2020 * SOFTWARE.
2121 */
2222
23- package eu .webeid .security . validator .certvalidators ;
23+ package eu .webeid .ocsp .certvalidators ;
2424
2525import eu .webeid .security .exceptions .AuthTokenException ;
2626import eu .webeid .security .exceptions .UserCertificateOCSPCheckFailedException ;
2727import eu .webeid .security .util .DateAndTime ;
28- import eu .webeid .security .validator .ocsp .DigestCalculatorImpl ;
29- import eu .webeid .security .validator .ocsp .OcspClient ;
30- import eu .webeid .security .validator .ocsp .OcspRequestBuilder ;
31- import eu .webeid .security .validator .ocsp .OcspResponseValidator ;
32- import eu .webeid .security .validator .ocsp .OcspServiceProvider ;
33- import eu .webeid .security .validator .ocsp .service .OcspService ;
28+ import eu .webeid .ocsp .DigestCalculatorImpl ;
29+ import eu .webeid .ocsp .OcspClient ;
30+ import eu .webeid .ocsp .OcspRequestBuilder ;
31+ import eu .webeid .ocsp .OcspResponseValidator ;
32+ import eu .webeid .ocsp .OcspServiceProvider ;
33+ import eu .webeid .ocsp .service .OcspService ;
34+ import eu .webeid .security .validator .certvalidators .SubjectCertificateTrustedValidator ;
35+ import eu .webeid .security .validator .revocationcheck .OcspCertificateRevocationChecker ;
36+ import eu .webeid .security .validator .revocationcheck .RevocationInfo ;
3437import org .bouncycastle .asn1 .ocsp .OCSPObjectIdentifiers ;
3538import org .bouncycastle .asn1 .ocsp .OCSPResponseStatus ;
3639import org .bouncycastle .asn1 .x509 .Extension ;
5760import java .util .Date ;
5861import java .util .Objects ;
5962
60- public final class SubjectCertificateNotRevokedValidator {
63+ import static java .util .Objects .requireNonNull ;
64+
65+ public final class SubjectCertificateNotRevokedValidator implements OcspCertificateRevocationChecker {
6166
6267 private static final Logger LOG = LoggerFactory .getLogger (SubjectCertificateNotRevokedValidator .class );
6368
64- private final SubjectCertificateTrustedValidator trustValidator ;
6569 private final OcspClient ocspClient ;
6670 private final OcspServiceProvider ocspServiceProvider ;
6771 private final Duration allowedOcspResponseTimeSkew ;
@@ -71,12 +75,10 @@ public final class SubjectCertificateNotRevokedValidator {
7175 Security .addProvider (new BouncyCastleProvider ());
7276 }
7377
74- public SubjectCertificateNotRevokedValidator (SubjectCertificateTrustedValidator trustValidator ,
75- OcspClient ocspClient ,
78+ public SubjectCertificateNotRevokedValidator (OcspClient ocspClient ,
7679 OcspServiceProvider ocspServiceProvider ,
7780 Duration allowedOcspResponseTimeSkew ,
7881 Duration maxOcspResponseThisUpdateAge ) {
79- this .trustValidator = trustValidator ;
8082 this .ocspClient = ocspClient ;
8183 this .ocspServiceProvider = ocspServiceProvider ;
8284 this .allowedOcspResponseTimeSkew = allowedOcspResponseTimeSkew ;
@@ -89,24 +91,23 @@ public SubjectCertificateNotRevokedValidator(SubjectCertificateTrustedValidator
8991 * @param subjectCertificate user certificate to be validated
9092 * @throws AuthTokenException when user certificate is revoked or revocation check fails.
9193 */
92- public void validateCertificateNotRevoked (X509Certificate subjectCertificate ) throws AuthTokenException {
94+ public RevocationInfo validateCertificateNotRevoked (X509Certificate subjectCertificate , X509Certificate issuerCertificate ) throws AuthTokenException {
9395 try {
9496 OcspService ocspService = ocspServiceProvider .getService (subjectCertificate );
9597
96- final CertificateID certificateId = getCertificateId (subjectCertificate ,
97- Objects .requireNonNull (trustValidator .getSubjectCertificateIssuerCertificate ()));
98+ final CertificateID certificateId = getCertificateId (subjectCertificate , requireNonNull (issuerCertificate ));
9899
99100 final OCSPReq request = new OcspRequestBuilder ()
100- .withCertificateId (certificateId )
101- .enableOcspNonce (ocspService .doesSupportNonce ())
102- .build ();
101+ .withCertificateId (certificateId )
102+ .enableOcspNonce (ocspService .doesSupportNonce ())
103+ .build ();
103104
104105 if (!ocspService .doesSupportNonce ()) {
105106 LOG .debug ("Disabling OCSP nonce extension" );
106107 }
107108
108109 LOG .debug ("Sending OCSP request" );
109- final OCSPResp response = Objects . requireNonNull (ocspClient .request (ocspService .getAccessLocation (), request ));
110+ final OCSPResp response = requireNonNull (ocspClient .request (ocspService .getAccessLocation (), request ));
110111 if (response .getStatus () != OCSPResponseStatus .SUCCESSFUL ) {
111112 throw new UserCertificateOCSPCheckFailedException ("Response status: " + ocspStatusToString (response .getStatus ()));
112113 }
@@ -122,6 +123,8 @@ public void validateCertificateNotRevoked(X509Certificate subjectCertificate) th
122123 } catch (OCSPException | CertificateException | OperatorCreationException | IOException e ) {
123124 throw new UserCertificateOCSPCheckFailedException (e );
124125 }
126+ // FIXME:
127+ return null ;
125128 }
126129
127130 private void verifyOcspResponse (BasicOCSPResp basicResponse , OcspService ocspService , CertificateID requestCertificateId ) throws AuthTokenException , OCSPException , CertificateException , OperatorCreationException {
@@ -137,7 +140,7 @@ private void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspSer
137140 // As we sent the request for only a single certificate, we expect only a single response.
138141 if (basicResponse .getResponses ().length != 1 ) {
139142 throw new UserCertificateOCSPCheckFailedException ("OCSP response must contain one response, "
140- + "received " + basicResponse .getResponses ().length + " responses instead" );
143+ + "received " + basicResponse .getResponses ().length + " responses instead" );
141144 }
142145 final SingleResp certStatusResponse = basicResponse .getResponses ()[0 ];
143146 if (!requestCertificateId .equals (certStatusResponse .getCertID ())) {
@@ -151,7 +154,7 @@ private void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspSer
151154 // is standard practice.
152155 if (basicResponse .getCerts ().length < 1 ) {
153156 throw new UserCertificateOCSPCheckFailedException ("OCSP response must contain the responder certificate, "
154- + "but none was provided" );
157+ + "but none was provided" );
155158 }
156159 // The first certificate is the responder certificate, other certificates, if given, are the certificate's chain.
157160 final X509CertificateHolder responderCert = basicResponse .getCerts ()[0 ];
@@ -186,19 +189,19 @@ private static void checkNonce(OCSPReq request, BasicOCSPResp response) throws U
186189 final Extension responseNonce = response .getExtension (OCSPObjectIdentifiers .id_pkix_ocsp_nonce );
187190 if (requestNonce == null || responseNonce == null ) {
188191 throw new UserCertificateOCSPCheckFailedException ("OCSP request or response nonce extension missing, " +
189- "possible replay attack" );
192+ "possible replay attack" );
190193 }
191194 if (!requestNonce .equals (responseNonce )) {
192195 throw new UserCertificateOCSPCheckFailedException ("OCSP request and response nonces differ, " +
193- "possible replay attack" );
196+ "possible replay attack" );
194197 }
195198 }
196199
197200 private static CertificateID getCertificateId (X509Certificate subjectCertificate , X509Certificate issuerCertificate ) throws CertificateEncodingException , IOException , OCSPException {
198201 final BigInteger serial = subjectCertificate .getSerialNumber ();
199202 final DigestCalculator digestCalculator = DigestCalculatorImpl .sha1 ();
200203 return new CertificateID (digestCalculator ,
201- new X509CertificateHolder (issuerCertificate .getEncoded ()), serial );
204+ new X509CertificateHolder (issuerCertificate .getEncoded ()), serial );
202205 }
203206
204207 private static String ocspStatusToString (int status ) {
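Review bot: `validateCertificateNotRevoked` now declares a `RevocationInfo` return type but ends with `// FIXME:` / `return null;` after the response has been verified, so every caller of the new `OcspCertificateRevocationChecker` contract receives null for a good certificate and cannot tell a passed check from an absent one; the method's start and the lines between the status check and the catch (old lines 113–121) lie outside the visible hunks, so I cannot see what is in scope at the return site, but the verified `SingleResp` handled inside `verifyOcspResponse` looks like the natural source for that value, and the null return should not be merged as is. The Javadoc above the changed signature still documents only `subjectCertificate`; add `* @param issuerCertificate issuer certificate used to build the OCSP CertificateID (assumed already validated by the caller)` and `* @return revocation information derived from the verified OCSP response`. Because the issuer is now supplied by the caller instead of being taken from the trust validator, `requireNonNull(issuerCertificate)` is the only check on it, and a null argument escapes the `try` as a `NullPointerException` rather than the documented `AuthTokenException` (the catch covers only OCSP, Certificate, OperatorCreation and IO exceptions) — either validate the argument before the `try` and throw `UserCertificateOCSPCheckFailedException`, or document the `NullPointerException` in `@throws`. The `SubjectCertificateTrustedValidator` import added alongside the package move appears unused in the visible lines now that the field is gone.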