web-eid / web-eid-authtoken-validation-java
Web eID authentication token validation library for Java
Home Page: https://web-eid.eu
License: MIT License
Refs WE2-253
From the description, it seems that thisUpdate and nextUpdate should be checked against system local time, but the code checks them against the producedAt value from the OCSP response, so no matter the system time, the response is always valid:
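The distinction raised in this issue, as an added example that is not the library's own code: a freshness check that compares the OCSP thisUpdate/nextUpdate window against the response's own producedAt is self-referential and accepts any internally consistent (stale or replayed) response, while the same check against the validator's clock rejects it. The ALLOWED_SKEW tolerance and the class and method names are assumptions for illustration; the timestamps are constructed sample values.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;

// Added example, not code from web-eid-authtoken-validation-java.
public final class OcspFreshnessCheck {

    // Hypothetical tolerance for clock skew between responder and validator.
    static final Duration ALLOWED_SKEW = Duration.ofMinutes(15);

    // Flawed variant: producedAt comes from the same response as thisUpdate and
    // nextUpdate, so the comparison says nothing about whether the response is
    // still current at the moment of validation.
    static boolean isFreshAgainstProducedAt(Instant thisUpdate, Instant nextUpdate, Instant producedAt) {
        return !thisUpdate.isAfter(producedAt.plus(ALLOWED_SKEW))
                && (nextUpdate == null || !nextUpdate.isBefore(producedAt));
    }

    // Corrected variant: the reference time is the validator's own clock.
    static boolean isFreshAgainstClock(Instant thisUpdate, Instant nextUpdate, Clock clock) {
        Instant now = clock.instant();
        if (thisUpdate.isAfter(now.plus(ALLOWED_SKEW))) {
            return false; // response claims to come from the future
        }
        if (nextUpdate == null) {
            // RFC 6960 section 2.4: a missing nextUpdate means newer revocation
            // information is available at any time, so only accept a response
            // whose thisUpdate is very recent (assumption: reuse ALLOWED_SKEW).
            return !thisUpdate.isBefore(now.minus(ALLOWED_SKEW));
        }
        return !nextUpdate.isBefore(now.minus(ALLOWED_SKEW));
    }

    public static void main(String[] args) {
        // Constructed sample: a response whose validity window closed a year before validation.
        Instant thisUpdate = Instant.parse("2023-03-01T10:00:00Z");
        Instant nextUpdate = Instant.parse("2023-03-02T10:00:00Z");
        Instant producedAt = Instant.parse("2023-03-01T10:00:05Z");
        Clock validatorClock = Clock.fixed(Instant.parse("2024-03-01T10:00:00Z"), ZoneOffset.UTC);

        // Stale response is accepted when compared with its own producedAt...
        System.out.println("against producedAt: " + isFreshAgainstProducedAt(thisUpdate, nextUpdate, producedAt));
        // ...and rejected when compared with the validator's clock.
        System.out.println("against clock:      " + isFreshAgainstClock(thisUpdate, nextUpdate, validatorClock));
    }
}
```

Passing a Clock rather than calling Instant.now() inside the check keeps the freshness logic testable with a fixed clock, which is also how a regression test for this issue would be written.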
Documentation #4. Add trusted certificate authority certificates (https://github.com/web-eid/web-eid-authtoken-validation-java#4-add-trusted-certificate-authority-certificates) mentions that "You must explicitly specify which intermediate certificate authorities (CAs) are trusted..". Assuming this is talking about certificates issued by SK (https://www.skidsolutions.eu), I went to look up their certificate list at https://www.skidsolutions.eu/resources/certificates/ for certificates marked as "intermediate", but I found none. This raises the question: exactly what certificates are needed in this trusted certificates list?
I guess that the ones on the "Issuing-CAs" tab are needed. But I can't be sure. And it's difficult to find out for sure by testing.
Is it possible to add a concrete list of required certificates to the documentation?
Naturally this is going to change in the future, but it's not an impossible task to keep it updated.
Current version seems to be 2.0.1, but README uses 1.0.1.
Either specify a recent version or change it to some placeholder in README to avoid confusion.
Refs WE2-238
Use standard JCE PKIX classes for certificate trust validation in SubjectCertificateTrustedValidator.validateCertificateTrusted().
Refs WE2-332
Guava is a huge library and bringing it as a dependency to just use 3 simple functions is not a good practice.
Using a newer LTS version of Java enables us to use the built-in HttpClient and discard the OkHttpClient dependency as requested in #31.
Version 3 was released on August 7, 2023. As originally announced, we guarantee Java 8 compatible maintenance releases of version 2 until September 2023 and beyond if necessary.
If you need Java 8 support after September 2023, please request it in issue comments below.
When using live Gemalto cards during authentication, then OCSP check fails with status 6, UNAUTHORIZED. This is expected as the AIA OCSP service for Gemalto cards (http://aia.sk.ee/esteid2015) doesn't support nonces.
Make using nonce during OCSP requests configurable by OCSP URL.
Refs WE2-355
Some OCSP servers (e.g. http://ocsp.eparaksts.lv) add multiple responder certificates in OCSP response. This causes auth token validation error:
User certificate revocation check has failed: OCSP response must contain one responder certificate, received 2 certificates instead
due to this check:
https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidator.java#L142-L145
Is it possible to modify the check so that if at least one responder certificate is valid, then whole response is valid?
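One way to handle a response that embeds several certificates, as an added example rather than the library's own code: instead of requiring exactly one certificate, pick the embedded certificate whose subject or key hash matches the response's ResponderID and whose key actually verifies the response signature. This assumes the Bouncy Castle bcpkix API (BasicOCSPResp, X509CertificateHolder, JcaContentVerifierProviderBuilder); the class and method names are assumptions for illustration.

```java
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Optional;

import org.bouncycastle.asn1.ocsp.ResponderID;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;

// Added example, not code from web-eid-authtoken-validation-java.
public final class OcspResponderCertSelector {

    // Returns the embedded certificate that both matches the ResponderID and
    // verifies the signature over the response, or empty if none does.
    static Optional<X509CertificateHolder> selectSigningCertificate(BasicOCSPResp response) throws Exception {
        ResponderID responderId = response.getResponderId().toASN1Primitive();
        for (X509CertificateHolder candidate : response.getCerts()) {
            if (!matchesResponderId(candidate, responderId)) {
                continue; // unrelated chain certificate, not the signer
            }
            if (response.isSignatureValid(new JcaContentVerifierProviderBuilder().build(candidate))) {
                return Optional.of(candidate);
            }
        }
        return Optional.empty();
    }

    // ResponderID is either byName (subject DN) or byKey (SHA-1 over the
    // subjectPublicKey BIT STRING contents, RFC 6960 section 4.2.1).
    static boolean matchesResponderId(X509CertificateHolder cert, ResponderID responderId) throws Exception {
        if (responderId.getName() != null) {
            return cert.getSubject().equals(responderId.getName());
        }
        byte[] keyHash = MessageDigest.getInstance("SHA-1")
                .digest(cert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes());
        return Arrays.equals(keyHash, responderId.getKeyHash());
    }
}
```

The selected certificate is only the signer candidate; the validator's existing checks (that it is issued by the subject certificate's CA or is an explicitly trusted responder, carries the id-kp-OCSPSigning extended key usage and is within its validity period) still have to run against it. The other embedded certificates are simply ignored rather than treated as an error.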
Refs WE2-249
GitHub Packages does not allow unauthorized read access to Maven repository, which makes using published packages very difficult for library consumers.
Use GitLab Package Repository instead.
Java 9+ has a good built-in HttpClient, so that external HTTP client dependencies are not needed.
You can keep the current OcspClientImpl as an optional implementation for those still needing Java 8 support, or implement it using HttpURLConnection, which is available since Java 1.0.
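What the transport layer of such an OCSP client looks like on the JDK's built-in java.net.http.HttpClient (Java 11+), as an added example that is not the project's OcspClientImpl: a POST of the DER-encoded request with the OCSP media types and a strict check of the HTTP status and response content type before the bytes are handed to the OCSP parser. The class name, timeouts and the decision not to follow redirects are assumptions for illustration.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

// Added example, not code from web-eid-authtoken-validation-java.
public final class JdkOcspTransport {

    private static final String OCSP_REQUEST_TYPE = "application/ocsp-request";
    private static final String OCSP_RESPONSE_TYPE = "application/ocsp-response";

    private final HttpClient client = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(5))
            // Do not let a responder redirect the request to another host.
            .followRedirects(HttpClient.Redirect.NEVER)
            .build();

    // Sends a DER-encoded OCSPRequest and returns the raw DER OCSPResponse bytes.
    byte[] post(URI ocspUri, byte[] derEncodedRequest) throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder(ocspUri)
                .timeout(Duration.ofSeconds(5))
                .header("Content-Type", OCSP_REQUEST_TYPE)
                .POST(HttpRequest.BodyPublishers.ofByteArray(derEncodedRequest))
                .build();

        HttpResponse<byte[]> response = client.send(request, HttpResponse.BodyHandlers.ofByteArray());

        if (response.statusCode() != 200) {
            throw new IOException("OCSP responder returned HTTP " + response.statusCode());
        }
        String contentType = response.headers().firstValue("Content-Type").orElse("");
        if (!contentType.equalsIgnoreCase(OCSP_RESPONSE_TYPE)) {
            throw new IOException("Unexpected OCSP response content type: " + contentType);
        }
        return response.body();
    }
}
```

Rejecting anything other than a 200 with application/ocsp-response up front means an error page or captive-portal HTML never reaches the ASN.1 parser, and the timeouts bound how long an unresponsive responder can stall token validation.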
Refs WE2-339
It could be a warning, but not a crash just because one day (today) we have an expired cert not removed from production.
"error": "java.security.cert.CertificateExpiredException: NotAfter: Mon Mar 18 00:00:00 EET 2024",
"stack": [
".CertificateValidity.valid(Unknown Source)",
"java.base/sun.security.x509.X509CertImpl.checkValidity(Unknown Source)",
".certificateIsValidOnDate(CertificateValidator.java:52)",
"eu.webeid.security.certificate.CertificateValidator.trustedCACertificatesAreValidOnDate(CertificateValidator.java:62)",
".SubjectCertificateExpiryValidator.validateCertificateExpiry(SubjectCertificateExpiryValidator.java:56)",
".certvalidators.SubjectCertificateValidatorBatch.executeFor(SubjectCertificateValidatorBatch.java:44)",
".validateToken(AuthTokenValidatorImpl.java:161)",
"eu.webeid.security.validator.AuthTokenValidatorImpl.validate(AuthTokenValidatorImpl.java:122)",
"(WebEidClient.kt:29)",
...
The problem appeared today with expired KLASS3 2010 certs.
https://gitlab.com/web-eid/service/web-eid-authtoken-validation-java/-/packages/10019924 doesn't seem to contain a sources jar. Please publish the sources jar (and possibly also the javadoc jar) alongside the release artifact; it's a common practice (e.g. https://repo1.maven.org/maven2/org/springframework/spring-webmvc/5.3.23/). Then IDEs could fetch it automatically and make browsing and debugging the source code easier when authtoken-validation is used as a dependency in some project.