AUT-2473 Add rejectUnknownOcspResponseStatus configuration option

Co-authored-by: Madis Jaagup Laurson <madisjaagup.laurson@nortal.com>

Author: aarmam

src/main/java/eu/webeid/ocsp/OcspCertificateRevocationChecker.java

@@ -131,7 +131,7 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
             }
             LOG.debug("OCSP response received successfully");
 
-            verifyOcspResponse(basicResponse, ocspService, certificateId);
+            verifyOcspResponse(basicResponse, ocspService, certificateId, false);
             if (ocspService.doesSupportNonce()) {
                 checkNonce(request, basicResponse, ocspResponderUri);
             }
@@ -144,7 +144,7 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
         }
     }
 
-    protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, CertificateID requestCertificateId) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {
+    protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, CertificateID requestCertificateId, boolean rejectUnknownOcspResponseStatus) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {
         // The verification algorithm follows RFC 2560, https://www.ietf.org/rfc/rfc2560.txt.
         //
         // 3.2.  Signed Response Acceptance Requirements
@@ -198,7 +198,7 @@ protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspS
         OcspResponseValidator.validateCertificateStatusUpdateTime(certStatusResponse, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge, ocspService.getAccessLocation());
 
         // Now we can accept the signed response as valid and validate the certificate status.
-        OcspResponseValidator.validateSubjectCertificateStatus(certStatusResponse, ocspService.getAccessLocation());
+        OcspResponseValidator.validateSubjectCertificateStatus(certStatusResponse, ocspService.getAccessLocation(), rejectUnknownOcspResponseStatus);
         LOG.debug("OCSP check result is GOOD");
     }
 

src/main/java/eu/webeid/ocsp/exceptions/UserCertificateUnknownException.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.ocsp.exceptions;
+
+import eu.webeid.security.exceptions.AuthTokenException;
+
+import java.net.URI;
+
+import static eu.webeid.ocsp.exceptions.OcspResponderUriMessage.withResponderUri;
+
+public class UserCertificateUnknownException extends AuthTokenException {
+
+    public UserCertificateUnknownException(String msg, URI ocspResponderUri) {
+        super(withResponderUri("User certificate status is unknown: " + msg, ocspResponderUri));
+    }
+}

src/main/java/eu/webeid/ocsp/protocol/OcspResponseValidator.java

@@ -25,6 +25,8 @@
 import eu.webeid.ocsp.exceptions.OCSPCertificateException;
 import eu.webeid.ocsp.exceptions.UserCertificateOCSPCheckFailedException;
 import eu.webeid.ocsp.exceptions.UserCertificateRevokedException;
+import eu.webeid.ocsp.exceptions.UserCertificateUnknownException;
+import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.util.DateAndTime;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.ocsp.BasicOCSPResp;
@@ -118,7 +120,7 @@ public static void validateCertificateStatusUpdateTime(SingleResp certStatusResp
         }
     }
 
-    public static void validateSubjectCertificateStatus(SingleResp certStatusResponse, URI ocspResponderUri) throws UserCertificateRevokedException {
+    public static void validateSubjectCertificateStatus(SingleResp certStatusResponse, URI ocspResponderUri, boolean rejectUnknownOcspResponseStatus) throws AuthTokenException {
         final CertificateStatus status = certStatusResponse.getCertStatus();
         if (status == null) {
             return;
@@ -128,9 +130,11 @@ public static void validateSubjectCertificateStatus(SingleResp certStatusRespons
                 new UserCertificateRevokedException("Revocation reason: " + revokedStatus.getRevocationReason(), ocspResponderUri) :
                 new UserCertificateRevokedException(ocspResponderUri));
         } else if (status instanceof UnknownStatus) {
-            throw new UserCertificateRevokedException("Unknown status", ocspResponderUri);
+            throw rejectUnknownOcspResponseStatus ? new UserCertificateUnknownException("Unknown status", ocspResponderUri)
+                : new UserCertificateRevokedException("Unknown status", ocspResponderUri);
         } else {
-            throw new UserCertificateRevokedException("Status is neither good, revoked nor unknown", ocspResponderUri);
+            throw rejectUnknownOcspResponseStatus ? new UserCertificateUnknownException("Status is neither good, revoked nor unknown", ocspResponderUri)
+                : new UserCertificateRevokedException("Status is neither good, revoked nor unknown", ocspResponderUri);
         }
     }
 

src/main/java/eu/webeid/resilientocsp/ResilientOcspCertificateRevocationChecker.java

@@ -26,6 +26,7 @@
 import eu.webeid.ocsp.client.OcspClient;
 import eu.webeid.ocsp.exceptions.UserCertificateOCSPCheckFailedException;
 import eu.webeid.ocsp.exceptions.UserCertificateRevokedException;
+import eu.webeid.ocsp.exceptions.UserCertificateUnknownException;
 import eu.webeid.ocsp.protocol.OcspRequestBuilder;
 import eu.webeid.ocsp.service.OcspService;
 import eu.webeid.ocsp.service.OcspServiceProvider;
@@ -67,14 +68,17 @@ public class ResilientOcspCertificateRevocationChecker extends OcspCertificateRe
 
     private final CircuitBreakerRegistry circuitBreakerRegistry;
     private final RetryRegistry retryRegistry;
+    private final boolean rejectUnknownOcspResponseStatus;
 
     public ResilientOcspCertificateRevocationChecker(OcspClient ocspClient,
                                                      OcspServiceProvider ocspServiceProvider,
                                                      CircuitBreakerConfig circuitBreakerConfig,
                                                      RetryConfig retryConfig,
                                                      Duration allowedOcspResponseTimeSkew,
-                                                     Duration maxOcspResponseThisUpdateAge) {
+                                                     Duration maxOcspResponseThisUpdateAge,
+                                                     boolean rejectUnknownOcspResponseStatus) {
         super(ocspClient, ocspServiceProvider, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge);
+        this.rejectUnknownOcspResponseStatus = rejectUnknownOcspResponseStatus;
         this.circuitBreakerRegistry = CircuitBreakerRegistry.custom()
             .withCircuitBreakerConfig(getCircuitBreakerConfig(circuitBreakerConfig))
             .build();
@@ -116,7 +120,7 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
             decorateCheckedSupplier.withRetry(retry);
         }
         decorateCheckedSupplier.withCircuitBreaker(circuitBreaker)
-            .withFallback(List.of(UserCertificateOCSPCheckFailedException.class, CallNotPermittedException.class), e -> fallbackSupplier.apply());
+            .withFallback(List.of(UserCertificateOCSPCheckFailedException.class, CallNotPermittedException.class, UserCertificateUnknownException.class), e -> fallbackSupplier.apply());
 
         CheckedFunction0<RevocationInfo> decoratedSupplier = decorateCheckedSupplier.decorate();
 
@@ -156,7 +160,7 @@ private RevocationInfo request(OcspService ocspService, X509Certificate subjectC
             }
             LOG.debug("OCSP response received successfully");
 
-            verifyOcspResponse(basicResponse, ocspService, certificateId);
+            verifyOcspResponse(basicResponse, ocspService, certificateId, rejectUnknownOcspResponseStatus);
             if (ocspService.doesSupportNonce()) {
                 checkNonce(request, basicResponse, ocspResponderUri);
             }