Use plaform OCSP implementation by default, move custom OCSP implementation to eu.webeid.ocsp and make it optional

WE2-1030

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

.github/workflows/coverity-analysis.yml

@@ -20,7 +20,7 @@ jobs:
       - uses: actions/setup-java@v4
         with:
           distribution: zulu
-          java-version: 11
+          java-version: 17
 
       - name: Cache Maven packages
         uses: actions/cache@v4

.github/workflows/maven-build.yml

@@ -20,7 +20,7 @@ jobs:
       - uses: actions/setup-java@v4
         with:
           distribution: zulu
-          java-version: 11
+          java-version: 17
 
       - name: Cache Maven packages
         uses: actions/cache@v4

.github/workflows/maven-deploy.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/setup-java@v4
         with:
           distribution: zulu
-          java-version: 11
+          java-version: 17
 
       - name: Cache Maven packages
         uses: actions/cache@v4

pom.xml

@@ -11,7 +11,7 @@
     <description>Web eID authentication token validation library for Java</description>
 
     <properties>
-        <java.version>11</java.version>
+        <java.version>17</java.version>
         <jjwt.version>0.12.6</jjwt.version>
         <bouncycastle.version>1.81</bouncycastle.version>
         <jackson.version>2.19.1</jackson.version>

…bjectCertificateNotRevokedValidator.java …ultOcspCertificateRevocationChecker.javasrc/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidator.java renamed to src/main/java/eu/webeid/ocsp/DefaultOcspCertificateRevocationChecker.java src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidator.java renamed to src/main/java/eu/webeid/ocsp/DefaultOcspCertificateRevocationChecker.java

@@ -20,17 +20,19 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.certvalidators;
+package eu.webeid.ocsp;
 
+import eu.webeid.ocsp.client.OcspClient;
+import eu.webeid.ocsp.protocol.DigestCalculatorImpl;
+import eu.webeid.ocsp.protocol.OcspRequestBuilder;
+import eu.webeid.ocsp.protocol.OcspResponseValidator;
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.exceptions.UserCertificateOCSPCheckFailedException;
 import eu.webeid.security.util.DateAndTime;
-import eu.webeid.security.validator.ocsp.DigestCalculatorImpl;
-import eu.webeid.security.validator.ocsp.OcspClient;
-import eu.webeid.security.validator.ocsp.OcspRequestBuilder;
-import eu.webeid.security.validator.ocsp.OcspResponseValidator;
-import eu.webeid.security.validator.ocsp.OcspServiceProvider;
-import eu.webeid.security.validator.ocsp.service.OcspService;
+import eu.webeid.ocsp.service.OcspServiceProvider;
+import eu.webeid.ocsp.service.OcspService;
+import eu.webeid.security.validator.revocationcheck.OcspCertificateRevocationChecker;
+import eu.webeid.security.validator.revocationcheck.RevocationInfo;
 import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
 import org.bouncycastle.asn1.ocsp.OCSPResponseStatus;
 import org.bouncycastle.asn1.x509.Extension;
@@ -55,13 +57,18 @@
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.Date;
-import java.util.Objects;
+import java.util.Map;
 
-public final class SubjectCertificateNotRevokedValidator {
+import static eu.webeid.security.util.DateAndTime.requirePositiveDuration;
+import static java.util.Objects.requireNonNull;
 
-    private static final Logger LOG = LoggerFactory.getLogger(SubjectCertificateNotRevokedValidator.class);
+public final class DefaultOcspCertificateRevocationChecker implements OcspCertificateRevocationChecker {
+
+    public static final Duration DEFAULT_TIME_SKEW = Duration.ofMinutes(15);
+    public static final Duration DEFAULT_THIS_UPDATE_AGE = Duration.ofMinutes(2);
+
+    private static final Logger LOG = LoggerFactory.getLogger(DefaultOcspCertificateRevocationChecker.class);
 
-    private final SubjectCertificateTrustedValidator trustValidator;
     private final OcspClient ocspClient;
     private final OcspServiceProvider ocspServiceProvider;
     private final Duration allowedOcspResponseTimeSkew;
@@ -71,30 +78,30 @@ public final class SubjectCertificateNotRevokedValidator {
         Security.addProvider(new BouncyCastleProvider());
     }
 
-    public SubjectCertificateNotRevokedValidator(SubjectCertificateTrustedValidator trustValidator,
-                                                 OcspClient ocspClient,
-                                                 OcspServiceProvider ocspServiceProvider,
-                                                 Duration allowedOcspResponseTimeSkew,
-                                                 Duration maxOcspResponseThisUpdateAge) {
-        this.trustValidator = trustValidator;
-        this.ocspClient = ocspClient;
-        this.ocspServiceProvider = ocspServiceProvider;
-        this.allowedOcspResponseTimeSkew = allowedOcspResponseTimeSkew;
-        this.maxOcspResponseThisUpdateAge = maxOcspResponseThisUpdateAge;
+    public DefaultOcspCertificateRevocationChecker(OcspClient ocspClient,
+                                                   OcspServiceProvider ocspServiceProvider,
+                                                   Duration allowedOcspResponseTimeSkew,
+                                                   Duration maxOcspResponseThisUpdateAge) {
+        this.ocspClient = requireNonNull(ocspClient, "ocspClient");
+        this.ocspServiceProvider = requireNonNull(ocspServiceProvider, "ocspServiceProvider");
+        this.allowedOcspResponseTimeSkew = requirePositiveDuration(allowedOcspResponseTimeSkew, "allowedOcspResponseTimeSkew");
+        this.maxOcspResponseThisUpdateAge = requirePositiveDuration(maxOcspResponseThisUpdateAge, "maxOcspResponseThisUpdateAge");
     }
 
     /**
-     * Validates that the user certificate from the authentication token is not revoked with OCSP.
+     * Validates with OCSP that the user certificate from the authentication token is not revoked.
      *
      * @param subjectCertificate user certificate to be validated
      * @throws AuthTokenException when user certificate is revoked or revocation check fails.
      */
-    public void validateCertificateNotRevoked(X509Certificate subjectCertificate) throws AuthTokenException {
+    public RevocationInfo validateCertificateNotRevoked(X509Certificate subjectCertificate, X509Certificate issuerCertificate) throws AuthTokenException {
+        requireNonNull(subjectCertificate, "subjectCertificate");
+        requireNonNull(issuerCertificate, "issuerCertificate");
+
         try {
             OcspService ocspService = ocspServiceProvider.getService(subjectCertificate);
 
-            final CertificateID certificateId = getCertificateId(subjectCertificate,
-                Objects.requireNonNull(trustValidator.getSubjectCertificateIssuerCertificate()));
+            final CertificateID certificateId = getCertificateId(subjectCertificate, issuerCertificate);
 
             final OCSPReq request = new OcspRequestBuilder()
                 .withCertificateId(certificateId)
@@ -106,7 +113,7 @@ public void validateCertificateNotRevoked(X509Certificate subjectCertificate) th
             }
 
             LOG.debug("Sending OCSP request");
-            final OCSPResp response = Objects.requireNonNull(ocspClient.request(ocspService.getAccessLocation(), request));
+            final OCSPResp response = requireNonNull(ocspClient.request(ocspService.getAccessLocation(), request), "OCSPResp");
             if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
                 throw new UserCertificateOCSPCheckFailedException("Response status: " + ocspStatusToString(response.getStatus()));
             }
@@ -119,6 +126,10 @@ public void validateCertificateNotRevoked(X509Certificate subjectCertificate) th
             if (ocspService.doesSupportNonce()) {
                 checkNonce(request, basicResponse);
             }
+
+            // TODO: @madislm, just an example, please amend according to your requirements.
+            return new RevocationInfo(ocspService.getAccessLocation(), Map.of("BasicOCSPResp", basicResponse));
+
         } catch (OCSPException | CertificateException | OperatorCreationException | IOException e) {
             throw new UserCertificateOCSPCheckFailedException(e);
         }
@@ -202,20 +213,14 @@ private static CertificateID getCertificateId(X509Certificate subjectCertificate
     }
 
     private static String ocspStatusToString(int status) {
-        switch (status) {
-            case OCSPResp.MALFORMED_REQUEST:
-                return "malformed request";
-            case OCSPResp.INTERNAL_ERROR:
-                return "internal error";
-            case OCSPResp.TRY_LATER:
-                return "service unavailable";
-            case OCSPResp.SIG_REQUIRED:
-                return "request signature missing";
-            case OCSPResp.UNAUTHORIZED:
-                return "unauthorized";
-            default:
-                return "unknown";
-        }
+        return switch (status) {
+            case OCSPResp.MALFORMED_REQUEST -> "malformed request";
+            case OCSPResp.INTERNAL_ERROR -> "internal error";
+            case OCSPResp.TRY_LATER -> "service unavailable";
+            case OCSPResp.SIG_REQUIRED -> "request signature missing";
+            case OCSPResp.UNAUTHORIZED -> "unauthorized";
+            default -> "unknown";
+        };
     }
 
 }

…/security/validator/ocsp/OcspClient.java …va/eu/webeid/ocsp/client/OcspClient.javasrc/main/java/eu/webeid/security/validator/ocsp/OcspClient.java renamed to src/main/java/eu/webeid/ocsp/client/OcspClient.java src/main/java/eu/webeid/security/validator/ocsp/OcspClient.java renamed to src/main/java/eu/webeid/ocsp/client/OcspClient.java

@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp;
+package eu.webeid.ocsp.client;
 
 import org.bouncycastle.cert.ocsp.OCSPReq;
 import org.bouncycastle.cert.ocsp.OCSPResp;

…urity/validator/ocsp/OcspClientImpl.java …u/webeid/ocsp/client/OcspClientImpl.javasrc/main/java/eu/webeid/security/validator/ocsp/OcspClientImpl.java renamed to src/main/java/eu/webeid/ocsp/client/OcspClientImpl.java src/main/java/eu/webeid/security/validator/ocsp/OcspClientImpl.java renamed to src/main/java/eu/webeid/ocsp/client/OcspClientImpl.java

@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp;
+package eu.webeid.ocsp.client;
 
 import org.bouncycastle.cert.ocsp.OCSPReq;
 import org.bouncycastle.cert.ocsp.OCSPResp;
@@ -34,6 +34,9 @@
 import java.net.http.HttpResponse;
 import java.time.Duration;
 
+import static eu.webeid.security.util.DateAndTime.requirePositiveDuration;
+import static java.util.Objects.requireNonNull;
+
 public class OcspClientImpl implements OcspClient {
 
     private static final Logger LOG = LoggerFactory.getLogger(OcspClientImpl.class);
@@ -45,6 +48,7 @@ public class OcspClientImpl implements OcspClient {
     private final Duration ocspRequestTimeout;
 
     public static OcspClient build(Duration ocspRequestTimeout) {
+        requirePositiveDuration(ocspRequestTimeout, "ocspRequestTimeout");
         return new OcspClientImpl(
             HttpClient.newBuilder()
                 .connectTimeout(ocspRequestTimeout)
@@ -91,8 +95,8 @@ public OCSPResp request(URI uri, OCSPReq ocspReq) throws IOException {
     }
 
     public OcspClientImpl(HttpClient httpClient, Duration ocspRequestTimeout) {
-        this.httpClient = httpClient;
-        this.ocspRequestTimeout = ocspRequestTimeout;
+        this.httpClient = requireNonNull(httpClient, "httpClient");
+        this.ocspRequestTimeout = requirePositiveDuration(ocspRequestTimeout, "ocspRequestTimeout");
     }
 
 }

…validator/ocsp/DigestCalculatorImpl.java …/ocsp/protocol/DigestCalculatorImpl.javasrc/main/java/eu/webeid/security/validator/ocsp/DigestCalculatorImpl.java renamed to src/main/java/eu/webeid/ocsp/protocol/DigestCalculatorImpl.java src/main/java/eu/webeid/security/validator/ocsp/DigestCalculatorImpl.java renamed to src/main/java/eu/webeid/ocsp/protocol/DigestCalculatorImpl.java

@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp;
+package eu.webeid.ocsp.protocol;
 
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
 import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;

…y/validator/ocsp/OcspRequestBuilder.java …id/ocsp/protocol/OcspRequestBuilder.javasrc/main/java/eu/webeid/security/validator/ocsp/OcspRequestBuilder.java renamed to src/main/java/eu/webeid/ocsp/protocol/OcspRequestBuilder.java src/main/java/eu/webeid/security/validator/ocsp/OcspRequestBuilder.java renamed to src/main/java/eu/webeid/ocsp/protocol/OcspRequestBuilder.java

@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp;
+package eu.webeid.ocsp.protocol;
 
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;

…alidator/ocsp/OcspResponseValidator.java …ocsp/protocol/OcspResponseValidator.javasrc/main/java/eu/webeid/security/validator/ocsp/OcspResponseValidator.java renamed to src/main/java/eu/webeid/ocsp/protocol/OcspResponseValidator.java src/main/java/eu/webeid/security/validator/ocsp/OcspResponseValidator.java renamed to src/main/java/eu/webeid/ocsp/protocol/OcspResponseValidator.java

@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package eu.webeid.security.validator.ocsp;
+package eu.webeid.ocsp.protocol;
 
 import eu.webeid.security.exceptions.OCSPCertificateException;
 import eu.webeid.security.exceptions.UserCertificateOCSPCheckFailedException;
@@ -121,8 +121,7 @@ public static void validateSubjectCertificateStatus(SingleResp certStatusRespons
         if (status == null) {
             return;
         }
-        if (status instanceof RevokedStatus) {
-            RevokedStatus revokedStatus = (RevokedStatus) status;
+        if (status instanceof RevokedStatus revokedStatus) {
             throw (revokedStatus.hasRevocationReason() ?
                 new UserCertificateRevokedException("Revocation reason: " + revokedStatus.getRevocationReason()) :
                 new UserCertificateRevokedException());