AUT-2552 Collect failed requests, add resilient OCSP specific exceptions

Author: madislm

src/main/java/eu/webeid/ocsp/client/OcspClient.java

@@ -22,14 +22,14 @@
 
 package eu.webeid.ocsp.client;
 
+import eu.webeid.ocsp.exceptions.OCSPClientException;
 import org.bouncycastle.cert.ocsp.OCSPReq;
 import org.bouncycastle.cert.ocsp.OCSPResp;
 
-import java.io.IOException;
 import java.net.URI;
 
 public interface OcspClient {
 
-    OCSPResp request(URI url, OCSPReq request) throws IOException;
+    OCSPResp request(URI url, OCSPReq request) throws OCSPClientException;
 
 }

src/main/java/eu/webeid/ocsp/client/OcspClientImpl.java

@@ -22,6 +22,7 @@
 
 package eu.webeid.ocsp.client;
 
+import eu.webeid.ocsp.exceptions.OCSPClientException;
 import org.bouncycastle.cert.ocsp.OCSPReq;
 import org.bouncycastle.cert.ocsp.OCSPResp;
 import org.slf4j.Logger;
@@ -62,15 +63,21 @@ public static OcspClient build(Duration ocspRequestTimeout) {
      * @param uri     OCSP server URL
      * @param ocspReq OCSP request
      * @return OCSP response from the server
-     * @throws IOException if the request could not be executed due to cancellation, a connectivity problem or timeout,
+     * @throws OCSPClientException if the request could not be executed due to cancellation, a connectivity problem or timeout,
      *                     or if the response status is not successful, or if response has wrong content type.
      */
     @Override
-    public OCSPResp request(URI uri, OCSPReq ocspReq) throws IOException {
+    public OCSPResp request(URI uri, OCSPReq ocspReq) throws OCSPClientException {
+        byte[] encodedOcspReq;
+        try {
+            encodedOcspReq = ocspReq.getEncoded();
+        } catch (IOException e) {
+            throw new OCSPClientException(e);
+        }
         final HttpRequest request = HttpRequest.newBuilder()
             .uri(uri)
             .header(CONTENT_TYPE, OCSP_REQUEST_TYPE)
-            .POST(HttpRequest.BodyPublishers.ofByteArray(ocspReq.getEncoded()))
+            .POST(HttpRequest.BodyPublishers.ofByteArray(encodedOcspReq))
             .timeout(ocspRequestTimeout)
             .build();
 
@@ -79,19 +86,28 @@ public OCSPResp request(URI uri, OCSPReq ocspReq) throws IOException {
             response = httpClient.send(request, HttpResponse.BodyHandlers.ofByteArray());
         } catch (InterruptedException e) {
             Thread.currentThread().interrupt();
-            throw new IOException("Interrupted while sending OCSP request", e);
+            throw new OCSPClientException("Interrupted while sending OCSP request", e);
+        } catch (IOException e) {
+            throw new OCSPClientException(e);
         }
 
         if (response.statusCode() != 200) {
-            throw new IOException("OCSP request was not successful, response: " + response);
+            throw new OCSPClientException("OCSP request was not successful", response.body(), response.statusCode());
         } else {
             LOG.debug("OCSP response: {}", response);
         }
         final String contentType = response.headers().firstValue(CONTENT_TYPE).orElse("");
         if (!contentType.startsWith(OCSP_RESPONSE_TYPE)) {
-            throw new IOException("OCSP response content type is not " + OCSP_RESPONSE_TYPE);
+            throw new OCSPClientException("OCSP response content type is not " + OCSP_RESPONSE_TYPE);
+        }
+
+        OCSPResp ocspResp;
+        try {
+            ocspResp = new OCSPResp(response.body());
+        } catch (IOException e) {
+            throw new OCSPClientException(e);
         }
-        return new OCSPResp(response.body());
+        return ocspResp;
     }
 
     public OcspClientImpl(HttpClient httpClient, Duration ocspRequestTimeout) {

src/main/java/eu/webeid/ocsp/exceptions/OCSPClientException.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.ocsp.exceptions;
+
+public class OCSPClientException extends RuntimeException {
+
+    private byte[] responseBody;
+
+    private Integer statusCode;
+
+    public OCSPClientException() {
+    }
+
+    public OCSPClientException(String message) {
+        super(message);
+    }
+
+    public OCSPClientException(Throwable cause) {
+        super(cause);
+    }
+
+    public OCSPClientException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public OCSPClientException(String message, byte[] responseBody, int statusCode) {
+        super(message);
+        this.responseBody = responseBody;
+        this.statusCode = statusCode;
+    }
+
+    public byte[] getResponseBody() {
+        return responseBody;
+    }
+
+    public Integer getStatusCode() {
+        return statusCode;
+    }
+}

src/main/java/eu/webeid/ocsp/exceptions/UserCertificateOCSPCheckFailedException.java

@@ -33,6 +33,10 @@
  */
 public class UserCertificateOCSPCheckFailedException extends AuthTokenException {
 
+    public UserCertificateOCSPCheckFailedException() {
+        super("User certificate revocation check has failed");
+    }
+
     public UserCertificateOCSPCheckFailedException(Throwable cause, URI ocspResponderUri) {
         super(withResponderUri("User certificate revocation check has failed", ocspResponderUri), cause);
     }

src/main/java/eu/webeid/ocsp/exceptions/UserCertificateRevokedException.java

@@ -33,6 +33,10 @@
  */
 public class UserCertificateRevokedException extends AuthTokenException {
 
+    public UserCertificateRevokedException() {
+        super("User certificate has been revoked");
+    }
+
     public UserCertificateRevokedException(URI ocspResponderUri) {
         super(withResponderUri("User certificate has been revoked", ocspResponderUri));
     }

src/main/java/eu/webeid/resilientocsp/ResilientOcspCertificateRevocationChecker.java

@@ -24,13 +24,15 @@
 
 import eu.webeid.ocsp.OcspCertificateRevocationChecker;
 import eu.webeid.ocsp.client.OcspClient;
-import eu.webeid.ocsp.exceptions.UserCertificateOCSPCheckFailedException;
+import eu.webeid.ocsp.exceptions.OCSPClientException;
 import eu.webeid.ocsp.exceptions.UserCertificateRevokedException;
-import eu.webeid.ocsp.exceptions.UserCertificateUnknownException;
 import eu.webeid.ocsp.protocol.OcspRequestBuilder;
 import eu.webeid.ocsp.service.OcspService;
 import eu.webeid.ocsp.service.OcspServiceProvider;
+import eu.webeid.resilientocsp.exceptions.ResilientUserCertificateOCSPCheckFailedException;
+import eu.webeid.resilientocsp.exceptions.ResilientUserCertificateRevokedException;
 import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.validator.ValidationInfo;
 import eu.webeid.security.validator.revocationcheck.RevocationInfo;
 import io.github.resilience4j.circuitbreaker.CallNotPermittedException;
 import io.github.resilience4j.circuitbreaker.CircuitBreaker;
@@ -45,18 +47,17 @@
 import org.bouncycastle.asn1.ocsp.OCSPResponseStatus;
 import org.bouncycastle.cert.ocsp.BasicOCSPResp;
 import org.bouncycastle.cert.ocsp.CertificateID;
-import org.bouncycastle.cert.ocsp.OCSPException;
 import org.bouncycastle.cert.ocsp.OCSPReq;
 import org.bouncycastle.cert.ocsp.OCSPResp;
-import org.bouncycastle.operator.OperatorCreationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.IOException;
 import java.net.URI;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
+import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -104,14 +105,27 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
         try {
             ocspService = getOcspServiceProvider().getService(subjectCertificate);
         } catch (CertificateException e) {
-            throw new UserCertificateOCSPCheckFailedException(e, null);
+            throw new ResilientUserCertificateOCSPCheckFailedException(new ValidationInfo(subjectCertificate, List.of()));
         }
         final OcspService fallbackOcspService = ocspService.getFallbackService();
         if (fallbackOcspService == null) {
             return List.of(request(ocspService, subjectCertificate, issuerCertificate, false));
         }
 
         CircuitBreaker circuitBreaker = circuitBreakerRegistry.circuitBreaker(ocspService.getAccessLocation().toASCIIString());
+
+        List<RevocationInfo> revocationInfoList = new ArrayList<>();
+        circuitBreaker.getEventPublisher().onError(event -> {
+            Throwable throwable = event.getThrowable();
+            if (throwable instanceof ResilientUserCertificateOCSPCheckFailedException e) {
+                revocationInfoList.addAll(e.getValidationInfo().revocationInfoList());
+                return;
+            }
+            revocationInfoList.add(new RevocationInfo(null, Map.ofEntries(
+                Map.entry(RevocationInfo.KEY_OCSP_ERROR, throwable)
+            )));
+        });
+
         CheckedFunction0<RevocationInfo> primarySupplier = () -> request(ocspService, subjectCertificate, issuerCertificate, false);
         CheckedFunction0<RevocationInfo> fallbackSupplier = () -> request(ocspService.getFallbackService(), subjectCertificate, issuerCertificate, true);
         Decorators.DecorateCheckedSupplier<RevocationInfo> decorateCheckedSupplier = Decorators.ofCheckedSupplier(primarySupplier);
@@ -120,26 +134,40 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
             decorateCheckedSupplier.withRetry(retry);
         }
         decorateCheckedSupplier.withCircuitBreaker(circuitBreaker)
-            .withFallback(List.of(UserCertificateOCSPCheckFailedException.class, CallNotPermittedException.class, UserCertificateUnknownException.class), e -> fallbackSupplier.apply());
+            .withFallback(List.of(ResilientUserCertificateOCSPCheckFailedException.class, CallNotPermittedException.class), e -> fallbackSupplier.apply());
 
         CheckedFunction0<RevocationInfo> decoratedSupplier = decorateCheckedSupplier.decorate();
 
-        // TODO Collect the intermediate results
-        return List.of(Try.of(decoratedSupplier).getOrElseThrow(throwable -> {
-            if (throwable instanceof AuthTokenException) {
-                return (AuthTokenException) throwable;
+        Try<RevocationInfo> result = Try.of(decoratedSupplier);
+
+        RevocationInfo revocationInfo = result.getOrElseThrow(throwable -> {
+            if (throwable instanceof ResilientUserCertificateOCSPCheckFailedException exception) {
+                revocationInfoList.addAll(exception.getValidationInfo().revocationInfoList());
+                exception.setValidationInfo(new ValidationInfo(subjectCertificate, revocationInfoList));
+                return exception;
+            }
+            if (throwable instanceof ResilientUserCertificateRevokedException exception) {
+                revocationInfoList.addAll(exception.getValidationInfo().revocationInfoList());
+                exception.setValidationInfo(new ValidationInfo(subjectCertificate, revocationInfoList));
+                return exception;
             }
-            return new UserCertificateOCSPCheckFailedException(throwable, null);
-        }));
+            // TODO This should always be TaraUserCertificateOCSPCheckFailedException when reached?
+            return new ResilientUserCertificateOCSPCheckFailedException(new ValidationInfo(subjectCertificate, revocationInfoList));
+        });
+
+        revocationInfoList.add(revocationInfo);
+        return revocationInfoList;
     }
 
-    private RevocationInfo request(OcspService ocspService, X509Certificate subjectCertificate, X509Certificate issuerCertificate, boolean allowThisUpdateInPast) throws AuthTokenException {
+    private RevocationInfo request(OcspService ocspService, X509Certificate subjectCertificate, X509Certificate issuerCertificate, boolean allowThisUpdateInPast) throws ResilientUserCertificateOCSPCheckFailedException, ResilientUserCertificateRevokedException {
         URI ocspResponderUri = null;
+        OCSPResp response = null;
+        OCSPReq request = null;
         try {
             ocspResponderUri = requireNonNull(ocspService.getAccessLocation(), "ocspResponderUri");
 
             final CertificateID certificateId = getCertificateId(subjectCertificate, issuerCertificate);
-            final OCSPReq request = new OcspRequestBuilder()
+            request = new OcspRequestBuilder()
                 .withCertificateId(certificateId)
                 .enableOcspNonce(ocspService.doesSupportNonce())
                 .build();
@@ -149,14 +177,28 @@ private RevocationInfo request(OcspService ocspService, X509Certificate subjectC
             }
 
             LOG.debug("Sending OCSP request");
-            OCSPResp response = requireNonNull(getOcspClient().request(ocspResponderUri, request)); // TODO: This should trigger fallback?
+            response = requireNonNull(getOcspClient().request(ocspResponderUri, request)); // TODO: This should trigger fallback?
             if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
-                throw new UserCertificateOCSPCheckFailedException("Response status: " + ocspStatusToString(response.getStatus()), ocspResponderUri);
+                ResilientUserCertificateOCSPCheckFailedException exception = new ResilientUserCertificateOCSPCheckFailedException("Response status: " + ocspStatusToString(response.getStatus()));
+                RevocationInfo revocationInfo = new RevocationInfo(ocspService.getAccessLocation(), Map.ofEntries(
+                    Map.entry(RevocationInfo.KEY_OCSP_ERROR, exception),
+                    Map.entry(RevocationInfo.KEY_OCSP_REQUEST, request),
+                    Map.entry(RevocationInfo.KEY_OCSP_RESPONSE, response)
+                ));
+                exception.setValidationInfo(new ValidationInfo(subjectCertificate, List.of(revocationInfo)));
+                throw exception;
             }
 
             final BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject();
             if (basicResponse == null) {
-                throw new UserCertificateOCSPCheckFailedException("Missing Basic OCSP Response", ocspResponderUri);
+                ResilientUserCertificateOCSPCheckFailedException exception = new ResilientUserCertificateOCSPCheckFailedException("Missing Basic OCSP Response");
+                RevocationInfo revocationInfo = new RevocationInfo(ocspService.getAccessLocation(), Map.ofEntries(
+                    Map.entry(RevocationInfo.KEY_OCSP_ERROR, exception),
+                    Map.entry(RevocationInfo.KEY_OCSP_REQUEST, request),
+                    Map.entry(RevocationInfo.KEY_OCSP_RESPONSE, response)
+                ));
+                exception.setValidationInfo(new ValidationInfo(subjectCertificate, List.of(revocationInfo)));
+                throw exception;
             }
             LOG.debug("OCSP response received successfully");
 
@@ -170,24 +212,44 @@ private RevocationInfo request(OcspService ocspService, X509Certificate subjectC
                 Map.entry(RevocationInfo.KEY_OCSP_REQUEST, request),
                 Map.entry(RevocationInfo.KEY_OCSP_RESPONSE, response)
             ));
-        } catch (OCSPException | CertificateException | OperatorCreationException | IOException e) {
-            throw new UserCertificateOCSPCheckFailedException(e, ocspResponderUri);
+        } catch (UserCertificateRevokedException e) {
+            RevocationInfo revocationInfo = getRevocationInfo(ocspResponderUri, e, request, response);
+            throw new ResilientUserCertificateRevokedException(new ValidationInfo(subjectCertificate, List.of(revocationInfo)));
+        } catch (OCSPClientException e) {
+            RevocationInfo revocationInfo = getRevocationInfo(ocspResponderUri, e, request, response);
+            revocationInfo.ocspResponseAttributes().put(RevocationInfo.KEY_OCSP_RESPONSE, e.getResponseBody());
+            revocationInfo.ocspResponseAttributes().put(RevocationInfo.KEY_HTTP_STATUS_CODE, e.getStatusCode());
+            throw new ResilientUserCertificateOCSPCheckFailedException(new ValidationInfo(subjectCertificate, List.of(revocationInfo)));
+        } catch (Exception e) {
+            RevocationInfo revocationInfo = getRevocationInfo(ocspResponderUri, e, request, response);
+            throw new ResilientUserCertificateOCSPCheckFailedException(new ValidationInfo(subjectCertificate, List.of(revocationInfo)));
+        }
+    }
+
+    private RevocationInfo getRevocationInfo(URI ocspResponderUri, Exception e, OCSPReq request, OCSPResp response) {
+        RevocationInfo revocationInfo = new RevocationInfo(ocspResponderUri, new HashMap<>(Map.of(RevocationInfo.KEY_OCSP_ERROR, e)));
+        if (request != null) {
+            revocationInfo.ocspResponseAttributes().put(RevocationInfo.KEY_OCSP_REQUEST, request);
+        }
+        if (response != null) {
+            revocationInfo.ocspResponseAttributes().put(RevocationInfo.KEY_OCSP_RESPONSE, response);
         }
+        return revocationInfo;
     }
 
     private static CircuitBreakerConfig getCircuitBreakerConfig(CircuitBreakerConfig circuitBreakerConfig) {
         return CircuitBreakerConfig.from(circuitBreakerConfig)
             // Users must not be able to modify these three values.
             .slidingWindowType(CircuitBreakerConfig.SlidingWindowType.COUNT_BASED)
-            .ignoreExceptions(UserCertificateRevokedException.class)
+            .ignoreExceptions(ResilientUserCertificateRevokedException.class)
             .automaticTransitionFromOpenToHalfOpenEnabled(true)
             .build();
     }
 
     private static RetryConfig getRetryConfigConfig(RetryConfig retryConfig) {
         return RetryConfig.from(retryConfig)
             // Users must not be able to modify this value.
-            .ignoreExceptions(UserCertificateRevokedException.class)
+            .ignoreExceptions(ResilientUserCertificateRevokedException.class)
             .build();
     }
 }