NFC-46 Fix and update same authority certs checks.

Author: SanderKondratjevNortal

src/main/java/eu/webeid/security/validator/AuthTokenV11Validator.java

@@ -8,12 +8,10 @@
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
-import org.bouncycastle.asn1.x509.Extension;
 
 import java.security.cert.CertStore;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Set;
 
@@ -29,6 +27,7 @@ class AuthTokenV11Validator extends AuthTokenV1Validator {
         "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512"
     );
     private static final int KEY_USAGE_NON_REPUDIATION = 1;
+    private static final int KEY_USAGE_DIGITAL_SIGNATURE = 0;
 
     public AuthTokenV11Validator(
         SubjectCertificateValidatorBatch simpleSubjectCertificateValidators,
@@ -74,15 +73,13 @@ public X509Certificate validate(WebEidAuthToken token, String currentChallengeNo
             throw new AuthTokenParseException("Signing certificate subject does not match authentication certificate subject");
         }
 
-        byte[] subjectSki = subjectCertificate.getExtensionValue(Extension.subjectKeyIdentifier.getId());
-        byte[] signingAki = signingCertificate.getExtensionValue(Extension.authorityKeyIdentifier.getId());
-        if (subjectSki != null && signingAki != null && !Arrays.equals(subjectSki, signingAki)) {
-            throw new AuthTokenParseException("Signing certificate not issued by same authority as authentication certificate");
+        if (!subjectCertificate.getIssuerX500Principal().equals(signingCertificate.getIssuerX500Principal())) {
+            throw new AuthTokenParseException("Signing and authentication certificates are not issued by the same authority");
         }
 
         boolean[] keyUsage = signingCertificate.getKeyUsage();
-        if (keyUsage == null || keyUsage.length <= KEY_USAGE_NON_REPUDIATION || !keyUsage[KEY_USAGE_NON_REPUDIATION]) {
-            throw new AuthTokenParseException("Signing certificate does not have nonRepudiation key usage");
+        if (keyUsage == null || (keyUsage.length > KEY_USAGE_NON_REPUDIATION && !keyUsage[KEY_USAGE_NON_REPUDIATION] && !keyUsage[KEY_USAGE_DIGITAL_SIGNATURE])) {
+            throw new AuthTokenParseException("Signing certificate not suitable for signing");
         }
 
         return subjectCertificate;

src/test/java/eu/webeid/security/validator/AuthTokenCertificateTest.java

@@ -45,7 +45,6 @@
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
-import org.bouncycastle.asn1.x509.Extension;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
@@ -409,8 +408,9 @@ void whenV11SigningCertificateNotIssuedBySameAuthority_thenValidationFails() thr
 
         X509Certificate mockSigningCert = mock(X509Certificate.class);
         when(mockSigningCert.getSubjectX500Principal()).thenReturn(realSubjectCert.getSubjectX500Principal());
-        when(mockSigningCert.getExtensionValue(Extension.authorityKeyIdentifier.getId()))
-            .thenReturn(new byte[]{0x01, 0x02});
+        when(mockSigningCert.getIssuerX500Principal()).thenReturn(
+            new javax.security.auth.x500.X500Principal("CN=Other Test CA, O=Other Org, C=EE")
+        );
 
         try (MockedStatic<CertificateLoader> mocked = mockStatic(CertificateLoader.class)) {
             mocked.when(() -> CertificateLoader.decodeCertificateFromBase64(parsedToken.getUnverifiedCertificate()))
@@ -420,21 +420,21 @@ void whenV11SigningCertificateNotIssuedBySameAuthority_thenValidationFails() thr
 
             assertThatThrownBy(() -> spyValidator.validate(parsedToken, VALID_CHALLENGE_NONCE))
                 .isInstanceOf(AuthTokenParseException.class)
-                .hasMessage("Signing certificate not issued by same authority as authentication certificate");
+                .hasMessage("Signing and authentication certificates are not issued by the same authority");
         }
     }
 
-
     @Test
-    void whenV11SigningCertificateHasNoNonRepudiationUsage_thenValidationFails() throws Exception {
+    void whenV11SigningCertificateNotSuitableForSigning_thenValidationFails() throws Exception {
         AuthTokenV11Validator spyValidator = spyAuthTokenV11Validator();
         WebEidAuthToken parsedToken = OBJECT_READER.readValue(V11_AUTH_TOKEN, WebEidAuthToken.class);
         X509Certificate realSubjectCert = CertificateLoader.decodeCertificateFromBase64(parsedToken.getUnverifiedCertificate());
         doReturn(realSubjectCert).when(spyValidator).validateV1(any(), any());
 
         X509Certificate signingCert = mock(X509Certificate.class);
         when(signingCert.getSubjectX500Principal()).thenReturn(realSubjectCert.getSubjectX500Principal());
-        when(signingCert.getKeyUsage()).thenReturn(new boolean[]{true, false});
+        when(signingCert.getIssuerX500Principal()).thenReturn(realSubjectCert.getIssuerX500Principal());
+        when(signingCert.getKeyUsage()).thenReturn(new boolean[]{false, false});
 
         try (MockedStatic<CertificateLoader> mocked = mockStatic(CertificateLoader.class)) {
             mocked.when(() -> CertificateLoader.decodeCertificateFromBase64(parsedToken.getUnverifiedCertificate()))
@@ -444,7 +444,7 @@ void whenV11SigningCertificateHasNoNonRepudiationUsage_thenValidationFails() thr
 
             assertThatThrownBy(() -> spyValidator.validate(parsedToken, VALID_CHALLENGE_NONCE))
                 .isInstanceOf(AuthTokenParseException.class)
-                .hasMessage("Signing certificate does not have nonRepudiation key usage");
+                .hasMessage("Signing certificate not suitable for signing");
         }
     }