feat(OCSP): implement configurable designated OCSP service, verify OCSP responder certificate and response signature

WE2-432

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

README.md

@@ -143,6 +143,11 @@ import java.security.cert.X509Certificate;
 ...
 ```
 
+## 5. Add trusted OCSP responder certificates
+
+- AIA
+- Designated
+
 ## 5. Configure the authentication token validator
 
 Once the prerequisites have been met, the authentication token validator itself can be configured.
@@ -235,6 +240,8 @@ try {
 - [Nonce generation](#nonce-generation)
   - [Basic usage](#basic-usage-1)
   - [Extended configuration](#extended-configuration-1)
+- [Frequently asked questions](#frequently-asked-questions)
+  - [How can I find the AIA OCSP service URLs?](#how-can-i-find-the-aia-ocsp-service-urls)
 
 # Introduction
 
@@ -356,3 +363,14 @@ NonceGenerator generator = new NonceGeneratorBuilder()
         .withSecureRandom(customSecureRandom)  
         .build();
 ```
+
+## Frequently asked questions
+
+### How can I find the AIA OCSP service URLs?
+
+You can find the AIA OCSP service URLs from the electronic ID certificate profile documents, in the section that describes certificate extensions.
+The AIA OCSP extension OID is 1.3.6.1.5.5.7.48.1.
+
+For example, the EstEID AIA URLs are specified in the documents
+[*Certificate, CRL and OCSP Profile for identification documents of the Republic of Estonia*](https://www.skidsolutions.eu/upload/files/SK-CPR-ESTEID-EN-v8_4-20200630.pdf) and
+[*Certificate, CRL and OCSP Profile for ID-1 Format Identity Documents Issued by the Republic of Estonia*](https://www.skidsolutions.eu/upload/files/SK-CPR-ESTEID2018-EN-v1_2_20200630.pdf).

pom.xml

@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>authtoken-validation</artifactId>
     <groupId>org.webeid.security</groupId>
-    <version>1.1.0</version>
+    <version>2.0.0</version>
     <packaging>jar</packaging>
     <name>authtoken-validation</name>
     <description>Web eID authentication token validation library for Java</description>
@@ -16,6 +16,7 @@
         <java.version>1.8</java.version>
         <jjwt.version>0.11.2</jjwt.version>
         <slf4j.version>1.7.30</slf4j.version>
+        <bouncycastle.version>1.65</bouncycastle.version>
         <caffeine.version>2.8.5</caffeine.version>
         <junit-jupiter.version>5.6.2</junit-jupiter.version>
         <assertj.version>3.17.2</assertj.version>
@@ -67,10 +68,15 @@
             <artifactId>guava</artifactId>
             <version>30.1-jre</version>
         </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk15on</artifactId>
+            <version>${bouncycastle.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcpkix-jdk15on</artifactId>
-            <version>1.65</version>
+            <version>${bouncycastle.version}</version>
         </dependency>
         <dependency>
             <groupId>com.squareup.okhttp3</groupId>

…a/org/webeid/security/util/CertUtil.java …ecurity/certificate/CertificateData.javasrc/main/java/org/webeid/security/util/CertUtil.java renamed to src/main/java/org/webeid/security/certificate/CertificateData.java src/main/java/org/webeid/security/util/CertUtil.java renamed to src/main/java/org/webeid/security/certificate/CertificateData.java

@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package org.webeid.security.util;
+package org.webeid.security.certificate;
 
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.x500.RDN;
@@ -34,7 +34,7 @@
 import java.util.Arrays;
 import java.util.stream.Collectors;
 
-public final class CertUtil {
+public final class CertificateData {
 
     public static String getSubjectCN(X509Certificate certificate) throws CertificateEncodingException {
         return getField(certificate, BCStyle.CN);
@@ -65,7 +65,7 @@ private static String getField(X509Certificate certificate, ASN1ObjectIdentifier
             .collect(Collectors.joining(", "));
     }
 
-    private CertUtil() {
+    private CertificateData() {
         throw new IllegalStateException("Utility class");
     }
 

…security/testutil/CertificateLoader.java …urity/certificate/CertificateLoader.javasrc/test/java/org/webeid/security/testutil/CertificateLoader.java renamed to src/main/java/org/webeid/security/certificate/CertificateLoader.java src/test/java/org/webeid/security/testutil/CertificateLoader.java renamed to src/main/java/org/webeid/security/certificate/CertificateLoader.java

@@ -20,32 +20,43 @@
  * SOFTWARE.
  */
 
-package org.webeid.security.testutil;
+package org.webeid.security.certificate;
 
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Base64;
 import java.util.List;
 
 public final class CertificateLoader {
 
-    public static X509Certificate[] loadCertificatesFromResources(String... resourceNames) throws CertificateException {
-        List<X509Certificate> caCertificates = new ArrayList<>();
-        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+    public static X509Certificate[] loadCertificatesFromResources(String... resourceNames) throws CertificateException, IOException {
+        final List<X509Certificate> caCertificates = new ArrayList<>();
+        final CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
 
         for (final String resourceName : resourceNames) {
             try (final InputStream resourceAsStream = ClassLoader.getSystemResourceAsStream(resourceName)) {
                 X509Certificate caCertificate = (X509Certificate) certFactory.generateCertificate(resourceAsStream);
                 caCertificates.add(caCertificate);
-            } catch (IOException e) {
-                throw new RuntimeException("Error loading certificate resource.", e);
             }
         }
 
         return caCertificates.toArray(new X509Certificate[0]);
     }
 
+    public static X509Certificate loadCertificateFromBase64String(String certificate) throws CertificateException, IOException {
+        try (final InputStream targetStream = new ByteArrayInputStream(Base64.getDecoder().decode(certificate))) {
+            return (X509Certificate) CertificateFactory
+                .getInstance("X509")
+                .generateCertificate(targetStream);
+        }
+    }
+
+    private CertificateLoader() {
+        throw new IllegalStateException("Utility class");
+    }
 }

src/main/java/org/webeid/security/certificate/CertificateValidator.java

@@ -0,0 +1,96 @@
+package org.webeid.security.certificate;
+
+import org.webeid.security.exceptions.CertificateNotTrustedException;
+import org.webeid.security.exceptions.JceException;
+import org.webeid.security.exceptions.UserCertificateExpiredException;
+import org.webeid.security.exceptions.UserCertificateNotYetValidException;
+
+import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertPathBuilder;
+import java.security.cert.CertPathBuilderException;
+import java.security.cert.CertStore;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.PKIXCertPathBuilderResult;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509CertSelector;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+public final class CertificateValidator {
+
+    /**
+     * Checks whether the certificate was valid on the given date.
+     */
+    public static void certificateIsValidOnDate(X509Certificate cert, Date date) throws UserCertificateNotYetValidException, UserCertificateExpiredException {
+        try {
+            cert.checkValidity(date);
+        } catch (CertificateNotYetValidException e) {
+            throw new UserCertificateNotYetValidException(e);
+        } catch (CertificateExpiredException e) {
+            throw new UserCertificateExpiredException(e);
+        }
+    }
+
+    public static X509Certificate validateIsSignedByTrustedCA(X509Certificate certificate,
+                                                              Set<TrustAnchor> trustedCACertificateAnchors,
+                                                              CertStore trustedCACertificateCertStore) throws CertificateNotTrustedException, JceException {
+        final X509CertSelector selector = new X509CertSelector();
+        selector.setCertificate(certificate);
+
+        try {
+            final PKIXBuilderParameters pkixBuilderParameters = new PKIXBuilderParameters(trustedCACertificateAnchors, selector);
+            pkixBuilderParameters.setRevocationEnabled(false);
+            pkixBuilderParameters.addCertStore(trustedCACertificateCertStore);
+
+            // See the comment in buildCertStoreFromCertificates() below why we use the default JCE provider.
+            final CertPathBuilder certPathBuilder = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
+            final PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) certPathBuilder.build(pkixBuilderParameters);
+
+            return result.getTrustAnchor().getTrustedCert();
+
+        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
+            throw new JceException(e);
+        } catch (CertPathBuilderException e) {
+            throw new CertificateNotTrustedException(certificate, e);
+        }
+    }
+
+    public static Set<TrustAnchor> buildTrustAnchorsFromCertificates(Collection<X509Certificate> certificates) {
+        return certificates.stream()
+            .map(cert -> new TrustAnchor(cert, null))
+            .collect(Collectors.toSet());
+    }
+
+    public static Set<TrustAnchor> buildTrustAnchorsFromCertificate(X509Certificate certificate) {
+        return buildTrustAnchorsFromCertificates(Collections.singleton(certificate));
+    }
+
+    public static CertStore buildCertStoreFromCertificates(Collection<X509Certificate> certificates) throws JceException {
+        // We use the default JCE provider as there is no reason to use Bouncy Castle, moreover BC requires
+        // the validated certificate to be in the certificate store which breaks the clean immutable usage of
+        // trustedCACertificateCertStore in SubjectCertificateTrustedValidator.
+        try {
+            return CertStore.getInstance("Collection", new CollectionCertStoreParameters(certificates));
+        } catch (GeneralSecurityException e) {
+            throw new JceException(e);
+        }
+    }
+
+    public static CertStore buildCertStoreFromCertificate(X509Certificate certificate) throws JceException {
+        return buildCertStoreFromCertificates(Collections.singleton(certificate));
+    }
+
+    private CertificateValidator() {
+        throw new IllegalStateException("Utility class");
+    }
+
+}

src/main/java/org/webeid/security/exceptions/AiaOcspResponderConfigurationException.java

@@ -0,0 +1,7 @@
+package org.webeid.security.exceptions;
+
+public class AiaOcspResponderConfigurationException extends TokenValidationException {
+    public AiaOcspResponderConfigurationException(String message) {
+        super(message);
+    }
+}

…/UserCertificateNotTrustedException.java …ions/CertificateNotTrustedException.javasrc/main/java/org/webeid/security/exceptions/UserCertificateNotTrustedException.java renamed to src/main/java/org/webeid/security/exceptions/CertificateNotTrustedException.java src/main/java/org/webeid/security/exceptions/UserCertificateNotTrustedException.java renamed to src/main/java/org/webeid/security/exceptions/CertificateNotTrustedException.java

@@ -22,15 +22,15 @@
 
 package org.webeid.security.exceptions;
 
+import java.security.cert.X509Certificate;
+
 /**
- * Thrown when the user certificate is not trusted.
+ * Thrown when the given certificate is not signed by a trusted CA.
  */
-public class UserCertificateNotTrustedException extends TokenValidationException {
-    public UserCertificateNotTrustedException() {
-        super("User certificate is not trusted");
-    }
+public class CertificateNotTrustedException extends TokenValidationException {
 
-    public UserCertificateNotTrustedException(String msg) {
-        super("User certificate is not trusted: " + msg);
+    public CertificateNotTrustedException(X509Certificate certificate, Throwable e) {
+        super("Certificate " + certificate.getSubjectDN() + " is not trusted", e);
     }
+
 }

src/main/java/org/webeid/security/exceptions/OCSPCertificateException.java

@@ -0,0 +1,13 @@
+package org.webeid.security.exceptions;
+
+public class OCSPCertificateException extends TokenValidationException {
+
+    public OCSPCertificateException(String message) {
+        super(message);
+    }
+
+    public OCSPCertificateException(String message, Throwable exception) {
+        super(message, exception);
+    }
+
+}

src/main/java/org/webeid/security/exceptions/OriginMismatchException.java

@@ -35,6 +35,6 @@ public OriginMismatchException() {
     }
 
     public OriginMismatchException(Throwable cause) {
-        super(MESSAGE + ":", cause);
+        super(MESSAGE, cause);
     }
 }

src/main/java/org/webeid/security/exceptions/TokenExpiredException.java

@@ -28,6 +28,6 @@
 public class TokenExpiredException extends TokenValidationException {
 
     public TokenExpiredException(Throwable cause) {
-        super("Token has expired:", cause);
+        super("Token has expired", cause);
     }
 }