2020 * SOFTWARE.
2121 */
2222
23- package eu .webeid .security . validator . certvalidators ;
23+ package eu .webeid .ocsp ;
2424
25+ import eu .webeid .ocsp .client .OcspClient ;
26+ import eu .webeid .ocsp .protocol .DigestCalculatorImpl ;
27+ import eu .webeid .ocsp .protocol .OcspRequestBuilder ;
28+ import eu .webeid .ocsp .protocol .OcspResponseValidator ;
2529import eu .webeid .security .exceptions .AuthTokenException ;
2630import eu .webeid .security .exceptions .UserCertificateOCSPCheckFailedException ;
2731import eu .webeid .security .util .DateAndTime ;
28- import eu .webeid .security .validator .ocsp .DigestCalculatorImpl ;
29- import eu .webeid .security .validator .ocsp .OcspClient ;
30- import eu .webeid .security .validator .ocsp .OcspRequestBuilder ;
31- import eu .webeid .security .validator .ocsp .OcspResponseValidator ;
32- import eu .webeid .security .validator .ocsp .OcspServiceProvider ;
33- import eu .webeid .security .validator .ocsp .service .OcspService ;
32+ import eu .webeid .ocsp .service .OcspServiceProvider ;
33+ import eu .webeid .ocsp .service .OcspService ;
34+ import eu .webeid .security .validator .revocationcheck .OcspCertificateRevocationChecker ;
35+ import eu .webeid .security .validator .revocationcheck .RevocationInfo ;
3436import org .bouncycastle .asn1 .ocsp .OCSPObjectIdentifiers ;
3537import org .bouncycastle .asn1 .ocsp .OCSPResponseStatus ;
3638import org .bouncycastle .asn1 .x509 .Extension ;
5557import java .security .cert .X509Certificate ;
5658import java .time .Duration ;
5759import java .util .Date ;
58- import java .util .Objects ;
60+ import java .util .Map ;
5961
60- public final class SubjectCertificateNotRevokedValidator {
62+ import static eu .webeid .security .util .DateAndTime .requirePositiveDuration ;
63+ import static java .util .Objects .requireNonNull ;
6164
62- private static final Logger LOG = LoggerFactory .getLogger (SubjectCertificateNotRevokedValidator .class );
65+ public final class DefaultOcspCertificateRevocationChecker implements OcspCertificateRevocationChecker {
66+
67+ public static final Duration DEFAULT_TIME_SKEW = Duration .ofMinutes (15 );
68+ public static final Duration DEFAULT_THIS_UPDATE_AGE = Duration .ofMinutes (2 );
69+
70+ private static final Logger LOG = LoggerFactory .getLogger (DefaultOcspCertificateRevocationChecker .class );
6371
64- private final SubjectCertificateTrustedValidator trustValidator ;
6572 private final OcspClient ocspClient ;
6673 private final OcspServiceProvider ocspServiceProvider ;
6774 private final Duration allowedOcspResponseTimeSkew ;
@@ -71,30 +78,31 @@ public final class SubjectCertificateNotRevokedValidator {
7178 Security .addProvider (new BouncyCastleProvider ());
7279 }
7380
74- public SubjectCertificateNotRevokedValidator (SubjectCertificateTrustedValidator trustValidator ,
75- OcspClient ocspClient ,
76- OcspServiceProvider ocspServiceProvider ,
77- Duration allowedOcspResponseTimeSkew ,
78- Duration maxOcspResponseThisUpdateAge ) {
79- this .trustValidator = trustValidator ;
80- this .ocspClient = ocspClient ;
81- this .ocspServiceProvider = ocspServiceProvider ;
82- this .allowedOcspResponseTimeSkew = allowedOcspResponseTimeSkew ;
83- this .maxOcspResponseThisUpdateAge = maxOcspResponseThisUpdateAge ;
81+ public DefaultOcspCertificateRevocationChecker (OcspClient ocspClient ,
82+ OcspServiceProvider ocspServiceProvider ,
83+ Duration allowedOcspResponseTimeSkew ,
84+ Duration maxOcspResponseThisUpdateAge ) {
85+ this .ocspClient = requireNonNull (ocspClient , "ocspClient" );
86+ this .ocspServiceProvider = requireNonNull (ocspServiceProvider , "ocspServiceProvider" );
87+ this .allowedOcspResponseTimeSkew = requirePositiveDuration (allowedOcspResponseTimeSkew , "allowedOcspResponseTimeSkew" );
88+ this .maxOcspResponseThisUpdateAge = requirePositiveDuration (maxOcspResponseThisUpdateAge , "maxOcspResponseThisUpdateAge" );
8489 }
8590
8691 /**
87- * Validates that the user certificate from the authentication token is not revoked with OCSP .
92+ * Validates with OCSP that the user certificate from the authentication token is not revoked.
8893 *
8994 * @param subjectCertificate user certificate to be validated
9095 * @throws AuthTokenException when user certificate is revoked or revocation check fails.
9196 */
92- public void validateCertificateNotRevoked (X509Certificate subjectCertificate ) throws AuthTokenException {
97+ @ Override
98+ public RevocationInfo validateCertificateNotRevoked (X509Certificate subjectCertificate , X509Certificate issuerCertificate ) throws AuthTokenException {
99+ requireNonNull (subjectCertificate , "subjectCertificate" );
100+ requireNonNull (issuerCertificate , "issuerCertificate" );
101+
93102 try {
94103 OcspService ocspService = ocspServiceProvider .getService (subjectCertificate );
95104
96- final CertificateID certificateId = getCertificateId (subjectCertificate ,
97- Objects .requireNonNull (trustValidator .getSubjectCertificateIssuerCertificate ()));
105+ final CertificateID certificateId = getCertificateId (subjectCertificate , issuerCertificate );
98106
99107 final OCSPReq request = new OcspRequestBuilder ()
100108 .withCertificateId (certificateId )
@@ -106,7 +114,7 @@ public void validateCertificateNotRevoked(X509Certificate subjectCertificate) th
106114 }
107115
108116 LOG .debug ("Sending OCSP request" );
109- final OCSPResp response = Objects . requireNonNull (ocspClient .request (ocspService .getAccessLocation (), request ));
117+ final OCSPResp response = requireNonNull (ocspClient .request (ocspService .getAccessLocation (), request ), "OCSPResp" );
110118 if (response .getStatus () != OCSPResponseStatus .SUCCESSFUL ) {
111119 throw new UserCertificateOCSPCheckFailedException ("Response status: " + ocspStatusToString (response .getStatus ()));
112120 }
@@ -119,6 +127,10 @@ public void validateCertificateNotRevoked(X509Certificate subjectCertificate) th
119127 if (ocspService .doesSupportNonce ()) {
120128 checkNonce (request , basicResponse );
121129 }
130+
131+ // TODO: @madislm, just an example, please amend according to your requirements.
132+ return new RevocationInfo (ocspService .getAccessLocation (), Map .of ("BasicOCSPResp" , basicResponse ));
133+
122134 } catch (OCSPException | CertificateException | OperatorCreationException | IOException e ) {
123135 throw new UserCertificateOCSPCheckFailedException (e );
124136 }
@@ -202,20 +214,14 @@ private static CertificateID getCertificateId(X509Certificate subjectCertificate
202214 }
203215
204216 private static String ocspStatusToString (int status ) {
205- switch (status ) {
206- case OCSPResp .MALFORMED_REQUEST :
207- return "malformed request" ;
208- case OCSPResp .INTERNAL_ERROR :
209- return "internal error" ;
210- case OCSPResp .TRY_LATER :
211- return "service unavailable" ;
212- case OCSPResp .SIG_REQUIRED :
213- return "request signature missing" ;
214- case OCSPResp .UNAUTHORIZED :
215- return "unauthorized" ;
216- default :
217- return "unknown" ;
218- }
217+ return switch (status ) {
218+ case OCSPResp .MALFORMED_REQUEST -> "malformed request" ;
219+ case OCSPResp .INTERNAL_ERROR -> "internal error" ;
220+ case OCSPResp .TRY_LATER -> "service unavailable" ;
221+ case OCSPResp .SIG_REQUIRED -> "request signature missing" ;
222+ case OCSPResp .UNAUTHORIZED -> "unauthorized" ;
223+ default -> "unknown" ;
224+ };
219225 }
220226
221227}
0 commit comments