Skip to content

feat: add SubjectCertificatePolicyValidator #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jan 26, 2021
Merged

feat: add SubjectCertificatePolicyValidator #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions src/main/java/org/webeid/security/exceptions/UserCertificateDisallowedPolicyException.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
package org.webeid.security.exceptions;

/**
* Thrown when any of the configured disallowed policies is present in the user certificate.
*/
public class UserCertificateDisallowedPolicyException extends TokenValidationException {
public UserCertificateDisallowedPolicyException() {
super("Disallowed user certificate policy");
}
}
10 changes: 10 additions & 0 deletions src/main/java/org/webeid/security/exceptions/UserCertificateInvalidPolicyException.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
package org.webeid.security.exceptions;

/**
* Thrown when the user certificate policy is invalid.
*/
public class UserCertificateInvalidPolicyException extends TokenValidationException {
public UserCertificateInvalidPolicyException() {
super("User certificate policy is invalid");
}
}
12 changes: 12 additions & 0 deletions src/main/java/org/webeid/security/util/SubjectCertificatePolicies.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
package org.webeid.security.util;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;

public final class SubjectCertificatePolicies {

public static final ASN1ObjectIdentifier EST_MOBILE_ID_POLICY = new ASN1ObjectIdentifier("1.3.6.1.4.1.10015.1.3");

private SubjectCertificatePolicies() {
throw new IllegalStateException("Constants class");
}
}
17 changes: 14 additions & 3 deletions src/main/java/org/webeid/security/validator/AuthTokenValidationConfiguration.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,18 +22,21 @@

package org.webeid.security.validator;

import com.google.common.collect.Sets;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.webeid.security.validator.validators.OriginValidator;

import javax.cache.Cache;
import java.net.URI;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Objects;

import static org.webeid.security.nonce.NonceGeneratorBuilder.requirePositiveDuration;
import static org.webeid.security.util.SubjectCertificatePolicies.EST_MOBILE_ID_POLICY;

/**
* Stores configuration parameters for {@link AuthTokenValidatorImpl}.
Expand All @@ -42,25 +45,28 @@ final class AuthTokenValidationConfiguration {

private URI siteOrigin;
private Cache<String, LocalDateTime> nonceCache;
private Collection<X509Certificate> trustedCACertificates = new ArrayList<>();
private Collection<X509Certificate> trustedCACertificates = new HashSet<>();
private boolean isUserCertificateRevocationCheckWithOcspEnabled = true;
private Duration ocspRequestTimeout = Duration.ofSeconds(5);
private Duration allowedClientClockSkew = Duration.ofMinutes(3);
private boolean isSiteCertificateFingerprintValidationEnabled = false;
private String siteCertificateSha256Fingerprint;
// Don't allow Estonian Mobile-ID policy by default.
private Collection<ASN1ObjectIdentifier> disallowedSubjectCertificatePolicies = Sets.newHashSet(EST_MOBILE_ID_POLICY);

AuthTokenValidationConfiguration() {
}

private AuthTokenValidationConfiguration(AuthTokenValidationConfiguration other) {
this.siteOrigin = other.siteOrigin;
this.nonceCache = other.nonceCache;
this.trustedCACertificates = new ArrayList<>(other.trustedCACertificates);
this.trustedCACertificates = new HashSet<>(other.trustedCACertificates);
this.isUserCertificateRevocationCheckWithOcspEnabled = other.isUserCertificateRevocationCheckWithOcspEnabled;
this.ocspRequestTimeout = other.ocspRequestTimeout;
this.allowedClientClockSkew = other.allowedClientClockSkew;
this.isSiteCertificateFingerprintValidationEnabled = other.isSiteCertificateFingerprintValidationEnabled;
this.siteCertificateSha256Fingerprint = other.siteCertificateSha256Fingerprint;
this.disallowedSubjectCertificatePolicies = new HashSet<>(other.disallowedSubjectCertificatePolicies);
}

void setSiteOrigin(URI siteOrigin) {
Expand Down Expand Up @@ -144,4 +150,9 @@ void validate() {
AuthTokenValidationConfiguration copy() {
return new AuthTokenValidationConfiguration(this);
}

public Collection<ASN1ObjectIdentifier> getDisallowedSubjectCertificatePolicies() {
return disallowedSubjectCertificatePolicies;
}

}
19 changes: 17 additions & 2 deletions src/main/java/org/webeid/security/validator/AuthTokenValidatorBuilder.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@

package org.webeid.security.validator;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand All @@ -30,7 +31,7 @@
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.LocalDateTime;
import java.util.Arrays;
import java.util.Collections;

/**
* Builder for constructing {@link AuthTokenValidator} instances.
Expand Down Expand Up @@ -81,11 +82,25 @@ public AuthTokenValidatorBuilder withNonceCache(Cache<String, LocalDateTime> cac
* @return the builder instance for method chaining
*/
public AuthTokenValidatorBuilder withTrustedCertificateAuthorities(X509Certificate... certificates) {
configuration.getTrustedCACertificates().addAll(Arrays.asList(certificates));
Collections.addAll(configuration.getTrustedCACertificates(), certificates);
LOG.debug("Trusted certificate authorities set to {}", configuration.getTrustedCACertificates());
return this;
}

/**
* Sets the list of disallowed user certificate policies.
* In order for the user certificate to be considered valid, it must not contain any policies
* present in this list.
*
* @param policies disallowed user certificate policies
* @return the builder instance for method chaining
*/
public AuthTokenValidatorBuilder withDisallowedCertificatePolicies(ASN1ObjectIdentifier... policies) {
Collections.addAll(configuration.getDisallowedSubjectCertificatePolicies(), policies);
LOG.debug("Disallowed subject certificate policies set to {}", configuration.getDisallowedSubjectCertificatePolicies());
return this;
}

/**
* Turns off user certificate revocation check with OCSP.
* <p>
Expand Down
3 changes: 2 additions & 1 deletion src/main/java/org/webeid/security/validator/AuthTokenValidatorImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,8 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {

simpleSubjectCertificateValidators = ValidatorBatch.createFrom(
FunctionalSubjectCertificateValidators::validateCertificateExpiry,
FunctionalSubjectCertificateValidators::validateCertificatePurpose
FunctionalSubjectCertificateValidators::validateCertificatePurpose,
new SubjectCertificatePolicyValidator(configuration.getDisallowedSubjectCertificatePolicies())::validateCertificatePolicies
);
tokenBodyValidators = ValidatorBatch.createFrom(
new NonceValidator(configuration.getNonceCache())::validateNonce,
Expand Down
52 changes: 52 additions & 0 deletions ...main/java/org/webeid/security/validator/validators/SubjectCertificatePolicyValidator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
package org.webeid.security.validator.validators;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.CertificatePolicies;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.webeid.security.exceptions.TokenValidationException;
import org.webeid.security.exceptions.UserCertificateDisallowedPolicyException;
import org.webeid.security.exceptions.UserCertificateInvalidPolicyException;
import org.webeid.security.validator.AuthTokenValidatorData;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Optional;

public class SubjectCertificatePolicyValidator {

private final Collection<ASN1ObjectIdentifier> disallowedSubjectCertificatePolicies;

public SubjectCertificatePolicyValidator(Collection<ASN1ObjectIdentifier> disallowedSubjectCertificatePolicies) {
this.disallowedSubjectCertificatePolicies = disallowedSubjectCertificatePolicies;
}

/**
* Validates that the user certificate policies match the configured policies.
*
* @param actualTokenData authentication token data that contains the user certificate.
* @throws UserCertificateDisallowedPolicyException when user certificate policy does not match the configured policies.
* @throws UserCertificateInvalidPolicyException when user certificate policy is invalid.
*/
public void validateCertificatePolicies(AuthTokenValidatorData actualTokenData) throws TokenValidationException {
final X509Certificate certificate = actualTokenData.getSubjectCertificate();
final byte[] extensionValue = certificate.getExtensionValue(Extension.certificatePolicies.getId());
try {
final CertificatePolicies policies = CertificatePolicies.getInstance(
JcaX509ExtensionUtils.parseExtensionValue(extensionValue)
);
final Optional<PolicyInformation> disallowedPolicy = Arrays.stream(policies.getPolicyInformation())
.filter(policyInformation ->
disallowedSubjectCertificatePolicies.contains(policyInformation.getPolicyIdentifier()))
.findFirst();
if (disallowedPolicy.isPresent()) {
throw new UserCertificateDisallowedPolicyException();
}
} catch (IOException e) {
throw new UserCertificateInvalidPolicyException();
}
}
}
8 changes: 8 additions & 0 deletions src/test/java/org/webeid/security/testutil/AuthTokenValidators.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@

package org.webeid.security.testutil;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.webeid.security.validator.AuthTokenValidator;
import org.webeid.security.validator.AuthTokenValidatorBuilder;

Expand All @@ -34,6 +35,7 @@
public final class AuthTokenValidators {

private static final String TOKEN_ORIGIN_URL = "https://ria.ee";
private static final ASN1ObjectIdentifier EST_IDEMIA_POLICY = new ASN1ObjectIdentifier("1.3.6.1.4.1.51361.1.2.1");

public static AuthTokenValidator getAuthTokenValidator(Cache<String, LocalDateTime> cache) throws CertificateException {
return getAuthTokenValidator(TOKEN_ORIGIN_URL, cache);
Expand Down Expand Up @@ -65,6 +67,12 @@ public static AuthTokenValidator getAuthTokenValidatorWithWrongTrustedCA(Cache<S
CertificateLoader.loadCertificatesFromResources("ESTEID2018.cer"));
}

public static AuthTokenValidator getAuthTokenValidatorWithDisallowedESTEIDPolicy(Cache<String, LocalDateTime> cache) throws CertificateException {
return getAuthTokenValidatorBuilder(TOKEN_ORIGIN_URL, cache, getCACertificates())
.withDisallowedCertificatePolicies(EST_IDEMIA_POLICY)
.build();
}

private static AuthTokenValidatorBuilder getAuthTokenValidatorBuilder(String uri, Cache<String, LocalDateTime> cache, X509Certificate[] certificates) {
return new AuthTokenValidatorBuilder()
.withSiteOrigin(URI.create(uri))
Expand Down
6 changes: 5 additions & 1 deletion src/test/java/org/webeid/security/testutil/Tokens.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,11 +91,15 @@ public final class Tokens {
//-----------------------------------------------------------------------------------------------------------------

public static final String TOKEN_TOO_SHORT = new String(new char[99]);

public static final String TOKEN_TOO_LONG = new String(new char[10001]);

//-----------------------------------------------------------------------------------------------------------------

public static final String X5C_WRONG_POLICY_CERTIFICATE = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsIng1YyI6WyJNSUlFQVRDQ0EyT2dBd0lCQWdJUU9Xa0JXWE5ESm0xYnlGZDNYc1drdmpBS0JnZ3Foa2pPUFFRREJEQmdNUXN3Q1FZRFZRUUdFd0pGUlRFYk1Ca0dBMVVFQ2d3U1Uwc2dTVVFnVTI5c2RYUnBiMjV6SUVGVE1SY3dGUVlEVlFSaERBNU9WRkpGUlMweE1EYzBOekF4TXpFYk1Ca0dBMVVFQXd3U1ZFVlRWQ0J2WmlCRlUxUkZTVVF5TURFNE1CNFhEVEU0TVRBeE9EQTVOVEEwTjFvWERUSXpNVEF4TnpJeE5UazFPVm93ZnpFTE1Ba0dBMVVFQmhNQ1JVVXhLakFvQmdOVkJBTU1JVXJEbFVWUFVrY3NTa0ZCU3kxTFVrbFRWRXBCVGl3ek9EQXdNVEE0TlRjeE9ERVFNQTRHQTFVRUJBd0hTc09WUlU5U1J6RVdNQlFHQTFVRUtnd05Ta0ZCU3kxTFVrbFRWRXBCVGpFYU1CZ0dBMVVFQlJNUlVFNVBSVVV0TXpnd01ERXdPRFUzTVRnd2RqQVFCZ2NxaGtqT1BRSUJCZ1VyZ1FRQUlnTmlBQVI1azFsWHp2U2VJOU8vMXMxcFp2amhFVzhuSXRKb0cwRUJGeG1MRVk2UzdraTF2RjJRM1RFRHg2ZE56dEkxWHR4OTZjczhyNHpZVHdkaVFvRGc3azNkaVV1UjluVFdHeFFFTU8xRkRvNFk5ZkFtaVBHV1QrK0d1T1ZvWlFZM1h4aWpnZ0hCTUlJQnZUQUpCZ05WSFJNRUFqQUFNQTRHQTFVZER3RUIvd1FFQXdJRGlEQkZCZ05WSFNBRVBqQThNREFHQ1NzR0FRUUJ6aDhCQXpBak1DRUdDQ3NHQVFVRkJ3SUJGaFZvZEhSd2N6b3ZMM2QzZHk1emF5NWxaUzlEVUZNd0NBWUdCQUNQZWdFQ01COEdBMVVkRVFRWU1CYUJGRE00TURBeE1EZzFOekU0UUdWbGMzUnBMbVZsTUIwR0ExVWREZ1FXQkJUa0xMMDBDUkFWVERFcG9jbVYrVzRtMkNibXdEQmhCZ2dyQmdFRkJRY0JBd1JWTUZNd1VRWUdCQUNPUmdFRk1FY3dSUlkvYUhSMGNITTZMeTl6YXk1bFpTOWxiaTl5WlhCdmMybDBiM0o1TDJOdmJtUnBkR2x2Ym5NdFptOXlMWFZ6WlMxdlppMWpaWEowYVdacFkyRjBaWE12RXdKRlRqQWdCZ05WSFNVQkFmOEVGakFVQmdnckJnRUZCUWNEQWdZSUt3WUJCUVVIQXdRd0h3WURWUjBqQkJnd0ZvQVV3SVNaS2NST256c0NOUGFaNFFwV0FBZ3BQbnN3Y3dZSUt3WUJCUVVIQVFFRVp6QmxNQ3dHQ0NzR0FRVUZCekFCaGlCb2RIUndPaTh2WVdsaExtUmxiVzh1YzJzdVpXVXZaWE4wWldsa01qQXhPREExQmdnckJnRUZCUWN3QW9ZcGFIUjBjRG92TDJNdWMyc3VaV1V2VkdWemRGOXZabDlGVTFSRlNVUXlNREU0TG1SbGNpNWpjblF3Q2dZSUtvWkl6ajBFQXdRRGdZc0FNSUdIQWtJQjlWTEpqSGJTMmJZdWRSYXRrRWVNRkpBTUtiSjRiQVZkaDBLbEZ4V0FTZXhGNXl3cEdsNDNXU3BCNlFBWHpORUJNZTFGSVdpT0l1ZDQ0aWV4TldPMWpnQUNRUTErTSt0YVo0aHlXcVNOVzVEQ0lpVVA3WXU0V3ZIM1NVakVxUUhiT1FzaHlNaDVFTTFwVmN2T24vWmdPeEx0NkVUdjlhdm5oVk13MnpUZDFiOHU0RUZrIl19.eyJhdWQiOlsiaHR0cHM6Ly9yaWEuZWUiLCJ1cm46Y2VydDpzaGEtMjU2OjZmMGRmMjQ0ZTRhODU2Yjk0YjNiM2I0NzU4MmEwYTUxYTMyZDY3NGRiYzcxMDcyMTFlZDIzZDRiZWM2ZDljNzIiXSwiZXhwIjoiMTU4Njg3MTE2OSIsImlhdCI6IjE1ODY4NzA4NjkiLCJpc3MiOiJ3ZWItZWlkIGFwcCB2MC45LjAtMS1nZTZlODlmYSIsIm5vbmNlIjoiMTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2NzgiLCJzdWIiOiJKXHUwMGQ1RU9SRyxKQUFLLUtSSVNUSkFOLDM4MDAxMDg1NzE4In0";
public static final String X5C_MOBILE_ID_CERTIFICATE = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsIng1YyI6WyJNSUlGbURDQ0E0Q2dBd0lCQWdJUU13Y3k4WWdndjJsZlRUS0xRT2hOWVRBTkJna3Foa2lHOXcwQkFRc0ZBREJqTVFzd0NRWURWUVFHRXdKRlJURWlNQ0FHQTFVRUNnd1pRVk1nVTJWeWRHbG1hWFJ6WldWeWFXMXBjMnRsYzJ0MWN6RVhNQlVHQTFVRVlRd09UbFJTUlVVdE1UQTNORGN3TVRNeEZ6QVZCZ05WQkFNTURrVlRWRVZKUkMxVFN5QXlNREUxTUI0WERUSXdNRGd6TVRFM01qVXpNVm9YRFRJMU1EZ3pNVEl3TlRrMU9Wb3djVEVMTUFrR0ExVUVCaE1DUlVVeEl6QWhCZ05WQkFNTUdrdkRsVlpGVWxOQlVpeE5RVlJKTERNNE16QTVNVFF3TkRJd01SSXdFQVlEVlFRRURBbEx3NVZXUlZKVFFWSXhEVEFMQmdOVkJDb01CRTFCVkVreEdqQVlCZ05WQkFVVEVWQk9UMFZGTFRNNE16QTVNVFF3TkRJd01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRUpjZ0lqWkVFSXlJTUdWbGkxeHA4OFlsUzhQbldCQ2NYZEJpQlRETmlWVC80T2xUVHRlQkJJZVBuMnZLV09nVU5ET1d5RnNCUVJQeTkzUGlnMnRoQXpxT0NBZ013Z2dIL01Ba0dBMVVkRXdRQ01BQXdEZ1lEVlIwUEFRSC9CQVFEQWdPSU1ISUdBMVVkSUFSck1Ha3dYUVlKS3dZQkJBSE9Id0VETUZBd0x3WUlLd1lCQlFVSEFnRVdJMmgwZEhCek9pOHZkM2QzTG5OckxtVmxMM0psY0c5emFYUnZiM0pwZFcwdlExQlRNQjBHQ0NzR0FRVUZCd0lDTUJFYUQwTnZiblJ5WVdOMElERXVNVEV0T1RBSUJnWUVBSTk2QVFJd0lRWURWUjBSQkJvd0dJRVdiV0YwYVM1cmIzWmxjbk5oY2tCbFpYTjBhUzVsWlRBZEJnTlZIUTRFRmdRVWFOVzZuMjlhTVJiVUxQdEl5dm1ScTUwZzhnOHdId1lEVlIwakJCZ3dGb0FVczZ1SXZKblZZcVNGS2dqTnRCMXlPNE55UjFFd2FnWUlLd1lCQlFVSEFRRUVYakJjTUNjR0NDc0dBUVVGQnpBQmhodG9kSFJ3T2k4dllXbGhMbk5yTG1WbEwyVnpkR1ZwWkRJd01UVXdNUVlJS3dZQkJRVUhNQUtHSldoMGRIQTZMeTlqTG5OckxtVmxMMFZUVkVWSlJDMVRTMTh5TURFMUxtUmxjaTVqY25Rd1lRWUlLd1lCQlFVSEFRTUVWVEJUTUZFR0JnUUFqa1lCQlRCSE1FVVdQMmgwZEhCek9pOHZjMnN1WldVdlpXNHZjbVZ3YjNOcGRHOXllUzlqYjI1a2FYUnBiMjV6TFdadmNpMTFjMlV0YjJZdFkyVnlkR2xtYVdOaGRHVnpMeE1DUlU0d1BBWURWUjBmQkRVd016QXhvQytnTFlZcmFIUjBjRG92TDNkM2R5NXpheTVsWlM5amNteHpMMlZ6ZEdWcFpDOWxjM1JsYVdReU1ERTFMbU55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQUZ2WW1tYWVOdmg2dmFraXprdjZIdlhZWFhEdlRJVkE3WjNXc1hOOVpmZnZxaXFNNndnOWlJQmlXalVFNXFLaDBzVmE2cWx4VEhKOTBrZWx0Z1dzTGtQYnlDZUp2c2w3bnBJKy8zTnZIandSODNkSHptaThWMjF6TEFWd2czbkdwYmtsZzJ1VFBBYWdRZlJ3YTkxRDMrU1B1LzJVbzZhL3Z3SlZUYU1aUCtQRUhFa0NtTnV3UEFFQ2dubmlOZ2N3bENLMG1oTks5dXJEV2V3c0RjWnFSSWk2MVF5UXpIZGU5bDBJVWxUY0k4blB6SW1hNWY4MzF4VlhHcWk5OFdRWnBxZkhzZFBMMTR3d0FQNVVqc3p2RGUzRE92eDBlQVJob1NybThNTGozWTlvTjgyb00wWEJJYzZ1UncwS05wOGx1bkhNSUFMMmIzMFVMSmtYTUxMZEEvRks0S1MyTXZsdCtkTzN4K3RxS1VHWDR3cnhQdE5tV3Z2TEZLZlBwempMS0RsL0pBNmZCY0QyTEhjS1NETUs4Smdjb2tsM3R6STh6RzBSS3kzeURDcEErYzNDUDdwSURMQmIwZnBOempVQXRUUzcybWdBelJiRk5YY3ROMDV1ZWtZbVRoVTJaNzFNdlVDdzBKaXhONkc3RG1pT2UzY3A5a0EwMWYwUkJsTTc2ZjJ4NlltWjdYQ2RJMEpOUW04U3B5Y3RWWC8yU2JlZDBrYmpwT1YwNUNGRXRXV1lsQk8zb0hmN1NmMGpxWXJzM1NOOTk5TUhIQ2c0d2RzV1VKaUd1SUx5TUppK2dRcGhJRC9QZ2pEVzlxeExkMGtxSzFjQkxLeWJ3Z0JTY2R0NUtaanJUS1lXT1NUd3ZoNUZoRktWVndzQ01lT2gvK29qS1doWDZ1S2h3TU9RPSJdfQ.eyJhdWQiOlsiaHR0cHM6Ly9yaWEuZWUiLCJ1cm46Y2VydDpzaGEtMjU2OjZmMGRmMjQ0ZTRhODU2Yjk0YjNiM2I0NzU4MmEwYTUxYTMyZDY3NGRiYzcxMDcyMTFlZDIzZDRiZWM2ZDljNzIiXSwiZXhwIjoiMTU4Njg3MTE2OSIsImlhdCI6IjE1ODY4NzA4NjkiLCJpc3MiOiJ3ZWItZWlkIGFwcCB2MC45LjAtMS1nZTZlODlmYSIsIm5vbmNlIjoiMTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2NzgiLCJzdWIiOiJKXHUwMGQ1RU9SRyxKQUFLLUtSSVNUSkFOLDM4MDAxMDg1NzE4In0";

//-----------------------------------------------------------------------------------------------------------------

public static String getUnsignedTokenString() {
int sigPos = Tokens.SIGNED.lastIndexOf(".");
return Tokens.SIGNED.substring(0, sigPos + 1);
Expand Down
34 changes: 34 additions & 0 deletions src/test/java/org/webeid/security/validator/SubjectCertificatePolicyValidatorTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
package org.webeid.security.validator;

import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.webeid.security.exceptions.UserCertificateDisallowedPolicyException;
import org.webeid.security.testutil.AbstractTestWithMockedDateAndCorrectNonce;
import org.webeid.security.testutil.Tokens;
import org.webeid.security.validator.AuthTokenValidator;

import java.security.cert.CertificateException;

import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.webeid.security.testutil.AuthTokenValidators.getAuthTokenValidatorWithDisallowedESTEIDPolicy;

class SubjectCertificatePolicyValidatorTest extends AbstractTestWithMockedDateAndCorrectNonce {

private AuthTokenValidator validator;

@BeforeEach
void setUp() {
try {
validator = getAuthTokenValidatorWithDisallowedESTEIDPolicy(cache);
} catch (CertificateException e) {
throw new RuntimeException(e);
}
}

@Test
void testX5cDisallowedPolicyCertificate() {
// Tokens.SIGNED has EST IDEMIA policy which is configured as disallowed in setUp().
assertThatThrownBy(() -> validator.validate(Tokens.SIGNED))
.isInstanceOf(UserCertificateDisallowedPolicyException.class);
}
}
15 changes: 12 additions & 3 deletions src/test/java/org/webeid/security/validator/X5cTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,9 +24,7 @@

import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.webeid.security.exceptions.TokenParseException;
import org.webeid.security.exceptions.UserCertificateMissingPurposeException;
import org.webeid.security.exceptions.UserCertificateWrongPurposeException;
import org.webeid.security.exceptions.*;
import org.webeid.security.testutil.AbstractTestWithValidatorAndCorrectNonce;
import org.webeid.security.testutil.Dates;
import org.webeid.security.testutil.Tokens;
Expand Down Expand Up @@ -96,4 +94,15 @@ void testX5cWrongPurposeCertificate() {
.isInstanceOf(UserCertificateWrongPurposeException.class);
}

@Test
void testX5cWrongPolicyCertificate() {
assertThatThrownBy(() -> validator.validate(Tokens.X5C_WRONG_POLICY_CERTIFICATE))
.isInstanceOf(UserCertificateDisallowedPolicyException.class);
}

@Test
void testMobileIDCertificate() {
assertThatThrownBy(() -> validator.validate(Tokens.X5C_MOBILE_ID_CERTIFICATE))
.isInstanceOf(UserCertificateMissingPurposeException.class);
}
}