feat(token): remove site cert hash validation, rename fields according to final spec

WE2-586

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

src/main/java/eu/webeid/security/authtoken/WebEidAuthToken.java

@@ -27,18 +27,17 @@
 @JsonIgnoreProperties(ignoreUnknown = true)
 public class WebEidAuthToken {
 
-    private String certificate;
+    private String untrustedCertificate;
     private String signature;
     private String algorithm;
-    private String version;
-    private boolean useOriginCertHash;
+    private String format;
 
-    public String getCertificate() {
-        return certificate;
+    public String getUntrustedCertificate() {
+        return untrustedCertificate;
     }
 
-    public void setCertificate(String certificate) {
-        this.certificate = certificate;
+    public void setUntrustedCertificate(String untrustedCertificate) {
+        this.untrustedCertificate = untrustedCertificate;
     }
 
     public String getSignature() {
@@ -57,20 +56,12 @@ public void setAlgorithm(String algorithm) {
         this.algorithm = algorithm;
     }
 
-    public String getVersion() {
-        return version;
+    public String getFormat() {
+        return format;
     }
 
-    public void setVersion(String version) {
-        this.version = version;
-    }
-
-    public boolean getUseOriginCertHash() {
-        return useOriginCertHash;
-    }
-
-    public void setUseOriginCertHash(boolean useOriginCertHash) {
-        this.useOriginCertHash = useOriginCertHash;
+    public void setFormat(String format) {
+        this.format = format;
     }
 
 }

src/main/java/eu/webeid/security/certificate/CertificateLoader.java

@@ -32,6 +32,7 @@
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Objects;
 
 import static eu.webeid.security.util.Base64Decoder.decodeBase64;
 
@@ -52,6 +53,7 @@ public static X509Certificate[] loadCertificatesFromResources(String... resource
     }
 
     public static X509Certificate decodeCertificateFromBase64(String certificateInBase64) throws CertificateDecodingException {
+        Objects.requireNonNull(certificateInBase64, "certificateInBase64");
         try (final InputStream targetStream = new ByteArrayInputStream(decodeBase64(certificateInBase64))) {
             return (X509Certificate) CertificateFactory
                 .getInstance("X509")

src/main/java/eu/webeid/security/challenge/ChallengeNonceGeneratorBuilder.java

@@ -23,7 +23,6 @@
 package eu.webeid.security.challenge;
 
 import eu.webeid.security.util.DateAndTime;
-import eu.webeid.security.validator.AuthTokenValidator;
 
 import java.security.SecureRandom;
 import java.time.Duration;

src/main/java/eu/webeid/security/exceptions/TokenSignatureValidationException.java

@@ -27,10 +27,8 @@
  */
 public class TokenSignatureValidationException extends TokenValidationException {
 
-    public static final String MESSAGE = "Token signature validation has failed";
-
     public TokenSignatureValidationException() {
-        super(MESSAGE);
+        super("Token signature validation has failed");
     }
 
 }

src/main/java/eu/webeid/security/validator/AuthTokenSignatureValidator.java

@@ -59,7 +59,7 @@ public AuthTokenSignatureValidator(URI siteOrigin) {
     }
 
     // This method is based on the relevant subset of JJWT's DefaultJwtParser.parse().
-    public void validate(String algorithm, String signature, PublicKey publicKey, String currentChallengeNonce, byte[] originCertHash) throws TokenValidationException {
+    public void validate(String algorithm, String signature, PublicKey publicKey, String currentChallengeNonce) throws TokenValidationException {
         requireNotEmpty(algorithm, "algorithm");
         requireNotEmpty(signature, "signature");
         Objects.requireNonNull(publicKey);
@@ -88,9 +88,7 @@ public void validate(String algorithm, String signature, PublicKey publicKey, St
         final byte[] decodedSignature = decodeBase64(signature);
 
         final byte[] nonceHash = sha256Digest(currentChallengeNonce);
-        final byte[] concatSignedFields = originCertHash == null ?
-            Bytes.concat(originHash, nonceHash) :
-            Bytes.concat(originHash, nonceHash, originCertHash);
+        final byte[] concatSignedFields = Bytes.concat(originHash, nonceHash);
 
         // Note that in case of ECDSA, the eID card outputs raw R||S, but JCA's SHA384withECDSA signature
         // validation implementation requires the signature in DER encoding.

src/main/java/eu/webeid/security/validator/AuthTokenValidationConfiguration.java

@@ -50,7 +50,6 @@ public final class AuthTokenValidationConfiguration {
     private boolean isUserCertificateRevocationCheckWithOcspEnabled = true;
     private Duration ocspRequestTimeout = Duration.ofSeconds(5);
     private DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration;
-    private byte[] siteCertificateSha256Hash;
     // Don't allow Estonian Mobile-ID policy by default.
     private Collection<ASN1ObjectIdentifier> disallowedSubjectCertificatePolicies = Sets.newHashSet(
         SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY_V1,
@@ -70,7 +69,6 @@ private AuthTokenValidationConfiguration(AuthTokenValidationConfiguration other)
         this.isUserCertificateRevocationCheckWithOcspEnabled = other.isUserCertificateRevocationCheckWithOcspEnabled;
         this.ocspRequestTimeout = other.ocspRequestTimeout;
         this.designatedOcspServiceConfiguration = other.designatedOcspServiceConfiguration;
-        this.siteCertificateSha256Hash = other.siteCertificateSha256Hash;
         this.disallowedSubjectCertificatePolicies = Collections.unmodifiableSet(new HashSet<>(other.disallowedSubjectCertificatePolicies));
         this.nonceDisabledOcspUrls = Collections.unmodifiableSet(new HashSet<>(other.nonceDisabledOcspUrls));
     }
@@ -111,14 +109,6 @@ public void setDesignatedOcspServiceConfiguration(DesignatedOcspServiceConfigura
         this.designatedOcspServiceConfiguration = designatedOcspServiceConfiguration;
     }
 
-    public void setSiteCertificateSha256Hash(byte[] siteCertificateSha256Hash) {
-        this.siteCertificateSha256Hash = siteCertificateSha256Hash;
-    }
-
-    public byte[] getSiteCertificateSha256Hash() {
-        return siteCertificateSha256Hash;
-    }
-
     public Collection<ASN1ObjectIdentifier> getDisallowedSubjectCertificatePolicies() {
         return disallowedSubjectCertificatePolicies;
     }
@@ -139,10 +129,6 @@ void validate() {
         if (trustedCACertificates.isEmpty()) {
             throw new IllegalArgumentException("At least one trusted certificate authority must be provided");
         }
-        // If given, a SHA256 hash must be 32 bytes long.
-        if (siteCertificateSha256Hash!= null && siteCertificateSha256Hash.length != 32) {
-            throw new IllegalArgumentException("Site certificate SHA-256 hash must be 32 bytes long");
-        }
         requirePositiveDuration(ocspRequestTimeout, "OCSP request timeout");
     }
 

src/main/java/eu/webeid/security/validator/AuthTokenValidatorBuilder.java

@@ -152,24 +152,6 @@ public AuthTokenValidatorBuilder withDesignatedOcspServiceConfiguration(Designat
         return this;
     }
 
-    /**
-     * Sets the site certificate hash, i.e. the SHA-256 hash of the HTTPS certificate
-     * that the site is using.
-     * <p>
-     * When the experimental origin certificate validation support is enabled, then
-     * the origin certificate hash is used along with the origin and challenge nonce hashes
-     * during authentication token signature calculation. In this case the site certificate hash
-     * must be provided in configuration to verify the signature.
-     *
-     * @param certificateSha256Hash SHA-256 hash of the HTTPS certificate that the site is using
-     * @return the builder instance for method chaining.
-     */
-    public AuthTokenValidatorBuilder withSiteCertificateSha256Hash(byte[] certificateSha256Hash) {
-        configuration.setSiteCertificateSha256Hash(certificateSha256Hash);
-        LOG.debug("Site certificate hash validation is enabled, hash is {}", certificateSha256Hash);
-        return this;
-    }
-
     /**
      * Validates the configuration and builds the {@link AuthTokenValidator} object with it.
      * The returned {@link AuthTokenValidator} object is immutable/thread-safe.

src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -32,7 +32,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import eu.webeid.security.authtoken.WebEidAuthToken;
-import eu.webeid.security.exceptions.SiteCertificateHashNotConfiguredException;
 import eu.webeid.security.exceptions.TokenParseException;
 import eu.webeid.security.exceptions.TokenValidationException;
 import eu.webeid.security.validator.certvalidators.SubjectCertificateExpiryValidator;
@@ -149,19 +148,14 @@ private WebEidAuthToken parseToken(String authToken) throws TokenParseException
     }
 
     private X509Certificate validateToken(WebEidAuthToken token, String currentChallengeNonce) throws TokenValidationException {
-        if (!Objects.equals(token.getVersion(), CURRENT_TOKEN_FORMAT_VERSION)) {
-            throw new TokenParseException("Only token version '" + CURRENT_TOKEN_FORMAT_VERSION +
+        if (token.getFormat() == null || !token.getFormat().startsWith(CURRENT_TOKEN_FORMAT_VERSION)) {
+            throw new TokenParseException("Only token format version '" + CURRENT_TOKEN_FORMAT_VERSION +
                 "' is currently supported");
         }
-        // When the token signature contains the experimental origin certificate hash,
-        // the hash must be provided in the configuration.
-        if (token.getUseOriginCertHash() && configuration.getSiteCertificateSha256Hash() == null) {
-            throw new SiteCertificateHashNotConfiguredException();
-        }
-        if (token.getCertificate() == null || token.getCertificate().isEmpty()) {
+        if (token.getUntrustedCertificate() == null || token.getUntrustedCertificate().isEmpty()) {
             throw new TokenParseException("'certificate' field is missing, null or empty");
         }
-        final X509Certificate subjectCertificate = CertificateLoader.decodeCertificateFromBase64(token.getCertificate());
+        final X509Certificate subjectCertificate = CertificateLoader.decodeCertificateFromBase64(token.getUntrustedCertificate());
 
         simpleSubjectCertificateValidators.executeFor(subjectCertificate);
         getCertTrustValidators().executeFor(subjectCertificate);
@@ -172,10 +166,7 @@ private X509Certificate validateToken(WebEidAuthToken token, String currentChall
         authTokenSignatureValidator.validate(token.getAlgorithm(),
             token.getSignature(),
             subjectCertificate.getPublicKey(),
-            currentChallengeNonce,
-            token.getUseOriginCertHash() ?
-                configuration.getSiteCertificateSha256Hash() :
-                null);
+            currentChallengeNonce);
 
         return subjectCertificate;
     }

src/test/java/eu/webeid/security/testutil/AbstractTestWithValidator.java

@@ -35,10 +35,10 @@
 public abstract class AbstractTestWithValidator {
 
     public static final String VALID_AUTH_TOKEN = "{\"algorithm\":\"ES384\"," +
-        "\"certificate\":\"MIIEAzCCA2WgAwIBAgIQHWbVWxCkcYxbzz9nBzGrDzAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTE4MTAyMzE1MzM1OVoXDTIzMTAyMjIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQ/u+9IncarVpgrACN6aRgUiT9lWC9H7llnxoEXe8xoCI982Md8YuJsVfRdeG5jwVfXe0N6KkHLFRARspst8qnACULkqFNat/Kj+XRwJ2UANeJ3Gl5XBr+tnLNuDf/UiR6jggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFOTddHnA9rJtbLwhBNyn0xZTQGCMMGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBiwAwgYcCQgHYElkX4vn821JR41akI/lpexCnJFUf4GiOMbTfzAxpZma333R8LNrmI4zbzDp03hvMTzH49g1jcbGnaCcbboS8DAJBObenUp++L5VqldHwKAps61nM4V+TiLqD0jILnTzl+pV+LexNL3uGzUfvvDNLHnF9t6ygi8+Bsjsu3iHHyM1haKM=\"," +
-        "\"issuerApp\":\"https://web-eid.eu/web-eid-app/releases/2.0.0+0\"," +
+        "\"untrustedCertificate\":\"MIIEAzCCA2WgAwIBAgIQHWbVWxCkcYxbzz9nBzGrDzAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTE4MTAyMzE1MzM1OVoXDTIzMTAyMjIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQ/u+9IncarVpgrACN6aRgUiT9lWC9H7llnxoEXe8xoCI982Md8YuJsVfRdeG5jwVfXe0N6KkHLFRARspst8qnACULkqFNat/Kj+XRwJ2UANeJ3Gl5XBr+tnLNuDf/UiR6jggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFOTddHnA9rJtbLwhBNyn0xZTQGCMMGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBiwAwgYcCQgHYElkX4vn821JR41akI/lpexCnJFUf4GiOMbTfzAxpZma333R8LNrmI4zbzDp03hvMTzH49g1jcbGnaCcbboS8DAJBObenUp++L5VqldHwKAps61nM4V+TiLqD0jILnTzl+pV+LexNL3uGzUfvvDNLHnF9t6ygi8+Bsjsu3iHHyM1haKM=\"," +
+        "\"appVersion\":\"https://web-eid.eu/web-eid-app/releases/2.0.0+0\"," +
         "\"signature\":\"arx164xRiwhIQDINe0J+ZxJWZFOQTx0PBtOaWaxAe7gofEIHRIbV1w0sOCYBJnvmvMem9hU4nc2+iJx2x8poYck4Z6eI3GwtiksIec3XQ9ZIk1n/XchXnmPn3GYV+HzJ\"," +
-        "\"version\":\"web-eid:1\"}";
+        "\"format\":\"web-eid:1\"}";
     public static final String VALID_CHALLENGE_NONCE = "12345678123456781234567812345678912356789123";
 
     protected AuthTokenValidator validator;

src/test/java/eu/webeid/security/testutil/AuthTokenValidators.java

@@ -84,17 +84,6 @@ public static AuthTokenValidator getAuthTokenValidatorWithDisallowedESTEIDPolicy
             .build();
     }
 
-    public static AuthTokenValidator getAuthTokenValidatorWithCertHashCheck() throws CertificateException, JceException, IOException, CertificateDecodingException {
-        return getAuthTokenValidatorWithCertHashCheck(getRiaSiteCertificateSha256Hash());
-    }
-
-    public static AuthTokenValidator getAuthTokenValidatorWithCertHashCheck(byte[] certHash) throws CertificateException, JceException, IOException, CertificateDecodingException {
-        return getAuthTokenValidatorBuilder(TOKEN_ORIGIN_URL, getCACertificates())
-            .withSiteCertificateSha256Hash(certHash)
-            .withoutUserCertificateRevocationCheckWithOcsp()
-            .build();
-    }
-
     private static AuthTokenValidatorBuilder getAuthTokenValidatorBuilder(String uri, X509Certificate[] certificates) {
         return new AuthTokenValidatorBuilder()
             .withSiteOrigin(URI.create(uri))