feat(token): add Web eID custom JSON token validation

WE2-586

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>

Author: mrts

README.md

@@ -23,7 +23,7 @@ Add the following lines to Maven `pom.xml` to include the Web eID authentication
     <dependency>
         <groupId>org.webeid.security</groupId>
         <artifactId>authtoken-validation</artifactId>
-        <version>1.0.1</version>
+        <version>2.0.0</version>
     </dependency>
 </dependencies>
 
@@ -114,16 +114,15 @@ The validation library needs to generate authentication challenge nonces and sto
 Configure the nonce generator as follows:
 
 ```java
-import org.webeid.security.nonce.NonceGenerator;
-import org.webeid.security.nonce.NonceGeneratorBuilder;
+
 
 ...
-    public NonceGenerator nonceGenerator() {
-        return new NonceGeneratorBuilder()
-                .withNonceCache(nonceCache())
-                .build();
+public NonceGenerator challengeNonceGenerator(){
+    return new NonceGeneratorBuilder()
+    .withNonceCache(nonceCache())
+    .build();
     }
-...
+    ...
 ```
 
 ## 4. Add trusted certificate authority certificates
@@ -150,18 +149,17 @@ The mandatory parameters are the website origin (the URL serving the web applica
 The authentication token validator will be used in the login processing component of your web application authentication framework; it is thread-safe and should be scoped as a singleton.
 
 ```java
-import org.webeid.security.validator.AuthTokenValidator;
-import org.webeid.security.validator.AuthTokenValidatorBuilder;
+
 
 ...
-    public AuthTokenValidator tokenValidator() throws JceException {
-        return new AuthTokenValidatorBuilder()
-                .withSiteOrigin("https://example.org")
-                .withNonceCache(nonceCache())
-                .withTrustedCertificateAuthorities(trustedCertificateAuthorities())
-                .build();
+public AuthTokenValidator tokenValidator()throws JceException{
+    return new AuthTokenValidatorBuilder()
+    .withSiteOrigin("https://example.org")
+    .withNonceCache(nonceCache())
+    .withTrustedCertificateAuthorities(trustedCertificateAuthorities())
+    .build();
     }
-...
+    ...
 ```
 
 ## 6. Add a REST endpoint for issuing challenge nonces
@@ -181,13 +179,13 @@ import org.springframework.web.bind.annotation.RestController;
 public class ChallengeController {
 
     @Autowired // for brevity, prefer constructor dependency injection
-    private NonceGenerator nonceGenerator;
+    private NonceGenerator challengeNonceGenerator;
 
     @GetMapping("challenge")
     public ChallengeDTO challenge() {
         // a simple DTO with a single 'challenge' field
         final ChallengeDTO challenge = new ChallengeDTO();
-        challenge.setNonce(nonceGenerator.generateAndStoreNonce());
+        challenge.setNonce(challengeNonceGenerator.generateAndStoreNonce());
         return challenge;
     }
 }
@@ -271,7 +269,7 @@ X509Certificate userCertificate = tokenValidator.validate(tokenString);
 The `validate()` method returns the validated user certificate object if validation is successful or throws an exception as described in section *[Possible validation errors](#possible-validation-errors)* below if validation fails. The `CertUtil` and `TitleCase` classes can be used for extracting user information from the user certificate object:
 
 ```java  
-import static org.webeid.security.util.TitleCase.toTitleCase;
+import static TitleCase.toTitleCase;
 
 ...
     
@@ -318,7 +316,7 @@ Unless a designated OCSP responder service is in use, it is required that the AI
 
 ## Possible validation errors  
 
-The `validate()` method of `AuthTokenValidator` returns the validated user certificate object if validation is successful or throws an exception if validation fails. All exceptions that can occur during validation derive from `TokenValidationException`, the list of available exceptions is available [here](src/main/java/org/webeid/security/exceptions/). Each exception file contains a documentation comment under which conditions the exception is thrown.
+The `validate()` method of `AuthTokenValidator` returns the validated user certificate object if validation is successful or throws an exception if validation fails. All exceptions that can occur during validation derive from `TokenValidationException`, the list of available exceptions is available [here](src/main/java/eu/webeid/security/exceptions/). Each exception file contains a documentation comment under which conditions the exception is thrown.
 
 # Nonce generation
 The authentication protocol requires support for generating challenge nonces,  large random numbers that can be used only once, and storing them for later use during token validation. The validation library uses the *java.security.SecureRandom* API as the secure random source and the JSR107 *javax.cache.Cache* API for storing issued challenge nonces. 
@@ -338,7 +336,7 @@ The nonce cache instance is used to store the nonce expiry time using the nonce
 The nonce generator configuration and construction is described in more detail in section *[3. Configure the nonce generator](#3-configure-the-nonce-generator)*. Once the generator object has been constructed, it can be used for generating nonces as follows:
 
 ```java  
-String nonce = nonceGenerator.generateAndStoreNonce();  
+String nonce = challengeNonceGenerator.generateAndStoreNonce();  
 ```
 
 The `generateAndStoreNonce()` method both generates the nonce and stores it in the cache.

pom.xml

@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>authtoken-validation</artifactId>
     <groupId>org.webeid.security</groupId>
-    <version>1.2.0</version>
+    <version>2.0.0-SNAPSHOT</version>
     <packaging>jar</packaging>
     <name>authtoken-validation</name>
     <description>Web eID authentication token validation library for Java</description>
@@ -15,12 +15,11 @@
         <maven-surefire-plugin.version>2.22.2</maven-surefire-plugin.version>
         <java.version>1.8</java.version>
         <jjwt.version>0.11.2</jjwt.version>
-        <slf4j.version>1.7.30</slf4j.version>
+        <slf4j.version>1.7.32</slf4j.version>
         <bouncycastle.version>1.69</bouncycastle.version>
-        <caffeine.version>2.8.5</caffeine.version>
-        <junit-jupiter.version>5.6.2</junit-jupiter.version>
-        <assertj.version>3.17.2</assertj.version>
-        <mockito.version>3.12.4</mockito.version>
+        <junit-jupiter.version>5.8.1</junit-jupiter.version>
+        <assertj.version>3.21.0</assertj.version>
+        <mockito.version>4.0.0</mockito.version>
         <jacoco.version>0.8.5</jacoco.version>
         <sonar.coverage.jacoco.xmlReportPaths>
             ${project.basedir}/../jacoco-coverage-report/target/site/jacoco-aggregate/jacoco.xml
@@ -54,11 +53,6 @@
             <version>${jjwt.version}</version>
         </dependency>
 
-        <dependency>
-            <groupId>javax.cache</groupId>
-            <artifactId>cache-api</artifactId>
-            <version>1.1.1</version>
-        </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
@@ -67,7 +61,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>30.1-jre</version>
+            <version>31.0.1-jre</version>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
@@ -82,7 +76,7 @@
         <dependency>
             <groupId>com.squareup.okhttp3</groupId>
             <artifactId>okhttp</artifactId>
-            <version>4.9.0</version>
+            <version>4.9.2</version>
         </dependency>
 
         <dependency>
@@ -109,18 +103,6 @@
             <version>${slf4j.version}</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>com.github.ben-manes.caffeine</groupId>
-            <artifactId>caffeine</artifactId>
-            <version>${caffeine.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>com.github.ben-manes.caffeine</groupId>
-            <artifactId>jcache</artifactId>
-            <version>${caffeine.version}</version>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 
     <build>

src/main/java/eu/webeid/security/authtoken/WebEidAuthToken.java

@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.security.authtoken;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class WebEidAuthToken {
+
+    private String certificate;
+    private String signature;
+    private String algorithm;
+    private String version;
+    private boolean useOriginCertHash;
+
+    public String getCertificate() {
+        return certificate;
+    }
+
+    public void setCertificate(String certificate) {
+        this.certificate = certificate;
+    }
+
+    public String getSignature() {
+        return signature;
+    }
+
+    public void setSignature(String signature) {
+        this.signature = signature;
+    }
+
+    public String getAlgorithm() {
+        return algorithm;
+    }
+
+    public void setAlgorithm(String algorithm) {
+        this.algorithm = algorithm;
+    }
+
+    public String getVersion() {
+        return version;
+    }
+
+    public void setVersion(String version) {
+        this.version = version;
+    }
+
+    public boolean getUseOriginCertHash() {
+        return useOriginCertHash;
+    }
+
+    public void setUseOriginCertHash(boolean useOriginCertHash) {
+        this.useOriginCertHash = useOriginCertHash;
+    }
+
+}

…ecurity/certificate/CertificateData.java …ecurity/certificate/CertificateData.javasrc/main/java/org/webeid/security/certificate/CertificateData.java renamed to src/main/java/eu/webeid/security/certificate/CertificateData.java src/main/java/org/webeid/security/certificate/CertificateData.java renamed to src/main/java/eu/webeid/security/certificate/CertificateData.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2021 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package org.webeid.security.certificate;
+package eu.webeid.security.certificate;
 
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.x500.RDN;

…urity/certificate/CertificateLoader.java …urity/certificate/CertificateLoader.javasrc/main/java/org/webeid/security/certificate/CertificateLoader.java renamed to src/main/java/eu/webeid/security/certificate/CertificateLoader.java src/main/java/org/webeid/security/certificate/CertificateLoader.java renamed to src/main/java/eu/webeid/security/certificate/CertificateLoader.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2021 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -20,7 +20,9 @@
  * SOFTWARE.
  */
 
-package org.webeid.security.certificate;
+package eu.webeid.security.certificate;
+
+import eu.webeid.security.exceptions.CertificateDecodingException;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -29,9 +31,10 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
-import java.util.Base64;
 import java.util.List;
 
+import static eu.webeid.security.util.Base64Decoder.decodeBase64;
+
 public final class CertificateLoader {
 
     public static X509Certificate[] loadCertificatesFromResources(String... resourceNames) throws CertificateException, IOException {
@@ -48,11 +51,13 @@ public static X509Certificate[] loadCertificatesFromResources(String... resource
         return caCertificates.toArray(new X509Certificate[0]);
     }
 
-    public static X509Certificate loadCertificateFromBase64String(String certificate) throws CertificateException, IOException {
-        try (final InputStream targetStream = new ByteArrayInputStream(Base64.getDecoder().decode(certificate))) {
+    public static X509Certificate decodeCertificateFromBase64(String certificateInBase64) throws CertificateDecodingException {
+        try (final InputStream targetStream = new ByteArrayInputStream(decodeBase64(certificateInBase64))) {
             return (X509Certificate) CertificateFactory
                 .getInstance("X509")
                 .generateCertificate(targetStream);
+        } catch (IOException | CertificateException | IllegalArgumentException e) {
+            throw new CertificateDecodingException(e);
         }
     }
 

…ty/certificate/CertificateValidator.java …ty/certificate/CertificateValidator.javasrc/main/java/org/webeid/security/certificate/CertificateValidator.java renamed to src/main/java/eu/webeid/security/certificate/CertificateValidator.java src/main/java/org/webeid/security/certificate/CertificateValidator.java renamed to src/main/java/eu/webeid/security/certificate/CertificateValidator.java

@@ -20,12 +20,12 @@
  * SOFTWARE.
  */
 
-package org.webeid.security.certificate;
+package eu.webeid.security.certificate;
 
-import org.webeid.security.exceptions.CertificateNotTrustedException;
-import org.webeid.security.exceptions.JceException;
-import org.webeid.security.exceptions.CertificateExpiredException;
-import org.webeid.security.exceptions.CertificateNotYetValidException;
+import eu.webeid.security.exceptions.CertificateExpiredException;
+import eu.webeid.security.exceptions.CertificateNotYetValidException;
+import eu.webeid.security.exceptions.JceException;
+import eu.webeid.security.exceptions.CertificateNotTrustedException;
 
 import java.security.GeneralSecurityException;
 import java.security.InvalidAlgorithmParameterException;
@@ -65,13 +65,15 @@ public static void trustedCACertificatesAreValidOnDate(Set<TrustAnchor> trustedC
 
     public static X509Certificate validateIsSignedByTrustedCA(X509Certificate certificate,
                                                               Set<TrustAnchor> trustedCACertificateAnchors,
-                                                              CertStore trustedCACertificateCertStore) throws CertificateNotTrustedException, JceException {
+                                                              CertStore trustedCACertificateCertStore,
+                                                              Date date) throws CertificateNotTrustedException, JceException {
         final X509CertSelector selector = new X509CertSelector();
         selector.setCertificate(certificate);
 
         try {
             final PKIXBuilderParameters pkixBuilderParameters = new PKIXBuilderParameters(trustedCACertificateAnchors, selector);
             pkixBuilderParameters.setRevocationEnabled(false);
+            pkixBuilderParameters.setDate(date);
             pkixBuilderParameters.addCertStore(trustedCACertificateCertStore);
 
             // See the comment in buildCertStoreFromCertificates() below why we use the default JCE provider.

…/exceptions/OriginMismatchException.java …d/security/challenge/ChallengeNonce.javasrc/main/java/org/webeid/security/exceptions/OriginMismatchException.java renamed to src/main/java/eu/webeid/security/challenge/ChallengeNonce.java src/main/java/org/webeid/security/exceptions/OriginMismatchException.java renamed to src/main/java/eu/webeid/security/challenge/ChallengeNonce.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2021 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -20,21 +20,26 @@
  * SOFTWARE.
  */
 
-package org.webeid.security.exceptions;
+package eu.webeid.security.challenge;
 
-/**
- * Thrown when the origin URL from the token {@code aud} field does not match the configured origin,
- * i.e. the URL that the site is running on.
- */
-public class OriginMismatchException extends TokenValidationException {
+import java.time.ZonedDateTime;
+
+public class ChallengeNonce {
 
-    private static final String MESSAGE = "Origin from the token does not match the configured origin";
+    private final String base64EncodedNonce;
+    private final ZonedDateTime expirationTime;
 
-    public OriginMismatchException() {
-        super(MESSAGE);
+    public ChallengeNonce(String base64EncodedNonce, ZonedDateTime expirationTime) {
+        this.base64EncodedNonce = base64EncodedNonce;
+        this.expirationTime = expirationTime;
     }
 
-    public OriginMismatchException(Throwable cause) {
-        super(MESSAGE, cause);
+    public ZonedDateTime getExpirationTime() {
+        return expirationTime;
     }
+
+    public String getBase64EncodedNonce() {
+        return base64EncodedNonce;
+    }
+
 }