Add rejectUnknownOcspResponseStatus configuration option

Author: aarmam

src/main/java/eu/webeid/security/exceptions/UserCertificateUnknownException.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.security.exceptions;
+
+/**
+ * Thrown when the user certificate has been revoked.
+ */
+public class UserCertificateUnknownException extends AuthTokenException {
+
+    public UserCertificateUnknownException(String msg) {
+        super(msg);
+    }
+}

src/main/java/eu/webeid/security/validator/AuthTokenValidationConfiguration.java

@@ -52,6 +52,7 @@ public final class AuthTokenValidationConfiguration {
     private Duration ocspRequestTimeout = Duration.ofSeconds(5);
     private Duration allowedOcspResponseTimeSkew = Duration.ofMinutes(15);
     private Duration maxOcspResponseThisUpdateAge = Duration.ofMinutes(2);
+    private boolean rejectUnknownOcspResponseStatus;
     private DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration;
     private Collection<FallbackOcspServiceConfiguration> fallbackOcspServiceConfigurations = new HashSet<>();
     private CircuitBreakerConfig circuitBreakerConfig;
@@ -74,6 +75,7 @@ private AuthTokenValidationConfiguration(AuthTokenValidationConfiguration other)
         this.ocspRequestTimeout = other.ocspRequestTimeout;
         this.allowedOcspResponseTimeSkew = other.allowedOcspResponseTimeSkew;
         this.maxOcspResponseThisUpdateAge = other.maxOcspResponseThisUpdateAge;
+        this.rejectUnknownOcspResponseStatus = other.rejectUnknownOcspResponseStatus;
         this.designatedOcspServiceConfiguration = other.designatedOcspServiceConfiguration;
         this.fallbackOcspServiceConfigurations = Set.copyOf(other.fallbackOcspServiceConfigurations);
         this.circuitBreakerConfig = other.circuitBreakerConfig;
@@ -153,6 +155,14 @@ public void setCircuitBreakerConfig(CircuitBreakerConfig circuitBreakerConfig) {
         this.circuitBreakerConfig = circuitBreakerConfig;
     }
 
+    public boolean isRejectUnknownOcspResponseStatus() {
+        return rejectUnknownOcspResponseStatus;
+    }
+
+    public void setRejectUnknownOcspResponseStatus(boolean rejectUnknownOcspResponseStatus) {
+        this.rejectUnknownOcspResponseStatus = rejectUnknownOcspResponseStatus;
+    }
+
     /**
      * Checks that the configuration parameters are valid.
      *

src/main/java/eu/webeid/security/validator/AuthTokenValidatorBuilder.java

@@ -226,6 +226,18 @@ public AuthTokenValidatorBuilder withCircuitBreakerConfig(int slidingWindowSize,
         return this;
     }
 
+    /**
+     * // TODO: Describe the configuration option
+     *
+     * @param rejectUnknownOcspResponseStatus configures whether only GOOD or REVOKED are accepted as valid OCSP response statuses
+     * @return the builder instance for method chaining
+     */
+    public AuthTokenValidatorBuilder withRejectUnknownOcspResponseStatus(boolean rejectUnknownOcspResponseStatus) {
+        configuration.setRejectUnknownOcspResponseStatus(rejectUnknownOcspResponseStatus);
+        LOG.debug("Using the reject unknown OCSP response status validation configuration");
+        return this;
+    }
+
     /**
      * Uses the provided OCSP client instance during user certificate revocation check with OCSP.
      * The provided client instance must be thread-safe.

src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -95,8 +95,11 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
                     trustedCACertificateAnchors,
                     trustedCACertificateCertStore),
                 configuration.getFallbackOcspServiceConfigurations());
-            resilientOcspService = new ResilientOcspService(ocspClient, ocspServiceProvider, configuration.getCircuitBreakerConfig(), configuration.getAllowedOcspResponseTimeSkew(),
-                configuration.getMaxOcspResponseThisUpdateAge());
+            resilientOcspService = new ResilientOcspService(ocspClient, ocspServiceProvider,
+                configuration.getCircuitBreakerConfig(),
+                configuration.getAllowedOcspResponseTimeSkew(),
+                configuration.getMaxOcspResponseThisUpdateAge(),
+                configuration.isRejectUnknownOcspResponseStatus());
         }
 
         authTokenSignatureValidator = new AuthTokenSignatureValidator(configuration.getSiteOrigin());

src/main/java/eu/webeid/security/validator/ocsp/OcspResponseValidator.java

@@ -26,6 +26,7 @@
 import eu.webeid.security.exceptions.OCSPCertificateException;
 import eu.webeid.security.exceptions.UserCertificateOCSPCheckFailedException;
 import eu.webeid.security.exceptions.UserCertificateRevokedException;
+import eu.webeid.security.exceptions.UserCertificateUnknownException;
 import eu.webeid.security.util.DateAndTime;
 import eu.webeid.security.validator.ocsp.service.OcspService;
 import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
@@ -54,7 +55,7 @@
 
 public final class OcspResponseValidator {
 
-    public static void validateOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, Duration allowedOcspResponseTimeSkew, Duration maxOcspResponseThisUpdateAge, CertificateID requestCertificateId) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {
+    public static void validateOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, Duration allowedOcspResponseTimeSkew, Duration maxOcspResponseThisUpdateAge, boolean rejectUnknownOcspResponseStatus, CertificateID requestCertificateId) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {
         // The verification algorithm follows RFC 2560, https://www.ietf.org/rfc/rfc2560.txt.
         //
         // 3.2.  Signed Response Acceptance Requirements
@@ -107,7 +108,7 @@ public static void validateOcspResponse(BasicOCSPResp basicResponse, OcspService
         OcspResponseValidator.validateCertificateStatusUpdateTime(certStatusResponse, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge);
 
         // Now we can accept the signed response as valid and validate the certificate status.
-        OcspResponseValidator.validateSubjectCertificateStatus(certStatusResponse);
+        OcspResponseValidator.validateSubjectCertificateStatus(certStatusResponse, rejectUnknownOcspResponseStatus);
     }
 
     /**
@@ -180,7 +181,7 @@ public static void validateCertificateStatusUpdateTime(SingleResp certStatusResp
         }
     }
 
-    public static void validateSubjectCertificateStatus(SingleResp certStatusResponse) throws UserCertificateRevokedException {
+    public static void validateSubjectCertificateStatus(SingleResp certStatusResponse, boolean rejectUnknownOcspResponseStatus) throws AuthTokenException {
         final CertificateStatus status = certStatusResponse.getCertStatus();
         if (status == null) {
             return;
@@ -191,9 +192,11 @@ public static void validateSubjectCertificateStatus(SingleResp certStatusRespons
                 new UserCertificateRevokedException("Revocation reason: " + revokedStatus.getRevocationReason()) :
                 new UserCertificateRevokedException());
         } else if (status instanceof UnknownStatus) {
-            throw new UserCertificateRevokedException("Unknown status");
+            throw rejectUnknownOcspResponseStatus ? new UserCertificateUnknownException("User certificate has been revoked: Unknown status")
+                : new UserCertificateRevokedException("Unknown status");
         } else {
-            throw new UserCertificateRevokedException("Status is neither good, revoked nor unknown");
+            throw rejectUnknownOcspResponseStatus ? new UserCertificateUnknownException("Status is neither good, revoked nor unknown")
+                : new UserCertificateRevokedException("Status is neither good, revoked nor unknown");
         }
     }
 

src/main/java/eu/webeid/security/validator/ocsp/ResilientOcspService.java

@@ -25,6 +25,7 @@
 import eu.webeid.security.exceptions.AuthTokenException;
 import eu.webeid.security.exceptions.UserCertificateOCSPCheckFailedException;
 import eu.webeid.security.exceptions.UserCertificateRevokedException;
+import eu.webeid.security.exceptions.UserCertificateUnknownException;
 import eu.webeid.security.validator.ocsp.service.OcspService;
 import io.github.resilience4j.circuitbreaker.CallNotPermittedException;
 import io.github.resilience4j.circuitbreaker.CircuitBreaker;
@@ -61,13 +62,15 @@ public class ResilientOcspService {
     private final OcspServiceProvider ocspServiceProvider;
     private final Duration allowedOcspResponseTimeSkew;
     private final Duration maxOcspResponseThisUpdateAge;
+    private final boolean rejectUnknownOcspResponseStatus;
     private final CircuitBreakerRegistry circuitBreakerRegistry;
 
-    public ResilientOcspService(OcspClient ocspClient, OcspServiceProvider ocspServiceProvider, CircuitBreakerConfig circuitBreakerConfig, Duration allowedOcspResponseTimeSkew, Duration maxOcspResponseThisUpdateAge) {
+    public ResilientOcspService(OcspClient ocspClient, OcspServiceProvider ocspServiceProvider, CircuitBreakerConfig circuitBreakerConfig, Duration allowedOcspResponseTimeSkew, Duration maxOcspResponseThisUpdateAge, boolean rejectUnknownOcspResponseStatus) {
         this.ocspClient = ocspClient;
         this.ocspServiceProvider = ocspServiceProvider;
         this.allowedOcspResponseTimeSkew = allowedOcspResponseTimeSkew;
         this.maxOcspResponseThisUpdateAge = maxOcspResponseThisUpdateAge;
+        this.rejectUnknownOcspResponseStatus = rejectUnknownOcspResponseStatus;
         this.circuitBreakerRegistry = CircuitBreakerRegistry.custom()
             .withCircuitBreakerConfig(getCircuitBreakerConfig(circuitBreakerConfig))
             .build();
@@ -91,7 +94,7 @@ public OcspService validateSubjectCertificateNotRevoked(X509Certificate subjectC
             CheckedFunction0<OcspService> fallbackSupplier = () -> request(ocspService.getFallbackService(), subjectCertificate, issuerCertificate);
             CheckedFunction0<OcspService> decoratedSupplier = Decorators.ofCheckedSupplier(primarySupplier)
                 .withCircuitBreaker(circuitBreaker)
-                .withFallback(List.of(UserCertificateOCSPCheckFailedException.class, CallNotPermittedException.class), e -> fallbackSupplier.apply()) // TODO: Any other exceptions to trigger fallback? Resilience4j does not support Predicate<Exception> shouldFallback = e -> !(e instanceof UserCertificateRevokedException); in withFallback API.
+                .withFallback(List.of(UserCertificateOCSPCheckFailedException.class, CallNotPermittedException.class, UserCertificateUnknownException.class), e -> fallbackSupplier.apply()) // TODO: Any other exceptions to trigger fallback? Resilience4j does not support Predicate<Exception> shouldFallback = e -> !(e instanceof UserCertificateRevokedException); in withFallback API.
                 .decorate();
 
             return Try.of(decoratedSupplier).getOrElseThrow(throwable -> {
@@ -129,7 +132,7 @@ private OcspService request(OcspService ocspService, X509Certificate subjectCert
                 throw new UserCertificateOCSPCheckFailedException("Missing Basic OCSP Response");
             }
 
-            OcspResponseValidator.validateOcspResponse(basicResponse, ocspService, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge, certificateId);
+            OcspResponseValidator.validateOcspResponse(basicResponse, ocspService, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge, rejectUnknownOcspResponseStatus, certificateId);
             LOG.debug("OCSP check result is GOOD");
 
             if (ocspService.doesSupportNonce()) {
@@ -153,7 +156,7 @@ private static CircuitBreakerConfig getCircuitBreakerConfig(CircuitBreakerConfig
             .slidingWindowType(CircuitBreakerConfig.SlidingWindowType.COUNT_BASED)
             .slidingWindowSize(100)
             .minimumNumberOfCalls(10)
-            .ignoreExceptions(UserCertificateRevokedException.class) // TODO: Revoked status is a valid response, not a failure. Any other exceptions to ignore?
+            .ignoreExceptions(UserCertificateRevokedException.class) // TODO: Revoked status is a valid response, not a failure and should be ignored. Any other exceptions to ignore?
             .automaticTransitionFromOpenToHalfOpenEnabled(true);
 
         if (circuitBreakerConfig != null) { // TODO: What do we allow to configure?

src/test/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidatorTest.java

@@ -348,7 +348,11 @@ private SubjectCertificateNotRevokedValidator getSubjectCertificateNotRevokedVal
     }
 
     private SubjectCertificateNotRevokedValidator getSubjectCertificateNotRevokedValidator(OcspClient client, OcspServiceProvider ocspServiceProvider) {
-        ResilientOcspService resilientOcspService = new ResilientOcspService(client, ocspServiceProvider, null, CONFIGURATION.getAllowedOcspResponseTimeSkew(), CONFIGURATION.getMaxOcspResponseThisUpdateAge());
+        ResilientOcspService resilientOcspService = new ResilientOcspService(client, ocspServiceProvider,
+            null,
+            CONFIGURATION.getAllowedOcspResponseTimeSkew(),
+            CONFIGURATION.getMaxOcspResponseThisUpdateAge(),
+            CONFIGURATION.isRejectUnknownOcspResponseStatus());
         return new SubjectCertificateNotRevokedValidator(resilientOcspService, trustedValidator);
     }