NFC-46 Add license header. Remove public from factory. Extract certificate validation steps into helper methods. Update test naming. Update error message. Add tests for Authority Key Identifier validation: mismatch between subject and signing cert, and missing AKI extension. Auth and sing cert for V11_AUTH_TOKEN_WRONG_CERT. Bring back comments.

Author: SanderKondratjevNortal

src/main/java/eu/webeid/security/validator/AuthTokenV11Validator.java

@@ -1,10 +1,33 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 package eu.webeid.security.validator;
 
 import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.certificate.CertificateLoader;
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.exceptions.AuthTokenParseException;
+import eu.webeid.security.exceptions.CertificateDecodingException;
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
@@ -64,52 +87,71 @@ public boolean supports(String format) {
     public X509Certificate validate(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
         final X509Certificate subjectCertificate = validateV1(token, currentChallengeNonce);
 
+        validateFormat(token);
+        final X509Certificate signingCertificate = validateSigningCertificateExists(token);
+        validateSupportedSignatureAlgorithms(token.getSupportedSignatureAlgorithms());
+        validateSameSubject(subjectCertificate, signingCertificate);
+        validateSameIssuer(subjectCertificate, signingCertificate);
+        validateKeyUsage(signingCertificate);
+
+        return subjectCertificate;
+    }
+
+    private static void validateSupportedSignatureAlgorithms(List<SupportedSignatureAlgorithm> algorithms) throws AuthTokenParseException {
+        if (algorithms == null || algorithms.isEmpty()) {
+            throw new AuthTokenParseException("'supportedSignatureAlgorithms' field is missing");
+        }
+
+        boolean hasInvalid = algorithms.stream().anyMatch(supportedSignatureAlgorithm ->
+            !SUPPORTED_CRYPTO_ALGORITHMS.contains(supportedSignatureAlgorithm.getCryptoAlgorithm()) ||
+                !SUPPORTED_HASH_FUNCTIONS.contains(supportedSignatureAlgorithm.getHashFunction()) ||
+                !SUPPORTED_PADDING_SCHEMES.contains(supportedSignatureAlgorithm.getPaddingScheme())
+        );
+
+        if (hasInvalid) {
+            throw new AuthTokenParseException("Unsupported signature algorithm");
+        }
+    }
+
+    private static void validateFormat(WebEidAuthToken token) throws AuthTokenParseException {
         if (token.getFormat() == null || !token.getFormat().startsWith(SUPPORTED_PREFIX)) {
             throw new AuthTokenParseException("Only token format '" + SUPPORTED_PREFIX + "' is supported by this validator");
         }
+    }
 
+    private static X509Certificate validateSigningCertificateExists(WebEidAuthToken token) throws AuthTokenParseException, CertificateDecodingException {
         if (isNullOrEmpty(token.getUnverifiedSigningCertificate())) {
             throw new AuthTokenParseException("'unverifiedSigningCertificate' field is missing, null or empty for format 'web-eid:1.1'");
         }
+        return CertificateLoader.decodeCertificateFromBase64(token.getUnverifiedSigningCertificate());
+    }
 
-        validateSupportedSignatureAlgorithms(token.getSupportedSignatureAlgorithms());
-
-        final X509Certificate signingCertificate = CertificateLoader.decodeCertificateFromBase64(token.getUnverifiedSigningCertificate());
-
-        if (!subjectAndSigningCertificateSubjectsMatch(subjectCertificate.getSubjectX500Principal(), signingCertificate.getSubjectX500Principal())) {
+    private static void validateSameSubject(X509Certificate subjectCertificate, X509Certificate signingCertificate)
+        throws AuthTokenParseException {
+        if (!subjectAndSigningCertificateSubjectsMatch(
+            subjectCertificate.getSubjectX500Principal(),
+            signingCertificate.getSubjectX500Principal())) {
             throw new AuthTokenParseException("Signing certificate subject does not match authentication certificate subject");
         }
+    }
 
+    private static void validateSameIssuer(X509Certificate subjectCertificate, X509Certificate signingCertificate)
+        throws AuthTokenParseException {
         byte[] subjectCertificateAuthorityKeyIdentifier = getAuthorityKeyIdentifier(subjectCertificate);
         byte[] signingCertificateAuthorityKeyIdentifier = getAuthorityKeyIdentifier(signingCertificate);
 
         if (subjectCertificateAuthorityKeyIdentifier.length == 0
             || signingCertificateAuthorityKeyIdentifier.length == 0
             || !Arrays.equals(subjectCertificateAuthorityKeyIdentifier, signingCertificateAuthorityKeyIdentifier)) {
-            throw new AuthTokenParseException("Signing certificate is not issued by the same issuing authority as the authentication certificate");
+            throw new AuthTokenParseException(
+                "Signing certificate is not issued by the same issuing authority as the authentication certificate");
         }
+    }
 
+    private static void validateKeyUsage(X509Certificate signingCertificate) throws AuthTokenParseException {
         boolean[] keyUsage = signingCertificate.getKeyUsage();
         if (keyUsage == null || keyUsage.length <= KEY_USAGE_NON_REPUDIATION || !keyUsage[KEY_USAGE_NON_REPUDIATION]) {
-            throw new AuthTokenParseException("Signing certificate not suitable for signing");
-        }
-
-        return subjectCertificate;
-    }
-
-    private static void validateSupportedSignatureAlgorithms(List<SupportedSignatureAlgorithm> algorithms) throws AuthTokenParseException {
-        if (algorithms == null || algorithms.isEmpty()) {
-            throw new AuthTokenParseException("'supportedSignatureAlgorithms' field is missing");
-        }
-
-        boolean hasInvalid = algorithms.stream().anyMatch(supportedSignatureAlgorithm ->
-            !SUPPORTED_CRYPTO_ALGORITHMS.contains(supportedSignatureAlgorithm.getCryptoAlgorithm()) ||
-                !SUPPORTED_HASH_FUNCTIONS.contains(supportedSignatureAlgorithm.getHashFunction()) ||
-                !SUPPORTED_PADDING_SCHEMES.contains(supportedSignatureAlgorithm.getPaddingScheme())
-        );
-
-        if (hasInvalid) {
-            throw new AuthTokenParseException("Unsupported signature algorithm");
+            throw new AuthTokenParseException("Signing certificate key usage extension missing or does not contain non-repudiation bit required for digital signatures");
         }
     }
 

src/main/java/eu/webeid/security/validator/AuthTokenV1Validator.java

@@ -1,3 +1,25 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 package eu.webeid.security.validator;
 
 import eu.webeid.security.authtoken.WebEidAuthToken;

src/main/java/eu/webeid/security/validator/AuthTokenValidatorFactory.java

@@ -4,18 +4,18 @@
 
 import java.util.List;
 
-public final class AuthTokenValidatorFactory {
+final class AuthTokenValidatorFactory {
     private final List<AuthTokenValidator> validators;
 
-    public AuthTokenValidatorFactory(List<AuthTokenValidator> validators) {
+    AuthTokenValidatorFactory(List<AuthTokenValidator> validators) {
         this.validators = List.copyOf(validators);
     }
 
-    public boolean supports(String format) {
+    boolean supports(String format) {
         return validators.stream().anyMatch(v -> v.supports(format));
     }
 
-    public AuthTokenValidator requireFor(String format) throws AuthTokenParseException {
+    AuthTokenValidator requireFor(String format) throws AuthTokenParseException {
         return validators.stream()
             .filter(v -> v.supports(format))
             .findFirst()

src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -52,8 +52,10 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
     private final AuthTokenValidatorFactory tokenValidatorFactory;
 
     AuthTokenValidatorImpl(AuthTokenValidationConfiguration configuration, OcspClient ocspClient) throws JceException {
+        // Copy the configuration object to make AuthTokenValidatorImpl immutable and thread-safe.
         final AuthTokenValidationConfiguration validationConfig = configuration.copy();
 
+        // Create and cache trusted CA certificate JCA objects for SubjectCertificateTrustedValidator and AiaOcspService.
         final Set<TrustAnchor> trustedCACertificateAnchors = CertificateValidator.buildTrustAnchorsFromCertificates(validationConfig.getTrustedCACertificates());
         final CertStore trustedCACertificateCertStore = CertificateValidator.buildCertStoreFromCertificates(validationConfig.getTrustedCACertificates());
 
@@ -64,6 +66,7 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
 
         // OcspClient uses built-in HttpClient internally by default.
         // A single HttpClient instance is reused for all HTTP calls to utilize connection and thread pools.
+        // The OCSP client may be provided by the API consumer.
         if (validationConfig.isUserCertificateRevocationCheckWithOcspEnabled()) {
             Objects.requireNonNull(ocspClient, "OCSP client must not be null when OCSP check is enabled");
             ocspServiceProvider = new OcspServiceProvider(

src/test/java/eu/webeid/security/validator/AuthTokenCertificateTest.java

@@ -415,9 +415,36 @@ void whenV11SigningCertificateNotIssuedBySameAuthority_thenValidationFails() thr
 
         X509Certificate mockSigningCert = mock(X509Certificate.class);
         when(mockSigningCert.getSubjectX500Principal()).thenReturn(realSubjectCert.getSubjectX500Principal());
-        when(mockSigningCert.getIssuerX500Principal()).thenReturn(
-            new javax.security.auth.x500.X500Principal("CN=Other Test CA, O=Other Org, C=EE")
-        );
+
+        byte[] realAki = realSubjectCert.getExtensionValue(Extension.authorityKeyIdentifier.getId());
+        byte[] differentAki = realAki.clone();
+        if (differentAki.length > 0) {
+            differentAki[differentAki.length - 1] ^= (byte) 0xFF;
+        }
+        when(mockSigningCert.getExtensionValue(Extension.authorityKeyIdentifier.getId())).thenReturn(differentAki);
+
+        try (MockedStatic<CertificateLoader> mocked = mockStatic(CertificateLoader.class)) {
+            mocked.when(() -> CertificateLoader.decodeCertificateFromBase64(parsedToken.getUnverifiedCertificate()))
+                .thenReturn(realSubjectCert);
+            mocked.when(() -> CertificateLoader.decodeCertificateFromBase64(parsedToken.getUnverifiedSigningCertificate()))
+                .thenReturn(mockSigningCert);
+
+            assertThatThrownBy(() -> spyValidator.validate(parsedToken, VALID_CHALLENGE_NONCE))
+                .isInstanceOf(AuthTokenParseException.class)
+                .hasMessage("Signing certificate is not issued by the same issuing authority as the authentication certificate");
+        }
+    }
+
+    @Test
+    void whenV11SigningCertificateHasNoAuthorityKeyIdentifier_thenValidationFails() throws Exception {
+        AuthTokenV11Validator spyValidator = spyAuthTokenV11Validator();
+        WebEidAuthToken parsedToken = OBJECT_READER.readValue(V11_AUTH_TOKEN, WebEidAuthToken.class);
+        X509Certificate realSubjectCert = CertificateLoader.decodeCertificateFromBase64(parsedToken.getUnverifiedCertificate());
+        doReturn(realSubjectCert).when(spyValidator).validateV1(any(), any());
+
+        X509Certificate mockSigningCert = mock(X509Certificate.class);
+        when(mockSigningCert.getSubjectX500Principal()).thenReturn(realSubjectCert.getSubjectX500Principal());
+        when(mockSigningCert.getExtensionValue(Extension.authorityKeyIdentifier.getId())).thenReturn(null);
 
         try (MockedStatic<CertificateLoader> mocked = mockStatic(CertificateLoader.class)) {
             mocked.when(() -> CertificateLoader.decodeCertificateFromBase64(parsedToken.getUnverifiedCertificate()))
@@ -453,7 +480,7 @@ void whenV11SigningCertificateNotSuitableForSigning_thenValidationFails() throws
 
             assertThatThrownBy(() -> spyValidator.validate(parsedToken, VALID_CHALLENGE_NONCE))
                 .isInstanceOf(AuthTokenParseException.class)
-                .hasMessage("Signing certificate not suitable for signing");
+                .hasMessage("Signing certificate key usage extension missing or does not contain non-repudiation bit required for digital signatures");
         }
     }