AUT-2597 Use issuer CNs to get fallback OCSP services

Author: madislm

src/main/java/eu/webeid/ocsp/protocol/IssuerCommonName.java

@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.ocsp.protocol;
+
+import org.bouncycastle.asn1.x500.RDN;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
+
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.Objects;
+import java.util.Optional;
+
+public class IssuerCommonName {
+
+    public static Optional<String> getIssuerCommonName(X509Certificate certificate) {
+        Objects.requireNonNull(certificate, "certificate");
+        try {
+            X500Name x500Name = new JcaX509CertificateHolder(certificate).getIssuer();
+            final RDN cn = x500Name.getRDNs(BCStyle.CN)[0];
+            return Optional.of(IETFUtils.valueToString(cn.getFirst().getValue()));
+        } catch (CertificateEncodingException e) {
+            return Optional.empty();
+        }
+    }
+
+    private IssuerCommonName() {
+        throw new IllegalStateException("Utility class");
+    }
+}

src/main/java/eu/webeid/ocsp/service/AiaOcspService.java

@@ -41,6 +41,7 @@
 import java.util.Objects;
 import java.util.Set;
 
+import static eu.webeid.ocsp.protocol.IssuerCommonName.getIssuerCommonName;
 import static eu.webeid.ocsp.protocol.OcspUrl.getOcspUri;
 
 /**
@@ -60,8 +61,10 @@ public AiaOcspService(AiaOcspServiceConfiguration configuration, X509Certificate
         this.trustedCACertificateAnchors = configuration.getTrustedCACertificateAnchors();
         this.trustedCACertificateCertStore = configuration.getTrustedCACertificateCertStore();
         this.url = getOcspAiaUrlFromCertificate(Objects.requireNonNull(certificate));
-        this.supportsNonce = !configuration.getNonceDisabledOcspUrls().contains(this.url);
         this.fallbackOcspService = fallbackOcspService;
+        String issuerCN = getIssuerCommonName(certificate).orElseThrow(() ->
+            new UserCertificateOCSPCheckFailedException("Getting the issuer common name failed"));
+        this.supportsNonce = !configuration.getNonceDisabledIssuerCNs().contains(issuerCN);
     }
 
     @Override

src/main/java/eu/webeid/ocsp/service/AiaOcspServiceConfiguration.java

@@ -22,7 +22,6 @@
 
 package eu.webeid.ocsp.service;
 
-import java.net.URI;
 import java.security.cert.CertStore;
 import java.security.cert.TrustAnchor;
 import java.util.Collection;
@@ -31,18 +30,18 @@
 
 public class AiaOcspServiceConfiguration {
 
-    private final Collection<URI> nonceDisabledOcspUrls;
+    private final Collection<String> nonceDisabledIssuerCNs;
     private final Set<TrustAnchor> trustedCACertificateAnchors;
     private final CertStore trustedCACertificateCertStore;
 
-    public AiaOcspServiceConfiguration(Collection<URI> nonceDisabledOcspUrls, Set<TrustAnchor> trustedCACertificateAnchors, CertStore trustedCACertificateCertStore) {
-        this.nonceDisabledOcspUrls = Objects.requireNonNull(nonceDisabledOcspUrls);
+    public AiaOcspServiceConfiguration(Collection<String> nonceDisabledIssuerCNs, Set<TrustAnchor> trustedCACertificateAnchors, CertStore trustedCACertificateCertStore) {
+        this.nonceDisabledIssuerCNs = Objects.requireNonNull(nonceDisabledIssuerCNs);
         this.trustedCACertificateAnchors = Objects.requireNonNull(trustedCACertificateAnchors);
         this.trustedCACertificateCertStore = Objects.requireNonNull(trustedCACertificateCertStore);
     }
 
-    public Collection<URI> getNonceDisabledOcspUrls() {
-        return nonceDisabledOcspUrls;
+    public Collection<String> getNonceDisabledIssuerCNs() {
+        return nonceDisabledIssuerCNs;
     }
 
     public Set<TrustAnchor> getTrustedCACertificateAnchors() {

src/main/java/eu/webeid/ocsp/service/OcspService.java

@@ -22,6 +22,7 @@
 
 package eu.webeid.ocsp.service;
 
+import eu.webeid.resilientocsp.service.FallbackOcspService;
 import org.bouncycastle.cert.X509CertificateHolder;
 import eu.webeid.security.exceptions.AuthTokenException;
 
@@ -36,7 +37,7 @@ public interface OcspService {
 
     void validateResponderCertificate(X509CertificateHolder cert, Date now) throws AuthTokenException;
 
-    default OcspService getFallbackService() {
+    default FallbackOcspService getFallbackService() {
         return null;
     }
 

src/main/java/eu/webeid/ocsp/service/OcspServiceProvider.java

@@ -27,21 +27,20 @@
 import eu.webeid.resilientocsp.service.FallbackOcspServiceConfiguration;
 import eu.webeid.security.exceptions.AuthTokenException;
 
-import java.net.URI;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.Objects;
-import java.util.stream.Collectors;
 
-import static eu.webeid.ocsp.protocol.OcspUrl.getOcspUri;
+import static eu.webeid.ocsp.protocol.IssuerCommonName.getIssuerCommonName;
 
 public class OcspServiceProvider {
 
     private final DesignatedOcspService designatedOcspService;
     private final AiaOcspServiceConfiguration aiaOcspServiceConfiguration;
-    private final Map<URI, FallbackOcspService> fallbackOcspServiceMap;
+    private final Map<String, FallbackOcspService> fallbackOcspServiceMap = new HashMap<>();
 
     public OcspServiceProvider(DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration, AiaOcspServiceConfiguration aiaOcspServiceConfiguration) {
         this(designatedOcspServiceConfiguration, aiaOcspServiceConfiguration, null);
@@ -52,9 +51,13 @@ public OcspServiceProvider(DesignatedOcspServiceConfiguration designatedOcspServ
             new DesignatedOcspService(designatedOcspServiceConfiguration)
             : null;
         this.aiaOcspServiceConfiguration = Objects.requireNonNull(aiaOcspServiceConfiguration, "aiaOcspServiceConfiguration");
-        this.fallbackOcspServiceMap = fallbackOcspServiceConfigurations != null ? fallbackOcspServiceConfigurations.stream()
-            .collect(Collectors.toMap(FallbackOcspServiceConfiguration::getOcspServiceAccessLocation, FallbackOcspService::new))
-            : Map.of();
+        if (fallbackOcspServiceConfigurations != null) {
+            for (FallbackOcspServiceConfiguration configuration : fallbackOcspServiceConfigurations) {
+                String issuerCN = getIssuerCommonName(configuration.getResponderCertificate()).orElseThrow(() ->
+                    new RuntimeException("Certificate does not contain issuer CN"));
+                fallbackOcspServiceMap.put(issuerCN, new FallbackOcspService(configuration));
+            }
+        }
     }
 
     /**
@@ -63,20 +66,16 @@ public OcspServiceProvider(DesignatedOcspServiceConfiguration designatedOcspServ
      *
      * @param certificate subject certificate that is to be checked with OCSP
      * @return either the designated or AIA OCSP service instance
-     * @throws AuthTokenException when AIA URL is not found in certificate
+     * @throws UserCertificateOCSPCheckFailedException when issuer common name is not found in certificate
      * @throws IllegalArgumentException when certificate is invalid
      */
     public OcspService getService(X509Certificate certificate) throws AuthTokenException, CertificateEncodingException {
         if (designatedOcspService != null && designatedOcspService.supportsIssuerOf(certificate)) {
             return designatedOcspService;
         }
-        URI ocspServiceUri = getOcspUri(certificate).orElseThrow(() ->
-            new UserCertificateOCSPCheckFailedException("Getting the AIA OCSP responder field from the certificate failed"));
-        FallbackOcspService fallbackOcspService = fallbackOcspServiceMap.get(ocspServiceUri);
+        String issuerCommonName = getIssuerCommonName(certificate).orElseThrow(() ->
+            new UserCertificateOCSPCheckFailedException("Getting the issuer common name failed"));
+        FallbackOcspService fallbackOcspService = fallbackOcspServiceMap.get(issuerCommonName);
         return new AiaOcspService(aiaOcspServiceConfiguration, certificate, fallbackOcspService);
     }
-
-    public FallbackOcspService getFallbackService(URI ocspServiceUri) {
-        return fallbackOcspServiceMap.get(ocspServiceUri);
-    }
 }

src/main/java/eu/webeid/resilientocsp/ResilientOcspCertificateRevocationChecker.java

@@ -31,6 +31,7 @@
 import eu.webeid.ocsp.service.OcspServiceProvider;
 import eu.webeid.resilientocsp.exceptions.ResilientUserCertificateOCSPCheckFailedException;
 import eu.webeid.resilientocsp.exceptions.ResilientUserCertificateRevokedException;
+import eu.webeid.resilientocsp.service.FallbackOcspService;
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.validator.ValidationInfo;
 import eu.webeid.security.validator.revocationcheck.RevocationInfo;
@@ -106,8 +107,8 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
         } catch (CertificateException e) {
             throw new ResilientUserCertificateOCSPCheckFailedException(new ValidationInfo(subjectCertificate, List.of()));
         }
-        final OcspService fallbackOcspService = ocspService.getFallbackService();
-        if (fallbackOcspService == null) {
+        final FallbackOcspService firstFallbackService = ocspService.getFallbackService();
+        if (firstFallbackService == null) {
             return List.of(request(ocspService, subjectCertificate, issuerCertificate, false));
         }
 
@@ -123,7 +124,6 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
                 throw e;
             }
         };
-        OcspService firstFallbackService = ocspService.getFallbackService();
         CheckedSupplier<RevocationInfo> firstFallbackSupplier = () -> {
             try {
                 return request(firstFallbackService, subjectCertificate, issuerCertificate, true);
@@ -132,7 +132,7 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
                 throw e;
             }
         };
-        OcspService secondFallbackService = getOcspServiceProvider().getFallbackService(firstFallbackService.getAccessLocation());
+        OcspService secondFallbackService = firstFallbackService.getNextFallback();
         CheckedSupplier<RevocationInfo> fallbackSupplier;
         if (secondFallbackService == null) {
             fallbackSupplier = firstFallbackSupplier;

src/main/java/eu/webeid/resilientocsp/service/FallbackOcspService.java

@@ -42,11 +42,13 @@ public class FallbackOcspService implements OcspService {
     private final URI url;
     private final boolean supportsNonce;
     private final X509Certificate trustedResponderCertificate;
+    private final FallbackOcspService nextFallback;
 
     public FallbackOcspService(FallbackOcspServiceConfiguration configuration) {
-        this.url = configuration.getFallbackOcspServiceAccessLocation();
+        this.url = configuration.getAccessLocation();
         this.supportsNonce = configuration.doesSupportNonce();
         this.trustedResponderCertificate = configuration.getResponderCertificate();
+        this.nextFallback = configuration.getNextFallback();
     }
 
     @Override
@@ -74,4 +76,8 @@ public void validateResponderCertificate(X509CertificateHolder cert, Date now) t
             throw new OCSPCertificateException("X509CertificateHolder conversion to X509Certificate failed", e);
         }
     }
+
+    public FallbackOcspService getNextFallback() {
+        return nextFallback;
+    }
 }

src/main/java/eu/webeid/resilientocsp/service/FallbackOcspServiceConfiguration.java

@@ -31,26 +31,23 @@
 
 public class FallbackOcspServiceConfiguration {
 
-    private final URI ocspServiceAccessLocation;
-    private final URI fallbackOcspServiceAccessLocation;
+    private final URI accessLocation;
     private final X509Certificate responderCertificate;
     private final boolean doesSupportNonce;
+    private final FallbackOcspService nextFallback;
 
-    public FallbackOcspServiceConfiguration(URI ocspServiceAccessLocation, URI fallbackOcspServiceAccessLocation,
-                                            X509Certificate responderCertificate, boolean doesSupportNonce) throws OCSPCertificateException {
-        this.ocspServiceAccessLocation = Objects.requireNonNull(ocspServiceAccessLocation, "Primary OCSP service access location");
-        this.fallbackOcspServiceAccessLocation = Objects.requireNonNull(fallbackOcspServiceAccessLocation, "Fallback OCSP service access location");
+    public FallbackOcspServiceConfiguration(URI accessLocation, X509Certificate responderCertificate,
+                                            boolean doesSupportNonce,
+                                            FallbackOcspService nextFallback) throws OCSPCertificateException {
+        this.accessLocation = Objects.requireNonNull(accessLocation, "Fallback OCSP service access location");
         this.responderCertificate = Objects.requireNonNull(responderCertificate, "Fallback OCSP responder certificate");
         OcspResponseValidator.validateHasSigningExtension(responderCertificate);
         this.doesSupportNonce = doesSupportNonce;
+        this.nextFallback = nextFallback;
     }
 
-    public URI getOcspServiceAccessLocation() {
-        return ocspServiceAccessLocation;
-    }
-
-    public URI getFallbackOcspServiceAccessLocation() {
-        return fallbackOcspServiceAccessLocation;
+    public URI getAccessLocation() {
+        return accessLocation;
     }
 
     public X509Certificate getResponderCertificate() {
@@ -61,4 +58,7 @@ public boolean doesSupportNonce() {
         return doesSupportNonce;
     }
 
+    public FallbackOcspService getNextFallback() {
+        return nextFallback;
+    }
 }

src/test/java/eu/webeid/ocsp/service/OcspServiceMaker.java

@@ -41,7 +41,7 @@ public class OcspServiceMaker {
 
     private static final String TEST_OCSP_ACCESS_LOCATION = "http://demo.sk.ee/ocsp";
     private static final List<X509Certificate> TRUSTED_CA_CERTIFICATES;
-    private static final URI TEST_ESTEID_2015 = URI.create("http://aia.demo.sk.ee/esteid2015");
+    private static final String ISSUER_CN = "TEST of ESTEID-SK 2015";
 
     static {
         try {
@@ -69,7 +69,7 @@ public static OcspServiceProvider getDesignatedOcspServiceProvider(String ocspSe
 
     private static AiaOcspServiceConfiguration getAiaOcspServiceConfiguration() throws JceException {
         return new AiaOcspServiceConfiguration(
-            Set.of(TEST_ESTEID_2015),
+            Set.of(ISSUER_CN),
             CertificateValidator.buildTrustAnchorsFromCertificates(TRUSTED_CA_CERTIFICATES),
             CertificateValidator.buildCertStoreFromCertificates(TRUSTED_CA_CERTIFICATES));
     }

src/test/java/eu/webeid/ocsp/service/OcspServiceProviderTest.java

@@ -100,4 +100,4 @@ void whenAiaOcspServiceConfigurationDoesNotHaveResponderCertTrustedCA_thenThrows
 //        assertThatThrownBy(() -> validatorWithOcspCheck
 //            .validate(token, VALID_CHALLENGE_NONCE))
 //            .isInstanceOf(UserCertificateRevokedException.class);
-//    }
+//    }