8 changes: 4 additions & 4 deletions lib/pom.xml
Expand Up @@ -55,7 +55,7 @@
<dependency>
<groupId>no.digipost</groupId>
<artifactId>certificate-validator</artifactId>
<version>3.0.2</version>
<version>3.0.3</version>
<exclusions>
<exclusion>
<groupId>org.bouncycastle</groupId>
Expand All @@ -72,13 +72,13 @@
<dependency>
<groupId>org.apache.httpcomponents.core5</groupId>
<artifactId>httpcore5</artifactId>
<version>5.2.2</version>
<version>5.2.3</version>
</dependency>

<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.13.0</version>
<version>2.14.0</version>
<scope>test</scope>
</dependency>

Expand Down Expand Up @@ -124,7 +124,7 @@
<dependency>
<groupId>nl.jqno.equalsverifier</groupId>
<artifactId>equalsverifier</artifactId>
<version>3.15.1</version>
<version>3.15.2</version>
<scope>test</scope>
</dependency>
<dependency>
Expand Up @@ -87,7 +87,7 @@ public String toString() {
}


enum Certificates implements ProvidesCertificateResourcePaths {
enum Certificates {

TEST(
"test/Buypass_Class_3_Test4_CA_3.cer",
Expand Down Expand Up @@ -125,10 +125,5 @@ enum Certificates implements ProvidesCertificateResourcePaths {
.collect(toList());
}

@Override
public List<String> certificatePaths() {
return certificatePaths();
}

}

Expand Up @@ -5,7 +5,13 @@
import no.digipost.signature.client.security.CertificateChainValidation.Result;
import org.apache.hc.core5.ssl.TrustStrategy;

import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.util.Optional;

import static javax.security.auth.x500.X500Principal.RFC1779;

public final class SignatureApiTrustStrategy implements TrustStrategy {

Expand Down Expand Up @@ -35,11 +41,23 @@ public boolean isTrusted(X509Certificate[] chain, String authType) {
case TRUSTED_AND_SKIP_FURTHER_VALIDATION: return true;
case TRUSTED: return false;
case UNTRUSTED: default:
String subjectDN = chain[0].getSubjectX500Principal().getName();
String certificateDescription = Optional.ofNullable(chain)
.filter(certs -> certs.length > 0)
.map(certs -> certs[0])
.map(cert -> {
String subjectDN = cert.getSubjectX500Principal().getName(RFC1779);
BigInteger serialNumber = cert.getSerialNumber();
String issuerDN = cert.getIssuerX500Principal().getName(RFC1779);
ZonedDateTime expires = cert.getNotAfter().toInstant().atZone(ZoneId.systemDefault());
return subjectDN + " (serial number " + serialNumber + ", expires " + expires + "), issued by " + issuerDN;
})
.orElse("<no server certificate>");
throw new SecurityException(
"Untrusted server certificate, according to " + certificateChainValidation + ". " +
"Make sure the server URI is correct. Actual certificate: " + subjectDN + ". " +
"This could indicate a misconfiguration of the client or server, or potentially a man-in-the-middle attack.");
"Actual certificate from server response: " + certificateDescription + ". " +
"This normally indicates either a misconfiguration of this client library, or a mixup of URLs used to communicate with the API. " +
"Make sure the request URL is correct, is actually for the API, and it aligns with the configured ServiceEnvironment. " +
"It should e.g. not be a URL that is to be accessed by a user from a web browser.");
}
}

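Review bot: The rewritten SecurityException message on the last lines of the hunk drops the original's caveat that an untrusted server certificate can also mean a man-in-the-middle attack; it now tells operators only that this "normally indicates" a client misconfiguration or URL mixup, which nudges whoever hits it toward loosening validation rather than investigating. The subject, serial number, expiry and issuer now embedded in the message are exactly the values an interposed server controls, so the active-attacker case is the one the message should still name. Keeping one closing sentence from the old text, e.g. `"It should e.g. not be a URL that is to be accessed by a user from a web browser. " + "If the URL is correct, treat this as a possible man-in-the-middle attack and do not disable certificate validation to work around it.");`, preserves that warning. Because those DN strings are attacker-supplied precisely when an attack is in progress, it is also worth confirming whether the RFC1779 rendering leaves control characters in place before the message reaches a log. isTrusted's signature and the certificateChainValidation call it switches on precede this hunk.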
Expand Up @@ -28,7 +28,7 @@ public Result validate(X509Certificate[] certChain) {

@Override
public String toString() {
return getClass().getSimpleName() + " trusting '" + trustedOrganizationNumber + "'";
return getClass().getSimpleName() + " trusting organization number '" + trustedOrganizationNumber + "'";
}

}