From 45a80582e0e9e0649e3911c238bea6bed2b0b2b4 Mon Sep 17 00:00:00 2001 From: Raul Metsma Date: Thu, 4 Jan 2024 13:47:29 +0200 Subject: [PATCH] Nonce support was added to EstEID 2015 All ID-Card certificates are expired in the EstEID 2015 OCSP service WE2-839 Signed-off-by: Raul Metsma --- README.md | 6 +++--- src/main/java/eu/webeid/security/util/DateAndTime.java | 2 +- .../validator/AuthTokenValidationConfiguration.java | 4 +--- .../java/eu/webeid/security/validator/ocsp/OcspUrl.java | 2 -- .../java/eu/webeid/security/testutil/OcspServiceMaker.java | 3 +-- 5 files changed, 6 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index fef735f1..0e993e34 100644 --- a/README.md +++ b/README.md @@ -100,7 +100,7 @@ import eu.webeid.security.challenge.ChallengeNonceStore; You must explicitly specify which **intermediate** certificate authorities (CAs) are trusted to issue the eID authentication and OCSP responder certificates. CA certificates can be loaded from either the truststore file, resources or any stream source. We use the [`CertificateLoader`](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/src/main/java/eu/webeid/security/certificate/CertificateLoader.java) helper class to load CA certificates from resources here, but consider using [the truststore file](https://github.com/web-eid/web-eid-spring-boot-example/blob/main/src/main/java/eu/webeid/example/config/ValidationConfiguration.java#L104-L123) instead. -First, copy the trusted certificates, for example `ESTEID-SK_2015.cer` and `ESTEID2018.cer`, to `resources/cacerts/`, then load the certificates as follows: +First, copy the trusted certificates, for example `ESTEID2018.cer`, to `resources/cacerts/`, then load the certificates as follows: ```java import java.security.cert.X509Certificate; 
@@ -109,7 +109,7 @@ import eu.webeid.security.certificate.CertificateLoader; ... private X509Certificate[] trustedIntermediateCACertificates() { return CertificateLoader.loadCertificatesFromResources( - "cacerts/ESTEID-SK_2015.cer", "cacerts/ESTEID2018.cer"); + "cacerts/ESTEID2018.cer"); } ... ``` 
@@ -301,7 +301,7 @@ The following additional configuration options are available in `AuthTokenValida - `withOcspClient(OcspClient ocspClient)` - uses the provided OCSP client instance during user certificate revocation check with OCSP. The provided client instance must be thread-safe. This gives the possibility to either configure the request timeouts, proxies etc of the `OkHttpClient` instance used by `OkHttpOcspClient` or provide an implementation that uses an altogether different HTTP client, for example the built-in `HttpClient` provided by Java 9+. See examples in `OcspClientOverrideTest`. - `withOcspRequestTimeout(Duration ocspRequestTimeout)` – sets both the connection and response timeout of user certificate revocation check OCSP requests. Default is 5 seconds. - `withDisallowedCertificatePolicies(ASN1ObjectIdentifier... policies)` – adds the given policies to the list of disallowed user certificate policies. In order for the user certificate to be considered valid, it must not contain any policies present in this list. Contains the Estonian Mobile-ID policies by default as it must not be possible to authenticate with a Mobile-ID certificate when an eID smart card is expected. -- `withNonceDisabledOcspUrls(URI... urls)` – adds the given URLs to the list of OCSP responder access location URLs for which the nonce protocol extension will be disabled. Some OCSP responders don't support the nonce extension. Contains the ESTEID-2015 OCSP responder URL by default. +- `withNonceDisabledOcspUrls(URI... urls)` – adds the given URLs to the list of OCSP responder access location URLs for which the nonce protocol extension will be disabled. Some OCSP responders don't support the nonce extension. Extended configuration example: diff --git a/src/main/java/eu/webeid/security/util/DateAndTime.java b/src/main/java/eu/webeid/security/util/DateAndTime.java index 35e4f266..41e178f6 100644 --- a/src/main/java/eu/webeid/security/util/DateAndTime.java 
+++ b/src/main/java/eu/webeid/security/util/DateAndTime.java @@ -45,7 +45,7 @@ public static void requirePositiveDuration(Duration duration, String fieldName) public static class DefaultClock implements Clock { - // Allows mocking of time-dependent behavior with Mockito.mockStatic(). + // Allows mocking of time-dependent behavior with Mockito.mockStatic() in tests. private static final Clock instance = new DefaultClock(); public static Clock getInstance() { diff --git a/src/main/java/eu/webeid/security/validator/AuthTokenValidationConfiguration.java b/src/main/java/eu/webeid/security/validator/AuthTokenValidationConfiguration.java index d39cfe51..ed9e566b 100644 --- a/src/main/java/eu/webeid/security/validator/AuthTokenValidationConfiguration.java +++ b/src/main/java/eu/webeid/security/validator/AuthTokenValidationConfiguration.java @@ -38,7 +38,6 @@ import static eu.webeid.security.util.Collections.newHashSet; import static eu.webeid.security.util.DateAndTime.requirePositiveDuration; -import static eu.webeid.security.validator.ocsp.OcspUrl.AIA_ESTEID_2015; /** * Stores configuration parameters for {@link AuthTokenValidatorImpl}. @@ -57,8 +56,7 @@ public final class AuthTokenValidationConfiguration { SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY_V3, SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY ); - // Disable OCSP nonce extension for EstEID 2015 cards by default. - private Collection nonceDisabledOcspUrls = newHashSet(AIA_ESTEID_2015); + private Collection nonceDisabledOcspUrls = new HashSet<>(); AuthTokenValidationConfiguration() { } diff --git a/src/main/java/eu/webeid/security/validator/ocsp/OcspUrl.java b/src/main/java/eu/webeid/security/validator/ocsp/OcspUrl.java index fbff637e..ac4851a1 100644 --- a/src/main/java/eu/webeid/security/validator/ocsp/OcspUrl.java +++ b/src/main/java/eu/webeid/security/validator/ocsp/OcspUrl.java 
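Review bot: In the `@@ -57,8 +56,7 @@` hunk of AuthTokenValidationConfiguration.java the replacement `private Collection nonceDisabledOcspUrls = new HashSet<>();` drops the only comment explaining the field, and the new default quietly tightens the contract: with an empty set, every OCSP responder must now honour the nonce extension or the revocation check fails unless the integrator calls `withNonceDisabledOcspUrls(...)`. I would keep that visible at the declaration, e.g. `// Empty by default: the OCSP nonce extension is required from every responder unless withNonceDisabledOcspUrls() opts one out.` The same line switches from the project's `newHashSet` helper (still statically imported on the context line `import static eu.webeid.security.util.Collections.newHashSet;`) to a direct `new HashSet<>()`, which is inconsistent with the rest of the class and depends on `java.util.HashSet` being imported in the part of the import block that lies outside the hunk — worth confirming, since the removed-import hunk above shows only the static imports. Related: the constant this hunk stops using is deleted outright from the public `OcspUrl` class in the later hunk, so any integrator referencing `OcspUrl.AIA_ESTEID_2015` gets a source-incompatible break with no deprecation step; the class body of AuthTokenValidationConfiguration continues outside the hunk.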
@@ -37,8 +37,6 @@ public final class OcspUrl { - public static final URI AIA_ESTEID_2015 = URI.create("http://aia.sk.ee/esteid2015"); - /** * Returns the OCSP responder {@link URI} or an empty {@code Optional} if it doesn't have one. */ diff --git a/src/test/java/eu/webeid/security/testutil/OcspServiceMaker.java b/src/test/java/eu/webeid/security/testutil/OcspServiceMaker.java index 57272287..1a5820a7 100644 --- a/src/test/java/eu/webeid/security/testutil/OcspServiceMaker.java +++ b/src/test/java/eu/webeid/security/testutil/OcspServiceMaker.java @@ -40,7 +40,6 @@ import static eu.webeid.security.testutil.Certificates.getTestEsteid2018CA; import static eu.webeid.security.testutil.Certificates.getTestSkOcspResponder2020; import static eu.webeid.security.util.Collections.newHashSet; -import static eu.webeid.security.validator.ocsp.OcspUrl.AIA_ESTEID_2015; public class OcspServiceMaker { @@ -74,7 +73,7 @@ public static OcspServiceProvider getDesignatedOcspServiceProvider(String ocspSe private static AiaOcspServiceConfiguration getAiaOcspServiceConfiguration() throws JceException { return new AiaOcspServiceConfiguration( - newHashSet(AIA_ESTEID_2015, TEST_ESTEID_2015), + newHashSet(TEST_ESTEID_2015), CertificateValidator.buildTrustAnchorsFromCertificates(TRUSTED_CA_CERTIFICATES), CertificateValidator.buildCertStoreFromCertificates(TRUSTED_CA_CERTIFICATES)); }