NFC-46 Delegate to super.validate first and fix tests. Centralize common parse logic in AuthTokenValidator and remove duplicates. Move null/empty check into validateSupportedSignatureAlgorithms. Signing cert authority and key check.

Author: SanderKondratjevNortal

src/main/java/eu/webeid/security/validator/AuthTokenV11Validator.java

@@ -8,10 +8,12 @@
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
+import org.bouncycastle.asn1.x509.Extension;
 
 import java.security.cert.CertStore;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.List;
 import java.util.Set;
 
@@ -26,6 +28,7 @@ class AuthTokenV11Validator extends AuthTokenV1Validator {
         "SHA-224", "SHA-256", "SHA-384", "SHA-512",
         "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512"
     );
+    private static final int KEY_USAGE_NON_REPUDIATION = 1;
 
     public AuthTokenV11Validator(
         SubjectCertificateValidatorBatch simpleSubjectCertificateValidators,
@@ -62,23 +65,34 @@ public X509Certificate validate(WebEidAuthToken token, String currentChallengeNo
             throw new AuthTokenParseException("'unverifiedSigningCertificate' field is missing, null or empty for format 'web-eid:1.1'");
         }
 
-        if (token.getSupportedSignatureAlgorithms() == null || token.getSupportedSignatureAlgorithms().isEmpty()) {
-            throw new AuthTokenParseException("'supportedSignatureAlgorithms' field is missing");
-        }
-
         validateSupportedSignatureAlgorithms(token.getSupportedSignatureAlgorithms());
 
-        final X509Certificate subjectCertificate = CertificateLoader.decodeCertificateFromBase64(token.getUnverifiedCertificate());
+        final X509Certificate subjectCertificate = validateV1(token, currentChallengeNonce);
         final X509Certificate signingCertificate = CertificateLoader.decodeCertificateFromBase64(token.getUnverifiedSigningCertificate());
 
         if (!subjectCertificate.getSubjectX500Principal().equals(signingCertificate.getSubjectX500Principal())) {
             throw new AuthTokenParseException("Signing certificate subject does not match authentication certificate subject");
         }
 
-        return super.validate(token, currentChallengeNonce);
+        byte[] subjectSki = subjectCertificate.getExtensionValue(Extension.subjectKeyIdentifier.getId());
+        byte[] signingAki = signingCertificate.getExtensionValue(Extension.authorityKeyIdentifier.getId());
+        if (subjectSki != null && signingAki != null && !Arrays.equals(subjectSki, signingAki)) {
+            throw new AuthTokenParseException("Signing certificate not issued by same authority as authentication certificate");
+        }
+
+        boolean[] keyUsage = signingCertificate.getKeyUsage();
+        if (keyUsage == null || keyUsage.length <= KEY_USAGE_NON_REPUDIATION || !keyUsage[KEY_USAGE_NON_REPUDIATION]) {
+            throw new AuthTokenParseException("Signing certificate does not have nonRepudiation key usage");
+        }
+
+        return subjectCertificate;
     }
 
     private static void validateSupportedSignatureAlgorithms(List<SupportedSignatureAlgorithm> algorithms) throws AuthTokenParseException {
+        if (algorithms == null || algorithms.isEmpty()) {
+            throw new AuthTokenParseException("'supportedSignatureAlgorithms' field is missing");
+        }
+
         boolean hasInvalid = algorithms.stream().anyMatch(supportedSignatureAlgorithm ->
             !SUPPORTED_CRYPTO_ALGORITHMS.contains(supportedSignatureAlgorithm.getCryptoAlgorithm()) ||
                 !SUPPORTED_HASH_FUNCTIONS.contains(supportedSignatureAlgorithm.getHashFunction()) ||
@@ -89,4 +103,8 @@ private static void validateSupportedSignatureAlgorithms(List<SupportedSignature
             throw new AuthTokenParseException("Unsupported signature algorithm");
         }
     }
+
+    protected X509Certificate validateV1(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
+        return super.validate(token, currentChallengeNonce);
+    }
 }

src/main/java/eu/webeid/security/validator/AuthTokenV1Validator.java

@@ -1,6 +1,5 @@
 package eu.webeid.security.validator;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.certificate.CertificateLoader;
 import eu.webeid.security.exceptions.AuthTokenException;
@@ -11,7 +10,6 @@
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
 
-import java.io.IOException;
 import java.security.cert.CertStore;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
@@ -52,19 +50,6 @@ public boolean supports(String format) {
         return format != null && format.startsWith(SUPPORTED_TOKEN_FORMAT_VERSION);
     }
 
-    @Override
-    public WebEidAuthToken parse(String authToken) throws AuthTokenException {
-        try {
-            final WebEidAuthToken token = new ObjectMapper().readValue(authToken, WebEidAuthToken.class);
-            if (token == null) {
-                throw new AuthTokenParseException("Web eID authentication token is null");
-            }
-            return token;
-        } catch (IOException e) {
-            throw new AuthTokenParseException("Error parsing Web eID authentication token", e);
-        }
-    }
-
     @Override
     public X509Certificate validate(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
         if (token.getFormat() == null || token.getFormat().isBlank()) {

src/main/java/eu/webeid/security/validator/AuthTokenValidator.java

@@ -22,11 +22,15 @@
 
 package eu.webeid.security.validator;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectReader;
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.certificate.CertificateData;
 import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.exceptions.AuthTokenParseException;
 import eu.webeid.security.util.Strings;
 
+import java.io.IOException;
 import java.security.cert.X509Certificate;
 
 /**
@@ -49,7 +53,25 @@ public interface AuthTokenValidator {
      * @return the Web eID authentication token
      * @throws AuthTokenException when parsing fails
      */
-    WebEidAuthToken parse(String authToken) throws AuthTokenException;
+    default WebEidAuthToken parse(String authToken) throws AuthTokenException {
+        try {
+            if (authToken == null || authToken.length() < 100) {
+                throw new AuthTokenParseException("Auth token is null or too short");
+            }
+            if (authToken.length() > 10000) {
+                throw new AuthTokenParseException("Auth token is too long");
+            }
+
+            ObjectReader reader = new ObjectMapper().readerFor(WebEidAuthToken.class);
+            WebEidAuthToken token = reader.readValue(authToken);
+            if (token == null) {
+                throw new AuthTokenParseException("Web eID authentication token is null");
+            }
+            return token;
+        } catch (IOException e) {
+            throw new AuthTokenParseException("Error parsing Web eID authentication token", e);
+        }
+    }
 
     /**
      * Validates the Web eID authentication token signed by the subject and returns

src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -22,12 +22,9 @@
 
 package eu.webeid.security.validator;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.ObjectReader;
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.certificate.CertificateValidator;
 import eu.webeid.security.exceptions.AuthTokenException;
-import eu.webeid.security.exceptions.AuthTokenParseException;
 import eu.webeid.security.exceptions.JceException;
 import eu.webeid.security.validator.certvalidators.SubjectCertificatePolicyValidator;
 import eu.webeid.security.validator.certvalidators.SubjectCertificatePurposeValidator;
@@ -38,7 +35,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.IOException;
 import java.security.cert.CertStore;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
@@ -51,11 +47,7 @@
  */
 final class AuthTokenValidatorImpl implements AuthTokenValidator {
 
-    private static final int TOKEN_MIN_LENGTH = 100;
-    private static final int TOKEN_MAX_LENGTH = 10000;
     private static final Logger LOG = LoggerFactory.getLogger(AuthTokenValidatorImpl.class);
-
-    private static final ObjectReader OBJECT_READER = new ObjectMapper().readerFor(WebEidAuthToken.class);
     private OcspServiceProvider ocspServiceProvider;
     private final AuthTokenValidatorFactory tokenValidatorFactory;
 
@@ -112,20 +104,6 @@ public boolean supports(String format) {
         return tokenValidatorFactory.supports(format);
     }
 
-    @Override
-    public WebEidAuthToken parse(String authToken) throws AuthTokenException {
-        try {
-            LOG.info("Starting token parsing");
-            validateTokenLength(authToken);
-            WebEidAuthToken token = parseToken(authToken);
-            return tokenValidatorFactory.requireFor(token.getFormat()).parse(authToken);
-        } catch (Exception e) {
-            // Generally "log and rethrow" is an anti-pattern, but it fits with the surrounding logging style.
-            LOG.warn("Token parsing was interrupted:", e);
-            throw e;
-        }
-    }
-
     @Override
     public X509Certificate validate(WebEidAuthToken authToken, String currentChallengeNonce) throws AuthTokenException {
         try {
@@ -137,25 +115,4 @@ public X509Certificate validate(WebEidAuthToken authToken, String currentChallen
             throw e;
         }
     }
-
-    private void validateTokenLength(String authToken) throws AuthTokenParseException {
-        if (authToken == null || authToken.length() < TOKEN_MIN_LENGTH) {
-            throw new AuthTokenParseException("Auth token is null or too short");
-        }
-        if (authToken.length() > TOKEN_MAX_LENGTH) {
-            throw new AuthTokenParseException("Auth token is too long");
-        }
-    }
-
-    private WebEidAuthToken parseToken(String authToken) throws AuthTokenParseException {
-        try {
-            final WebEidAuthToken token = OBJECT_READER.readValue(authToken);
-            if (token == null) {
-                throw new AuthTokenParseException("Web eID authentication token is null");
-            }
-            return token;
-        } catch (IOException e) {
-            throw new AuthTokenParseException("Error parsing Web eID authentication token", e);
-        }
-    }
 }