Add ValidationInfo and OcspValidationInfo in validation response and exception

Author: aarmam

example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java

@@ -27,6 +27,7 @@
 import eu.webeid.security.challenge.ChallengeNonceStore;
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.validator.AuthTokenValidator;
+import eu.webeid.security.validator.ValidationInfo;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.AuthenticationProvider;
@@ -72,7 +73,8 @@ public Authentication authenticate(Authentication auth) throws AuthenticationExc
 
         try {
             final String nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
-            final X509Certificate userCertificate = tokenValidator.validate(authToken, nonce);
+            final ValidationInfo validationInfo = tokenValidator.validate(authToken, nonce);
+            final X509Certificate userCertificate = validationInfo.getSubjectCertificate();
             return WebEidAuthentication.fromCertificate(userCertificate, authorities);
         } catch (AuthTokenException e) {
             throw new AuthenticationServiceException("Web eID token validation failed", e);

src/main/java/eu/webeid/security/exceptions/UserCertificateOCSPCheckFailedException.java

@@ -22,15 +22,33 @@
 
 package eu.webeid.security.exceptions;
 
+import eu.webeid.security.validator.ocsp.OcspValidationInfo;
+
 /**
  * Thrown when user certificate revocation check with OCSP fails.
  */
 public class UserCertificateOCSPCheckFailedException extends AuthTokenException {
+    private final OcspValidationInfo ocspValidationInfo;
+
     public UserCertificateOCSPCheckFailedException(Throwable cause) {
-        super("User certificate revocation check has failed", cause);
+        this(cause, null);
     }
 
     public UserCertificateOCSPCheckFailedException(String message) {
+        this(message, null);
+    }
+
+    public UserCertificateOCSPCheckFailedException(Throwable cause, OcspValidationInfo ocspValidationInfo) {
+        super("User certificate revocation check has failed", cause);
+        this.ocspValidationInfo = ocspValidationInfo;
+    }
+
+    public UserCertificateOCSPCheckFailedException(String message, OcspValidationInfo ocspValidationInfo) {
         super("User certificate revocation check has failed: " + message);
+        this.ocspValidationInfo = ocspValidationInfo;
+    }
+
+    public OcspValidationInfo getOcspValidationInfo() {
+        return ocspValidationInfo;
     }
 }

src/main/java/eu/webeid/security/exceptions/UserCertificateRevokedException.java

@@ -22,15 +22,25 @@
 
 package eu.webeid.security.exceptions;
 
+import eu.webeid.security.validator.ocsp.OcspValidationInfo;
+
 /**
  * Thrown when the user certificate has been revoked.
  */
 public class UserCertificateRevokedException extends AuthTokenException {
-    public UserCertificateRevokedException() {
+    private final OcspValidationInfo ocspValidationInfo;
+
+    public UserCertificateRevokedException(OcspValidationInfo ocspValidationInfo) {
         super("User certificate has been revoked");
+        this.ocspValidationInfo = ocspValidationInfo;
     }
 
-    public UserCertificateRevokedException(String msg) {
+    public UserCertificateRevokedException(String msg, OcspValidationInfo ocspValidationInfo) {
         super("User certificate has been revoked: " + msg);
+        this.ocspValidationInfo = ocspValidationInfo;
+    }
+
+    public OcspValidationInfo getOcspValidationInfo() {
+        return ocspValidationInfo;
     }
 }

src/main/java/eu/webeid/security/exceptions/UserCertificateUnknownException.java

@@ -22,12 +22,20 @@
 
 package eu.webeid.security.exceptions;
 
+import eu.webeid.security.validator.ocsp.OcspValidationInfo;
+
 /**
  * Thrown when the user certificate has been revoked.
  */
 public class UserCertificateUnknownException extends AuthTokenException {
+    private final OcspValidationInfo ocspValidationInfo;
 
-    public UserCertificateUnknownException(String msg) {
+    public UserCertificateUnknownException(String msg, OcspValidationInfo ocspValidationInfo) {
         super(msg);
+        this.ocspValidationInfo = ocspValidationInfo;
+    }
+
+    public OcspValidationInfo getOcspValidationInfo() {
+        return ocspValidationInfo;
     }
 }

src/main/java/eu/webeid/security/validator/AuthTokenValidator.java

@@ -57,6 +57,6 @@ public interface AuthTokenValidator {
      * @return validated subject certificate
      * @throws AuthTokenException when validation fails
      */
-    X509Certificate validate(WebEidAuthToken authToken, String currentChallengeNonce) throws AuthTokenException;
+    ValidationInfo validate(WebEidAuthToken authToken, String currentChallengeNonce) throws AuthTokenException;
 
 }

src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -37,6 +37,7 @@
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
+import eu.webeid.security.validator.ocsp.OcspValidationInfo;
 import eu.webeid.security.validator.ocsp.ResilientOcspService;
 import eu.webeid.security.validator.ocsp.service.AiaOcspServiceConfiguration;
 import org.slf4j.Logger;
@@ -119,7 +120,7 @@ public WebEidAuthToken parse(String authToken) throws AuthTokenException {
     }
 
     @Override
-    public X509Certificate validate(WebEidAuthToken authToken, String currentChallengeNonce) throws AuthTokenException {
+    public ValidationInfo validate(WebEidAuthToken authToken, String currentChallengeNonce) throws AuthTokenException {
         try {
             LOG.info("Starting token validation");
             return validateToken(authToken, currentChallengeNonce);
@@ -151,7 +152,7 @@ private WebEidAuthToken parseToken(String authToken) throws AuthTokenParseExcept
         }
     }
 
-    private X509Certificate validateToken(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
+    private ValidationInfo validateToken(WebEidAuthToken token, String currentChallengeNonce) throws AuthTokenException {
         if (token.getFormat() == null || !token.getFormat().startsWith(CURRENT_TOKEN_FORMAT_VERSION)) {
             throw new AuthTokenParseException("Only token format version '" + CURRENT_TOKEN_FORMAT_VERSION +
                 "' is currently supported");
@@ -162,7 +163,7 @@ private X509Certificate validateToken(WebEidAuthToken token, String currentChall
         final X509Certificate subjectCertificate = CertificateLoader.decodeCertificateFromBase64(token.getUnverifiedCertificate());
 
         simpleSubjectCertificateValidators.executeFor(subjectCertificate);
-        getCertTrustValidators().executeFor(subjectCertificate);
+        OcspValidationInfo ocspValidationInfo = validateCertificateTrust(subjectCertificate);
 
         // It is guaranteed that if the signature verification succeeds, then the origin and challenge
         // have been implicitly and correctly verified without the need to implement any additional checks.
@@ -171,25 +172,23 @@ private X509Certificate validateToken(WebEidAuthToken token, String currentChall
             subjectCertificate.getPublicKey(),
             currentChallengeNonce);
 
-        return subjectCertificate;
+        return new ValidationInfo(subjectCertificate, ocspValidationInfo);
     }
 
     /**
-     * Creates the certificate trust validators batch.
+     * Validates the certificate trust and optionally the revocation status.
      * As SubjectCertificateTrustedValidator has mutable state that SubjectCertificateNotRevokedValidator depends on,
      * they cannot be reused/cached in an instance variable in a multi-threaded environment. Hence, they are
      * re-created for each validation run for thread safety.
      *
-     * @return certificate trust validator batch
+     * @return ocsp validation information if revocation check is performed, null otherwise
      */
-    private SubjectCertificateValidatorBatch getCertTrustValidators() {
+    private OcspValidationInfo validateCertificateTrust(X509Certificate subjectCertificate) throws AuthTokenException {
         final SubjectCertificateTrustedValidator certTrustedValidator =
             new SubjectCertificateTrustedValidator(trustedCACertificateAnchors, trustedCACertificateCertStore);
-        return SubjectCertificateValidatorBatch.createFrom(
-            certTrustedValidator::validateCertificateTrusted
-        ).addOptional(configuration.isUserCertificateRevocationCheckWithOcspEnabled(),
-            new SubjectCertificateNotRevokedValidator(resilientOcspService, certTrustedValidator)::validateCertificateNotRevoked
-        );
+        certTrustedValidator.validateCertificateTrusted(subjectCertificate);
+        return configuration.isUserCertificateRevocationCheckWithOcspEnabled() ? new SubjectCertificateNotRevokedValidator(resilientOcspService, certTrustedValidator)
+            .validateCertificateNotRevoked(subjectCertificate) : null;
     }
 
 }

src/main/java/eu/webeid/security/validator/ValidationInfo.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.security.validator;
+
+import eu.webeid.security.validator.ocsp.OcspValidationInfo;
+
+import java.security.cert.X509Certificate;
+
+public class ValidationInfo {
+    private final X509Certificate subjectCertificate;
+    private final OcspValidationInfo ocspValidationInfo;
+
+    public ValidationInfo(X509Certificate subjectCertificate, OcspValidationInfo ocspValidationInfo) {
+        this.subjectCertificate = subjectCertificate;
+        this.ocspValidationInfo = ocspValidationInfo;
+    }
+
+    public X509Certificate getSubjectCertificate() {
+        return subjectCertificate;
+    }
+
+    public OcspValidationInfo getOcspValidationInfo() {
+        return ocspValidationInfo;
+    }
+}

src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidator.java

@@ -23,6 +23,7 @@
 package eu.webeid.security.validator.certvalidators;
 
 import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.validator.ocsp.OcspValidationInfo;
 import eu.webeid.security.validator.ocsp.ResilientOcspService;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
@@ -50,8 +51,8 @@ public SubjectCertificateNotRevokedValidator(ResilientOcspService resilientOcspS
      * @param subjectCertificate user certificate to be validated
      * @throws AuthTokenException when user certificate is revoked or revocation check fails.
      */
-    public void validateCertificateNotRevoked(X509Certificate subjectCertificate) throws AuthTokenException {
+    public OcspValidationInfo validateCertificateNotRevoked(X509Certificate subjectCertificate) throws AuthTokenException {
         final X509Certificate issuerCertificate = Objects.requireNonNull(trustValidator.getSubjectCertificateIssuerCertificate());
-        resilientOcspService.validateSubjectCertificateNotRevoked(subjectCertificate, issuerCertificate);
+        return resilientOcspService.validateSubjectCertificateNotRevoked(subjectCertificate, issuerCertificate);
     }
 }