedBySameAuthority_thenValidationFails() thr
 
             assertThatThrownBy(() -> spyValidator.validate(parsedToken, VALID_CHALLENGE_NONCE))
                 .isInstanceOf(AuthTokenParseException.class)
-                .hasMessage("Signing and authentication certificates are not issued by the same authority");
+                .hasMessage("Signing certificate is not issued by the same issuing authority as the authentication certificate");
         }
     }
 
@@ -434,7 +441,9 @@ void whenV11SigningCertificateNotSuitableForSigning_thenValidationFails() throws
         X509Certificate signingCert = mock(X509Certificate.class);
         when(signingCert.getSubjectX500Principal()).thenReturn(realSubjectCert.getSubjectX500Principal());
         when(signingCert.getIssuerX500Principal()).thenReturn(realSubjectCert.getIssuerX500Principal());
-        when(signingCert.getKeyUsage()).thenReturn(new boolean[]{false, false});
+        when(signingCert.getExtensionValue(Extension.authorityKeyIdentifier.getId()))
+            .thenReturn(realSubjectCert.getExtensionValue(Extension.authorityKeyIdentifier.getId()));
+        when(signingCert.getKeyUsage()).thenReturn(new boolean[]{true, false});
 
         try (MockedStatic<CertificateLoader> mocked = mockStatic(CertificateLoader.class)) {
             mocked.when(() -> CertificateLoader.decodeCertificateFromBase64(parsedToken.getUnverifiedCertificate()))