web-eid / web-eid-authtoken-validation-java Goto Github PK

Refs WE2-253

From the description, it seems that thisUpdate and nextUpdate should be checked agaisnt system local time, but the code checks it againts producetAt value from OCSP response, so no matter the system time, response is always valid:

Documentation #4. Add trusted certificate authority certificates (https://github.com/web-eid/web-eid-authtoken-validation-java#4-add-trusted-certificate-authority-certificates) mentions that "You must explicitly specify which intermediate certificate authorities (CAs) are trusted..". Assuming this is talking about certificates issued by SK (https://www.skidsolutions.eu) I went to look up their certificate list at https://www.skidsolutions.eu/resources/certificates/ for certificates marked as "intermediate" - but I found none. This raises question - exactly what certificates are needed in this trusted certificates list?
I guess that ones on the "Issuing-CAs" tab are needed. But can't be sure. And its difficult to find out for sure by testing.
Is it possible to add concrete list of required certificates to documentation?
Naturally this is going to change in the future but its not an impossible task to keep it updated.

Current version seems to be 2.0.1, but README uses 1.0.1.
Either specify a recent version or change it to some placeholder in README to avoid confusion.

Refs WE2-238

• x5c field certificate is valid, trusted and has a correct purpose, but was not used to sign authentication token

Use standard JCE PKIX classes for certificate trust validation in SubjectCertificateTrustedValidator.validateCertificateTrusted().

• Add configuration option for disallowed user certificate policies
• Add user certificate policy validator that checks policies against disallowed policies

Refs WE2-332

Guava is a huge library and bringing it as a dependency to just use 3 simple functions is not a good practice.

Using a newer LTS version of Java enables us to use the built-in HttpClient and discard the OkHttpClient dependency as requested in #31.

Version 3 was released on August 7, 2023. As originally announced, we guarantee Java 8 compatible maintenance releases of version 2 until September 2023 and beyond if necessary.

If you need Java 8 support after September 2023, please request it in issue comments below.

When using live Gemalto cards during authentication, then OCSP check fails with status 6, UNAUTHORIZED. This is expected as the AIA OCSP service for Gemalto cards (http://aia.sk.ee/esteid2015) doesn't support nonces.

Make using nonce during OCSP requests configurable by OCSP URL.

Refs WE2-355

Some OCSP servers (e.g. http://ocsp.eparaksts.lv) add multiple responder certificates in OCSP response. This causes auth token validation error:
User certificate revocation check has failed: OCSP response must contain one responder certificate, received 2 certificates instead
due to this check:
https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidator.java#L142-L145

Is it possible to modify the check so that if at least one responder certificate is valid, then whole response is valid?

Refs WE2-249

GitHub Packages does not allow unauthorized read access to Maven repository, which makes using published packages very difficult for library consumers.

Use GitLab Package Repository instead.

Java 9+ has a good built-in HttpClient, so that external http client dependencies are not needed.

You can keep current OcspClientImpl as an optional implementation for those still needing Java 8 support, or implement it using HttpURLConnection, which is available since Java 1.0

• Setup publishing to GitHub Packages
• Get rid of JMockit and use raw reflection to fix tests

Refs WE2-339

It could be a warning, but not a crash just because one day (today) we have an expired cert not removed from production.

"error": "java.security.cert.CertificateExpiredException: NotAfter: Mon Mar 18 00:00:00 EET 2024",
    "stack": [
      ".CertificateValidity.valid(Unknown Source)",
      "java.base/sun.security.x509.X509CertImpl.checkValidity(Unknown Source)",
      ".certificateIsValidOnDate(CertificateValidator.java:52)",
      "eu.webeid.security.certificate.CertificateValidator.trustedCACertificatesAreValidOnDate(CertificateValidator.java:62)",
      ".SubjectCertificateExpiryValidator.validateCertificateExpiry(SubjectCertificateExpiryValidator.java:56)",
      ".certvalidators.SubjectCertificateValidatorBatch.executeFor(SubjectCertificateValidatorBatch.java:44)",
      ".validateToken(AuthTokenValidatorImpl.java:161)",
      "eu.webeid.security.validator.AuthTokenValidatorImpl.validate(AuthTokenValidatorImpl.java:122)",
      "(WebEidClient.kt:29)",
...

The problem appeared today with expired KLASS3 2010 certs.

https://gitlab.com/web-eid/service/web-eid-authtoken-validation-java/-/packages/10019924 doesn't seem to contain sources jar. Please publish sources jar (and possibly also javadoc jar) alongside the release artifact, it's a common practice (e.g. https://repo1.maven.org/maven2/org/springframework/spring-webmvc/5.3.23/). Then IDE-s could fetch it automatically and make browsing and debugging the source code easier, when authtoken-validation is used as a dependency in some project.