Validate only the relevant CA in certificate chain

WE2-913

Modify the certificate validation process to only check the expiration of CA certificate that is directly part of the user's certificate chain. This prevents service interruptions caused by expired but unrelated CA certificates.

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

README.md

@@ -108,8 +108,7 @@ import eu.webeid.security.certificate.CertificateLoader;
 
 ...
     private X509Certificate[] trustedIntermediateCACertificates() {
-         return CertificateLoader.loadCertificatesFromResources(
-             "cacerts/ESTEID2018.cer");
+         return CertificateLoader.loadCertificatesFromResources("cacerts/ESTEID2018.cer");
     }
 ...
 ```
@@ -128,7 +127,7 @@ import eu.webeid.security.validator.AuthTokenValidatorBuilder;
     public AuthTokenValidator tokenValidator() throws JceException {
         return new AuthTokenValidatorBuilder()
                 .withSiteOrigin("https://example.org")
-                .withTrustedCertificateAuthorities(trustedCertificateAuthorities())
+                .withTrustedCertificateAuthorities(trustedIntermediateCACertificates())
                 .build();
     }
 ...

pom.xml

@@ -118,6 +118,9 @@
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-javadoc-plugin</artifactId>
                 <version>${maven-javadoc-plugin.version}</version>
+                <configuration>
+                  <doclint>all,-missing</doclint>
+                </configuration>
                 <executions>
                     <execution>
                         <id>attach-javadocs</id>

src/main/java/eu/webeid/security/certificate/CertificateValidator.java

@@ -56,31 +56,32 @@ public static void certificateIsValidOnDate(X509Certificate cert, Date date, Str
         }
     }
 
-    public static void trustedCACertificatesAreValidOnDate(Set<TrustAnchor> trustedCACertificateAnchors, Date date) throws CertificateNotYetValidException, CertificateExpiredException {
-        for (TrustAnchor cert : trustedCACertificateAnchors) {
-            certificateIsValidOnDate(cert.getTrustedCert(), date, "Trusted CA");
-        }
-    }
-
     public static X509Certificate validateIsSignedByTrustedCA(X509Certificate certificate,
                                                               Set<TrustAnchor> trustedCACertificateAnchors,
                                                               CertStore trustedCACertificateCertStore,
-                                                              Date date) throws CertificateNotTrustedException, JceException {
+                                                              Date now) throws CertificateNotTrustedException, JceException, CertificateNotYetValidException, CertificateExpiredException {
+        certificateIsValidOnDate(certificate, now, "User");
+
         final X509CertSelector selector = new X509CertSelector();
         selector.setCertificate(certificate);
 
         try {
             final PKIXBuilderParameters pkixBuilderParameters = new PKIXBuilderParameters(trustedCACertificateAnchors, selector);
             // Certificate revocation check is intentionally disabled as we do the OCSP check with SubjectCertificateNotRevokedValidator ourselves.
             pkixBuilderParameters.setRevocationEnabled(false);
-            pkixBuilderParameters.setDate(date);
+            pkixBuilderParameters.setDate(now);
             pkixBuilderParameters.addCertStore(trustedCACertificateCertStore);
 
             // See the comment in buildCertStoreFromCertificates() below why we use the default JCE provider.
             final CertPathBuilder certPathBuilder = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
             final PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) certPathBuilder.build(pkixBuilderParameters);
 
-            return result.getTrustAnchor().getTrustedCert();
+            final X509Certificate trustedCACert = result.getTrustAnchor().getTrustedCert();
+
+            // Verify that the trusted CA cert is presently valid before returning the result.
+            certificateIsValidOnDate(trustedCACert, now, "Trusted CA");
+
+            return trustedCACert;
 
         } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
             throw new JceException(e);

src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -30,7 +30,6 @@
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.exceptions.AuthTokenParseException;
 import eu.webeid.security.exceptions.JceException;
-import eu.webeid.security.validator.certvalidators.SubjectCertificateExpiryValidator;
 import eu.webeid.security.validator.certvalidators.SubjectCertificateNotRevokedValidator;
 import eu.webeid.security.validator.certvalidators.SubjectCertificatePolicyValidator;
 import eu.webeid.security.validator.certvalidators.SubjectCertificatePurposeValidator;
@@ -83,7 +82,6 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
         trustedCACertificateCertStore = CertificateValidator.buildCertStoreFromCertificates(configuration.getTrustedCACertificates());
 
         simpleSubjectCertificateValidators = SubjectCertificateValidatorBatch.createFrom(
-            new SubjectCertificateExpiryValidator(trustedCACertificateAnchors)::validateCertificateExpiry,
             SubjectCertificatePurposeValidator::validateCertificatePurpose,
             new SubjectCertificatePolicyValidator(configuration.getDisallowedSubjectCertificatePolicies())::validateCertificatePolicies
         );

src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateExpiryValidator.java

@@ -24,10 +24,12 @@
 
 import eu.webeid.security.certificate.CertificateValidator;
 import eu.webeid.security.exceptions.AuthTokenException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import eu.webeid.security.exceptions.CertificateExpiredException;
 import eu.webeid.security.exceptions.CertificateNotTrustedException;
+import eu.webeid.security.exceptions.CertificateNotYetValidException;
 import eu.webeid.security.util.DateAndTime;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.security.cert.CertStore;
 import java.security.cert.TrustAnchor;
@@ -49,10 +51,14 @@ public SubjectCertificateTrustedValidator(Set<TrustAnchor> trustedCACertificateA
     }
 
     /**
-     * Validates that the user certificate from the authentication token is signed by a trusted certificate authority.
+     * Checks that the user certificate from the authentication token is valid and signed by
+     * a trusted certificate authority. Also checks the validity of the user certificate's
+     * trusted CA certificate.
      *
      * @param subjectCertificate user certificate to be validated
-     * @throws CertificateNotTrustedException when user certificate is not signed by a trusted CA.
+     * @throws CertificateNotTrustedException when user certificate is not signed by a trusted CA
+     * @throws CertificateNotYetValidException when a CA certificate in the chain or the user certificate is not yet valid
+     * @throws CertificateExpiredException when a CA certificate in the chain or the user certificate is expired
      */
     public void validateCertificateTrusted(X509Certificate subjectCertificate) throws AuthTokenException {
         // Use the clock instance so that the date can be mocked in tests.
@@ -63,7 +69,7 @@ public void validateCertificateTrusted(X509Certificate subjectCertificate) throw
             trustedCACertificateCertStore,
             now
         );
-        LOG.debug("Subject certificate is signed by a trusted CA");
+        LOG.debug("Subject certificate is valid and signed by a trusted CA");
     }
 
     public X509Certificate getSubjectCertificateIssuerCertificate() {

src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateTrustedValidator.java

@@ -82,6 +82,11 @@ public static AuthTokenValidator getAuthTokenValidatorWithWrongTrustedCA() throw
             CertificateLoader.loadCertificatesFromResources("ESTEID2018.cer"));
     }
 
+    public static AuthTokenValidator getAuthTokenValidatorWithJuly2024ExpiredUnrelatedTrustedCA() throws CertificateException, JceException, IOException {
+        return getAuthTokenValidator(TOKEN_ORIGIN_URL,
+            CertificateLoader.loadCertificatesFromResources("TEST_of_ESTEID2018.cer", "TEST_of_SK_OCSP_RESPONDER_2020.cer"));
+    }
+
     public static AuthTokenValidator getAuthTokenValidatorWithDisallowedESTEIDPolicy() throws CertificateException, JceException, IOException {
         return getAuthTokenValidatorBuilder(TOKEN_ORIGIN_URL, getCACertificates())
             .withDisallowedCertificatePolicies(EST_IDEMIA_POLICY)

src/test/java/eu/webeid/security/testutil/AuthTokenValidators.java

@@ -46,6 +46,7 @@
 import java.security.cert.CertificateException;
 
 import static eu.webeid.security.testutil.DateMocker.mockDate;
+import static org.assertj.core.api.Assertions.assertThatCode;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.Mockito.mockStatic;
 
@@ -228,13 +229,14 @@ void whenUserCertificateIsNotYetValid_thenValidationFails() {
             .hasMessage("User certificate is not yet valid");
     }
 
+    // In this case both CA and user certificate are not yet valid, we expect the user certificate to be checked first.
     @Test
-    void whenTrustedCACertificateIsNotYetValid_thenValidationFails() {
+    void whenTrustedCACertificateIsNotYetValid_thenUserCertValidationFails() {
         mockDate("2018-08-17", mockedClock);
         assertThatThrownBy(() -> validator
             .validate(validAuthToken, VALID_CHALLENGE_NONCE))
             .isInstanceOf(CertificateNotYetValidException.class)
-            .hasMessage("Trusted CA certificate is not yet valid");
+            .hasMessage("User certificate is not yet valid");
     }
 
     @Test
@@ -246,13 +248,26 @@ void whenUserCertificateIsNoLongerValid_thenValidationFails() {
             .hasMessage("User certificate has expired");
     }
 
+    // In this case both CA and user certificate have expired, we expect the user certificate to be checked first.
     @Test
-    void whenTrustedCACertificateIsNoLongerValid_thenValidationFails() {
+    void whenTrustedCACertificateIsNoLongerValid_thenUserCertValidationFails() {
         mockDate("2033-10-19", mockedClock);
         assertThatThrownBy(() -> validator
             .validate(validAuthToken, VALID_CHALLENGE_NONCE))
             .isInstanceOf(CertificateExpiredException.class)
-            .hasMessage("Trusted CA certificate has expired");
+            .hasMessage("User certificate has expired");
+    }
+
+    // The certificate validation process must only check the expiration of the CA certificate that is directly part of
+    // the user's certificate chain. Expired but unrelated CA certificates must not cause exceptions.
+    @Test
+    void whenUnrelatedCACertificateIsExpired_thenValidationSucceeds() throws Exception {
+        mockDate("2024-07-01", mockedClock);
+        final AuthTokenValidator validatorWithExpiredUnrelatedTrustedCA = AuthTokenValidators.getAuthTokenValidatorWithJuly2024ExpiredUnrelatedTrustedCA();
+
+        assertThatCode(() -> validatorWithExpiredUnrelatedTrustedCA
+            .validate(validAuthToken, VALID_CHALLENGE_NONCE))
+            .doesNotThrowAnyException();
     }
 
     @Test