WIP: Use plaform OCSP by default

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

…validator/ocsp/DigestCalculatorImpl.java …eu/webeid/ocsp/DigestCalculatorImpl.javasrc/main/java/eu/webeid/security/validator/ocsp/DigestCalculatorImpl.java renamed to src/main/java/eu/webeid/ocsp/DigestCalculatorImpl.java src/main/java/eu/webeid/security/validator/ocsp/DigestCalculatorImpl.java renamed to src/main/java/eu/webeid/ocsp/DigestCalculatorImpl.java

@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp;
+package eu.webeid.ocsp;
 
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
 import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;

…/security/validator/ocsp/OcspClient.java …main/java/eu/webeid/ocsp/OcspClient.javasrc/main/java/eu/webeid/security/validator/ocsp/OcspClient.java renamed to src/main/java/eu/webeid/ocsp/OcspClient.java src/main/java/eu/webeid/security/validator/ocsp/OcspClient.java renamed to src/main/java/eu/webeid/ocsp/OcspClient.java

@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp;
+package eu.webeid.ocsp;
 
 import org.bouncycastle.cert.ocsp.OCSPReq;
 import org.bouncycastle.cert.ocsp.OCSPResp;

…urity/validator/ocsp/OcspClientImpl.java …/java/eu/webeid/ocsp/OcspClientImpl.javasrc/main/java/eu/webeid/security/validator/ocsp/OcspClientImpl.java renamed to src/main/java/eu/webeid/ocsp/OcspClientImpl.java src/main/java/eu/webeid/security/validator/ocsp/OcspClientImpl.java renamed to src/main/java/eu/webeid/ocsp/OcspClientImpl.java

@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp;
+package eu.webeid.ocsp;
 
 import org.bouncycastle.cert.ocsp.OCSPReq;
 import org.bouncycastle.cert.ocsp.OCSPResp;

…y/validator/ocsp/OcspRequestBuilder.java …a/eu/webeid/ocsp/OcspRequestBuilder.javasrc/main/java/eu/webeid/security/validator/ocsp/OcspRequestBuilder.java renamed to src/main/java/eu/webeid/ocsp/OcspRequestBuilder.java src/main/java/eu/webeid/security/validator/ocsp/OcspRequestBuilder.java renamed to src/main/java/eu/webeid/ocsp/OcspRequestBuilder.java

@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp;
+package eu.webeid.ocsp;
 
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;

…alidator/ocsp/OcspResponseValidator.java …u/webeid/ocsp/OcspResponseValidator.javasrc/main/java/eu/webeid/security/validator/ocsp/OcspResponseValidator.java renamed to src/main/java/eu/webeid/ocsp/OcspResponseValidator.java src/main/java/eu/webeid/security/validator/ocsp/OcspResponseValidator.java renamed to src/main/java/eu/webeid/ocsp/OcspResponseValidator.java

@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp;
+package eu.webeid.ocsp;
 
 import eu.webeid.security.exceptions.OCSPCertificateException;
 import eu.webeid.security.exceptions.UserCertificateOCSPCheckFailedException;

…/validator/ocsp/OcspServiceProvider.java …/eu/webeid/ocsp/OcspServiceProvider.javasrc/main/java/eu/webeid/security/validator/ocsp/OcspServiceProvider.java renamed to src/main/java/eu/webeid/ocsp/OcspServiceProvider.java src/main/java/eu/webeid/security/validator/ocsp/OcspServiceProvider.java renamed to src/main/java/eu/webeid/ocsp/OcspServiceProvider.java

@@ -20,14 +20,14 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp;
+package eu.webeid.ocsp;
 
 import eu.webeid.security.exceptions.AuthTokenException;
-import eu.webeid.security.validator.ocsp.service.AiaOcspService;
-import eu.webeid.security.validator.ocsp.service.AiaOcspServiceConfiguration;
-import eu.webeid.security.validator.ocsp.service.DesignatedOcspService;
-import eu.webeid.security.validator.ocsp.service.DesignatedOcspServiceConfiguration;
-import eu.webeid.security.validator.ocsp.service.OcspService;
+import eu.webeid.ocsp.service.AiaOcspService;
+import eu.webeid.ocsp.service.AiaOcspServiceConfiguration;
+import eu.webeid.ocsp.service.DesignatedOcspService;
+import eu.webeid.ocsp.service.DesignatedOcspServiceConfiguration;
+import eu.webeid.ocsp.service.OcspService;
 
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;

…eid/security/validator/ocsp/OcspUrl.java src/main/java/eu/webeid/ocsp/OcspUrl.javasrc/main/java/eu/webeid/security/validator/ocsp/OcspUrl.java renamed to src/main/java/eu/webeid/ocsp/OcspUrl.java src/main/java/eu/webeid/security/validator/ocsp/OcspUrl.java renamed to src/main/java/eu/webeid/ocsp/OcspUrl.java

@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp;
+package eu.webeid.ocsp;
 
 import org.bouncycastle.asn1.ASN1String;
 import org.bouncycastle.asn1.x509.AccessDescription;

…bjectCertificateNotRevokedValidator.java …bjectCertificateNotRevokedValidator.javasrc/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidator.java renamed to src/main/java/eu/webeid/ocsp/certvalidators/SubjectCertificateNotRevokedValidator.java src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidator.java renamed to src/main/java/eu/webeid/ocsp/certvalidators/SubjectCertificateNotRevokedValidator.java

@@ -20,17 +20,20 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.certvalidators;
+package eu.webeid.ocsp.certvalidators;
 
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.exceptions.UserCertificateOCSPCheckFailedException;
 import eu.webeid.security.util.DateAndTime;
-import eu.webeid.security.validator.ocsp.DigestCalculatorImpl;
-import eu.webeid.security.validator.ocsp.OcspClient;
-import eu.webeid.security.validator.ocsp.OcspRequestBuilder;
-import eu.webeid.security.validator.ocsp.OcspResponseValidator;
-import eu.webeid.security.validator.ocsp.OcspServiceProvider;
-import eu.webeid.security.validator.ocsp.service.OcspService;
+import eu.webeid.ocsp.DigestCalculatorImpl;
+import eu.webeid.ocsp.OcspClient;
+import eu.webeid.ocsp.OcspRequestBuilder;
+import eu.webeid.ocsp.OcspResponseValidator;
+import eu.webeid.ocsp.OcspServiceProvider;
+import eu.webeid.ocsp.service.OcspService;
+import eu.webeid.security.validator.certvalidators.SubjectCertificateTrustedValidator;
+import eu.webeid.security.validator.revocationcheck.OcspCertificateRevocationChecker;
+import eu.webeid.security.validator.revocationcheck.RevocationInfo;
 import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
 import org.bouncycastle.asn1.ocsp.OCSPResponseStatus;
 import org.bouncycastle.asn1.x509.Extension;
@@ -57,11 +60,12 @@
 import java.util.Date;
 import java.util.Objects;
 
-public final class SubjectCertificateNotRevokedValidator {
+import static java.util.Objects.requireNonNull;
+
+public final class SubjectCertificateNotRevokedValidator implements OcspCertificateRevocationChecker {
 
     private static final Logger LOG = LoggerFactory.getLogger(SubjectCertificateNotRevokedValidator.class);
 
-    private final SubjectCertificateTrustedValidator trustValidator;
     private final OcspClient ocspClient;
     private final OcspServiceProvider ocspServiceProvider;
     private final Duration allowedOcspResponseTimeSkew;
@@ -71,12 +75,10 @@ public final class SubjectCertificateNotRevokedValidator {
         Security.addProvider(new BouncyCastleProvider());
     }
 
-    public SubjectCertificateNotRevokedValidator(SubjectCertificateTrustedValidator trustValidator,
-                                                 OcspClient ocspClient,
+    public SubjectCertificateNotRevokedValidator(OcspClient ocspClient,
                                                  OcspServiceProvider ocspServiceProvider,
                                                  Duration allowedOcspResponseTimeSkew,
                                                  Duration maxOcspResponseThisUpdateAge) {
-        this.trustValidator = trustValidator;
         this.ocspClient = ocspClient;
         this.ocspServiceProvider = ocspServiceProvider;
         this.allowedOcspResponseTimeSkew = allowedOcspResponseTimeSkew;
@@ -89,12 +91,11 @@ public SubjectCertificateNotRevokedValidator(SubjectCertificateTrustedValidator
      * @param subjectCertificate user certificate to be validated
      * @throws AuthTokenException when user certificate is revoked or revocation check fails.
      */
-    public void validateCertificateNotRevoked(X509Certificate subjectCertificate) throws AuthTokenException {
+    public RevocationInfo validateCertificateNotRevoked(X509Certificate subjectCertificate, X509Certificate issuerCertificate) throws AuthTokenException {
         try {
             OcspService ocspService = ocspServiceProvider.getService(subjectCertificate);
 
-            final CertificateID certificateId = getCertificateId(subjectCertificate,
-                Objects.requireNonNull(trustValidator.getSubjectCertificateIssuerCertificate()));
+            final CertificateID certificateId = getCertificateId(subjectCertificate, requireNonNull(issuerCertificate));
 
             final OCSPReq request = new OcspRequestBuilder()
                 .withCertificateId(certificateId)
@@ -106,7 +107,7 @@ public void validateCertificateNotRevoked(X509Certificate subjectCertificate) th
             }
 
             LOG.debug("Sending OCSP request");
-            final OCSPResp response = Objects.requireNonNull(ocspClient.request(ocspService.getAccessLocation(), request));
+            final OCSPResp response = requireNonNull(ocspClient.request(ocspService.getAccessLocation(), request));
             if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
                 throw new UserCertificateOCSPCheckFailedException("Response status: " + ocspStatusToString(response.getStatus()));
             }
@@ -122,6 +123,8 @@ public void validateCertificateNotRevoked(X509Certificate subjectCertificate) th
         } catch (OCSPException | CertificateException | OperatorCreationException | IOException e) {
             throw new UserCertificateOCSPCheckFailedException(e);
         }
+        // FIXME:
+        return null;
     }
 
     private void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, CertificateID requestCertificateId) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {
@@ -198,7 +201,7 @@ private static CertificateID getCertificateId(X509Certificate subjectCertificate
         final BigInteger serial = subjectCertificate.getSerialNumber();
         final DigestCalculator digestCalculator = DigestCalculatorImpl.sha1();
         return new CertificateID(digestCalculator,
-            new X509CertificateHolder(issuerCertificate.getEncoded()), serial);
+                new X509CertificateHolder(issuerCertificate.getEncoded()), serial);
     }
 
     private static String ocspStatusToString(int status) {

…lidator/ocsp/service/AiaOcspService.java …/webeid/ocsp/service/AiaOcspService.javasrc/main/java/eu/webeid/security/validator/ocsp/service/AiaOcspService.java renamed to src/main/java/eu/webeid/ocsp/service/AiaOcspService.java src/main/java/eu/webeid/security/validator/ocsp/service/AiaOcspService.java renamed to src/main/java/eu/webeid/ocsp/service/AiaOcspService.java

@@ -20,13 +20,13 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp.service;
+package eu.webeid.ocsp.service;
 
 import eu.webeid.security.certificate.CertificateValidator;
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.exceptions.OCSPCertificateException;
 import eu.webeid.security.exceptions.UserCertificateOCSPCheckFailedException;
-import eu.webeid.security.validator.ocsp.OcspResponseValidator;
+import eu.webeid.ocsp.OcspResponseValidator;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 
@@ -39,7 +39,7 @@
 import java.util.Objects;
 import java.util.Set;
 
-import static eu.webeid.security.validator.ocsp.OcspUrl.getOcspUri;
+import static eu.webeid.ocsp.OcspUrl.getOcspUri;
 
 /**
  * An OCSP service that uses the responders from the Certificates' Authority Information Access (AIA) extension.
@@ -77,7 +77,7 @@ public void validateResponderCertificate(X509CertificateHolder cert, Date now) t
             CertificateValidator.certificateIsValidOnDate(certificate, now, "AIA OCSP responder");
             // Trusted certificates' validity has been already verified in validateCertificateExpiry().
             OcspResponseValidator.validateHasSigningExtension(certificate);
-            CertificateValidator.validateIsSignedByTrustedCA(certificate, trustedCACertificateAnchors, trustedCACertificateCertStore, now);
+            CertificateValidator.validateIsSignedByTrustedCA(certificate, trustedCACertificateAnchors, trustedCACertificateCertStore, now, true, null);
         } catch (CertificateException e) {
             throw new OCSPCertificateException("Invalid responder certificate", e);
         }

…service/AiaOcspServiceConfiguration.java …service/AiaOcspServiceConfiguration.javasrc/main/java/eu/webeid/security/validator/ocsp/service/AiaOcspServiceConfiguration.java renamed to src/main/java/eu/webeid/ocsp/service/AiaOcspServiceConfiguration.java src/main/java/eu/webeid/security/validator/ocsp/service/AiaOcspServiceConfiguration.java renamed to src/main/java/eu/webeid/ocsp/service/AiaOcspServiceConfiguration.java

@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp.service;
+package eu.webeid.ocsp.service;
 
 import java.net.URI;
 import java.security.cert.CertStore;