refactor(OCSP): simplify AIA OCSP configuration, use single truststore for subject and OCSP responder certificates, add trusted CA certifcates validation

WE2-432

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

README.md

@@ -143,11 +143,6 @@ import java.security.cert.X509Certificate;
 ...
 ```
 
-## 5. Add trusted OCSP responder certificates
-
-- AIA
-- Designated
-
 ## 5. Configure the authentication token validator
 
 Once the prerequisites have been met, the authentication token validator itself can be configured.
@@ -294,12 +289,13 @@ toTitleCase(CertUtil.getSubjectSurname(userCertificate)); // "Jõeorg"
 
 The following additional configuration options are available in `AuthTokenValidatorBuilder`:  
 
-- `withSiteCertificateSha256Fingerprint(String siteCertificateFingerprint)` – turns on origin website certificate fingerprint validation. The validator checks that the site certificate fingerprint from the authentication token matches with the provided site certificate SHA-256 fingerprint. This disables powerful man-in-the-middle attacks where attackers are able to issue falsified certificates for the origin, but also disables TLS proxy usage. Due to the technical limitations of web browsers, certificate fingerprint validation currently works only with Firefox. The provided certificate SHA-256 fingerprint should have the prefix `urn:cert:sha-256:` followed by the hexadecimal encoding of the hash value octets as specified in [URN Namespace for Certificates](https://tools.ietf.org/id/draft-seantek-certspec-01.html). Certificate fingerprint validation is disabled by default.
-- `withoutUserCertificateRevocationCheckWithOcsp()` – turns off user certificate revocation check with OCSP. The OCSP URL is extracted from the user certificate AIA extension. OCSP check is enabled by default.
+- `withSiteCertificateSha256Fingerprint(String siteCertificateFingerprint)` – turns on origin website certificate fingerprint validation. The validator checks that the site certificate fingerprint from the authentication token matches with the provided site certificate SHA-256 fingerprint. This disables powerful man-in-the-middle attacks where attackers are able to issue falsified certificates for the origin, but also disables TLS proxy usage. Due to the technical limitations of web browsers, certificate fingerprint validation is an experimental feature that currently works only with Firefox. The provided certificate SHA-256 fingerprint should have the prefix `urn:cert:sha-256:` followed by the hexadecimal encoding of the hash value octets as specified in [URN Namespace for Certificates](https://tools.ietf.org/id/draft-seantek-certspec-01.html). Certificate fingerprint validation is disabled by default.
+- `withoutUserCertificateRevocationCheckWithOcsp()` – turns off user certificate revocation check with OCSP. OCSP check is enabled by default and the OCSP responder access location URL is extracted from the user certificate AIA extension unless a designated OCSP service is activated.
+- `withDesignatedOcspServiceConfiguration(DesignatedOcspServiceConfiguration serviceConfiguration)` – activates the provided designated OCSP responder service configuration for user certificate revocation check with OCSP. The designated service is only used for checking the status of the certificates whose issuers are supported by the service, for other certificates the default AIA extension service access location will be used. See configuration examples in `testutil.OcspServiceMaker.getDesignatedOcspServiceConfiguration()`.
 - `withOcspRequestTimeout(Duration ocspRequestTimeout)` – sets both the connection and response timeout of user certificate revocation check OCSP requests. Default is 5 seconds.
 - `withAllowedClientClockSkew(Duration allowedClockSkew)` – sets the tolerated clock skew of the client computer when verifying the token expiration. Default value is 3 minutes.
 - `withDisallowedCertificatePolicies(ASN1ObjectIdentifier... policies)` – adds the given policies to the list of disallowed user certificate policies. In order for the user certificate to be considered valid, it must not contain any policies present in this list. Contains the Estonian Mobile-ID policies by default as it must not be possible to authenticate with a Mobile-ID certificate when an eID smart card is expected.
-- `withNonceDisabledOcspUrls(URI... urls)` – adds the given URLs to the list of OCSP URLs for which the nonce protocol extension will be disabled. Some OCSP services don't support the nonce extension. Contains the ESTEID-2015 OCSP URL by default.
+- `withNonceDisabledOcspUrls(URI... urls)` – adds the given URLs to the list of OCSP responder URLs for which the nonce protocol extension will be disabled. Some OCSP responders don't support the nonce extension. Contains the ESTEID-2015 OCSP responder URL by default.
 
 Extended configuration example:  
 
@@ -318,9 +314,9 @@ AuthTokenValidator validator = new AuthTokenValidatorBuilder()
 
 ### Certificates' *Authority Information Access* (AIA) extension
 
-It is assumed that the AIA extension that contains the certificates’ OCSP service location, is part of both the user and CA certificates. The AIA OCSP URL will be used to check the certificate revocation status with OCSP.
+Unless a designated OCSP responder service is in use, it is required that the AIA extension that contains the certificate’s OCSP responder access location is present in the user certificate. The AIA OCSP URL will be used to check the certificate revocation status with OCSP.
 
-**Note that there may be legal limitations to using AIA URLs during signing** as the services behind these URLs provide different security and SLA guarantees than dedicated OCSP services. For digital signing, OCSP responder certificate validation is additionally needed. Using AIA URLs during authentication is sufficient, however.
+**Note that there may be legal limitations to using AIA URLs during signing** as the services behind these URLs provide different security and SLA guarantees than dedicated OCSP responder services. Using AIA URLs during authentication is sufficient, however.
 
 ## Possible validation errors  
 
@@ -350,6 +346,7 @@ String nonce = nonceGenerator.generateAndStoreNonce();
 The `generateAndStoreNonce()` method both generates the nonce and stores it in the cache.
 
 ## Extended configuration  
+
 The following additional configuration options are available in `NonceGeneratorBuilder`:
 
 - `withNonceTtl(Duration duration)` – overrides the default nonce time-to-live duration. When the time-to-live passes, the nonce is considered to be expired. Default nonce time-to-live is 5 minutes.
@@ -363,14 +360,3 @@ NonceGenerator generator = new NonceGeneratorBuilder()
         .withSecureRandom(customSecureRandom)  
         .build();
 ```
-
-## Frequently asked questions
-
-### How can I find the AIA OCSP service URLs?
-
-You can find the AIA OCSP service URLs from the electronic ID certificate profile documents, in the section that describes certificate extensions.
-The AIA OCSP extension OID is 1.3.6.1.5.5.7.48.1.
-
-For example, the EstEID AIA URLs are specified in the documents
-[*Certificate, CRL and OCSP Profile for identification documents of the Republic of Estonia*](https://www.skidsolutions.eu/upload/files/SK-CPR-ESTEID-EN-v8_4-20200630.pdf) and
-[*Certificate, CRL and OCSP Profile for ID-1 Format Identity Documents Issued by the Republic of Estonia*](https://www.skidsolutions.eu/upload/files/SK-CPR-ESTEID2018-EN-v1_2_20200630.pdf).

pom.xml

@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>authtoken-validation</artifactId>
     <groupId>org.webeid.security</groupId>
-    <version>2.0.0</version>
+    <version>1.2.0</version>
     <packaging>jar</packaging>
     <name>authtoken-validation</name>
     <description>Web eID authentication token validation library for Java</description>
@@ -16,10 +16,11 @@
         <java.version>1.8</java.version>
         <jjwt.version>0.11.2</jjwt.version>
         <slf4j.version>1.7.30</slf4j.version>
-        <bouncycastle.version>1.65</bouncycastle.version>
+        <bouncycastle.version>1.69</bouncycastle.version>
         <caffeine.version>2.8.5</caffeine.version>
         <junit-jupiter.version>5.6.2</junit-jupiter.version>
         <assertj.version>3.17.2</assertj.version>
+        <mockito.version>3.12.4</mockito.version>
         <jacoco.version>0.8.5</jacoco.version>
         <sonar.coverage.jacoco.xmlReportPaths>
             ${project.basedir}/../jacoco-coverage-report/target/site/jacoco-aggregate/jacoco.xml
@@ -96,6 +97,12 @@
             <version>${assertj.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <version>${mockito.version}</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-simple</artifactId>

src/main/java/org/webeid/security/certificate/CertificateData.java

@@ -37,29 +37,35 @@
 public final class CertificateData {
 
     public static String getSubjectCN(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.CN);
+        return getSubjectField(certificate, BCStyle.CN);
     }
 
     public static String getSubjectSurname(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.SURNAME);
+        return getSubjectField(certificate, BCStyle.SURNAME);
     }
 
     public static String getSubjectGivenName(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.GIVENNAME);
+        return getSubjectField(certificate, BCStyle.GIVENNAME);
     }
 
     public static String getSubjectIdCode(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.SERIALNUMBER);
+        return getSubjectField(certificate, BCStyle.SERIALNUMBER);
     }
 
     public static String getSubjectCountryCode(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.C);
+        return getSubjectField(certificate, BCStyle.C);
     }
 
-    private static String getField(X509Certificate certificate, ASN1ObjectIdentifier fieldId) throws CertificateEncodingException {
-        final X500Name x500Name = new JcaX509CertificateHolder(certificate).getSubject();
+    private static String getSubjectField(X509Certificate certificate, ASN1ObjectIdentifier fieldId) throws CertificateEncodingException {
+        return getField(new JcaX509CertificateHolder(certificate).getSubject(), fieldId);
+    }
+
+    private static String getField(X500Name x500Name, ASN1ObjectIdentifier fieldId) throws CertificateEncodingException {
         // Example value: [C=EE, CN=JÕEORG\,JAAK-KRISTJAN\,38001085718, 2.5.4.4=#0c074ac395454f5247, 2.5.4.42=#0c0d4a41414b2d4b524953544a414e, 2.5.4.5=#1311504e4f45452d3338303031303835373138]
         final RDN[] rdns = x500Name.getRDNs(fieldId);
+        if (rdns.length == 0 || rdns[0].getFirst() == null) {
+            throw new CertificateEncodingException("X500 name RDNs empty or first element is null");
+        }
         return Arrays.stream(rdns)
             .map(rdn -> IETFUtils.valueToString(rdn.getFirst().getValue()))
             .collect(Collectors.joining(", "));

src/main/java/org/webeid/security/certificate/CertificateValidator.java

@@ -1,42 +1,64 @@
+/*
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 package org.webeid.security.certificate;
 
 import org.webeid.security.exceptions.CertificateNotTrustedException;
 import org.webeid.security.exceptions.JceException;
-import org.webeid.security.exceptions.UserCertificateExpiredException;
-import org.webeid.security.exceptions.UserCertificateNotYetValidException;
+import org.webeid.security.exceptions.CertificateExpiredException;
+import org.webeid.security.exceptions.CertificateNotYetValidException;
 
 import java.security.GeneralSecurityException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertPathBuilder;
 import java.security.cert.CertPathBuilderException;
 import java.security.cert.CertStore;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.CollectionCertStoreParameters;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.PKIXCertPathBuilderResult;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.Date;
 import java.util.Set;
 import java.util.stream.Collectors;
 
 public final class CertificateValidator {
 
-    /**
-     * Checks whether the certificate was valid on the given date.
-     */
-    public static void certificateIsValidOnDate(X509Certificate cert, Date date) throws UserCertificateNotYetValidException, UserCertificateExpiredException {
+    public static void certificateIsValidOnDate(X509Certificate cert, Date date, String subject) throws CertificateNotYetValidException, CertificateExpiredException {
         try {
             cert.checkValidity(date);
-        } catch (CertificateNotYetValidException e) {
-            throw new UserCertificateNotYetValidException(e);
-        } catch (CertificateExpiredException e) {
-            throw new UserCertificateExpiredException(e);
+        } catch (java.security.cert.CertificateNotYetValidException e) {
+            throw new CertificateNotYetValidException(subject, e);
+        } catch (java.security.cert.CertificateExpiredException e) {
+            throw new CertificateExpiredException(subject, e);
+        }
+    }
+
+    public static void trustedCACertificatesAreValidOnDate(Set<TrustAnchor> trustedCACertificateAnchors, Date date) throws CertificateNotYetValidException, CertificateExpiredException {
+        for (TrustAnchor cert : trustedCACertificateAnchors) {
+            certificateIsValidOnDate(cert.getTrustedCert(), date, "Trusted CA");
         }
     }
 
@@ -70,10 +92,6 @@ public static Set<TrustAnchor> buildTrustAnchorsFromCertificates(Collection<X509
             .collect(Collectors.toSet());
     }
 
-    public static Set<TrustAnchor> buildTrustAnchorsFromCertificate(X509Certificate certificate) {
-        return buildTrustAnchorsFromCertificates(Collections.singleton(certificate));
-    }
-
     public static CertStore buildCertStoreFromCertificates(Collection<X509Certificate> certificates) throws JceException {
         // We use the default JCE provider as there is no reason to use Bouncy Castle, moreover BC requires
         // the validated certificate to be in the certificate store which breaks the clean immutable usage of
@@ -85,10 +103,6 @@ public static CertStore buildCertStoreFromCertificates(Collection<X509Certificat
         }
     }
 
-    public static CertStore buildCertStoreFromCertificate(X509Certificate certificate) throws JceException {
-        return buildCertStoreFromCertificates(Collections.singleton(certificate));
-    }
-
     private CertificateValidator() {
         throw new IllegalStateException("Utility class");
     }

src/main/java/org/webeid/security/exceptions/AiaOcspResponderConfigurationException.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2021 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -23,10 +23,10 @@
 package org.webeid.security.exceptions;
 
 /**
- * Thrown when the user certificate valid from date is in the future.
+ * Thrown when the certificate's valid until date is in the past.
  */
-public class UserCertificateNotYetValidException extends TokenValidationException {
-    public UserCertificateNotYetValidException(Throwable cause) {
-        super("User certificate is not yet valid", cause);
+public class CertificateExpiredException extends TokenValidationException {
+    public CertificateExpiredException(String subject, Throwable cause) {
+        super(subject + " certificate has expired", cause);
     }
 }

src/main/java/org/webeid/security/exceptions/UserCertificateNotYetValidException.java renamed to src/main/java/org/webeid/security/exceptions/CertificateExpiredException.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2021 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -23,10 +23,10 @@
 package org.webeid.security.exceptions;
 
 /**
- * Thrown when the user certificate valid until date is in the past.
+ * Thrown when the certificate's valid from date is in the future.
  */
-public class UserCertificateExpiredException extends TokenValidationException {
-    public UserCertificateExpiredException(Throwable cause) {
-        super("User certificate has expired", cause);
+public class CertificateNotYetValidException extends TokenValidationException {
+    public CertificateNotYetValidException(String subject, Throwable cause) {
+        super(subject + " certificate is not yet valid", cause);
     }
 }

src/main/java/org/webeid/security/exceptions/UserCertificateExpiredException.java renamed to src/main/java/org/webeid/security/exceptions/CertificateNotYetValidException.java

@@ -1,3 +1,25 @@
+/*
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, mergCertificateExpiryValidatore, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 package org.webeid.security.exceptions;
 
 public class OCSPCertificateException extends TokenValidationException {