NFC-46 Fix challenge and nonce and ocsp related issues

Author: SanderKondratjevNortal

src/main/java/eu/webeid/security/authtoken/WebEidAuthToken.java

@@ -33,8 +33,8 @@ public class WebEidAuthToken {
     private String signature;
     private String algorithm;
     private String format;
+    private String challenge;
 
-    // NFC-specific fields
     private String unverifiedSigningCertificate;
     private List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms;
 
@@ -70,6 +70,14 @@ public void setFormat(String format) {
         this.format = format;
     }
 
+    public String getChallenge() {
+        return challenge;
+    }
+
+    public void setChallenge(String challenge) {
+        this.challenge = challenge;
+    }
+
     public String getUnverifiedSigningCertificate() {
         return unverifiedSigningCertificate;
     }

src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -87,11 +87,6 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
             new SubjectCertificatePolicyValidator(configuration.getDisallowedSubjectCertificatePolicies())::validateCertificatePolicies
         );
 
-        this.nfcAuthTokenValidator = new NfcAuthTokenValidator(
-            simpleSubjectCertificateValidators,
-            getCertTrustValidators()
-        );
-
         if (configuration.isUserCertificateRevocationCheckWithOcspEnabled()) {
             // The OCSP client may be provided by the API consumer.
             this.ocspClient = Objects.requireNonNull(ocspClient, "OCSP client must not be null when OCSP check is enabled");
@@ -102,6 +97,11 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
                     trustedCACertificateCertStore));
         }
 
+        this.nfcAuthTokenValidator = new NfcAuthTokenValidator(
+            simpleSubjectCertificateValidators,
+            this::getCertTrustValidators
+        );
+
         authTokenSignatureValidator = new AuthTokenSignatureValidator(configuration.getSiteOrigin());
     }
 

src/main/java/eu/webeid/security/validator/NfcAuthTokenValidator.java

@@ -1,25 +1,3 @@
-/*
- * Copyright (c) 2020-2025 Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
 package eu.webeid.security.validator;
 
 import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
@@ -32,20 +10,21 @@
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Set;
+import java.util.function.Supplier;
 
 import static eu.webeid.security.util.Strings.isNullOrEmpty;
 
 public class NfcAuthTokenValidator {
 
     private final SubjectCertificateValidatorBatch simpleSubjectCertificateValidators;
-    private final SubjectCertificateValidatorBatch certTrustValidators;
+    private final Supplier<SubjectCertificateValidatorBatch> certTrustValidatorsSupplier;
 
     NfcAuthTokenValidator(
         SubjectCertificateValidatorBatch simpleSubjectCertificateValidators,
-        SubjectCertificateValidatorBatch certTrustValidators
+        Supplier<SubjectCertificateValidatorBatch> certTrustValidatorsSupplier
     ) {
         this.simpleSubjectCertificateValidators = simpleSubjectCertificateValidators;
-        this.certTrustValidators = certTrustValidators;
+        this.certTrustValidatorsSupplier = certTrustValidatorsSupplier;
     }
 
     void validate(WebEidAuthToken token, X509Certificate subjectCertificate) throws AuthTokenException {
@@ -59,19 +38,20 @@ void validate(WebEidAuthToken token, X509Certificate subjectCertificate) throws
 
         validateSupportedSignatureAlgorithms(token.getSupportedSignatureAlgorithms());
 
-        final X509Certificate signingCertificate = CertificateLoader.decodeCertificateFromBase64(token.getUnverifiedSigningCertificate());
+        final X509Certificate signingCertificate =
+            CertificateLoader.decodeCertificateFromBase64(token.getUnverifiedSigningCertificate());
 
         if (!subjectCertificate.getSubjectX500Principal().equals(signingCertificate.getSubjectX500Principal())) {
             throw new AuthTokenParseException("Signing certificate subject does not match authentication certificate subject");
         }
 
         simpleSubjectCertificateValidators.executeFor(signingCertificate);
-        certTrustValidators.executeFor(signingCertificate);
+        certTrustValidatorsSupplier.get().executeFor(signingCertificate);
     }
 
     private static void validateSupportedSignatureAlgorithms(List<SupportedSignatureAlgorithm> algorithms) throws AuthTokenParseException {
         boolean hasInvalid = algorithms.stream().anyMatch(supportedSignatureAlgorithm ->
-                   !isValidCryptoAlgorithm(supportedSignatureAlgorithm.getCryptoAlgorithm())
+            !isValidCryptoAlgorithm(supportedSignatureAlgorithm.getCryptoAlgorithm())
                 || !isValidHashFunction(supportedSignatureAlgorithm.getHashFunction())
                 || !isValidPaddingScheme(supportedSignatureAlgorithm.getPaddingScheme())
         );