NFC-46 Strategy + Factory for token format validation (V1, V11). Refactoring.

Author: SanderKondratjevNortal

src/main/java/eu/webeid/security/validator/AuthTokenV11Validator.java

@@ -14,20 +14,40 @@
 
 import static eu.webeid.security.util.Strings.isNullOrEmpty;
 
-public class AuthTokenV11Validator {
+public final class AuthTokenV11Validator implements AuthTokenValidator {
+
+    private static final String SUPPORTED_PREFIX = "web-eid:1.1";
 
     private final SubjectCertificateValidatorBatch simpleSubjectCertificateValidators;
     private final Supplier<SubjectCertificateValidatorBatch> certTrustValidatorsSupplier;
+    private final AuthTokenSignatureValidator authTokenSignatureValidator;
 
     public AuthTokenV11Validator(
-        SubjectCertificateValidatorBatch simpleSubjectCertificateValidators,
-        Supplier<SubjectCertificateValidatorBatch> certTrustValidatorsSupplier
+            SubjectCertificateValidatorBatch simpleSubjectCertificateValidators,
+            Supplier<SubjectCertificateValidatorBatch> certTrustValidatorsSupplier,
+            AuthTokenSignatureValidator authTokenSignatureValidator
     ) {
         this.simpleSubjectCertificateValidators = simpleSubjectCertificateValidators;
         this.certTrustValidatorsSupplier = certTrustValidatorsSupplier;
+        this.authTokenSignatureValidator = authTokenSignatureValidator;
+    }
+
+    @Override
+    public boolean supports(String format) {
+        return format != null && format.startsWith(SUPPORTED_PREFIX);
+    }
+
+    @Override
+    public WebEidAuthToken parse(String authToken) throws AuthTokenException {
+        throw new UnsupportedOperationException("Parsing is handled by AuthTokenValidatorImpl. " + this.getClass().getSimpleName() + " only supports validation.");
     }
 
-    public void validate(WebEidAuthToken token, X509Certificate subjectCertificate) throws AuthTokenException {
+    @Override
+    public X509Certificate validate(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
+        if (token.getFormat() == null || !token.getFormat().startsWith(SUPPORTED_PREFIX)) {
+            throw new AuthTokenParseException("Only token format '" + SUPPORTED_PREFIX + "' is supported by this validator");
+        }
+
         if (isNullOrEmpty(token.getUnverifiedSigningCertificate())) {
             throw new AuthTokenParseException("'unverifiedSigningCertificate' field is missing, null or empty for format 'web-eid:1.1'");
         }
@@ -38,22 +58,31 @@ public void validate(WebEidAuthToken token, X509Certificate subjectCertificate)
 
         validateSupportedSignatureAlgorithms(token.getSupportedSignatureAlgorithms());
 
-        final X509Certificate signingCertificate =
-            CertificateLoader.decodeCertificateFromBase64(token.getUnverifiedSigningCertificate());
+        final X509Certificate subjectCertificate = CertificateLoader.decodeCertificateFromBase64(token.getUnverifiedCertificate());
+        final X509Certificate signingCertificate = CertificateLoader.decodeCertificateFromBase64(token.getUnverifiedSigningCertificate());
 
         if (!subjectCertificate.getSubjectX500Principal().equals(signingCertificate.getSubjectX500Principal())) {
             throw new AuthTokenParseException("Signing certificate subject does not match authentication certificate subject");
         }
 
         simpleSubjectCertificateValidators.executeFor(signingCertificate);
         certTrustValidatorsSupplier.get().executeFor(signingCertificate);
+
+        authTokenSignatureValidator.validate(
+                token.getAlgorithm(),
+                token.getSignature(),
+                signingCertificate.getPublicKey(),
+                currentChallengeNonce
+        );
+
+        return subjectCertificate;
     }
 
     private static void validateSupportedSignatureAlgorithms(List<SupportedSignatureAlgorithm> algorithms) throws AuthTokenParseException {
         boolean hasInvalid = algorithms.stream().anyMatch(supportedSignatureAlgorithm ->
-            !isValidCryptoAlgorithm(supportedSignatureAlgorithm.getCryptoAlgorithm())
-                || !isValidHashFunction(supportedSignatureAlgorithm.getHashFunction())
-                || !isValidPaddingScheme(supportedSignatureAlgorithm.getPaddingScheme())
+                !isValidCryptoAlgorithm(supportedSignatureAlgorithm.getCryptoAlgorithm())
+                        || !isValidHashFunction(supportedSignatureAlgorithm.getHashFunction())
+                        || !isValidPaddingScheme(supportedSignatureAlgorithm.getPaddingScheme())
         );
 
         if (hasInvalid) {
@@ -67,8 +96,8 @@ private static boolean isValidCryptoAlgorithm(String value) {
 
     private static boolean isValidHashFunction(String value) {
         return Set.of(
-            "SHA-224", "SHA-256", "SHA-384", "SHA-512",
-            "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512"
+                "SHA-224", "SHA-256", "SHA-384", "SHA-512",
+                "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512"
         ).contains(value);
     }
 

src/main/java/eu/webeid/security/validator/AuthTokenV1Validator.java

@@ -0,0 +1,127 @@
+package eu.webeid.security.validator;
+
+import eu.webeid.security.authtoken.WebEidAuthToken;
+import eu.webeid.security.certificate.CertificateLoader;
+import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.exceptions.AuthTokenParseException;
+import eu.webeid.security.validator.certvalidators.SubjectCertificateNotRevokedValidator;
+import eu.webeid.security.validator.certvalidators.SubjectCertificateTrustedValidator;
+import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
+import eu.webeid.security.validator.ocsp.OcspClient;
+import eu.webeid.security.validator.ocsp.OcspServiceProvider;
+
+import java.security.cert.CertStore;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
+import java.util.Set;
+
+public final class AuthTokenV1Validator implements AuthTokenValidator {
+
+    private static final String SUPPORTED_TOKEN_FORMAT_VERSION = "web-eid:1";
+
+    private final SubjectCertificateValidatorBatch simpleSubjectCertificateValidators;
+    private final Set<TrustAnchor> trustedCACertificateAnchors;
+    private final CertStore trustedCACertificateCertStore;
+    private final AuthTokenSignatureValidator authTokenSignatureValidator;
+    private final AuthTokenValidationConfiguration configuration;
+    private final OcspClient ocspClient;
+    private final OcspServiceProvider ocspServiceProvider;
+
+    public AuthTokenV1Validator(
+        SubjectCertificateValidatorBatch simpleSubjectCertificateValidators,
+        Set<TrustAnchor> trustedCACertificateAnchors,
+        CertStore trustedCACertificateCertStore,
+        AuthTokenSignatureValidator authTokenSignatureValidator,
+        AuthTokenValidationConfiguration configuration,
+        OcspClient ocspClient,
+        OcspServiceProvider ocspServiceProvider
+    ) {
+        this.simpleSubjectCertificateValidators = simpleSubjectCertificateValidators;
+        this.trustedCACertificateAnchors = trustedCACertificateAnchors;
+        this.trustedCACertificateCertStore = trustedCACertificateCertStore;
+        this.authTokenSignatureValidator = authTokenSignatureValidator;
+        this.configuration = configuration;
+        this.ocspClient = ocspClient;
+        this.ocspServiceProvider = ocspServiceProvider;
+    }
+
+    @Override
+    public boolean supports(String format) {
+        return format != null && format.startsWith(SUPPORTED_TOKEN_FORMAT_VERSION);
+    }
+
+    @Override
+    public WebEidAuthToken parse(String authToken) throws AuthTokenException {
+        throw new UnsupportedOperationException("Parsing is handled by AuthTokenValidatorImpl. " + this.getClass().getSimpleName() + " only supports validation.");
+    }
+
+    @Override
+    public X509Certificate validate(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
+        if (token.getFormat() == null || token.getFormat().isBlank()) {
+            throw new AuthTokenParseException("'format' field is missing");
+        }
+        if (!token.getFormat().startsWith(SUPPORTED_TOKEN_FORMAT_VERSION)) {
+            throw new AuthTokenParseException("Only token format version '" + SUPPORTED_TOKEN_FORMAT_VERSION + "' is currently supported");
+        }
+
+        if (token.getUnverifiedCertificate() == null || token.getUnverifiedCertificate().isEmpty()) {
+            throw new AuthTokenParseException("'unverifiedCertificate' field is missing, null or empty");
+        }
+
+        final X509Certificate subjectCertificate = CertificateLoader.decodeCertificateFromBase64(token.getUnverifiedCertificate());
+
+        simpleSubjectCertificateValidators.executeFor(subjectCertificate);
+        getCertTrustValidators().executeFor(subjectCertificate);
+
+        // It is guaranteed that if the signature verification succeeds, then the origin and challenge
+        // have been implicitly and correctly verified without the need to implement any additional checks.
+        authTokenSignatureValidator.validate(
+            token.getAlgorithm(),
+            token.getSignature(),
+            subjectCertificate.getPublicKey(),
+            currentChallengeNonce
+        );
+
+        return subjectCertificate;
+    }
+
+    /**
+     * Creates the certificate trust validators batch.
+     * As SubjectCertificateTrustedValidator has mutable state that SubjectCertificateNotRevokedValidator depends on,
+     * they cannot be reused/cached in an instance variable in a multi-threaded environment. Hence, they are
+     * re-created for each validation run for thread safety.
+     *
+     * @return certificate trust validator batch
+     */
+    private SubjectCertificateValidatorBatch getCertTrustValidators() {
+        return createCertTrustValidators(
+            configuration,
+            trustedCACertificateAnchors,
+            trustedCACertificateCertStore,
+            ocspClient,
+            ocspServiceProvider
+        );
+    }
+
+    public static SubjectCertificateValidatorBatch createCertTrustValidators(
+        AuthTokenValidationConfiguration configuration,
+        Set<TrustAnchor> trustedCACertificateAnchors,
+        CertStore trustedCACertificateCertStore,
+        OcspClient ocspClient,
+        OcspServiceProvider ocspServiceProvider
+    ) {
+        final SubjectCertificateTrustedValidator certTrustedValidator =
+            new SubjectCertificateTrustedValidator(trustedCACertificateAnchors, trustedCACertificateCertStore);
+
+        return SubjectCertificateValidatorBatch.createFrom(
+            certTrustedValidator::validateCertificateTrusted
+        ).addOptional(configuration.isUserCertificateRevocationCheckWithOcspEnabled(),
+            new SubjectCertificateNotRevokedValidator(
+                certTrustedValidator,
+                ocspClient, ocspServiceProvider,
+                configuration.getAllowedOcspResponseTimeSkew(),
+                configuration.getMaxOcspResponseThisUpdateAge()
+            )::validateCertificateNotRevoked
+        );
+    }
+}

src/main/java/eu/webeid/security/validator/AuthTokenValidator.java

@@ -34,6 +34,14 @@
  */
 public interface AuthTokenValidator {
 
+    /**
+     * Returns whether this validator supports validation of the given token format.
+     *
+     * @param format the format string from the Web eID authentication token (e.g. "web-eid:1.0", "web-eid:1.1")
+     * @return true if this validator can handle the given format, false otherwise
+     */
+    boolean supports(String format);
+
     /**
      * Parses the Web eID authentication token signed by the subject.
      *

src/main/java/eu/webeid/security/validator/AuthTokenValidatorFactory.java

@@ -0,0 +1,20 @@
+package eu.webeid.security.validator;
+
+import eu.webeid.security.exceptions.AuthTokenParseException;
+
+import java.util.List;
+
+public final class AuthTokenValidatorFactory {
+    private final List<AuthTokenValidator> validators;
+
+    public AuthTokenValidatorFactory(List<AuthTokenValidator> validators) {
+        this.validators = List.copyOf(validators);
+    }
+
+    public AuthTokenValidator requireFor(String format) throws AuthTokenParseException {
+        return validators.stream()
+                .filter(v -> v.supports(format))
+                .findFirst()
+                .orElseThrow(() -> new AuthTokenParseException("Only token format version 'web-eid:1' is currently supported"));
+    }
+}