refactor(OCSP): simplify AIA OCSP configuration, use single truststore for subject and OCSP responder certificates, add truste CA certifcates validation

WE2-432

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

README.md

@@ -145,6 +145,7 @@ import java.security.cert.X509Certificate;
 
 ## 5. Add trusted OCSP responder certificates
 
+FIXME: describe the fallback scheme. As everything works out of the box, move below under andvanced config.
 - AIA
 - Designated
 
@@ -350,6 +351,7 @@ String nonce = nonceGenerator.generateAndStoreNonce();
 The `generateAndStoreNonce()` method both generates the nonce and stores it in the cache.
 
 ## Extended configuration  
+
 The following additional configuration options are available in `NonceGeneratorBuilder`:
 
 - `withNonceTtl(Duration duration)` – overrides the default nonce time-to-live duration. When the time-to-live passes, the nonce is considered to be expired. Default nonce time-to-live is 5 minutes.
@@ -363,14 +365,3 @@ NonceGenerator generator = new NonceGeneratorBuilder()
         .withSecureRandom(customSecureRandom)  
         .build();
 ```
-
-## Frequently asked questions
-
-### How can I find the AIA OCSP service URLs?
-
-You can find the AIA OCSP service URLs from the electronic ID certificate profile documents, in the section that describes certificate extensions.
-The AIA OCSP extension OID is 1.3.6.1.5.5.7.48.1.
-
-For example, the EstEID AIA URLs are specified in the documents
-[*Certificate, CRL and OCSP Profile for identification documents of the Republic of Estonia*](https://www.skidsolutions.eu/upload/files/SK-CPR-ESTEID-EN-v8_4-20200630.pdf) and
-[*Certificate, CRL and OCSP Profile for ID-1 Format Identity Documents Issued by the Republic of Estonia*](https://www.skidsolutions.eu/upload/files/SK-CPR-ESTEID2018-EN-v1_2_20200630.pdf).

pom.xml

@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>authtoken-validation</artifactId>
     <groupId>org.webeid.security</groupId>
-    <version>2.0.0</version>
+    <version>1.2.0</version>
     <packaging>jar</packaging>
     <name>authtoken-validation</name>
     <description>Web eID authentication token validation library for Java</description>
@@ -16,10 +16,11 @@
         <java.version>1.8</java.version>
         <jjwt.version>0.11.2</jjwt.version>
         <slf4j.version>1.7.30</slf4j.version>
-        <bouncycastle.version>1.65</bouncycastle.version>
+        <bouncycastle.version>1.69</bouncycastle.version>
         <caffeine.version>2.8.5</caffeine.version>
         <junit-jupiter.version>5.6.2</junit-jupiter.version>
         <assertj.version>3.17.2</assertj.version>
+        <mockito.version>3.12.4</mockito.version>
         <jacoco.version>0.8.5</jacoco.version>
         <sonar.coverage.jacoco.xmlReportPaths>
             ${project.basedir}/../jacoco-coverage-report/target/site/jacoco-aggregate/jacoco.xml
@@ -96,6 +97,12 @@
             <version>${assertj.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <version>${mockito.version}</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-simple</artifactId>

src/main/java/org/webeid/security/certificate/CertificateData.java

@@ -37,29 +37,35 @@
 public final class CertificateData {
 
     public static String getSubjectCN(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.CN);
+        return getSubjectField(certificate, BCStyle.CN);
     }
 
     public static String getSubjectSurname(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.SURNAME);
+        return getSubjectField(certificate, BCStyle.SURNAME);
     }
 
     public static String getSubjectGivenName(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.GIVENNAME);
+        return getSubjectField(certificate, BCStyle.GIVENNAME);
     }
 
     public static String getSubjectIdCode(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.SERIALNUMBER);
+        return getSubjectField(certificate, BCStyle.SERIALNUMBER);
     }
 
     public static String getSubjectCountryCode(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.C);
+        return getSubjectField(certificate, BCStyle.C);
     }
 
-    private static String getField(X509Certificate certificate, ASN1ObjectIdentifier fieldId) throws CertificateEncodingException {
-        final X500Name x500Name = new JcaX509CertificateHolder(certificate).getSubject();
+    private static String getSubjectField(X509Certificate certificate, ASN1ObjectIdentifier fieldId) throws CertificateEncodingException {
+        return getField(new JcaX509CertificateHolder(certificate).getSubject(), fieldId);
+    }
+
+    private static String getField(X500Name x500Name, ASN1ObjectIdentifier fieldId) throws CertificateEncodingException {
         // Example value: [C=EE, CN=JÕEORG\,JAAK-KRISTJAN\,38001085718, 2.5.4.4=#0c074ac395454f5247, 2.5.4.42=#0c0d4a41414b2d4b524953544a414e, 2.5.4.5=#1311504e4f45452d3338303031303835373138]
         final RDN[] rdns = x500Name.getRDNs(fieldId);
+        if (rdns.length == 0 || rdns[0].getFirst() == null) {
+            throw new CertificateEncodingException("X500 name RDNs empty or first element is null");
+        }
         return Arrays.stream(rdns)
             .map(rdn -> IETFUtils.valueToString(rdn.getFirst().getValue()))
             .collect(Collectors.joining(", "));

src/main/java/org/webeid/security/certificate/CertificateValidator.java

@@ -2,41 +2,41 @@
 
 import org.webeid.security.exceptions.CertificateNotTrustedException;
 import org.webeid.security.exceptions.JceException;
-import org.webeid.security.exceptions.UserCertificateExpiredException;
-import org.webeid.security.exceptions.UserCertificateNotYetValidException;
+import org.webeid.security.exceptions.CertificateExpiredException;
+import org.webeid.security.exceptions.CertificateNotYetValidException;
 
 import java.security.GeneralSecurityException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertPathBuilder;
 import java.security.cert.CertPathBuilderException;
 import java.security.cert.CertStore;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.CollectionCertStoreParameters;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.PKIXCertPathBuilderResult;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.Date;
 import java.util.Set;
 import java.util.stream.Collectors;
 
 public final class CertificateValidator {
 
-    /**
-     * Checks whether the certificate was valid on the given date.
-     */
-    public static void certificateIsValidOnDate(X509Certificate cert, Date date) throws UserCertificateNotYetValidException, UserCertificateExpiredException {
+    public static void certificateIsValidOnDate(X509Certificate cert, Date date, String subject) throws CertificateNotYetValidException, CertificateExpiredException {
         try {
             cert.checkValidity(date);
-        } catch (CertificateNotYetValidException e) {
-            throw new UserCertificateNotYetValidException(e);
-        } catch (CertificateExpiredException e) {
-            throw new UserCertificateExpiredException(e);
+        } catch (java.security.cert.CertificateNotYetValidException e) {
+            throw new CertificateNotYetValidException(subject, e);
+        } catch (java.security.cert.CertificateExpiredException e) {
+            throw new CertificateExpiredException(subject, e);
+        }
+    }
+
+    public static void trustedCACertificatesAreValidOnDate(Set<TrustAnchor> trustedCACertificateAnchors, Date date) throws CertificateNotYetValidException, CertificateExpiredException {
+        for (TrustAnchor cert : trustedCACertificateAnchors) {
+            certificateIsValidOnDate(cert.getTrustedCert(), date, "Trusted CA");
         }
     }
 
@@ -70,10 +70,6 @@ public static Set<TrustAnchor> buildTrustAnchorsFromCertificates(Collection<X509
             .collect(Collectors.toSet());
     }
 
-    public static Set<TrustAnchor> buildTrustAnchorsFromCertificate(X509Certificate certificate) {
-        return buildTrustAnchorsFromCertificates(Collections.singleton(certificate));
-    }
-
     public static CertStore buildCertStoreFromCertificates(Collection<X509Certificate> certificates) throws JceException {
         // We use the default JCE provider as there is no reason to use Bouncy Castle, moreover BC requires
         // the validated certificate to be in the certificate store which breaks the clean immutable usage of
@@ -85,10 +81,6 @@ public static CertStore buildCertStoreFromCertificates(Collection<X509Certificat
         }
     }
 
-    public static CertStore buildCertStoreFromCertificate(X509Certificate certificate) throws JceException {
-        return buildCertStoreFromCertificates(Collections.singleton(certificate));
-    }
-
     private CertificateValidator() {
         throw new IllegalStateException("Utility class");
     }

src/main/java/org/webeid/security/exceptions/AiaOcspResponderConfigurationException.java

@@ -25,8 +25,8 @@
 /**
  * Thrown when the user certificate valid until date is in the past.
  */
-public class UserCertificateExpiredException extends TokenValidationException {
-    public UserCertificateExpiredException(Throwable cause) {
-        super("User certificate has expired", cause);
+public class CertificateExpiredException extends TokenValidationException {
+    public CertificateExpiredException(String subject, Throwable cause) {
+        super(subject + " certificate has expired", cause);
     }
 }

src/main/java/org/webeid/security/exceptions/UserCertificateExpiredException.java renamed to src/main/java/org/webeid/security/exceptions/CertificateExpiredException.java

@@ -23,10 +23,10 @@
 package org.webeid.security.exceptions;
 
 /**
- * Thrown when the user certificate valid from date is in the future.
+ * Thrown when the certificate's valid from date is in the future.
  */
-public class UserCertificateNotYetValidException extends TokenValidationException {
-    public UserCertificateNotYetValidException(Throwable cause) {
-        super("User certificate is not yet valid", cause);
+public class CertificateNotYetValidException extends TokenValidationException {
+    public CertificateNotYetValidException(String subject, Throwable cause) {
+        super(subject + " certificate is not yet valid", cause);
     }
 }

src/main/java/org/webeid/security/exceptions/UserCertificateNotYetValidException.java renamed to src/main/java/org/webeid/security/exceptions/CertificateNotYetValidException.java

@@ -24,7 +24,6 @@
 
 import com.google.common.collect.Sets;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.webeid.security.validator.ocsp.service.AiaOcspServiceConfiguration;
 import org.webeid.security.validator.ocsp.service.DesignatedOcspServiceConfiguration;
 import org.webeid.security.validator.validators.OriginValidator;
 
@@ -38,23 +37,20 @@
 import java.util.Objects;
 
 import static org.webeid.security.nonce.NonceGeneratorBuilder.requirePositiveDuration;
-import static org.webeid.security.util.SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY;
-import static org.webeid.security.util.SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY_V1;
-import static org.webeid.security.util.SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY_V2;
-import static org.webeid.security.util.SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY_V3;
+import static org.webeid.security.validator.ocsp.OcspUrl.AIA_ESTEID_2015;
+import static org.webeid.security.util.SubjectCertificatePolicies.*;
 
 /**
  * Stores configuration parameters for {@link AuthTokenValidatorImpl}.
  */
-final class AuthTokenValidationConfiguration {
+public final class AuthTokenValidationConfiguration {
 
     private URI siteOrigin;
     private Cache<String, ZonedDateTime> nonceCache;
     private Collection<X509Certificate> trustedCACertificates = new HashSet<>();
     private boolean isUserCertificateRevocationCheckWithOcspEnabled = true;
     private Duration ocspRequestTimeout = Duration.ofSeconds(5);
     private Duration allowedClientClockSkew = Duration.ofMinutes(3);
-    private AiaOcspServiceConfiguration aiaOcspServiceConfiguration;
     private DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration;
     private boolean isSiteCertificateFingerprintValidationEnabled = false;
     private String siteCertificateSha256Fingerprint;
@@ -65,6 +61,8 @@ final class AuthTokenValidationConfiguration {
         ESTEID_SK_2015_MOBILE_ID_POLICY_V3,
         ESTEID_SK_2015_MOBILE_ID_POLICY
     );
+    // Disable OCSP nonce extension for EstEID 2015 cards by default.
+    private Collection<URI> nonceDisabledOcspUrls = Sets.newHashSet(AIA_ESTEID_2015);
 
     AuthTokenValidationConfiguration() {
     }
@@ -76,11 +74,11 @@ private AuthTokenValidationConfiguration(AuthTokenValidationConfiguration other)
         this.isUserCertificateRevocationCheckWithOcspEnabled = other.isUserCertificateRevocationCheckWithOcspEnabled;
         this.ocspRequestTimeout = other.ocspRequestTimeout;
         this.allowedClientClockSkew = other.allowedClientClockSkew;
-        this.aiaOcspServiceConfiguration = other.aiaOcspServiceConfiguration;
         this.designatedOcspServiceConfiguration = other.designatedOcspServiceConfiguration;
         this.isSiteCertificateFingerprintValidationEnabled = other.isSiteCertificateFingerprintValidationEnabled;
         this.siteCertificateSha256Fingerprint = other.siteCertificateSha256Fingerprint;
         this.disallowedSubjectCertificatePolicies = new HashSet<>(other.disallowedSubjectCertificatePolicies);
+        this.nonceDisabledOcspUrls = new HashSet<>(other.nonceDisabledOcspUrls);
     }
 
     void setSiteOrigin(URI siteOrigin) {
@@ -127,14 +125,6 @@ Duration getAllowedClientClockSkew() {
         return allowedClientClockSkew;
     }
 
-    public AiaOcspServiceConfiguration getAiaOcspServiceConfiguration() {
-        return aiaOcspServiceConfiguration;
-    }
-
-    public void setAiaOcspServiceConfiguration(AiaOcspServiceConfiguration aiaOcspServiceConfiguration) {
-        this.aiaOcspServiceConfiguration = aiaOcspServiceConfiguration;
-    }
-
     public DesignatedOcspServiceConfiguration getDesignatedOcspServiceConfiguration() {
         return designatedOcspServiceConfiguration;
     }
@@ -160,6 +150,10 @@ public Collection<ASN1ObjectIdentifier> getDisallowedSubjectCertificatePolicies(
         return disallowedSubjectCertificatePolicies;
     }
 
+    public Collection<URI> getNonceDisabledOcspUrls() {
+        return nonceDisabledOcspUrls;
+    }
+
     /**
      * Checks that the configuration parameters are valid.
      *
@@ -173,18 +167,6 @@ void validate() {
         if (trustedCACertificates.isEmpty()) {
             throw new IllegalArgumentException("At least one trusted certificate authority must be provided");
         }
-        if (isUserCertificateRevocationCheckWithOcspEnabled) {
-            if (aiaOcspServiceConfiguration == null && designatedOcspServiceConfiguration == null) {
-                throw new IllegalArgumentException("Either AIA or designated OCSP service configuration must be provided");
-            }
-            if (aiaOcspServiceConfiguration != null && designatedOcspServiceConfiguration != null) {
-                throw new IllegalArgumentException("AIA and designated OCSP service configuration cannot provided together, " +
-                    "please provide either one or the other");
-            }
-        } else if (aiaOcspServiceConfiguration != null || designatedOcspServiceConfiguration != null) {
-            throw new IllegalArgumentException("When user certificate OCSP check is disabled, " +
-                "AIA or designated OCSP service configuration should not be provided");
-        }
         requirePositiveDuration(ocspRequestTimeout, "OCSP request timeout");
         requirePositiveDuration(allowedClientClockSkew, "Allowed client clock skew");
         if (isSiteCertificateFingerprintValidationEnabled) {