NFC-157 Make v1.1 signing certificates optional

SanderKondratjevNortal · SanderKondratjevNortal · commit a04960b85311 · 2026-04-28T12:07:53.000+03:00
Signed-off-by: Sander Kondratjev &lt;sander.kondratjev@nortal.com&gt;
diff --git a/src/main/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion11Validator.java b/src/main/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion11Validator.java
@@ -128,8 +128,12 @@ private static void validateSupportedSignatureAlgorithms(UnverifiedSigningCertif
     private static List<X509Certificate> validateSigningCertificates(WebEidAuthToken token) throws AuthTokenParseException, CertificateDecodingException {
         List<UnverifiedSigningCertificate> signingCertificates = token.getUnverifiedSigningCertificates();
 
-        if (signingCertificates == null || signingCertificates.isEmpty()) {
-            throw new AuthTokenParseException("'unverifiedSigningCertificates' field is missing, null or empty for format 'web-eid:1.1'");
+        if (signingCertificates == null) {
+            return List.of();
+        }
+
+        if (signingCertificates.isEmpty()) {
+            throw new AuthTokenParseException("'unverifiedSigningCertificates' field is empty for format 'web-eid:1.1'");
         }
 
         List<X509Certificate> result = new ArrayList<>();
diff --git a/src/test/java/eu/webeid/security/validator/versionvalidators/AuthTokenV11CertificateTest.java b/src/test/java/eu/webeid/security/validator/versionvalidators/AuthTokenV11CertificateTest.java
@@ -115,7 +115,7 @@ void whenValidV11Token_thenValidationSucceeds() {
     }
 
     @Test
-    void whenV11SigningCertificateFieldIsMissing_thenValidationFails() throws Exception {
+    void whenV11SigningCertificateFieldIsMissing_thenValidationSucceeds() throws Exception {
         ObjectMapper mapper = new ObjectMapper();
         ObjectNode node = (ObjectNode) mapper.readTree(V11_AUTH_TOKEN);
         node.remove("unverifiedSigningCertificates");
@@ -124,9 +124,24 @@ void whenV11SigningCertificateFieldIsMissing_thenValidationFails() throws Except
         AuthTokenVersion11Validator spyValidator = spyAuthTokenVersion11Validator();
         doReturn(mock(X509Certificate.class)).when(spyValidator).validateV1(any(), any());
 
+        assertThatCode(() -> spyValidator.validate(token, VALID_CHALLENGE_NONCE))
+            .doesNotThrowAnyException();
+    }
+
+    @Test
+    void whenV11SigningCertificateFieldIsEmpty_thenValidationFails() throws Exception {
+        ObjectMapper mapper = new ObjectMapper();
+        ObjectNode node = (ObjectNode) mapper.readTree(V11_AUTH_TOKEN);
+        node.putArray("unverifiedSigningCertificates"); // []
+
+        WebEidAuthToken token = OBJECT_READER.readValue(node.toString());
+
+        AuthTokenVersion11Validator spyValidator = spyAuthTokenVersion11Validator();
+        doReturn(mock(X509Certificate.class)).when(spyValidator).validateV1(any(), any());
+
         assertThatThrownBy(() -> spyValidator.validate(token, VALID_CHALLENGE_NONCE))
             .isInstanceOf(AuthTokenParseException.class)
-            .hasMessage("'unverifiedSigningCertificates' field is missing, null or empty for format 'web-eid:1.1'");
+            .hasMessage("'unverifiedSigningCertificates' field is empty for format 'web-eid:1.1'");
     }
 
     @Test
diff --git a/src/test/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion11ValidatorTest.java b/src/test/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion11ValidatorTest.java
@@ -46,6 +46,7 @@
 import java.util.Set;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.doReturn;
@@ -92,17 +93,30 @@ void whenFormatIsNullEmptyOrNotV11_thenSupportsReturnsFalse(String format) {
     }
 
     @Test
-    void whenUnverifiedSigningCertificatesMissing_thenValidationFails() throws Exception {
+    void whenUnverifiedSigningCertificatesMissing_thenValidationSucceeds() throws Exception {
         WebEidAuthToken token = mock(WebEidAuthToken.class);
         when(token.getFormat()).thenReturn("web-eid:1.1");
         when(token.getUnverifiedSigningCertificates()).thenReturn(null);
 
         AuthTokenVersion11Validator spyValidator = Mockito.spy(validator);
         doReturn(mock(X509Certificate.class)).when(spyValidator).validateV1(any(), any());
 
+        assertThatCode(() -> spyValidator.validate(token, "nonce"))
+            .doesNotThrowAnyException();
+    }
+
+    @Test
+    void whenUnverifiedSigningCertificatesIsEmpty_thenValidationFails() throws Exception {
+        WebEidAuthToken token = mock(WebEidAuthToken.class);
+        when(token.getFormat()).thenReturn("web-eid:1.1");
+        when(token.getUnverifiedSigningCertificates()).thenReturn(Collections.emptyList());
+
+        AuthTokenVersion11Validator spyValidator = Mockito.spy(validator);
+        doReturn(mock(X509Certificate.class)).when(spyValidator).validateV1(any(), any());
+
         assertThatThrownBy(() -> spyValidator.validate(token, "nonce"))
             .isInstanceOf(AuthTokenParseException.class)
-            .hasMessage("'unverifiedSigningCertificates' field is missing, null or empty for format 'web-eid:1.1'");
+            .hasMessage("'unverifiedSigningCertificates' field is empty for format 'web-eid:1.1'");
     }
 
     @Test
