Merge pull request #313 from digipost/less-drama-more-information

Less drama, more information

Author: runeflobakk

lib/pom.xml

@@ -55,7 +55,7 @@
         <dependency>
             <groupId>no.digipost</groupId>
             <artifactId>certificate-validator</artifactId>
-            <version>3.0.2</version>
+            <version>3.0.3</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.bouncycastle</groupId>
@@ -72,13 +72,13 @@
         <dependency>
             <groupId>org.apache.httpcomponents.core5</groupId>
             <artifactId>httpcore5</artifactId>
-            <version>5.2.2</version>
+            <version>5.2.3</version>
         </dependency>
 
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.13.0</version>
+            <version>2.14.0</version>
             <scope>test</scope>
         </dependency>
 
@@ -124,7 +124,7 @@
         <dependency>
             <groupId>nl.jqno.equalsverifier</groupId>
             <artifactId>equalsverifier</artifactId>
-            <version>3.15.1</version>
+            <version>3.15.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>

lib/src/main/java/no/digipost/signature/client/ServiceEnvironment.java

@@ -87,7 +87,7 @@ public String toString() {
 }
 
 
-enum Certificates implements ProvidesCertificateResourcePaths {
+enum Certificates {
 
     TEST(
             "test/Buypass_Class_3_Test4_CA_3.cer",
@@ -125,10 +125,5 @@ enum Certificates implements ProvidesCertificateResourcePaths {
                 .collect(toList());
     }
 
-    @Override
-    public List<String> certificatePaths() {
-        return certificatePaths();
-    }
-
 }
 

lib/src/main/java/no/digipost/signature/client/core/internal/http/SignatureApiTrustStrategy.java

@@ -5,7 +5,13 @@
 import no.digipost.signature.client.security.CertificateChainValidation.Result;
 import org.apache.hc.core5.ssl.TrustStrategy;
 
+import java.math.BigInteger;
 import java.security.cert.X509Certificate;
+import java.time.ZoneId;
+import java.time.ZonedDateTime;
+import java.util.Optional;
+
+import static javax.security.auth.x500.X500Principal.RFC1779;
 
 public final class SignatureApiTrustStrategy implements TrustStrategy {
 
@@ -35,11 +41,23 @@ public boolean isTrusted(X509Certificate[] chain, String authType) {
             case TRUSTED_AND_SKIP_FURTHER_VALIDATION: return true;
             case TRUSTED: return false;
             case UNTRUSTED: default:
-                String subjectDN = chain[0].getSubjectX500Principal().getName();
+                String certificateDescription = Optional.ofNullable(chain)
+                        .filter(certs -> certs.length > 0)
+                        .map(certs -> certs[0])
+                        .map(cert -> {
+                            String subjectDN = cert.getSubjectX500Principal().getName(RFC1779);
+                            BigInteger serialNumber = cert.getSerialNumber();
+                            String issuerDN = cert.getIssuerX500Principal().getName(RFC1779);
+                            ZonedDateTime expires = cert.getNotAfter().toInstant().atZone(ZoneId.systemDefault());
+                            return subjectDN + " (serial number " + serialNumber + ", expires " + expires + "), issued by " + issuerDN;
+                        })
+                        .orElse("<no server certificate>");
                 throw new SecurityException(
                     "Untrusted server certificate, according to " + certificateChainValidation + ". " +
-                    "Make sure the server URI is correct. Actual certificate: " + subjectDN + ". " +
-                    "This could indicate a misconfiguration of the client or server, or potentially a man-in-the-middle attack.");
+                    "Actual certificate from server response: " + certificateDescription + ". " +
+                    "This normally indicates either a misconfiguration of this client library, or a mixup of URLs used to communicate with the API. " +
+                    "Make sure the request URL is correct, is actually for the API, and it aligns with the configured ServiceEnvironment. " +
+                    "It should e.g. not be a URL that is to be accessed by a user from a web browser.");
         }
     }
 

lib/src/main/java/no/digipost/signature/client/security/OrganizationNumberValidation.java

@@ -28,7 +28,7 @@ public Result validate(X509Certificate[] certChain) {
 
     @Override
     public String toString() {
-        return getClass().getSimpleName() + " trusting '" + trustedOrganizationNumber + "'";
+        return getClass().getSimpleName() + " trusting organization number '" + trustedOrganizationNumber + "'";
     }
 
 }