refactor(SubjectCertificateTrustedValidator): locate the CA certificate by using subject certificate issuer X.500 principal before signature verification (#5)

mrts · mrts · commit 02c788748d26 · 2021-02-27T21:40:59.000+02:00
diff --git a/src/main/java/org/webeid/security/validator/validators/SubjectCertificateTrustedValidator.java b/src/main/java/org/webeid/security/validator/validators/SubjectCertificateTrustedValidator.java
@@ -27,19 +27,24 @@
 import org.webeid.security.exceptions.UserCertificateNotTrustedException;
 import org.webeid.security.validator.AuthTokenValidatorData;
 
+import javax.security.auth.x500.X500Principal;
 import java.security.GeneralSecurityException;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
+import java.util.Map;
+import java.util.function.Function;
+import java.util.stream.Collectors;
 
 public final class SubjectCertificateTrustedValidator {
 
     private static final Logger LOG = LoggerFactory.getLogger(SubjectCertificateTrustedValidator.class);
 
-    private final Collection<X509Certificate> trustedCACertificates;
+    private final Map<X500Principal, X509Certificate> trustedCACertificates;
     private X509Certificate trustedCACertificate;
 
     public SubjectCertificateTrustedValidator(Collection<X509Certificate> trustedCACertificates) {
-        this.trustedCACertificates = trustedCACertificates;
+        this.trustedCACertificates = trustedCACertificates.stream()
+            .collect(Collectors.toMap(X509Certificate::getSubjectX500Principal, Function.identity()));
     }
 
     /**
@@ -50,22 +55,24 @@ public SubjectCertificateTrustedValidator(Collection<X509Certificate> trustedCAC
      */
     public void validateCertificateTrusted(AuthTokenValidatorData actualTokenData) throws UserCertificateNotTrustedException {
 
-        final X509Certificate certificate = actualTokenData.getSubjectCertificate();
+        final X509Certificate userCertificate = actualTokenData.getSubjectCertificate();
+        final X509Certificate caCertificate = trustedCACertificates.get(userCertificate.getIssuerX500Principal());
 
-        for (final X509Certificate caCertificate : trustedCACertificates) {
-            try {
-                certificate.verify(caCertificate.getPublicKey());
-                if (certificate.getNotAfter().after(caCertificate.getNotAfter())) {
-                    throw new UserCertificateNotTrustedException("Trusted CA certificate expires earlier than the user certificate");
-                }
-                this.trustedCACertificate = caCertificate;
-                LOG.debug("User certificate is signed with a trusted CA certificate");
-                return;
-            } catch (GeneralSecurityException e) {
-                LOG.trace("Error verifying signer's certificate {} against CA certificate {}", certificate.getSubjectDN(), caCertificate.getSubjectDN());
+        if (caCertificate == null) {
+            throw new UserCertificateNotTrustedException("User certificate CA is not in the trusted CA list");
+        }
+
+        try {
+            userCertificate.verify(caCertificate.getPublicKey());
+            if (userCertificate.getNotAfter().after(caCertificate.getNotAfter())) {
+                throw new UserCertificateNotTrustedException("Trusted CA certificate expires earlier than the user certificate");
             }
+            this.trustedCACertificate = caCertificate;
+            LOG.debug("User certificate is signed with a trusted CA certificate");
+        } catch (GeneralSecurityException e) {
+            LOG.trace("Error verifying signer's certificate {} against CA certificate {}", userCertificate.getSubjectDN(), caCertificate.getSubjectDN());
+            throw new UserCertificateNotTrustedException();
         }
-        throw new UserCertificateNotTrustedException();
     }
 
     public X509Certificate getSubjectCertificateIssuerCertificate() {
diff --git a/src/test/java/org/webeid/security/validator/TrustedCaTest.java b/src/test/java/org/webeid/security/validator/TrustedCaTest.java
@@ -51,7 +51,8 @@ protected void setup() {
     @Test
     void detectUntrustedUserCertificate() {
         assertThatThrownBy(() -> validator.validate(Tokens.SIGNED))
-            .isInstanceOf(UserCertificateNotTrustedException.class);
+            .isInstanceOf(UserCertificateNotTrustedException.class)
+            .hasMessageStartingWith("User certificate is not trusted: User certificate CA is not in the trusted CA list");
     }
 
 }

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,8 @@ protected void setup() {`
`51`	`51`	`@Test`
`52`	`52`	`void detectUntrustedUserCertificate() {`
`53`	`53`	`assertThatThrownBy(() -> validator.validate(Tokens.SIGNED))`
`54`		`- .isInstanceOf(UserCertificateNotTrustedException.class);`
	`54`	`+ .isInstanceOf(UserCertificateNotTrustedException.class)`
	`55`	`+ .hasMessageStartingWith("User certificate is not trusted: User certificate CA is not in the trusted CA list");`
`55`	`56`	`}`
`56`	`57`
`57`	`58`	`}`