NFC-115 Improve unverifiedSigningCertificates check

SanderKondratjevNortal · SanderKondratjevNortal · commit 80daf65b6c25 · 2026-03-20T10:48:19.000+02:00
Signed-off-by: Sander Kondratjev &lt;sander.kondratjev@nortal.com&gt;
diff --git a/src/main/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion1Validator.java b/src/main/java/eu/webeid/security/validator/versionvalidators/AuthTokenVersion1Validator.java
@@ -78,8 +78,10 @@ protected String getSupportedFormatPrefix() {
 
     @Override
     public X509Certificate validate(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
-        if (token.getUnverifiedSigningCertificates() != null) {
-            throw new AuthTokenParseException("'unverifiedSigningCertificates' field is not allowed for format '" + token.getFormat() + "'");
+        if (isExactV10Format(token.getFormat()) && token.getUnverifiedSigningCertificates() != null) {
+            throw new AuthTokenParseException(
+                "'unverifiedSigningCertificates' field is not allowed for format '" + token.getFormat() + "'"
+            );
         }
 
         if (token.getUnverifiedCertificate() == null || token.getUnverifiedCertificate().isEmpty()) {
@@ -109,4 +111,8 @@ public X509Certificate validate(WebEidAuthToken token, String currentChallengeNo
 
         return subjectCertificate;
     }
+
+    private static boolean isExactV10Format(String format) {
+        return V1_SUPPORTED_TOKEN_FORMAT_PREFIX.equals(format) || "web-eid:1.0".equals(format);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -78,8 +78,10 @@ protected String getSupportedFormatPrefix() {`
`78`	`78`
`79`	`79`	`@Override`
`80`	`80`	`public X509Certificate validate(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {`
`81`		`- if (token.getUnverifiedSigningCertificates() != null) {`
`82`		`- throw new AuthTokenParseException("'unverifiedSigningCertificates' field is not allowed for format '" + token.getFormat() + "'");`
	`81`	`+ if (isExactV10Format(token.getFormat()) && token.getUnverifiedSigningCertificates() != null) {`
	`82`	`+ throw new AuthTokenParseException(`
	`83`	`+ "'unverifiedSigningCertificates' field is not allowed for format '" + token.getFormat() + "'"`
	`84`	`+ );`
`83`	`85`	`}`
`84`	`86`
`85`	`87`	`if (token.getUnverifiedCertificate() == null \|\| token.getUnverifiedCertificate().isEmpty()) {`
`@@ -109,4 +111,8 @@ public X509Certificate validate(WebEidAuthToken token, String currentChallengeNo`
`109`	`111`
`110`	`112`	`return subjectCertificate;`
`111`	`113`	`}`
	`114`	`+`
	`115`	`+ private static boolean isExactV10Format(String format) {`
	`116`	`+ return V1_SUPPORTED_TOKEN_FORMAT_PREFIX.equals(format) \|\| "web-eid:1.0".equals(format);`
	`117`	`+ }`
`112`	`118`	`}`