AUT-2677 Use distinguished names instead of common names for OCSP service lookup

Author: madislm

src/main/java/eu/webeid/ocsp/protocol/IssuerCommonName.java

@@ -0,0 +1,23 @@
+package eu.webeid.ocsp.protocol;
+
+import org.bouncycastle.asn1.x500.X500Name;
+
+import java.security.cert.X509Certificate;
+import java.util.Objects;
+import java.util.Optional;
+
+public class IssuerDistinguishedName {
+
+    public static Optional<X500Name> getIssuerDistinguishedName(X509Certificate certificate) {
+        Objects.requireNonNull(certificate, "certificate");
+        String issuerDN = certificate.getIssuerX500Principal().getName();
+        if (issuerDN.isEmpty()) {
+            return Optional.empty();
+        }
+        return Optional.of(new X500Name(issuerDN));
+    }
+
+    private IssuerDistinguishedName() {
+        throw new IllegalStateException("Utility class");
+    }
+}

src/main/java/eu/webeid/ocsp/protocol/IssuerDistinguishedName.java

@@ -28,6 +28,7 @@
 import eu.webeid.ocsp.exceptions.UserCertificateOCSPCheckFailedException;
 import eu.webeid.ocsp.protocol.OcspResponseValidator;
 import eu.webeid.security.validator.revocationcheck.RevocationMode;
+import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 
@@ -41,7 +42,7 @@
 import java.util.Optional;
 import java.util.Set;
 
-import static eu.webeid.ocsp.protocol.IssuerCommonName.getIssuerCommonName;
+import static eu.webeid.ocsp.protocol.IssuerDistinguishedName.getIssuerDistinguishedName;
 import static eu.webeid.ocsp.protocol.OcspUrl.getOcspUri;
 
 /**
@@ -62,9 +63,9 @@ public AiaOcspService(AiaOcspServiceConfiguration configuration, X509Certificate
         this.trustedCACertificateCertStore = configuration.getTrustedCACertificateCertStore();
         this.url = getOcspAiaUrlFromCertificate(Objects.requireNonNull(certificate));
         this.fallbackOcspService = fallbackOcspService;
-        String issuerCN = getIssuerCommonName(certificate).orElseThrow(() ->
-            new UserCertificateOCSPCheckFailedException("Getting the issuer common name failed"));
-        this.supportsNonce = !configuration.getNonceDisabledIssuerCNs().contains(issuerCN);
+        X500Name issuerDN = getIssuerDistinguishedName(certificate).orElseThrow(() ->
+            new UserCertificateOCSPCheckFailedException("Getting the issuer distinguished name failed"));
+        this.supportsNonce = !configuration.getNonceDisabledIssuerDNs().contains(issuerDN);
     }
 
     @Override

src/main/java/eu/webeid/ocsp/service/AiaOcspService.java

@@ -22,6 +22,8 @@
 
 package eu.webeid.ocsp.service;
 
+import org.bouncycastle.asn1.x500.X500Name;
+
 import java.security.cert.CertStore;
 import java.security.cert.TrustAnchor;
 import java.util.Collection;
@@ -30,18 +32,18 @@
 
 public class AiaOcspServiceConfiguration {
 
-    private final Collection<String> nonceDisabledIssuerCNs;
+    private final Collection<X500Name> nonceDisabledIssuerDNs;
     private final Set<TrustAnchor> trustedCACertificateAnchors;
     private final CertStore trustedCACertificateCertStore;
 
-    public AiaOcspServiceConfiguration(Collection<String> nonceDisabledIssuerCNs, Set<TrustAnchor> trustedCACertificateAnchors, CertStore trustedCACertificateCertStore) {
-        this.nonceDisabledIssuerCNs = Objects.requireNonNull(nonceDisabledIssuerCNs);
+    public AiaOcspServiceConfiguration(Collection<X500Name> nonceDisabledIssuerDNs, Set<TrustAnchor> trustedCACertificateAnchors, CertStore trustedCACertificateCertStore) {
+        this.nonceDisabledIssuerDNs = Objects.requireNonNull(nonceDisabledIssuerDNs);
         this.trustedCACertificateAnchors = Objects.requireNonNull(trustedCACertificateAnchors);
         this.trustedCACertificateCertStore = Objects.requireNonNull(trustedCACertificateCertStore);
     }
 
-    public Collection<String> getNonceDisabledIssuerCNs() {
-        return nonceDisabledIssuerCNs;
+    public Collection<X500Name> getNonceDisabledIssuerDNs() {
+        return nonceDisabledIssuerDNs;
     }
 
     public Set<TrustAnchor> getTrustedCACertificateAnchors() {

src/main/java/eu/webeid/ocsp/service/AiaOcspServiceConfiguration.java

@@ -24,6 +24,7 @@
 
 import eu.webeid.ocsp.exceptions.OCSPCertificateException;
 import eu.webeid.ocsp.protocol.OcspResponseValidator;
+import org.bouncycastle.asn1.x500.X500Name;
 
 import java.net.URI;
 import java.security.cert.CertStore;
@@ -38,14 +39,14 @@ public class FallbackOcspServiceConfiguration {
     private final X509Certificate responderCertificate;
     private final boolean doesSupportNonce;
     private final FallbackOcspServiceConfiguration nextFallbackConfiguration;
-    private final String issuerCN;
+    private final X500Name issuerDN;
     private final Set<TrustAnchor> trustedCACertificateAnchors;
     private final CertStore trustedCACertificateCertStore;
 
     public FallbackOcspServiceConfiguration(URI accessLocation, X509Certificate responderCertificate,
                                             boolean doesSupportNonce,
                                             FallbackOcspServiceConfiguration nextFallbackConfiguration,
-                                            String issuerCN, Set<TrustAnchor> trustedCACertificateAnchors,
+                                            X500Name issuerDN, Set<TrustAnchor> trustedCACertificateAnchors,
                                             CertStore trustedCACertificateCertStore) throws OCSPCertificateException {
         this.accessLocation = Objects.requireNonNull(accessLocation, "Fallback OCSP service access location");
         this.responderCertificate = responderCertificate;
@@ -54,7 +55,7 @@ public FallbackOcspServiceConfiguration(URI accessLocation, X509Certificate resp
         }
         this.doesSupportNonce = doesSupportNonce;
         this.nextFallbackConfiguration = nextFallbackConfiguration;
-        this.issuerCN = issuerCN;
+        this.issuerDN = issuerDN;
         this.trustedCACertificateAnchors = Objects.requireNonNull(trustedCACertificateAnchors);
         this.trustedCACertificateCertStore = Objects.requireNonNull(trustedCACertificateCertStore);
     }
@@ -75,8 +76,8 @@ public FallbackOcspServiceConfiguration getNextFallbackConfiguration() {
         return nextFallbackConfiguration;
     }
 
-    public String getIssuerCN() {
-        return issuerCN;
+    public X500Name getIssuerDN() {
+        return issuerDN;
     }
 
     public Set<TrustAnchor> getTrustedCACertificateAnchors() {

src/main/java/eu/webeid/ocsp/service/FallbackOcspServiceConfiguration.java

@@ -24,6 +24,7 @@
 
 import eu.webeid.ocsp.exceptions.UserCertificateOCSPCheckFailedException;
 import eu.webeid.security.exceptions.AuthTokenException;
+import org.bouncycastle.asn1.x500.X500Name;
 
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
@@ -32,13 +33,13 @@
 import java.util.Map;
 import java.util.Objects;
 
-import static eu.webeid.ocsp.protocol.IssuerCommonName.getIssuerCommonName;
+import static eu.webeid.ocsp.protocol.IssuerDistinguishedName.getIssuerDistinguishedName;
 
 public class OcspServiceProvider {
 
     private final DesignatedOcspService designatedOcspService;
     private final AiaOcspServiceConfiguration aiaOcspServiceConfiguration;
-    private final Map<String, FallbackOcspService> fallbackOcspServiceMap = new HashMap<>();
+    private final Map<X500Name, FallbackOcspService> fallbackOcspServiceMap = new HashMap<>();
 
     public OcspServiceProvider(DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration, AiaOcspServiceConfiguration aiaOcspServiceConfiguration) {
         this(designatedOcspServiceConfiguration, aiaOcspServiceConfiguration, null);
@@ -51,7 +52,7 @@ public OcspServiceProvider(DesignatedOcspServiceConfiguration designatedOcspServ
         this.aiaOcspServiceConfiguration = Objects.requireNonNull(aiaOcspServiceConfiguration, "aiaOcspServiceConfiguration");
         if (fallbackOcspServiceConfigurations != null) {
             for (FallbackOcspServiceConfiguration configuration : fallbackOcspServiceConfigurations) {
-                fallbackOcspServiceMap.put(configuration.getIssuerCN(), new FallbackOcspService(configuration));
+                fallbackOcspServiceMap.put(configuration.getIssuerDN(), new FallbackOcspService(configuration));
             }
         }
     }
@@ -69,9 +70,9 @@ public OcspService getService(X509Certificate certificate) throws AuthTokenExcep
         if (designatedOcspService != null && designatedOcspService.supportsIssuerOf(certificate)) {
             return designatedOcspService;
         }
-        String issuerCommonName = getIssuerCommonName(certificate).orElseThrow(() ->
-            new UserCertificateOCSPCheckFailedException("Getting the issuer common name failed"));
-        FallbackOcspService fallbackOcspService = fallbackOcspServiceMap.get(issuerCommonName);
+        X500Name issuerDistinguishedName = getIssuerDistinguishedName(certificate).orElseThrow(() ->
+            new UserCertificateOCSPCheckFailedException("Getting the issuer distinguished name failed"));
+        FallbackOcspService fallbackOcspService = fallbackOcspServiceMap.get(issuerDistinguishedName);
         return new AiaOcspService(aiaOcspServiceConfiguration, certificate, fallbackOcspService);
     }
 }

src/main/java/eu/webeid/ocsp/service/OcspServiceProvider.java

@@ -25,6 +25,7 @@
 import eu.webeid.security.certificate.CertificateValidator;
 import eu.webeid.security.exceptions.JceException;
 import eu.webeid.ocsp.exceptions.OCSPCertificateException;
+import org.bouncycastle.asn1.x500.X500Name;
 
 import java.io.IOException;
 import java.net.URI;
@@ -41,7 +42,7 @@ public class OcspServiceMaker {
 
     private static final String TEST_OCSP_ACCESS_LOCATION = "http://demo.sk.ee/ocsp";
     private static final List<X509Certificate> TRUSTED_CA_CERTIFICATES;
-    private static final String ISSUER_CN = "TEST of ESTEID-SK 2015";
+    private static final X500Name ISSUER_DN = new X500Name("CN=TEST of ESTEID-SK 2015, OID.2.5.4.97=NTREE-10747013, O=AS Sertifitseerimiskeskus, C=EE");
 
     static {
         try {
@@ -69,7 +70,7 @@ public static OcspServiceProvider getDesignatedOcspServiceProvider(String ocspSe
 
     private static AiaOcspServiceConfiguration getAiaOcspServiceConfiguration() throws JceException {
         return new AiaOcspServiceConfiguration(
-            Set.of(ISSUER_CN),
+            Set.of(ISSUER_DN),
             CertificateValidator.buildTrustAnchorsFromCertificates(TRUSTED_CA_CERTIFICATES),
             CertificateValidator.buildCertStoreFromCertificates(TRUSTED_CA_CERTIFICATES));
     }