Refactor OCSP digest calculator and request builder

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidator.java

@@ -24,7 +24,11 @@
 
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.exceptions.UserCertificateOCSPCheckFailedException;
-import eu.webeid.security.validator.ocsp.*;
+import eu.webeid.security.validator.ocsp.DigestCalculatorImpl;
+import eu.webeid.security.validator.ocsp.OcspClient;
+import eu.webeid.security.validator.ocsp.OcspRequestBuilder;
+import eu.webeid.security.validator.ocsp.OcspResponseValidator;
+import eu.webeid.security.validator.ocsp.OcspServiceProvider;
 import eu.webeid.security.validator.ocsp.service.OcspService;
 import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
 import org.bouncycastle.asn1.ocsp.OCSPResponseStatus;
@@ -41,10 +45,6 @@
 import org.bouncycastle.operator.OperatorCreationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import eu.webeid.security.validator.ocsp.Digester;
-import eu.webeid.security.validator.ocsp.OcspClient;
-import eu.webeid.security.validator.ocsp.OcspRequestBuilder;
-import eu.webeid.security.validator.ocsp.OcspServiceProvider;
 
 import java.io.IOException;
 import java.math.BigInteger;
@@ -58,7 +58,7 @@
 public final class SubjectCertificateNotRevokedValidator {
 
     private static final Logger LOG = LoggerFactory.getLogger(SubjectCertificateNotRevokedValidator.class);
-    private static final DigestCalculator DIGEST_CALCULATOR = Digester.sha1();
+    private static final DigestCalculator DIGEST_CALCULATOR = DigestCalculatorImpl.sha1();
 
     private final SubjectCertificateTrustedValidator trustValidator;
     private final OcspClient ocspClient;
@@ -86,10 +86,6 @@ public void validateCertificateNotRevoked(X509Certificate subjectCertificate) th
         try {
             OcspService ocspService = ocspServiceProvider.getService(subjectCertificate);
 
-            if (!ocspService.doesSupportNonce()) {
-                LOG.debug("Disabling OCSP nonce extension");
-            }
-
             final CertificateID certificateId = getCertificateId(subjectCertificate,
                 Objects.requireNonNull(trustValidator.getSubjectCertificateIssuerCertificate()));
 
@@ -98,6 +94,10 @@ public void validateCertificateNotRevoked(X509Certificate subjectCertificate) th
                 .enableOcspNonce(ocspService.doesSupportNonce())
                 .build();
 
+            if (!ocspService.doesSupportNonce()) {
+                LOG.debug("Disabling OCSP nonce extension");
+            }
+
             LOG.debug("Sending OCSP request");
             final OCSPResp response = Objects.requireNonNull(ocspClient.request(ocspService.getAccessLocation(), request));
             if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {

…id/security/validator/ocsp/Digester.java …validator/ocsp/DigestCalculatorImpl.javasrc/main/java/eu/webeid/security/validator/ocsp/Digester.java renamed to src/main/java/eu/webeid/security/validator/ocsp/DigestCalculatorImpl.java src/main/java/eu/webeid/security/validator/ocsp/Digester.java renamed to src/main/java/eu/webeid/security/validator/ocsp/DigestCalculatorImpl.java

@@ -20,26 +20,9 @@
  * SOFTWARE.
  */
 
-/*
- * Copyright 2017 The Netty Project
- * Copyright 2020 The Web eID project
- *
- * The Netty Project and The Web eID Project license this file to you under the
- * Apache License, version 2.0 (the "License"); you may not use this file except
- * in compliance with the License. You may obtain a copy of the License at:
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-
 package eu.webeid.security.validator.ocsp;
 
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
 import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.crypto.Digest;
@@ -52,33 +35,26 @@
 
 /**
  * BouncyCastle's OCSPReqBuilder needs a DigestCalculator but BC doesn't
- * provide any public implementations of that interface. That's why we need to
- * write our own. There's a default SHA-1 implementation and one for SHA-256.
- * Which one to use will depend on the Certificate Authority (CA).
+ * provide any public implementations of it, hence this implementation.
  */
-public final class Digester implements DigestCalculator {
+public final class DigestCalculatorImpl implements DigestCalculator {
+
+    private static final AlgorithmIdentifier SHA1 = new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1);
+    private static final AlgorithmIdentifier SHA256 = new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256);
 
     private final DigestOutputStream dos;
     private final AlgorithmIdentifier algId;
 
-    public static DigestCalculator sha1() {
-        final Digest digest = new SHA1Digest();
-        final AlgorithmIdentifier algId = new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1);
 
-        return new Digester(digest, algId);
+    public static DigestCalculator sha1() {
+        return new DigestCalculatorImpl(new SHA1Digest(), SHA1);
     }
 
     public static DigestCalculator sha256() {
-        Digest digest = new SHA256Digest();
-
-        // The OID for SHA-256: http://www.oid-info.com/get/2.16.840.1.101.3.4.2.1
-        final ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier("2.16.840.1.101.3.4.2.1").intern();
-        final AlgorithmIdentifier algId = new AlgorithmIdentifier(oid);
-
-        return new Digester(digest, algId);
+        return new DigestCalculatorImpl(new SHA256Digest(), SHA256);
     }
 
-    private Digester(Digest digest, AlgorithmIdentifier algId) {
+    private DigestCalculatorImpl(Digest digest, AlgorithmIdentifier algId) {
         this.dos = new DigestOutputStream(digest);
         this.algId = algId;
     }

src/main/java/eu/webeid/security/validator/ocsp/OcspRequestBuilder.java

@@ -36,13 +36,12 @@
 import java.util.Objects;
 
 /**
- * This is a simplified version of Bouncy Castle's {@link OCSPReqBuilder}.
- *
- * @see OCSPReqBuilder
+ * This is a wrapper around Bouncy Castle's {@link OCSPReqBuilder} that
+ * adds the OCSP nonce extension to the request if needed.
  */
 public final class OcspRequestBuilder {
 
-    private static final SecureRandom GENERATOR = new SecureRandom();
+    private static final SecureRandom RANDOM_GENERATOR = new SecureRandom();
 
     private boolean ocspNonceEnabled = true;
     private CertificateID certificateId;
@@ -69,7 +68,7 @@ public OCSPReq build() throws OCSPException {
             try {
                 addNonce(builder);
             } catch (IOException e) {
-                throw new OCSPException("Failed to generate OCSP NONCE extension", e);
+                throw new OCSPException("Failed to generate OCSP nonce extension", e);
             }
         }
 
@@ -78,10 +77,11 @@ public OCSPReq build() throws OCSPException {
 
     private void addNonce(OCSPReqBuilder builder) throws IOException {
         final byte[] nonce = new byte[32];
-        GENERATOR.nextBytes(nonce);
+        RANDOM_GENERATOR.nextBytes(nonce);
 
         final Extension[] extensions = new Extension[]{
             new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false,
+                // Follow OpenSSL OCSP nonce encoding convention and add double octet string header.
                 new DEROctetString(new DEROctetString(nonce)))
         };
         builder.setRequestExtensions(new Extensions(extensions));