Add resilient OCSP certificate revocation checker

Author: madislm

pom.xml

@@ -16,7 +16,7 @@
         <bouncycastle.version>1.81</bouncycastle.version>
         <jackson.version>2.19.1</jackson.version>
         <slf4j.version>2.0.17</slf4j.version>
-        <resilience4j.version>1.7.0</resilience4j.version>
+        <resilience4j.version>2.3.0</resilience4j.version>
         <junit-jupiter.version>5.13.3</junit-jupiter.version>
         <assertj.version>3.27.3</assertj.version>
         <mockito.version>5.18.0</mockito.version>
@@ -89,6 +89,11 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>io.github.resilience4j</groupId>
+            <artifactId>resilience4j-vavr</artifactId>
+            <version>${resilience4j.version}</version>
+        </dependency>
 
         <dependency>
             <groupId>org.junit.jupiter</groupId>

src/main/java/eu/webeid/ocsp/OcspCertificateRevocationChecker.java

@@ -23,6 +23,7 @@
 package eu.webeid.ocsp;
 
 import eu.webeid.ocsp.client.OcspClient;
+import eu.webeid.ocsp.exceptions.OCSPClientException;
 import eu.webeid.ocsp.protocol.DigestCalculatorImpl;
 import eu.webeid.ocsp.protocol.OcspRequestBuilder;
 import eu.webeid.ocsp.protocol.OcspResponseValidator;
@@ -131,20 +132,20 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
             }
             LOG.debug("OCSP response received successfully");
 
-            verifyOcspResponse(basicResponse, ocspService, certificateId, false, false);
+            verifyOcspResponse(basicResponse, ocspService, certificateId, false, maxOcspResponseThisUpdateAge);
             if (ocspService.doesSupportNonce()) {
                 checkNonce(request, basicResponse, ocspResponderUri);
             }
             LOG.debug("OCSP response verified successfully");
 
             return List.of(new RevocationInfo(ocspResponderUri, Map.of(RevocationInfo.KEY_OCSP_RESPONSE, response)));
 
-        } catch (OCSPException | CertificateException | OperatorCreationException | IOException e) {
+        } catch (OCSPException | CertificateException | OperatorCreationException | IOException | OCSPClientException e) {
             throw new UserCertificateOCSPCheckFailedException(e, ocspResponderUri);
         }
     }
 
-    protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, CertificateID requestCertificateId, boolean rejectUnknownOcspResponseStatus, boolean allowThisUpdateInPast) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {
+    protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, CertificateID requestCertificateId, boolean rejectUnknownOcspResponseStatus, Duration maxOcspResponseThisUpdateAge) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {
         // The verification algorithm follows RFC 2560, https://www.ietf.org/rfc/rfc2560.txt.
         //
         // 3.2.  Signed Response Acceptance Requirements
@@ -195,7 +196,7 @@ protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspS
         //      be available about the status of the certificate (nextUpdate) is
         //      greater than the current time.
 
-        OcspResponseValidator.validateCertificateStatusUpdateTime(certStatusResponse, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge, ocspService.getAccessLocation(), allowThisUpdateInPast);
+        OcspResponseValidator.validateCertificateStatusUpdateTime(certStatusResponse, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge, ocspService.getAccessLocation());
 
         // Now we can accept the signed response as valid and validate the certificate status.
         OcspResponseValidator.validateSubjectCertificateStatus(certStatusResponse, ocspService.getAccessLocation(), rejectUnknownOcspResponseStatus);
@@ -240,4 +241,8 @@ protected OcspClient getOcspClient() {
     protected OcspServiceProvider getOcspServiceProvider() {
         return ocspServiceProvider;
     }
+
+    protected Duration getMaxOcspResponseThisUpdateAge() {
+        return maxOcspResponseThisUpdateAge;
+    }
 }

src/main/java/eu/webeid/ocsp/exceptions/OCSPClientException.java

@@ -22,29 +22,34 @@
 
 package eu.webeid.ocsp.exceptions;
 
-public class OCSPClientException extends RuntimeException {
+public class OCSPClientException extends Exception {
 
-    private byte[] responseBody;
+    private final byte[] responseBody;
 
-    private Integer statusCode;
+    private final Integer statusCode;
 
     public OCSPClientException() {
+        this(null, null);
     }
 
     public OCSPClientException(String message) {
-        super(message);
+        this(message, null, null);
     }
 
     public OCSPClientException(Throwable cause) {
-        super(cause);
+        this(null, cause, null, null);
     }
 
     public OCSPClientException(String message, Throwable cause) {
-        super(message, cause);
+        this(message, cause, null, null);
+    }
+
+    public OCSPClientException(String message, byte[] responseBody, Integer statusCode) {
+        this(message, null, responseBody, statusCode);
     }
 
-    public OCSPClientException(String message, byte[] responseBody, int statusCode) {
-        super(message);
+    public OCSPClientException(String message, Throwable cause, byte[] responseBody, Integer statusCode) {
+        super(message, cause);
         this.responseBody = responseBody;
         this.statusCode = statusCode;
     }

src/main/java/eu/webeid/ocsp/protocol/IssuerDistinguishedName.java

@@ -0,0 +1,18 @@
+package eu.webeid.ocsp.protocol;
+
+import org.bouncycastle.asn1.x500.X500Name;
+
+import java.security.cert.X509Certificate;
+import java.util.Objects;
+
+public class IssuerDistinguishedName {
+
+    public static X500Name getIssuerDistinguishedName(X509Certificate certificate) {
+        Objects.requireNonNull(certificate, "certificate");
+        return X500Name.getInstance(certificate.getIssuerX500Principal().getEncoded());
+    }
+
+    private IssuerDistinguishedName() {
+        throw new IllegalStateException("Utility class");
+    }
+}

src/main/java/eu/webeid/ocsp/protocol/OcspResponseValidator.java

@@ -79,7 +79,7 @@ public static void validateResponseSignature(BasicOCSPResp basicResponse, X509Ce
         }
     }
 
-    public static void validateCertificateStatusUpdateTime(SingleResp certStatusResponse, Duration allowedTimeSkew, Duration maxThisupdateAge, URI ocspResponderUri, boolean allowThisUpdateInPast) throws UserCertificateOCSPCheckFailedException {
+    public static void validateCertificateStatusUpdateTime(SingleResp certStatusResponse, Duration allowedTimeSkew, Duration maxThisupdateAge, URI ocspResponderUri) throws UserCertificateOCSPCheckFailedException {
         // From RFC 2560, https://www.ietf.org/rfc/rfc2560.txt:
         // 4.2.2.  Notes on OCSP Responses
         // 4.2.2.1.  Time
@@ -100,7 +100,7 @@ public static void validateCertificateStatusUpdateTime(SingleResp certStatusResp
                 "thisUpdate '" + thisUpdate + "' is too far in the future, " +
                 "latest allowed: '" + latestAcceptableTimeSkew + "'", ocspResponderUri);
         }
-        if (!allowThisUpdateInPast && thisUpdate.isBefore(minimumValidThisUpdateTime)) {
+        if (thisUpdate.isBefore(minimumValidThisUpdateTime)) {
             throw new UserCertificateOCSPCheckFailedException(ERROR_PREFIX +
                 "thisUpdate '" + thisUpdate + "' is too old, " +
                 "minimum time allowed: '" + minimumValidThisUpdateTime + "'", ocspResponderUri);

src/main/java/eu/webeid/ocsp/service/AiaOcspService.java

@@ -22,13 +22,13 @@
 
 package eu.webeid.ocsp.service;
 
-import eu.webeid.resilientocsp.service.FallbackOcspService;
 import eu.webeid.security.certificate.CertificateValidator;
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.ocsp.exceptions.OCSPCertificateException;
 import eu.webeid.ocsp.exceptions.UserCertificateOCSPCheckFailedException;
 import eu.webeid.ocsp.protocol.OcspResponseValidator;
 import eu.webeid.security.validator.revocationcheck.RevocationMode;
+import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 
@@ -39,8 +39,10 @@
 import java.security.cert.X509Certificate;
 import java.util.Date;
 import java.util.Objects;
+import java.util.Optional;
 import java.util.Set;
 
+import static eu.webeid.ocsp.protocol.IssuerDistinguishedName.getIssuerDistinguishedName;
 import static eu.webeid.ocsp.protocol.OcspUrl.getOcspUri;
 
 /**
@@ -60,8 +62,9 @@ public AiaOcspService(AiaOcspServiceConfiguration configuration, X509Certificate
         this.trustedCACertificateAnchors = configuration.getTrustedCACertificateAnchors();
         this.trustedCACertificateCertStore = configuration.getTrustedCACertificateCertStore();
         this.url = getOcspAiaUrlFromCertificate(Objects.requireNonNull(certificate));
-        this.supportsNonce = !configuration.getNonceDisabledOcspUrls().contains(this.url);
         this.fallbackOcspService = fallbackOcspService;
+        X500Name issuerDN = getIssuerDistinguishedName(certificate);
+        this.supportsNonce = !configuration.getNonceDisabledIssuerDNs().contains(issuerDN);
     }
 
     @Override
@@ -75,8 +78,8 @@ public URI getAccessLocation() {
     }
 
     @Override
-    public FallbackOcspService getFallbackService() {
-        return fallbackOcspService;
+    public Optional<FallbackOcspService> getFallbackService() {
+        return Optional.ofNullable(fallbackOcspService);
     }
 
     @Override

src/main/java/eu/webeid/ocsp/service/AiaOcspServiceConfiguration.java

@@ -22,7 +22,8 @@
 
 package eu.webeid.ocsp.service;
 
-import java.net.URI;
+import org.bouncycastle.asn1.x500.X500Name;
+
 import java.security.cert.CertStore;
 import java.security.cert.TrustAnchor;
 import java.util.Collection;
@@ -31,18 +32,18 @@
 
 public class AiaOcspServiceConfiguration {
 
-    private final Collection<URI> nonceDisabledOcspUrls;
+    private final Collection<X500Name> nonceDisabledIssuerDNs;
     private final Set<TrustAnchor> trustedCACertificateAnchors;
     private final CertStore trustedCACertificateCertStore;
 
-    public AiaOcspServiceConfiguration(Collection<URI> nonceDisabledOcspUrls, Set<TrustAnchor> trustedCACertificateAnchors, CertStore trustedCACertificateCertStore) {
-        this.nonceDisabledOcspUrls = Objects.requireNonNull(nonceDisabledOcspUrls);
+    public AiaOcspServiceConfiguration(Collection<X500Name> nonceDisabledIssuerDNs, Set<TrustAnchor> trustedCACertificateAnchors, CertStore trustedCACertificateCertStore) {
+        this.nonceDisabledIssuerDNs = Objects.requireNonNull(nonceDisabledIssuerDNs);
         this.trustedCACertificateAnchors = Objects.requireNonNull(trustedCACertificateAnchors);
         this.trustedCACertificateCertStore = Objects.requireNonNull(trustedCACertificateCertStore);
     }
 
-    public Collection<URI> getNonceDisabledOcspUrls() {
-        return nonceDisabledOcspUrls;
+    public Collection<X500Name> getNonceDisabledIssuerDNs() {
+        return nonceDisabledIssuerDNs;
     }
 
     public Set<TrustAnchor> getTrustedCACertificateAnchors() {

…entocsp/service/FallbackOcspService.java …id/ocsp/service/FallbackOcspService.javasrc/main/java/eu/webeid/resilientocsp/service/FallbackOcspService.java renamed to src/main/java/eu/webeid/ocsp/service/FallbackOcspService.java src/main/java/eu/webeid/resilientocsp/service/FallbackOcspService.java renamed to src/main/java/eu/webeid/ocsp/service/FallbackOcspService.java

@@ -20,18 +20,23 @@
  * SOFTWARE.
  */
 
-package eu.webeid.resilientocsp.service;
+package eu.webeid.ocsp.service;
 
 import eu.webeid.ocsp.exceptions.OCSPCertificateException;
-import eu.webeid.ocsp.service.OcspService;
+import eu.webeid.ocsp.protocol.OcspResponseValidator;
+import eu.webeid.security.certificate.CertificateValidator;
 import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.validator.revocationcheck.RevocationMode;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 
 import java.net.URI;
+import java.security.cert.CertStore;
 import java.security.cert.CertificateException;
+import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.util.Date;
+import java.util.Set;
 
 
 import static eu.webeid.security.certificate.CertificateValidator.requireCertificateIsValidOnDate;
@@ -42,11 +47,19 @@ public class FallbackOcspService implements OcspService {
     private final URI url;
     private final boolean supportsNonce;
     private final X509Certificate trustedResponderCertificate;
+    private final FallbackOcspService nextFallback;
+    private final Set<TrustAnchor> trustedCACertificateAnchors;
+    private final CertStore trustedCACertificateCertStore;
 
     public FallbackOcspService(FallbackOcspServiceConfiguration configuration) {
-        this.url = configuration.getFallbackOcspServiceAccessLocation();
+        this.url = configuration.getAccessLocation();
         this.supportsNonce = configuration.doesSupportNonce();
         this.trustedResponderCertificate = configuration.getResponderCertificate();
+        this.nextFallback = configuration.getNextFallbackConfiguration() != null
+            ? new FallbackOcspService(configuration.getNextFallbackConfiguration())
+            : null;
+        this.trustedCACertificateAnchors = configuration.getTrustedCACertificateAnchors();
+        this.trustedCACertificateCertStore = configuration.getTrustedCACertificateCertStore();
     }
 
     @Override
@@ -63,15 +76,40 @@ public URI getAccessLocation() {
     public void validateResponderCertificate(X509CertificateHolder cert, Date now) throws AuthTokenException {
         try {
             final X509Certificate responderCertificate = certificateConverter.getCertificate(cert);
-            // Certificate pinning is implemented simply by comparing the certificates or their public keys,
-            // see https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning.
-            if (!trustedResponderCertificate.equals(responderCertificate)) {
-                throw new OCSPCertificateException("Responder certificate from the OCSP response is not equal to " +
-                    "the configured fallback OCSP responder certificate");
-            }
             requireCertificateIsValidOnDate(responderCertificate, now, "Fallback OCSP responder");
+            if (trustedResponderCertificate != null) {
+                validatePinnedResponderCertificate(responderCertificate);
+            } else {
+                validateResponderCertificateAgainstTrustedCa(responderCertificate, now);
+            }
         } catch (CertificateException e) {
             throw new OCSPCertificateException("X509CertificateHolder conversion to X509Certificate failed", e);
         }
     }
+
+    private void validatePinnedResponderCertificate(X509Certificate responderCertificate) throws OCSPCertificateException {
+        // Certificate pinning is implemented simply by comparing the certificates or their public keys,
+        // see https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning.
+        if (!trustedResponderCertificate.equals(responderCertificate)) {
+            throw new OCSPCertificateException("Responder certificate from the OCSP response is not equal to " +
+                "the configured fallback OCSP responder certificate");
+        }
+    }
+
+    private void validateResponderCertificateAgainstTrustedCa(X509Certificate responderCertificate, Date now) throws AuthTokenException {
+        OcspResponseValidator.validateHasSigningExtension(responderCertificate);
+        CertificateValidator.validateCertificateTrustAndRevocation(
+            responderCertificate,
+            trustedCACertificateAnchors,
+            trustedCACertificateCertStore,
+            now,
+            RevocationMode.DISABLED,
+            null,
+            null
+        );
+    }
+
+    public FallbackOcspService getNextFallback() {
+        return nextFallback;
+    }
 }