AUT-2547 Add support for two fallbacks

madislm · madislm · commit e02a80e8193d · 2026-02-10T10:27:56.000+02:00
diff --git a/src/main/java/eu/webeid/ocsp/service/OcspServiceProvider.java b/src/main/java/eu/webeid/ocsp/service/OcspServiceProvider.java
@@ -76,4 +76,7 @@ public OcspService getService(X509Certificate certificate) throws AuthTokenExcep
         return new AiaOcspService(aiaOcspServiceConfiguration, certificate, fallbackOcspService);
     }
 
+    public FallbackOcspService getFallbackService(URI ocspServiceUri) {
+        return fallbackOcspServiceMap.get(ocspServiceUri);
+    }
 }
diff --git a/src/main/java/eu/webeid/resilientocsp/ResilientOcspCertificateRevocationChecker.java b/src/main/java/eu/webeid/resilientocsp/ResilientOcspCertificateRevocationChecker.java
@@ -116,7 +116,34 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
         List<RevocationInfo> revocationInfoList = new ArrayList<>();
 
         CheckedFunction0<RevocationInfo> primarySupplier = () -> request(ocspService, subjectCertificate, issuerCertificate, false);
-        CheckedFunction0<RevocationInfo> fallbackSupplier = () -> request(ocspService.getFallbackService(), subjectCertificate, issuerCertificate, true);
+        OcspService firstFallbackService = ocspService.getFallbackService();
+        CheckedFunction0<RevocationInfo> firstFallbackSupplier = () -> request(firstFallbackService, subjectCertificate, issuerCertificate, true);
+        OcspService secondFallbackService = getOcspServiceProvider().getFallbackService(firstFallbackService.getAccessLocation());
+        CheckedFunction0<RevocationInfo> fallbackSupplier;
+        if (secondFallbackService == null) {
+            fallbackSupplier = firstFallbackSupplier;
+        } else {
+            CheckedFunction0<RevocationInfo> secondFallbackSupplier = () -> request(secondFallbackService, subjectCertificate, issuerCertificate, true);
+            fallbackSupplier = () -> {
+                try {
+                    return firstFallbackSupplier.apply();
+                } catch (ResilientUserCertificateRevokedException e) {
+                    // NOTE: ResilientUserCertificateRevokedException must be re-thrown before the generic
+                    // catch (Exception) block. Without this, a "revoked" verdict from the first fallback would
+                    // be swallowed, and the second fallback could silently override it with a "good" response.
+                    throw e;
+                } catch (Exception e) {
+                    if (e instanceof ResilientUserCertificateOCSPCheckFailedException exception) {
+                        revocationInfoList.addAll((exception.getValidationInfo().revocationInfoList()));
+                    } else {
+                        revocationInfoList.add(new RevocationInfo(null, Map.ofEntries(
+                            Map.entry(RevocationInfo.KEY_OCSP_ERROR, e)
+                        )));
+                    }
+                    return secondFallbackSupplier.apply();
+                }
+            };
+        }
         Decorators.DecorateCheckedSupplier<RevocationInfo> decorateCheckedSupplier = Decorators.ofCheckedSupplier(primarySupplier);
         if (retryRegistry != null) {
             Retry retry = retryRegistry.retry(ocspService.getAccessLocation().toASCIIString());

Original file line number	Diff line number	Diff line change
`@@ -76,4 +76,7 @@ public OcspService getService(X509Certificate certificate) throws AuthTokenExcep`
`76`	`76`	`return new AiaOcspService(aiaOcspServiceConfiguration, certificate, fallbackOcspService);`
`77`	`77`	`}`
`78`	`78`
	`79`	`+ public FallbackOcspService getFallbackService(URI ocspServiceUri) {`
	`80`	`+ return fallbackOcspServiceMap.get(ocspServiceUri);`
	`81`	`+ }`
`79`	`82`	`}`