AUT-2473 Add ResilientOcspRevocationChecker

Co-authored-by: Madis Jaagup Laurson <madisjaagup.laurson@nortal.com>

Author: aarmam

pom.xml

@@ -16,6 +16,7 @@
         <bouncycastle.version>1.81</bouncycastle.version>
         <jackson.version>2.19.1</jackson.version>
         <slf4j.version>2.0.17</slf4j.version>
+        <resilience4j.version>1.7.0</resilience4j.version>
         <junit-jupiter.version>5.13.3</junit-jupiter.version>
         <assertj.version>3.27.3</assertj.version>
         <mockito.version>5.18.0</mockito.version>
@@ -65,6 +66,29 @@
             <artifactId>bcpkix-jdk18on</artifactId>
             <version>${bouncycastle.version}</version>
         </dependency>
+        <dependency>
+            <groupId>io.github.resilience4j</groupId>
+            <artifactId>resilience4j-all</artifactId>
+            <version>${resilience4j.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>io.github.resilience4j</groupId>
+                    <artifactId>resilience4j-bulkhead</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>io.github.resilience4j</groupId>
+                    <artifactId>resilience4j-cache</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>io.github.resilience4j</groupId>
+                    <artifactId>resilience4j-ratelimiter</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>io.github.resilience4j</groupId>
+                    <artifactId>resilience4j-timelimiter</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
 
         <dependency>
             <groupId>org.junit.jupiter</groupId>

src/main/java/eu/webeid/ocsp/OcspCertificateRevocationChecker.java

@@ -64,7 +64,7 @@
 import static eu.webeid.security.util.DateAndTime.requirePositiveDuration;
 import static java.util.Objects.requireNonNull;
 
-public final class OcspCertificateRevocationChecker implements CertificateRevocationChecker {
+public class OcspCertificateRevocationChecker implements CertificateRevocationChecker {
 
     public static final Duration DEFAULT_TIME_SKEW = Duration.ofMinutes(15);
     public static final Duration DEFAULT_THIS_UPDATE_AGE = Duration.ofMinutes(2);
@@ -144,7 +144,7 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
         }
     }
 
-    private void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, CertificateID requestCertificateId) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {
+    protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, CertificateID requestCertificateId) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {
         // The verification algorithm follows RFC 2560, https://www.ietf.org/rfc/rfc2560.txt.
         //
         // 3.2.  Signed Response Acceptance Requirements
@@ -202,7 +202,7 @@ private void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspSer
         LOG.debug("OCSP check result is GOOD");
     }
 
-    private static void checkNonce(OCSPReq request, BasicOCSPResp response, URI ocspResponderUri) throws UserCertificateOCSPCheckFailedException {
+    protected static void checkNonce(OCSPReq request, BasicOCSPResp response, URI ocspResponderUri) throws UserCertificateOCSPCheckFailedException {
         final Extension requestNonce = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
         final Extension responseNonce = response.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
         if (requestNonce == null || responseNonce == null) {
@@ -215,14 +215,14 @@ private static void checkNonce(OCSPReq request, BasicOCSPResp response, URI ocsp
         }
     }
 
-    private static CertificateID getCertificateId(X509Certificate subjectCertificate, X509Certificate issuerCertificate) throws CertificateEncodingException, IOException, OCSPException {
+    protected static CertificateID getCertificateId(X509Certificate subjectCertificate, X509Certificate issuerCertificate) throws CertificateEncodingException, IOException, OCSPException {
         final BigInteger serial = subjectCertificate.getSerialNumber();
         final DigestCalculator digestCalculator = DigestCalculatorImpl.sha1();
         return new CertificateID(digestCalculator,
             new X509CertificateHolder(issuerCertificate.getEncoded()), serial);
     }
 
-    private static String ocspStatusToString(int status) {
+    protected static String ocspStatusToString(int status) {
         return switch (status) {
             case OCSPResp.MALFORMED_REQUEST -> "malformed request";
             case OCSPResp.INTERNAL_ERROR -> "internal error";
@@ -233,4 +233,11 @@ private static String ocspStatusToString(int status) {
         };
     }
 
+    protected OcspClient getOcspClient() {
+        return ocspClient;
+    }
+
+    protected OcspServiceProvider getOcspServiceProvider() {
+        return ocspServiceProvider;
+    }
 }

src/main/java/eu/webeid/ocsp/service/AiaOcspService.java

@@ -22,6 +22,7 @@
 
 package eu.webeid.ocsp.service;
 
+import eu.webeid.resilientocsp.service.FallbackOcspService;
 import eu.webeid.security.certificate.CertificateValidator;
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.ocsp.exceptions.OCSPCertificateException;
@@ -52,13 +53,15 @@ public class AiaOcspService implements OcspService {
     private final CertStore trustedCACertificateCertStore;
     private final URI url;
     private final boolean supportsNonce;
+    private final FallbackOcspService fallbackOcspService;
 
-    public AiaOcspService(AiaOcspServiceConfiguration configuration, X509Certificate certificate) throws AuthTokenException {
+    public AiaOcspService(AiaOcspServiceConfiguration configuration, X509Certificate certificate, FallbackOcspService fallbackOcspService) throws AuthTokenException {
         Objects.requireNonNull(configuration);
         this.trustedCACertificateAnchors = configuration.getTrustedCACertificateAnchors();
         this.trustedCACertificateCertStore = configuration.getTrustedCACertificateCertStore();
         this.url = getOcspAiaUrlFromCertificate(Objects.requireNonNull(certificate));
         this.supportsNonce = !configuration.getNonceDisabledOcspUrls().contains(this.url);
+        this.fallbackOcspService = fallbackOcspService;
     }
 
     @Override
@@ -71,6 +74,11 @@ public URI getAccessLocation() {
         return url;
     }
 
+    @Override
+    public FallbackOcspService getFallbackService() {
+        return fallbackOcspService;
+    }
+
     @Override
     public void validateResponderCertificate(X509CertificateHolder cert, Date now) throws AuthTokenException {
         try {

src/main/java/eu/webeid/ocsp/service/OcspService.java

@@ -36,4 +36,8 @@ public interface OcspService {
 
     void validateResponderCertificate(X509CertificateHolder cert, Date now) throws AuthTokenException;
 
+    default OcspService getFallbackService() {
+        return null;
+    }
+
 }

src/main/java/eu/webeid/ocsp/service/OcspServiceProvider.java

@@ -22,22 +22,39 @@
 
 package eu.webeid.ocsp.service;
 
+import eu.webeid.ocsp.exceptions.UserCertificateOCSPCheckFailedException;
+import eu.webeid.resilientocsp.service.FallbackOcspService;
+import eu.webeid.resilientocsp.service.FallbackOcspServiceConfiguration;
 import eu.webeid.security.exceptions.AuthTokenException;
 
+import java.net.URI;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.Map;
 import java.util.Objects;
+import java.util.stream.Collectors;
+
+import static eu.webeid.ocsp.protocol.OcspUrl.getOcspUri;
 
 public class OcspServiceProvider {
 
     private final DesignatedOcspService designatedOcspService;
     private final AiaOcspServiceConfiguration aiaOcspServiceConfiguration;
+    private final Map<URI, FallbackOcspService> fallbackOcspServiceMap;
 
     public OcspServiceProvider(DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration, AiaOcspServiceConfiguration aiaOcspServiceConfiguration) {
+        this(designatedOcspServiceConfiguration, aiaOcspServiceConfiguration, null);
+    }
+
+    public OcspServiceProvider(DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration, AiaOcspServiceConfiguration aiaOcspServiceConfiguration, Collection<FallbackOcspServiceConfiguration> fallbackOcspServiceConfigurations) {
         designatedOcspService = designatedOcspServiceConfiguration != null ?
             new DesignatedOcspService(designatedOcspServiceConfiguration)
             : null;
         this.aiaOcspServiceConfiguration = Objects.requireNonNull(aiaOcspServiceConfiguration, "aiaOcspServiceConfiguration");
+        this.fallbackOcspServiceMap = fallbackOcspServiceConfigurations != null ? fallbackOcspServiceConfigurations.stream()
+            .collect(Collectors.toMap(FallbackOcspServiceConfiguration::getOcspServiceAccessLocation, FallbackOcspService::new))
+            : Map.of();
     }
 
     /**
@@ -47,13 +64,16 @@ public OcspServiceProvider(DesignatedOcspServiceConfiguration designatedOcspServ
      * @param certificate subject certificate that is to be checked with OCSP
      * @return either the designated or AIA OCSP service instance
      * @throws AuthTokenException when AIA URL is not found in certificate
-     * @throws CertificateEncodingException when certificate is invalid
+     * @throws IllegalArgumentException when certificate is invalid
      */
     public OcspService getService(X509Certificate certificate) throws AuthTokenException, CertificateEncodingException {
         if (designatedOcspService != null && designatedOcspService.supportsIssuerOf(certificate)) {
             return designatedOcspService;
         }
-        return new AiaOcspService(aiaOcspServiceConfiguration, certificate);
+        URI ocspServiceUri = getOcspUri(certificate).orElseThrow(() ->
+            new UserCertificateOCSPCheckFailedException("Getting the AIA OCSP responder field from the certificate failed"));
+        FallbackOcspService fallbackOcspService = fallbackOcspServiceMap.get(ocspServiceUri);
+        return new AiaOcspService(aiaOcspServiceConfiguration, certificate, fallbackOcspService);
     }
 
 }

src/main/java/eu/webeid/resilientocsp/ResilientOcspCertificateRevocationChecker.java

@@ -0,0 +1,189 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.resilientocsp;
+
+import eu.webeid.ocsp.OcspCertificateRevocationChecker;
+import eu.webeid.ocsp.client.OcspClient;
+import eu.webeid.ocsp.exceptions.UserCertificateOCSPCheckFailedException;
+import eu.webeid.ocsp.exceptions.UserCertificateRevokedException;
+import eu.webeid.ocsp.protocol.OcspRequestBuilder;
+import eu.webeid.ocsp.service.OcspService;
+import eu.webeid.ocsp.service.OcspServiceProvider;
+import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.validator.revocationcheck.RevocationInfo;
+import io.github.resilience4j.circuitbreaker.CallNotPermittedException;
+import io.github.resilience4j.circuitbreaker.CircuitBreaker;
+import io.github.resilience4j.circuitbreaker.CircuitBreakerConfig;
+import io.github.resilience4j.circuitbreaker.CircuitBreakerRegistry;
+import io.github.resilience4j.decorators.Decorators;
+import io.github.resilience4j.retry.Retry;
+import io.github.resilience4j.retry.RetryConfig;
+import io.github.resilience4j.retry.RetryRegistry;
+import io.vavr.CheckedFunction0;
+import io.vavr.control.Try;
+import org.bouncycastle.asn1.ocsp.OCSPResponseStatus;
+import org.bouncycastle.cert.ocsp.BasicOCSPResp;
+import org.bouncycastle.cert.ocsp.CertificateID;
+import org.bouncycastle.cert.ocsp.OCSPException;
+import org.bouncycastle.cert.ocsp.OCSPReq;
+import org.bouncycastle.cert.ocsp.OCSPResp;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URI;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.util.List;
+import java.util.Map;
+
+import static java.util.Objects.requireNonNull;
+
+public class ResilientOcspCertificateRevocationChecker extends OcspCertificateRevocationChecker {
+
+    private static final Logger LOG = LoggerFactory.getLogger(ResilientOcspCertificateRevocationChecker.class);
+
+    private final CircuitBreakerRegistry circuitBreakerRegistry;
+    private final RetryRegistry retryRegistry;
+
+    public ResilientOcspCertificateRevocationChecker(OcspClient ocspClient,
+                                                     OcspServiceProvider ocspServiceProvider,
+                                                     CircuitBreakerConfig circuitBreakerConfig,
+                                                     RetryConfig retryConfig,
+                                                     Duration allowedOcspResponseTimeSkew,
+                                                     Duration maxOcspResponseThisUpdateAge) {
+        super(ocspClient, ocspServiceProvider, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge);
+        this.circuitBreakerRegistry = CircuitBreakerRegistry.custom()
+            .withCircuitBreakerConfig(getCircuitBreakerConfig(circuitBreakerConfig))
+            .build();
+        this.retryRegistry = retryConfig != null ? RetryRegistry.custom()
+            .withRetryConfig(getRetryConfigConfig(retryConfig))
+            .build() : null;
+        if (!LOG.isDebugEnabled()) {
+            return;
+        }
+        this.circuitBreakerRegistry.getEventPublisher()
+            .onEntryAdded(entryAddedEvent -> {
+                CircuitBreaker circuitBreaker = entryAddedEvent.getAddedEntry();
+                LOG.debug("CircuitBreaker {} added", circuitBreaker.getName());
+                circuitBreaker.getEventPublisher()
+                    .onEvent(event -> LOG.debug(event.toString()));
+            });
+    }
+
+    @Override
+    public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjectCertificate,
+                                                              X509Certificate issuerCertificate) throws AuthTokenException {
+        OcspService ocspService;
+        try {
+            ocspService = getOcspServiceProvider().getService(subjectCertificate);
+        } catch (CertificateException e) {
+            throw new UserCertificateOCSPCheckFailedException(e, null);
+        }
+        final OcspService fallbackOcspService = ocspService.getFallbackService();
+        if (fallbackOcspService == null) {
+            return List.of(request(ocspService, subjectCertificate, issuerCertificate));
+        }
+
+        CircuitBreaker circuitBreaker = circuitBreakerRegistry.circuitBreaker(ocspService.getAccessLocation().toASCIIString());
+        CheckedFunction0<RevocationInfo> primarySupplier = () -> request(ocspService, subjectCertificate, issuerCertificate);
+        CheckedFunction0<RevocationInfo> fallbackSupplier = () -> request(ocspService.getFallbackService(), subjectCertificate, issuerCertificate);
+        Decorators.DecorateCheckedSupplier<RevocationInfo> decorateCheckedSupplier = Decorators.ofCheckedSupplier(primarySupplier);
+        if (retryRegistry != null) {
+            Retry retry = retryRegistry.retry(ocspService.getAccessLocation().toASCIIString());
+            decorateCheckedSupplier.withRetry(retry);
+        }
+        decorateCheckedSupplier.withCircuitBreaker(circuitBreaker)
+            .withFallback(List.of(UserCertificateOCSPCheckFailedException.class, CallNotPermittedException.class), e -> fallbackSupplier.apply());
+
+        CheckedFunction0<RevocationInfo> decoratedSupplier = decorateCheckedSupplier.decorate();
+
+        // TODO Collect the intermediate results
+        return List.of(Try.of(decoratedSupplier).getOrElseThrow(throwable -> {
+            if (throwable instanceof AuthTokenException) {
+                return (AuthTokenException) throwable;
+            }
+            return new UserCertificateOCSPCheckFailedException(throwable, null);
+        }));
+    }
+
+    private RevocationInfo request(OcspService ocspService, X509Certificate subjectCertificate, X509Certificate issuerCertificate) throws AuthTokenException {
+        URI ocspResponderUri = null;
+        try {
+            ocspResponderUri = requireNonNull(ocspService.getAccessLocation(), "ocspResponderUri");
+
+            final CertificateID certificateId = getCertificateId(subjectCertificate, issuerCertificate);
+            final OCSPReq request = new OcspRequestBuilder()
+                .withCertificateId(certificateId)
+                .enableOcspNonce(ocspService.doesSupportNonce())
+                .build();
+
+            if (!ocspService.doesSupportNonce()) {
+                LOG.debug("Disabling OCSP nonce extension");
+            }
+
+            LOG.debug("Sending OCSP request");
+            OCSPResp response = requireNonNull(getOcspClient().request(ocspResponderUri, request)); // TODO: This should trigger fallback?
+            if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
+                throw new UserCertificateOCSPCheckFailedException("Response status: " + ocspStatusToString(response.getStatus()), ocspResponderUri);
+            }
+
+            final BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject();
+            if (basicResponse == null) {
+                throw new UserCertificateOCSPCheckFailedException("Missing Basic OCSP Response", ocspResponderUri);
+            }
+            LOG.debug("OCSP response received successfully");
+
+            verifyOcspResponse(basicResponse, ocspService, certificateId);
+            if (ocspService.doesSupportNonce()) {
+                checkNonce(request, basicResponse, ocspResponderUri);
+            }
+            LOG.debug("OCSP response verified successfully");
+
+            return new RevocationInfo(ocspResponderUri, Map.ofEntries(
+                Map.entry(RevocationInfo.KEY_OCSP_REQUEST, request),
+                Map.entry(RevocationInfo.KEY_OCSP_RESPONSE, response)
+            ));
+        } catch (OCSPException | CertificateException | OperatorCreationException | IOException e) {
+            throw new UserCertificateOCSPCheckFailedException(e, ocspResponderUri);
+        }
+    }
+
+    private static CircuitBreakerConfig getCircuitBreakerConfig(CircuitBreakerConfig circuitBreakerConfig) {
+        return CircuitBreakerConfig.from(circuitBreakerConfig)
+            // Users must not be able to modify these three values.
+            .slidingWindowType(CircuitBreakerConfig.SlidingWindowType.COUNT_BASED)
+            .ignoreExceptions(UserCertificateRevokedException.class)
+            .automaticTransitionFromOpenToHalfOpenEnabled(true)
+            .build();
+    }
+
+    private static RetryConfig getRetryConfigConfig(RetryConfig retryConfig) {
+        return RetryConfig.from(retryConfig)
+            // Users must not be able to modify this value.
+            .ignoreExceptions(UserCertificateRevokedException.class)
+            .build();
+    }
+}