Merge branch 'v2.2.x' into backport-v3-to-v2-helper

mrts · mrts · commit bbb67419d82b · 2025-11-03T22:12:02.000+02:00
diff --git a/pom.xml b/pom.xml
@@ -18,7 +18,7 @@
         <java.version>11</java.version>
         <jjwt.version>0.12.6</jjwt.version>
         <bouncycastle.version>1.80</bouncycastle.version>
-        <jackson.version>2.18.3</jackson.version>
+        <jackson.version>2.18.5</jackson.version>
         <slf4j.version>2.0.17</slf4j.version>
         <junit-jupiter.version>5.12.0</junit-jupiter.version>
         <assertj.version>3.27.3</assertj.version>
diff --git a/src/main/java/eu/webeid/security/validator/AuthTokenValidatorBuilder.java b/src/main/java/eu/webeid/security/validator/AuthTokenValidatorBuilder.java
@@ -77,7 +77,7 @@ public AuthTokenValidatorBuilder withTrustedCertificateAuthorities(X509Certifica
         if (LOG.isDebugEnabled()) {
             LOG.debug("Trusted intermediate certificate authorities set to {}",
                 configuration.getTrustedCACertificates().stream()
-                    .map(X509Certificate::getSubjectDN)
+                    .map(X509Certificate::getSubjectX500Principal)
                     .collect(Collectors.toList()));
         }
         return this;
diff --git a/src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java b/src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java
@@ -106,7 +106,7 @@ public WebEidAuthToken parse(String authToken) throws AuthTokenException {
             validateTokenLength(authToken);
             return parseToken(authToken);
         } catch (Exception e) {
-            // Generally "log and rethrow" is an anti-pattern, but it fits with the surrounding logging style.
+            // Generally "log and rethrow" is an antipattern, but it fits with the surrounding logging style.
             LOG.warn("Token parsing was interrupted:", e);
             throw e;
         }
@@ -118,7 +118,7 @@ public X509Certificate validate(WebEidAuthToken authToken, String currentChallen
             LOG.info("Starting token validation");
             return validateToken(authToken, currentChallengeNonce);
         } catch (Exception e) {
-            // Generally "log and rethrow" is an anti-pattern, but it fits with the surrounding logging style.
+            // Generally "log and rethrow" is an antipattern, but it fits with the surrounding logging style.
             LOG.warn("Token validation was interrupted:", e);
             throw e;
         }
diff --git a/src/main/java/eu/webeid/security/validator/ocsp/OcspRequestBuilder.java b/src/main/java/eu/webeid/security/validator/ocsp/OcspRequestBuilder.java
@@ -83,7 +83,6 @@ private void addNonce(OCSPReqBuilder builder) throws IOException {
             new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false,
                 // Follow OpenSSL OCSP nonce encoding convention and add double octet string header.
                 new DEROctetString(new DEROctetString(nonce)))
-                new DEROctetString(new DEROctetString(nonce)))
         };
         builder.setRequestExtensions(new Extensions(extensions));
     }
diff --git a/src/main/java/eu/webeid/security/validator/ocsp/OcspResponseValidator.java b/src/main/java/eu/webeid/security/validator/ocsp/OcspResponseValidator.java
@@ -58,7 +58,7 @@ public static void validateHasSigningExtension(X509Certificate certificate) thro
         Objects.requireNonNull(certificate, "certificate");
         try {
             if (certificate.getExtendedKeyUsage() == null || !certificate.getExtendedKeyUsage().contains(OID_OCSP_SIGNING)) {
-                throw new OCSPCertificateException("Certificate " + certificate.getSubjectDN() +
+                throw new OCSPCertificateException("Certificate " + certificate.getSubjectX500Principal() +
                     " does not contain the key usage extension for OCSP response signing");
             }
         } catch (CertificateParsingException e) {
diff --git a/src/test/java/eu/webeid/security/testutil/AuthTokenValidators.java b/src/test/java/eu/webeid/security/testutil/AuthTokenValidators.java
@@ -94,6 +94,20 @@ public static AuthTokenValidator getAuthTokenValidatorWithDisallowedESTEIDPolicy
             .build();
     }
 
+    public static AuthTokenValidator getAuthTokenValidatorForBelgianIdCard() throws CertificateException, IOException, JceException {
+      return getAuthTokenValidator(
+                "https://47f0-46-131-86-189.ngrok-free.app",
+                CertificateLoader.loadCertificatesFromResources("eID TEST EC Citizen CA.cer")
+            );
+    }
+
+    public static AuthTokenValidator getAuthTokenValidatorForFinnishIdCard() throws CertificateException, IOException, JceException {
+      return getAuthTokenValidator(
+                "https://47f0-46-131-86-189.ngrok-free.app",
+                CertificateLoader.loadCertificatesFromResources("DVV TEST Certificates - G5E.crt", "VRK TEST CA for Test Purposes - G4.crt")
+            );
+    }
+
     public static AuthTokenValidatorBuilder getDefaultAuthTokenValidatorBuilder() throws CertificateException, IOException {
         return getAuthTokenValidatorBuilder(TOKEN_ORIGIN_URL, getCACertificates());
     }
diff --git a/src/test/java/eu/webeid/security/validator/AuthTokenCertificateTest.java b/src/test/java/eu/webeid/security/validator/AuthTokenCertificateTest.java
@@ -58,7 +58,7 @@ class AuthTokenCertificateTest extends AbstractTestWithValidator {
         "\"signature\":\"arx164xRiwhIQDINe0J+ZxJWZFOQTx0PBtOaWaxAe7gofEIHRIbV1w0sOCYBJnvmvMem9hU4nc2+iJx2x8poYck4Z6eI3GwtiksIec3XQ9ZIk1n/XchXnmPn3GYV+HzJ\"," +
         "\"format\":\"web-eid:1\"}";
 
-    private static final String MISSING_PURPOSE_CERT = "MIICxjCCAa6gAwIBAgIJANTbd26vS6fmMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNVBAMTCndlYi1laWQuZXUwHhcNMjAwOTI0MTIyNDMzWhcNMzAwOTIyMTIyNDMzWjAVMRMwEQYDVQQDEwp3ZWItZWlkLmV1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAza5qBFu5fvs47rx3o9yzBVfIxHjMotID8ppkwWVen/uFxlqsRVi+XnWkggW+K8X45inAnBAVi1rIw7GQNdacSHglyvQfwM64AallmD0+K+QgbqxcO9fvRvlAeISENBc2bGgqTIytPEON5ZmazzbOZjqY3M1QcPlPZOeUm6M9ZcZFhsxpiB4gwZUic9tnCz9eujd6k6DzNVfSRaJcpGA5hJ9aKH4vXS3x7anewna+USEXkRb4Il5zSlZR0i1yrVA1YNOxCG/+GgWvXfvXwdQ0z9BpGwNEyc0mRDNx+umaTukz9t+7/qTcB2JLTuiwM9Gqg5sDDnzPlcZSa7GnIU0MLQIDAQABoxkwFzAVBgNVHREEDjAMggp3ZWItZWlkLmV1MA0GCSqGSIb3DQEBBQUAA4IBAQAYGkBhTlet47uw3JYunYo6dj4nGWSGV4x6LYjCp5QlAmGd28HpC1RFB3ba+inwW8SP69kEOcB0sJQAZ/tV90oCATNsy/Whg/TtiHISL2pr1dyBoKDRWbgTp8jjzcp2Bj9nL14aqpj1t4K1lcoYETX41yVmyyJu6VFs80M5T3yikm2giAhszjChnjyoT2kaEKoua9EUK9SS27pVltgbbvtmeTp3ZPHtBfiDOATL6E03RZ5WfMLRefI796a+RcznnudzQHhMSwcjLpMDgIWpUU4OU7RiwrU+S3MrvgzCjkWh2MGu/OGLB+d3JZoW+eCvigoshmAsbJCMLbh4N78BCPqk";
+    private static final String MISSING_KEY_USAGE_CERT = "MIICxjCCAa6gAwIBAgIJANTbd26vS6fmMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNVBAMTCndlYi1laWQuZXUwHhcNMjAwOTI0MTIyNDMzWhcNMzAwOTIyMTIyNDMzWjAVMRMwEQYDVQQDEwp3ZWItZWlkLmV1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAza5qBFu5fvs47rx3o9yzBVfIxHjMotID8ppkwWVen/uFxlqsRVi+XnWkggW+K8X45inAnBAVi1rIw7GQNdacSHglyvQfwM64AallmD0+K+QgbqxcO9fvRvlAeISENBc2bGgqTIytPEON5ZmazzbOZjqY3M1QcPlPZOeUm6M9ZcZFhsxpiB4gwZUic9tnCz9eujd6k6DzNVfSRaJcpGA5hJ9aKH4vXS3x7anewna+USEXkRb4Il5zSlZR0i1yrVA1YNOxCG/+GgWvXfvXwdQ0z9BpGwNEyc0mRDNx+umaTukz9t+7/qTcB2JLTuiwM9Gqg5sDDnzPlcZSa7GnIU0MLQIDAQABoxkwFzAVBgNVHREEDjAMggp3ZWItZWlkLmV1MA0GCSqGSIb3DQEBBQUAA4IBAQAYGkBhTlet47uw3JYunYo6dj4nGWSGV4x6LYjCp5QlAmGd28HpC1RFB3ba+inwW8SP69kEOcB0sJQAZ/tV90oCATNsy/Whg/TtiHISL2pr1dyBoKDRWbgTp8jjzcp2Bj9nL14aqpj1t4K1lcoYETX41yVmyyJu6VFs80M5T3yikm2giAhszjChnjyoT2kaEKoua9EUK9SS27pVltgbbvtmeTp3ZPHtBfiDOATL6E03RZ5WfMLRefI796a+RcznnudzQHhMSwcjLpMDgIWpUU4OU7RiwrU+S3MrvgzCjkWh2MGu/OGLB+d3JZoW+eCvigoshmAsbJCMLbh4N78BCPqk";
     private static final String WRONG_PURPOSE_CERT = "MIIEBDCCA2WgAwIBAgIQGIgoZxFL7VZbyFH7MAVEkTAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTE4MTAxODA5MjcyM1oXDTIzMTAxNzIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT3SZB34CUGYhQyLsLd9b2ihv35q7NT47Id9ugLIdgg3NSFDccH6rV16D2m8DKfuD2mn3V6QdaaZnbWF4YdDK1W0C9kLNsB70ob//y39pugMftepmQpJcBGPqug81tf5jujggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFPhJx7ro54+N8r2ByiZXzZyWBbjFMGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsG/wUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBjAAwgYgCQgFi5XSCFGgsc8SKLWwMBWS0nu/20FjEqh6OGvsI4iPctNDkinsxcYgARdfqPsNnDX+KjALKPEKZCLKRixGL2kPLMgJCAQFXP9gstThxlj/1Q5YFb7KWhPWFiKgQEi9JdvxJQNXLkWV9onEh96mRFgv4IJJpGazuoSMZtzNpyBxmM0dwnxOf";
     private static final String WRONG_POLICY_CERT = "MIIEATCCA2OgAwIBAgIQOWkBWXNDJm1byFd3XsWkvjAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTE4MTAxODA5NTA0N1oXDTIzMTAxNzIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAR5k1lXzvSeI9O/1s1pZvjhEW8nItJoG0EBFxmLEY6S7ki1vF2Q3TEDx6dNztI1Xtx96cs8r4zYTwdiQoDg7k3diUuR9nTWGxQEMO1FDo4Y9fAmiPGWT++GuOVoZQY3XxijggHBMIIBvTAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBFBgNVHSAEPjA8MDAGCSsGAQQBzh8BAzAjMCEGCCsGAQUFBwIBFhVodHRwczovL3d3dy5zay5lZS9DUFMwCAYGBACPegECMB8GA1UdEQQYMBaBFDM4MDAxMDg1NzE4QGVlc3RpLmVlMB0GA1UdDgQWBBTkLL00CRAVTDEpocmV+W4m2CbmwDBhBggrBgEFBQcBAwRVMFMwUQYGBACORgEFMEcwRRY/aHR0cHM6Ly9zay5lZS9lbi9yZXBvc2l0b3J5L2NvbmRpdGlvbnMtZm9yLXVzZS1vZi1jZXJ0aWZpY2F0ZXMvEwJFTjAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwHwYDVR0jBBgwFoAUwISZKcROnzsCNPaZ4QpWAAgpPnswcwYIKwYBBQUHAQEEZzBlMCwGCCsGAQUFBzABhiBodHRwOi8vYWlhLmRlbW8uc2suZWUvZXN0ZWlkMjAxODA1BggrBgEFBQcwAoYpaHR0cDovL2Muc2suZWUvVGVzdF9vZl9FU1RFSUQyMDE4LmRlci5jcnQwCgYIKoZIzj0EAwQDgYsAMIGHAkIB9VLJjHbS2bYudRatkEeMFJAMKbJ4bAVdh0KlFxWASexF5ywpGl43WSpB6QAXzNEBMe1FIWiOIud44iexNWO1jgACQQ1+M+taZ4hyWqSNW5DCIiUP7Yu4WvH3SUjEqQHbOQshyMh5EM1pVcvOn/ZgOxLt6ETv9avnhVMw2zTd1b8u4EFk";
 
@@ -147,8 +147,8 @@ void whenCertificateFieldIsNotCertificate_thenParsingFails() throws AuthTokenExc
     }
 
     @Test
-    void whenCertificatePurposeIsMissing_thenValidationFails() throws AuthTokenException {
-        final WebEidAuthToken token = replaceTokenField(AUTH_TOKEN, "X5C", MISSING_PURPOSE_CERT);
+    void whenCertificateKeyUsageIsMissing_thenValidationFails() throws AuthTokenException {
+        final WebEidAuthToken token = replaceTokenField(AUTH_TOKEN, "X5C", MISSING_KEY_USAGE_CERT);
         assertThatThrownBy(() -> validator
             .validate(token, VALID_CHALLENGE_NONCE))
             .isInstanceOf(UserCertificateMissingPurposeException.class);
@@ -192,7 +192,7 @@ void whenUsingNewMobileIdCertificate_thenValidationFails() throws AuthTokenExcep
         final WebEidAuthToken token = replaceTokenField(AUTH_TOKEN, "X5C", NEW_MOBILE_ID_CERT);
         assertThatThrownBy(() -> validator
             .validate(token, VALID_CHALLENGE_NONCE))
-            .isInstanceOf(UserCertificateMissingPurposeException.class);
+            .isInstanceOf(UserCertificateDisallowedPolicyException.class);
     }
 
     @Test
diff --git a/src/test/java/eu/webeid/security/validator/AuthTokenSignatureTest.java b/src/test/java/eu/webeid/security/validator/AuthTokenSignatureTest.java
@@ -29,6 +29,7 @@
 import eu.webeid.security.testutil.AuthTokenValidators;
 import eu.webeid.security.util.DateAndTime;
 import org.junit.jupiter.api.Test;
+import org.mockito.MockedStatic;
 
 import java.security.cert.X509Certificate;
 

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ public AuthTokenValidatorBuilder withTrustedCertificateAuthorities(X509Certifica`
`77`	`77`	`if (LOG.isDebugEnabled()) {`
`78`	`78`	`LOG.debug("Trusted intermediate certificate authorities set to {}",`
`79`	`79`	`configuration.getTrustedCACertificates().stream()`
`80`		`- .map(X509Certificate::getSubjectDN)`
	`80`	`+ .map(X509Certificate::getSubjectX500Principal)`
`81`	`81`	`.collect(Collectors.toList()));`
`82`	`82`	`}`
`83`	`83`	`return this;`
Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,6 @@ private void addNonce(OCSPReqBuilder builder) throws IOException {`
`83`	`83`	`new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false,`
`84`	`84`	`// Follow OpenSSL OCSP nonce encoding convention and add double octet string header.`
`85`	`85`	`new DEROctetString(new DEROctetString(nonce)))`
`86`		`- new DEROctetString(new DEROctetString(nonce)))`
`87`	`86`	`};`
`88`	`87`	`builder.setRequestExtensions(new Extensions(extensions));`
`89`	`88`	`}`
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ public static void validateHasSigningExtension(X509Certificate certificate) thro`
`58`	`58`	`Objects.requireNonNull(certificate, "certificate");`
`59`	`59`	`try {`
`60`	`60`	`if (certificate.getExtendedKeyUsage() == null \|\| !certificate.getExtendedKeyUsage().contains(OID_OCSP_SIGNING)) {`
`61`		`- throw new OCSPCertificateException("Certificate " + certificate.getSubjectDN() +`
	`61`	`+ throw new OCSPCertificateException("Certificate " + certificate.getSubjectX500Principal() +`
`62`	`62`	`" does not contain the key usage extension for OCSP response signing");`
`63`	`63`	`}`
`64`	`64`	`} catch (CertificateParsingException e) {`