AUT-2510 Disable thisUpdate in the past check for fallback OCSP service

madislm · madislm · commit afb5be8afb08 · 2026-01-30T12:53:21.000+02:00
diff --git a/src/main/java/eu/webeid/ocsp/OcspCertificateRevocationChecker.java b/src/main/java/eu/webeid/ocsp/OcspCertificateRevocationChecker.java
@@ -131,7 +131,7 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
             }
             LOG.debug("OCSP response received successfully");
 
-            verifyOcspResponse(basicResponse, ocspService, certificateId, false);
+            verifyOcspResponse(basicResponse, ocspService, certificateId, false, false);
             if (ocspService.doesSupportNonce()) {
                 checkNonce(request, basicResponse, ocspResponderUri);
             }
@@ -144,7 +144,7 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
         }
     }
 
-    protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, CertificateID requestCertificateId, boolean rejectUnknownOcspResponseStatus) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {
+    protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, CertificateID requestCertificateId, boolean rejectUnknownOcspResponseStatus, boolean allowThisUpdateInPast) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {
         // The verification algorithm follows RFC 2560, https://www.ietf.org/rfc/rfc2560.txt.
         //
         // 3.2.  Signed Response Acceptance Requirements
@@ -195,7 +195,7 @@ protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspS
         //      be available about the status of the certificate (nextUpdate) is
         //      greater than the current time.
 
-        OcspResponseValidator.validateCertificateStatusUpdateTime(certStatusResponse, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge, ocspService.getAccessLocation());
+        OcspResponseValidator.validateCertificateStatusUpdateTime(certStatusResponse, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge, ocspService.getAccessLocation(), allowThisUpdateInPast);
 
         // Now we can accept the signed response as valid and validate the certificate status.
         OcspResponseValidator.validateSubjectCertificateStatus(certStatusResponse, ocspService.getAccessLocation(), rejectUnknownOcspResponseStatus);
diff --git a/src/main/java/eu/webeid/ocsp/protocol/OcspResponseValidator.java b/src/main/java/eu/webeid/ocsp/protocol/OcspResponseValidator.java
@@ -79,7 +79,7 @@ public static void validateResponseSignature(BasicOCSPResp basicResponse, X509Ce
         }
     }
 
-    public static void validateCertificateStatusUpdateTime(SingleResp certStatusResponse, Duration allowedTimeSkew, Duration maxThisupdateAge, URI ocspResponderUri) throws UserCertificateOCSPCheckFailedException {
+    public static void validateCertificateStatusUpdateTime(SingleResp certStatusResponse, Duration allowedTimeSkew, Duration maxThisupdateAge, URI ocspResponderUri, boolean allowThisUpdateInPast) throws UserCertificateOCSPCheckFailedException {
         // From RFC 2560, https://www.ietf.org/rfc/rfc2560.txt:
         // 4.2.2.  Notes on OCSP Responses
         // 4.2.2.1.  Time
@@ -100,7 +100,7 @@ public static void validateCertificateStatusUpdateTime(SingleResp certStatusResp
                 "thisUpdate '" + thisUpdate + "' is too far in the future, " +
                 "latest allowed: '" + latestAcceptableTimeSkew + "'", ocspResponderUri);
         }
-        if (thisUpdate.isBefore(minimumValidThisUpdateTime)) {
+        if (!allowThisUpdateInPast && thisUpdate.isBefore(minimumValidThisUpdateTime)) {
             throw new UserCertificateOCSPCheckFailedException(ERROR_PREFIX +
                 "thisUpdate '" + thisUpdate + "' is too old, " +
                 "minimum time allowed: '" + minimumValidThisUpdateTime + "'", ocspResponderUri);
diff --git a/src/main/java/eu/webeid/resilientocsp/ResilientOcspCertificateRevocationChecker.java b/src/main/java/eu/webeid/resilientocsp/ResilientOcspCertificateRevocationChecker.java
@@ -108,12 +108,12 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
         }
         final OcspService fallbackOcspService = ocspService.getFallbackService();
         if (fallbackOcspService == null) {
-            return List.of(request(ocspService, subjectCertificate, issuerCertificate));
+            return List.of(request(ocspService, subjectCertificate, issuerCertificate, false));
         }
 
         CircuitBreaker circuitBreaker = circuitBreakerRegistry.circuitBreaker(ocspService.getAccessLocation().toASCIIString());
-        CheckedFunction0<RevocationInfo> primarySupplier = () -> request(ocspService, subjectCertificate, issuerCertificate);
-        CheckedFunction0<RevocationInfo> fallbackSupplier = () -> request(ocspService.getFallbackService(), subjectCertificate, issuerCertificate);
+        CheckedFunction0<RevocationInfo> primarySupplier = () -> request(ocspService, subjectCertificate, issuerCertificate, false);
+        CheckedFunction0<RevocationInfo> fallbackSupplier = () -> request(ocspService.getFallbackService(), subjectCertificate, issuerCertificate, true);
         Decorators.DecorateCheckedSupplier<RevocationInfo> decorateCheckedSupplier = Decorators.ofCheckedSupplier(primarySupplier);
         if (retryRegistry != null) {
             Retry retry = retryRegistry.retry(ocspService.getAccessLocation().toASCIIString());
@@ -133,7 +133,7 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
         }));
     }
 
-    private RevocationInfo request(OcspService ocspService, X509Certificate subjectCertificate, X509Certificate issuerCertificate) throws AuthTokenException {
+    private RevocationInfo request(OcspService ocspService, X509Certificate subjectCertificate, X509Certificate issuerCertificate, boolean allowThisUpdateInPast) throws AuthTokenException {
         URI ocspResponderUri = null;
         try {
             ocspResponderUri = requireNonNull(ocspService.getAccessLocation(), "ocspResponderUri");
@@ -160,7 +160,7 @@ private RevocationInfo request(OcspService ocspService, X509Certificate subjectC
             }
             LOG.debug("OCSP response received successfully");
 
-            verifyOcspResponse(basicResponse, ocspService, certificateId, rejectUnknownOcspResponseStatus);
+            verifyOcspResponse(basicResponse, ocspService, certificateId, rejectUnknownOcspResponseStatus, allowThisUpdateInPast);
             if (ocspService.doesSupportNonce()) {
                 checkNonce(request, basicResponse, ocspResponderUri);
             }
diff --git a/src/test/java/eu/webeid/ocsp/protocol/OcspResponseValidatorTest.java b/src/test/java/eu/webeid/ocsp/protocol/OcspResponseValidatorTest.java
@@ -53,7 +53,7 @@ void whenThisAndNextUpdateWithinSkew_thenValidationSucceeds() {
         var nextUpdateWithinAgeLimit = Date.from(now.minus(THIS_UPDATE_AGE.minusSeconds(2)));
         when(mockResponse.getThisUpdate()).thenReturn(thisUpdateWithinAgeLimit);
         when(mockResponse.getNextUpdate()).thenReturn(nextUpdateWithinAgeLimit);
-        assertThatCode(() -> validateCertificateStatusUpdateTime(mockResponse, TIME_SKEW, THIS_UPDATE_AGE, OCSP_URL))
+        assertThatCode(() -> validateCertificateStatusUpdateTime(mockResponse, TIME_SKEW, THIS_UPDATE_AGE, OCSP_URL, false))
             .doesNotThrowAnyException();
     }
 
@@ -67,7 +67,7 @@ void whenNextUpdateBeforeThisUpdate_thenThrows() {
         when(mockResponse.getNextUpdate()).thenReturn(beforeThisUpdate);
         assertThatExceptionOfType(UserCertificateOCSPCheckFailedException.class)
             .isThrownBy(() ->
-                validateCertificateStatusUpdateTime(mockResponse, TIME_SKEW, THIS_UPDATE_AGE, OCSP_URL))
+                validateCertificateStatusUpdateTime(mockResponse, TIME_SKEW, THIS_UPDATE_AGE, OCSP_URL, false))
             .withMessageStartingWith("User certificate revocation check has failed: "
                 + "Certificate status update time check failed: "
                 + "nextUpdate '" + beforeThisUpdate.toInstant() + "' is before thisUpdate '" + thisUpdateWithinAgeLimit.toInstant() + "'");
@@ -81,7 +81,7 @@ void whenThisUpdateHalfHourBeforeNow_thenThrows() {
         when(mockResponse.getThisUpdate()).thenReturn(halfHourBeforeNow);
         assertThatExceptionOfType(UserCertificateOCSPCheckFailedException.class)
             .isThrownBy(() ->
-                validateCertificateStatusUpdateTime(mockResponse, TIME_SKEW, THIS_UPDATE_AGE, OCSP_URL))
+                validateCertificateStatusUpdateTime(mockResponse, TIME_SKEW, THIS_UPDATE_AGE, OCSP_URL, false))
             .withMessageStartingWith("User certificate revocation check has failed: "
                 + "Certificate status update time check failed: "
                 + "thisUpdate '" + halfHourBeforeNow.toInstant() + "' is too old, minimum time allowed: ");
@@ -95,7 +95,7 @@ void whenThisUpdateHalfHourAfterNow_thenThrows() {
         when(mockResponse.getThisUpdate()).thenReturn(halfHourAfterNow);
         assertThatExceptionOfType(UserCertificateOCSPCheckFailedException.class)
             .isThrownBy(() ->
-                validateCertificateStatusUpdateTime(mockResponse, TIME_SKEW, THIS_UPDATE_AGE, OCSP_URL))
+                validateCertificateStatusUpdateTime(mockResponse, TIME_SKEW, THIS_UPDATE_AGE, OCSP_URL, false))
             .withMessageStartingWith("User certificate revocation check has failed: "
                 + "Certificate status update time check failed: "
                 + "thisUpdate '" + halfHourAfterNow.toInstant() + "' is too far in the future, latest allowed: ");
@@ -111,7 +111,7 @@ void whenNextUpdateHalfHourBeforeNow_thenThrows() {
         when(mockResponse.getNextUpdate()).thenReturn(halfHourBeforeNow);
         assertThatExceptionOfType(UserCertificateOCSPCheckFailedException.class)
             .isThrownBy(() ->
-                validateCertificateStatusUpdateTime(mockResponse, TIME_SKEW, THIS_UPDATE_AGE, OCSP_URL))
+                validateCertificateStatusUpdateTime(mockResponse, TIME_SKEW, THIS_UPDATE_AGE, OCSP_URL, false))
             .withMessage("User certificate revocation check has failed: "
                 + "Certificate status update time check failed: "
                 + "nextUpdate '" + halfHourBeforeNow.toInstant() + "' is in the past"

Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,7 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec`
`131`	`131`	`}`
`132`	`132`	`LOG.debug("OCSP response received successfully");`
`133`	`133`
`134`		`- verifyOcspResponse(basicResponse, ocspService, certificateId, false);`
	`134`	`+ verifyOcspResponse(basicResponse, ocspService, certificateId, false, false);`
`135`	`135`	`if (ocspService.doesSupportNonce()) {`
`136`	`136`	`checkNonce(request, basicResponse, ocspResponderUri);`
`137`	`137`	`}`
`@@ -144,7 +144,7 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec`
`144`	`144`	`}`
`145`	`145`	`}`
`146`	`146`
`147`		`- protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, CertificateID requestCertificateId, boolean rejectUnknownOcspResponseStatus) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {`
	`147`	`+ protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, CertificateID requestCertificateId, boolean rejectUnknownOcspResponseStatus, boolean allowThisUpdateInPast) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {`
`148`	`148`	`// The verification algorithm follows RFC 2560, https://www.ietf.org/rfc/rfc2560.txt.`
`149`	`149`	`//`
`150`	`150`	`// 3.2. Signed Response Acceptance Requirements`
`@@ -195,7 +195,7 @@ protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspS`
`195`	`195`	`// be available about the status of the certificate (nextUpdate) is`
`196`	`196`	`// greater than the current time.`
`197`	`197`
`198`		`- OcspResponseValidator.validateCertificateStatusUpdateTime(certStatusResponse, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge, ocspService.getAccessLocation());`
	`198`	`+ OcspResponseValidator.validateCertificateStatusUpdateTime(certStatusResponse, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge, ocspService.getAccessLocation(), allowThisUpdateInPast);`
`199`	`199`
`200`	`200`	`// Now we can accept the signed response as valid and validate the certificate status.`
`201`	`201`	`OcspResponseValidator.validateSubjectCertificateStatus(certStatusResponse, ocspService.getAccessLocation(), rejectUnknownOcspResponseStatus);`
Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ public static void validateResponseSignature(BasicOCSPResp basicResponse, X509Ce`
`79`	`79`	`}`
`80`	`80`	`}`
`81`	`81`
`82`		`- public static void validateCertificateStatusUpdateTime(SingleResp certStatusResponse, Duration allowedTimeSkew, Duration maxThisupdateAge, URI ocspResponderUri) throws UserCertificateOCSPCheckFailedException {`
	`82`	`+ public static void validateCertificateStatusUpdateTime(SingleResp certStatusResponse, Duration allowedTimeSkew, Duration maxThisupdateAge, URI ocspResponderUri, boolean allowThisUpdateInPast) throws UserCertificateOCSPCheckFailedException {`
`83`	`83`	`// From RFC 2560, https://www.ietf.org/rfc/rfc2560.txt:`
`84`	`84`	`// 4.2.2. Notes on OCSP Responses`
`85`	`85`	`// 4.2.2.1. Time`
`@@ -100,7 +100,7 @@ public static void validateCertificateStatusUpdateTime(SingleResp certStatusResp`
`100`	`100`	`"thisUpdate '" + thisUpdate + "' is too far in the future, " +`
`101`	`101`	`"latest allowed: '" + latestAcceptableTimeSkew + "'", ocspResponderUri);`
`102`	`102`	`}`
`103`		`- if (thisUpdate.isBefore(minimumValidThisUpdateTime)) {`
	`103`	`+ if (!allowThisUpdateInPast && thisUpdate.isBefore(minimumValidThisUpdateTime)) {`
`104`	`104`	`throw new UserCertificateOCSPCheckFailedException(ERROR_PREFIX +`
`105`	`105`	`"thisUpdate '" + thisUpdate + "' is too old, " +`
`106`	`106`	`"minimum time allowed: '" + minimumValidThisUpdateTime + "'", ocspResponderUri);`
Original file line number	Diff line number	Diff line change
`@@ -108,12 +108,12 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec`
`108`	`108`	`}`
`109`	`109`	`final OcspService fallbackOcspService = ocspService.getFallbackService();`
`110`	`110`	`if (fallbackOcspService == null) {`
`111`		`- return List.of(request(ocspService, subjectCertificate, issuerCertificate));`
	`111`	`+ return List.of(request(ocspService, subjectCertificate, issuerCertificate, false));`
`112`	`112`	`}`
`113`	`113`
`114`	`114`	`CircuitBreaker circuitBreaker = circuitBreakerRegistry.circuitBreaker(ocspService.getAccessLocation().toASCIIString());`
`115`		`- CheckedFunction0<RevocationInfo> primarySupplier = () -> request(ocspService, subjectCertificate, issuerCertificate);`
`116`		`- CheckedFunction0<RevocationInfo> fallbackSupplier = () -> request(ocspService.getFallbackService(), subjectCertificate, issuerCertificate);`
	`115`	`+ CheckedFunction0<RevocationInfo> primarySupplier = () -> request(ocspService, subjectCertificate, issuerCertificate, false);`
	`116`	`+ CheckedFunction0<RevocationInfo> fallbackSupplier = () -> request(ocspService.getFallbackService(), subjectCertificate, issuerCertificate, true);`
`117`	`117`	`Decorators.DecorateCheckedSupplier<RevocationInfo> decorateCheckedSupplier = Decorators.ofCheckedSupplier(primarySupplier);`
`118`	`118`	`if (retryRegistry != null) {`
`119`	`119`	`Retry retry = retryRegistry.retry(ocspService.getAccessLocation().toASCIIString());`
`@@ -133,7 +133,7 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec`
`133`	`133`	`}));`
`134`	`134`	`}`
`135`	`135`
`136`		`- private RevocationInfo request(OcspService ocspService, X509Certificate subjectCertificate, X509Certificate issuerCertificate) throws AuthTokenException {`
	`136`	`+ private RevocationInfo request(OcspService ocspService, X509Certificate subjectCertificate, X509Certificate issuerCertificate, boolean allowThisUpdateInPast) throws AuthTokenException {`
`137`	`137`	`URI ocspResponderUri = null;`
`138`	`138`	`try {`
`139`	`139`	`ocspResponderUri = requireNonNull(ocspService.getAccessLocation(), "ocspResponderUri");`
`@@ -160,7 +160,7 @@ private RevocationInfo request(OcspService ocspService, X509Certificate subjectC`
`160`	`160`	`}`
`161`	`161`	`LOG.debug("OCSP response received successfully");`
`162`	`162`
`163`		`- verifyOcspResponse(basicResponse, ocspService, certificateId, rejectUnknownOcspResponseStatus);`
	`163`	`+ verifyOcspResponse(basicResponse, ocspService, certificateId, rejectUnknownOcspResponseStatus, allowThisUpdateInPast);`
`164`	`164`	`if (ocspService.doesSupportNonce()) {`
`165`	`165`	`checkNonce(request, basicResponse, ocspResponderUri);`
`166`	`166`	`}`