NFC-115 Review findings

SanderKondratjevNortal · SanderKondratjevNortal · commit ec1cc76ced18 · 2026-03-20T10:48:19.000+02:00
Signed-off-by: Sander Kondratjev &lt;sander.kondratjev@nortal.com&gt;
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
@@ -23,6 +23,7 @@
 package eu.webeid.example.security;
 
 import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
+import eu.webeid.security.authtoken.UnverifiedSigningCertificate;
 import eu.webeid.security.certificate.CertificateData;
 import org.springframework.lang.Nullable;
 import org.springframework.security.core.Authentication;
@@ -48,11 +49,17 @@ private WebEidAuthentication(String principalName, String idCode, String signing
         this.supportedSignatureAlgorithms = supportedSignatureAlgorithms;
     }
 
-    public static Authentication fromCertificate(X509Certificate userCertificate, @Nullable String signingCertificate, @Nullable List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms, List<GrantedAuthority> authorities) throws CertificateEncodingException {
+    public static Authentication fromCertificate(X509Certificate userCertificate, @Nullable UnverifiedSigningCertificate signingCertificate, List<GrantedAuthority> authorities) throws CertificateEncodingException {
         final String principalName = getPrincipalNameFromCertificate(userCertificate);
         final String idCode = CertificateData.getSubjectIdCode(userCertificate)
             .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject ID code"));
-        return new WebEidAuthentication(principalName, idCode, signingCertificate, supportedSignatureAlgorithms, authorities);
+        return new WebEidAuthentication(
+            principalName,
+            idCode,
+            signingCertificate != null ? signingCertificate.getUnverifiedSigningCertificate() : null,
+            signingCertificate != null ? signingCertificate.getSupportedSignatureAlgorithms() : null,
+            authorities
+        );
     }
 
     private static String getPrincipalNameFromCertificate(X509Certificate userCertificate) throws CertificateEncodingException {
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java
@@ -76,15 +76,10 @@ public Authentication authenticate(Authentication auth) throws AuthenticationExc
         try {
             final String nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
             final X509Certificate userCertificate = tokenValidator.validate(authToken, nonce);
-            boolean isV11 = authToken.getFormat() != null && authToken.getFormat().startsWith("web-eid:1.1");
-            final String signingCertificate = (requireSigningCert && isV11)
-                ? authToken.getUnverifiedSigningCertificates().get(0).getUnverifiedSigningCertificate()
+            final var signingCertificate = requireSigningCert
+                ? authToken.getUnverifiedSigningCertificates().getFirst() // NOTE: Handling multiple signing certificates is out of scope of this example.
                 : null;
-            final List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms = (requireSigningCert && isV11)
-                ? authToken.getUnverifiedSigningCertificates().get(0).getSupportedSignatureAlgorithms()
-                : null;
-
-            return WebEidAuthentication.fromCertificate(userCertificate, signingCertificate, supportedSignatureAlgorithms, authorities);
+            return WebEidAuthentication.fromCertificate(userCertificate, signingCertificate, authorities);
         } catch (AuthTokenException e) {
             throw new AuthenticationServiceException("Web eID token validation failed", e);
         } catch (CertificateEncodingException e) {
diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -116,7 +116,7 @@ public DigestDTO prepareContainer(CertificateDTO certificateDTO, WebEidAuthentic
 
         final DataToSign dataToSign = SignatureBuilder
                 .aSignature(containerToSign)
-                .withSignatureProfile(SignatureProfile.T) // AIA OCSP is supported for signatures with LT or LTA profile.
+                .withSignatureProfile(SignatureProfile.LT) // AIA OCSP is supported for signatures with LT or LTA profile.
                 .withSigningCertificate(certificate)
                 .withSignatureDigestAlgorithm(signatureDigestAlgorithm)
                 .buildDataToSign();
diff --git a/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java b/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java
@@ -38,7 +38,7 @@ class WebEidAuthenticationTest {
     @Test
     void whenOrganizationCertificate_thenSucceeds() throws Exception {
         final X509Certificate certificate = CertificateLoader.decodeCertificateFromBase64(ORGANIZATION_CERT);
-        final Authentication authentication = WebEidAuthentication.fromCertificate(certificate, null, null, Collections.emptyList());
+        final Authentication authentication = WebEidAuthentication.fromCertificate(certificate, null, Collections.emptyList());
         assertThat(authentication.getPrincipal()).isEqualTo("Testijad.ee isikutuvastus");
     }
 
diff --git a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
@@ -72,7 +72,7 @@ public class ObjectMother {
                             "\"unverifiedSigningCertificate\":\"MIID6zCCA02gAwIBAgIQT7j6zk6pmVRcyspLo5SqejAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTE5MDUwMjEwNDUzMVoXDTI5MDUwMjEwNDUzMVowfzELMAkGA1UEBhMCRUUxFjAUBgNVBCoMDUpBQUstS1JJU1RKQU4xEDAOBgNVBAQMB0rDlUVPUkcxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASkwENR8GmCpEs6OshDWDfIiKvGuyNMOD2rjIQW321AnZD3oIsqD0svBMNEJJj9Dlvq/47TYDObIa12KAU5IuOBfJs2lrFdSXZjaM+a5TWT3O2JTM36YDH2GcMe/eisepejggGrMIIBpzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIGQDBIBgNVHSAEQTA/MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAJBgcEAIvsQAECMB0GA1UdDgQWBBTVX3s48Spy/Es2TcXgkRvwUn2YcjCBigYIKwYBBQUHAQMEfjB8MAgGBgQAjkYBATAIBgYEAI5GAQQwEwYGBACORgEGMAkGBwQAjkYBBgEwUQYGBACORgEFMEcwRRY/aHR0cHM6Ly9zay5lZS9lbi9yZXBvc2l0b3J5L2NvbmRpdGlvbnMtZm9yLXVzZS1vZi1jZXJ0aWZpY2F0ZXMvEwJFTjAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBiwAwgYcCQgGBr+Jbo1GeqgWdIwgMo7SA29AP38JxNm2HWq2Qb+kIHpusAK574Co1K5D4+Mk7/ITTuXQaET5WphHoN7tdAciTaQJBAn0zBigYyVPYSTO68HM6hmlwTwi/KlJDdXW/2NsMjSqofFFJXpGvpxk2CTqSRCjcavxLPnkasTbNROYSJcmM8Xc=\"," +
                             "\"supportedSignatureAlgorithms\":[{\"cryptoAlgorithm\":\"RSA\",\"hashFunction\":\"SHA-256\",\"paddingScheme\":\"PKCS1.5\"}]" +
                             "}]," +
-                            "\"issuerApp\":\"https://web-eid.eu/web-eid-mobile-app/releases/v1.0.0\"," +
+                            "\"appVersion\":\"https://web-eid.eu/web-eid-mobile-app/releases/v1.0.0\"," +
                             "\"signature\":\"0Ov7ME6pTY1K2GXMj8Wxov/o2fGIMEds8OMY5dKdkB0nrqQX7fG1E5mnsbvyHpMDecMUH6Yg+p1HXdgB/lLqOcFZjt/OVXPjAAApC5d1YgRYATDcxsR1zqQwiNcHdmWn\"," +
                             "\"format\":\"web-eid:1.1\"}",
                 WebEidAuthToken.class);
diff --git a/src/main/java/eu/webeid/security/authtoken/UnverifiedSigningCertificate.java b/src/main/java/eu/webeid/security/authtoken/UnverifiedSigningCertificate.java
@@ -20,14 +20,16 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.certificate;
+package eu.webeid.security.authtoken;
 
-import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 
 import java.util.List;
 
+@JsonIgnoreProperties(ignoreUnknown = true)
 public class UnverifiedSigningCertificate {
 
+
     private String unverifiedSigningCertificate;
     private List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms;
 
diff --git a/src/main/java/eu/webeid/security/authtoken/WebEidAuthToken.java b/src/main/java/eu/webeid/security/authtoken/WebEidAuthToken.java
@@ -23,7 +23,6 @@
 package eu.webeid.security.authtoken;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import eu.webeid.security.certificate.UnverifiedSigningCertificate;
 
 import java.util.List;
 
diff --git a/src/main/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion11Validator.java b/src/main/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion11Validator.java
@@ -25,7 +25,7 @@
 import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.certificate.CertificateLoader;
-import eu.webeid.security.certificate.UnverifiedSigningCertificate;
+import eu.webeid.security.authtoken.UnverifiedSigningCertificate;
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.exceptions.AuthTokenParseException;
 import eu.webeid.security.exceptions.CertificateDecodingException;
@@ -46,7 +46,9 @@
 import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
 
@@ -91,50 +93,57 @@ protected String getSupportedFormatPrefix() {
     @Override
     public X509Certificate validate(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
         final X509Certificate subjectCertificate = validateV1(token, currentChallengeNonce);
-        final X509Certificate signingCertificate = validateSigningCertificatesExist(token);
-        validateSupportedSignatureAlgorithms(token.getUnverifiedSigningCertificates());
-        validateSameSubject(subjectCertificate, signingCertificate);
-        validateSameIssuer(subjectCertificate, signingCertificate);
-        validateSigningCertificateValidity(signingCertificate);
-        validateKeyUsage(signingCertificate);
+        final List<X509Certificate> signingCertificates = validateSigningCertificatesExist(token);
+        final List<UnverifiedSigningCertificate> unverifiedSigningCertificates = token.getUnverifiedSigningCertificates();
+        Iterator<UnverifiedSigningCertificate> unverifiedIterator = unverifiedSigningCertificates.iterator();
+        for(X509Certificate signingCertificate : signingCertificates) {
+            UnverifiedSigningCertificate unverifiedSigningCertificate = unverifiedIterator.next();
+            validateSupportedSignatureAlgorithms(unverifiedSigningCertificate);
+            validateSameSubject(subjectCertificate, signingCertificate);
+            validateSameIssuer(subjectCertificate, signingCertificate);
+            validateSigningCertificateValidity(signingCertificate);
+            validateKeyUsage(signingCertificate);
+        }
 
         return subjectCertificate;
     }
 
-    private static void validateSupportedSignatureAlgorithms(List<UnverifiedSigningCertificate> unverifiedSigningCertificates) throws AuthTokenParseException {
-        for (UnverifiedSigningCertificate cert : unverifiedSigningCertificates) {
-            List<SupportedSignatureAlgorithm> algorithms = cert.getSupportedSignatureAlgorithms();
+    private static void validateSupportedSignatureAlgorithms(UnverifiedSigningCertificate cert) throws AuthTokenParseException {
+        List<SupportedSignatureAlgorithm> algorithms = cert.getSupportedSignatureAlgorithms();
 
-            if (algorithms == null || algorithms.isEmpty()) {
-                throw new AuthTokenParseException("'supportedSignatureAlgorithms' field is missing");
-            }
+        if (algorithms == null || algorithms.isEmpty()) {
+            throw new AuthTokenParseException("'supportedSignatureAlgorithms' field is missing");
+        }
 
-            boolean hasInvalid = algorithms.stream().anyMatch(algorithm ->
-                !SUPPORTED_SIGNING_CRYPTO_ALGORITHMS.contains(algorithm.getCryptoAlgorithm()) ||
-                    !SUPPORTED_SIGNING_HASH_FUNCTIONS.contains(algorithm.getHashFunction()) ||
-                    !SUPPORTED_SIGNING_PADDING_SCHEMES.contains(algorithm.getPaddingScheme())
-            );
+        boolean hasInvalid = algorithms.stream().anyMatch(algorithm ->
+            !SUPPORTED_SIGNING_CRYPTO_ALGORITHMS.contains(algorithm.getCryptoAlgorithm()) ||
+                !SUPPORTED_SIGNING_HASH_FUNCTIONS.contains(algorithm.getHashFunction()) ||
+                !SUPPORTED_SIGNING_PADDING_SCHEMES.contains(algorithm.getPaddingScheme())
+        );
 
-            if (hasInvalid) {
-                throw new AuthTokenParseException("Unsupported signature algorithm");
-            }
+        if (hasInvalid) {
+            throw new AuthTokenParseException("Unsupported signature algorithm");
         }
     }
 
-    private static X509Certificate validateSigningCertificatesExist(WebEidAuthToken token) throws AuthTokenParseException, CertificateDecodingException {
+    private static List<X509Certificate> validateSigningCertificatesExist(WebEidAuthToken token) throws AuthTokenParseException, CertificateDecodingException {
         List<UnverifiedSigningCertificate> signingCertificates = token.getUnverifiedSigningCertificates();
 
         if (signingCertificates == null || signingCertificates.isEmpty()) {
             throw new AuthTokenParseException("'unverifiedSigningCertificates' field is missing, null or empty for format 'web-eid:1.1'");
         }
 
-        UnverifiedSigningCertificate signingCertificate = signingCertificates.get(0);
+        List<X509Certificate> result = new ArrayList<>();
 
-        if (signingCertificate == null || isNullOrEmpty(signingCertificate.getUnverifiedSigningCertificate())) {
-            throw new AuthTokenParseException("'unverifiedSigningCertificates' field is missing, null or empty for format 'web-eid:1.1'");
+        for (UnverifiedSigningCertificate certificate : signingCertificates) {
+            if (certificate == null || isNullOrEmpty(certificate.getUnverifiedSigningCertificate())) {
+                throw new AuthTokenParseException("'unverifiedSigningCertificates' field is missing, null or empty for format 'web-eid:1.1'");
+            }
+
+            result.add(CertificateLoader.decodeCertificateFromBase64(certificate.getUnverifiedSigningCertificate()));
         }
 
-        return CertificateLoader.decodeCertificateFromBase64(signingCertificate.getUnverifiedSigningCertificate());
+        return result;
     }
 
     private static void validateSameSubject(X509Certificate subjectCertificate, X509Certificate signingCertificate)
diff --git a/src/main/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion1Validator.java b/src/main/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion1Validator.java
@@ -78,6 +78,10 @@ protected String getSupportedFormatPrefix() {
 
     @Override
     public X509Certificate validate(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
+        if (token.getUnverifiedSigningCertificates() != null) {
+            throw new AuthTokenParseException("'unverifiedSigningCertificates' field is not allowed for format '" + token.getFormat() + "'");
+        }
+
         if (token.getUnverifiedCertificate() == null || token.getUnverifiedCertificate().isEmpty()) {
             throw new AuthTokenParseException("'unverifiedCertificate' field is missing, null or empty");
         }
diff --git a/src/test/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion11ValidatorTest.java b/src/test/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion11ValidatorTest.java
@@ -24,7 +24,7 @@
 
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.certificate.CertificateLoader;
-import eu.webeid.security.certificate.UnverifiedSigningCertificate;
+import eu.webeid.security.authtoken.UnverifiedSigningCertificate;
 import eu.webeid.security.exceptions.AuthTokenParseException;
 import eu.webeid.security.validator.AuthTokenSignatureValidator;
 import eu.webeid.security.validator.AuthTokenValidationConfiguration;
diff --git a/src/test/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion1ValidatorTest.java b/src/test/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion1ValidatorTest.java
@@ -23,6 +23,7 @@
 package eu.webeid.security.validator.versionvalidators;
 
 import eu.webeid.security.authtoken.WebEidAuthToken;
+import eu.webeid.security.authtoken.UnverifiedSigningCertificate;
 import eu.webeid.security.exceptions.AuthTokenParseException;
 import eu.webeid.security.validator.AuthTokenSignatureValidator;
 import eu.webeid.security.validator.AuthTokenValidationConfiguration;
@@ -35,6 +36,7 @@
 import org.junit.jupiter.params.provider.ValueSource;
 
 import java.security.cert.CertStore;
+import java.util.List;
 import java.util.Set;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -75,10 +77,22 @@ void whenFormatIsNullEmptyOrNotV1_thenSupportsReturnsFalse(String format) {
     void whenUnverifiedCertificateMissing_thenValidationFails() {
         WebEidAuthToken token = mock(WebEidAuthToken.class);
         when(token.getFormat()).thenReturn("web-eid:1");
+        when(token.getUnverifiedSigningCertificates()).thenReturn(null);
         when(token.getUnverifiedCertificate()).thenReturn(null);
 
         assertThatThrownBy(() -> validator.validate(token, "nonce"))
             .isInstanceOf(AuthTokenParseException.class)
             .hasMessageContaining("'unverifiedCertificate' field is missing");
     }
+
+    @Test
+    void whenUnverifiedSigningCertificatesPresentForV1_thenValidationFails() {
+        WebEidAuthToken token = mock(WebEidAuthToken.class);
+        when(token.getFormat()).thenReturn("web-eid:1");
+        when(token.getUnverifiedSigningCertificates()).thenReturn(List.of(mock(UnverifiedSigningCertificate.class)));
+
+        assertThatThrownBy(() -> validator.validate(token, "nonce"))
+            .isInstanceOf(AuthTokenParseException.class)
+            .hasMessageContaining("'unverifiedSigningCertificates' field is not allowed for format 'web-eid:1'");
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ class WebEidAuthenticationTest {`
`38`	`38`	`@Test`
`39`	`39`	`void whenOrganizationCertificate_thenSucceeds() throws Exception {`
`40`	`40`	`final X509Certificate certificate = CertificateLoader.decodeCertificateFromBase64(ORGANIZATION_CERT);`
`41`		`- final Authentication authentication = WebEidAuthentication.fromCertificate(certificate, null, null, Collections.emptyList());`
	`41`	`+ final Authentication authentication = WebEidAuthentication.fromCertificate(certificate, null, Collections.emptyList());`
`42`	`42`	`assertThat(authentication.getPrincipal()).isEqualTo("Testijad.ee isikutuvastus");`
`43`	`43`	`}`
`44`	`44`