fix: use system time in OcspResponseValidator.validateCertificateStatusUpdateTime()

WE2-868

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidator.java

@@ -166,7 +166,7 @@ private void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspSer
         //      be available about the status of the certificate (nextUpdate) is
         //      greater than the current time.
 
-        OcspResponseValidator.validateCertificateStatusUpdateTime(certStatusResponse, producedAt);
+        OcspResponseValidator.validateCertificateStatusUpdateTime(certStatusResponse);
 
         // Now we can accept the signed response as valid and validate the certificate status.
         OcspResponseValidator.validateSubjectCertificateStatus(certStatusResponse);

src/main/java/eu/webeid/security/validator/ocsp/OcspResponseValidator.java

@@ -25,6 +25,7 @@
 import eu.webeid.security.exceptions.OCSPCertificateException;
 import eu.webeid.security.exceptions.UserCertificateOCSPCheckFailedException;
 import eu.webeid.security.exceptions.UserCertificateRevokedException;
+import eu.webeid.security.util.DateAndTime;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.ocsp.BasicOCSPResp;
 import org.bouncycastle.cert.ocsp.CertificateStatus;
@@ -54,7 +55,7 @@ public final class OcspResponseValidator {
      */
     private static final String OID_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9";
 
-    private static final long ALLOWED_TIME_SKEW = TimeUnit.MINUTES.toMillis(15);
+    static final long ALLOWED_TIME_SKEW_MILLIS = TimeUnit.MINUTES.toMillis(15);
 
     public static void validateHasSigningExtension(X509Certificate certificate) throws OCSPCertificateException {
         Objects.requireNonNull(certificate, "certificate");
@@ -77,7 +78,7 @@ public static void validateResponseSignature(BasicOCSPResp basicResponse, X509Ce
         }
     }
 
-    public static void validateCertificateStatusUpdateTime(SingleResp certStatusResponse, Date producedAt) throws UserCertificateOCSPCheckFailedException {
+    public static void validateCertificateStatusUpdateTime(SingleResp certStatusResponse) throws UserCertificateOCSPCheckFailedException {
         // From RFC 2560, https://www.ietf.org/rfc/rfc2560.txt:
         // 4.2.2.  Notes on OCSP Responses
         // 4.2.2.1.  Time
@@ -87,8 +88,9 @@ public static void validateCertificateStatusUpdateTime(SingleResp certStatusResp
         //   SHOULD be considered unreliable.
         //   If nextUpdate is not set, the responder is indicating that newer
         //   revocation information is available all the time.
-        final Date notAllowedBefore = new Date(producedAt.getTime() - ALLOWED_TIME_SKEW);
-        final Date notAllowedAfter = new Date(producedAt.getTime() + ALLOWED_TIME_SKEW);
+        final Date now = DateAndTime.DefaultClock.getInstance().now();
+        final Date notAllowedBefore = new Date(now.getTime() - ALLOWED_TIME_SKEW_MILLIS);
+        final Date notAllowedAfter = new Date(now.getTime() + ALLOWED_TIME_SKEW_MILLIS);
         final Date thisUpdate = certStatusResponse.getThisUpdate();
         final Date nextUpdate = certStatusResponse.getNextUpdate() != null ? certStatusResponse.getNextUpdate() : thisUpdate;
         if (notAllowedAfter.before(thisUpdate) ||
@@ -118,7 +120,7 @@ public static void validateSubjectCertificateStatus(SingleResp certStatusRespons
         }
     }
 
-    private static String toUtcString(Date date) {
+    static String toUtcString(Date date) {
         if (date == null) {
             return String.valueOf((Object) null);
         }

…a/eu/webeid/security/testutil/Dates.java …webeid/security/testutil/DateMocker.javasrc/test/java/eu/webeid/security/testutil/Dates.java renamed to src/test/java/eu/webeid/security/testutil/DateMocker.java src/test/java/eu/webeid/security/testutil/Dates.java renamed to src/test/java/eu/webeid/security/testutil/DateMocker.java

@@ -23,19 +23,23 @@
 package eu.webeid.security.testutil;
 
 import com.fasterxml.jackson.databind.util.StdDateFormat;
+import eu.webeid.security.util.DateAndTime;
+import io.jsonwebtoken.Clock;
+import org.mockito.MockedStatic;
 
 import java.text.ParseException;
 import java.util.Date;
 
-public final class Dates {
+public class DateMocker {
+
     private static final StdDateFormat STD_DATE_FORMAT = new StdDateFormat();
 
-    public static Date create(String iso8601Date) {
+    public static void mockDate(String iso8601Date, MockedStatic<DateAndTime.DefaultClock> mockedClock) {
         try {
-            return STD_DATE_FORMAT.parse(iso8601Date);
+            final Date theDate = STD_DATE_FORMAT.parse(iso8601Date);
+            mockedClock.when(DateAndTime.DefaultClock::getInstance).thenReturn((Clock) () -> theDate);
         } catch (ParseException e) {
             throw new RuntimeException(e);
         }
     }
-
 }

src/test/java/eu/webeid/security/validator/AuthTokenCertificateTest.java

@@ -36,18 +36,16 @@
 import eu.webeid.security.exceptions.UserCertificateWrongPurposeException;
 import eu.webeid.security.testutil.AbstractTestWithValidator;
 import eu.webeid.security.testutil.AuthTokenValidators;
-import eu.webeid.security.testutil.Dates;
 import eu.webeid.security.util.DateAndTime;
-import io.jsonwebtoken.Clock;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.mockito.MockedStatic;
 
 import java.security.cert.CertificateException;
-import java.util.Date;
 
+import static eu.webeid.security.testutil.DateMocker.mockDate;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.Mockito.mockStatic;
 
@@ -71,13 +69,14 @@ class AuthTokenCertificateTest extends AbstractTestWithValidator {
 
     private MockedStatic<DateAndTime.DefaultClock> mockedClock;
 
+
     @Override
     @BeforeEach
     protected void setup() {
         super.setup();
         mockedClock = mockStatic(DateAndTime.DefaultClock.class);
         // Ensure that the certificates do not expire.
-        mockDate("2021-08-01");
+        mockDate("2021-08-01", mockedClock);
     }
 
     @AfterEach
@@ -180,7 +179,7 @@ void whenCertificatePolicyIsDisallowed_thenValidationFails() throws Exception {
 
     @Test
     void whenUsingOldMobileIdCertificate_thenValidationFails() throws AuthTokenException {
-        mockDate("2021-03-01");
+        mockDate("2021-03-01", mockedClock);
         final WebEidAuthToken token = replaceTokenField(AUTH_TOKEN, "X5C", OLD_MOBILE_ID_CERT);
         assertThatThrownBy(() -> validator
             .validate(token, VALID_CHALLENGE_NONCE))
@@ -222,7 +221,7 @@ void whenCertificateIsExpiredEcdsa_thenValidationFails() throws AuthTokenExcepti
 
     @Test
     void whenUserCertificateIsNotYetValid_thenValidationFails() {
-        mockDate("2018-10-17");
+        mockDate("2018-10-17", mockedClock);
         assertThatThrownBy(() -> validator
             .validate(validAuthToken, VALID_CHALLENGE_NONCE))
             .isInstanceOf(CertificateNotYetValidException.class)
@@ -231,7 +230,7 @@ void whenUserCertificateIsNotYetValid_thenValidationFails() {
 
     @Test
     void whenTrustedCACertificateIsNotYetValid_thenValidationFails() {
-        mockDate("2018-08-17");
+        mockDate("2018-08-17", mockedClock);
         assertThatThrownBy(() -> validator
             .validate(validAuthToken, VALID_CHALLENGE_NONCE))
             .isInstanceOf(CertificateNotYetValidException.class)
@@ -240,7 +239,7 @@ void whenTrustedCACertificateIsNotYetValid_thenValidationFails() {
 
     @Test
     void whenUserCertificateIsNoLongerValid_thenValidationFails() {
-        mockDate("2026-10-19");
+        mockDate("2026-10-19", mockedClock);
         assertThatThrownBy(() -> validator
             .validate(validAuthToken, VALID_CHALLENGE_NONCE))
             .isInstanceOf(CertificateExpiredException.class)
@@ -249,7 +248,7 @@ void whenUserCertificateIsNoLongerValid_thenValidationFails() {
 
     @Test
     void whenTrustedCACertificateIsNoLongerValid_thenValidationFails() {
-        mockDate("2033-10-19");
+        mockDate("2033-10-19", mockedClock);
         assertThatThrownBy(() -> validator
             .validate(validAuthToken, VALID_CHALLENGE_NONCE))
             .isInstanceOf(CertificateExpiredException.class)
@@ -259,7 +258,7 @@ void whenTrustedCACertificateIsNoLongerValid_thenValidationFails() {
     @Test
     @Disabled("A new designated test OCSP responder certificate was issued whose validity period no longer overlaps with the revoked certificate")
     void whenCertificateIsRevoked_thenOcspCheckFails() throws Exception {
-        mockDate("2020-01-01");
+        mockDate("2020-01-01", mockedClock);
         final AuthTokenValidator validatorWithOcspCheck = AuthTokenValidators.getAuthTokenValidatorWithOcspCheck();
         final WebEidAuthToken token = replaceTokenField(AUTH_TOKEN, "X5C", REVOKED_CERT);
         assertThatThrownBy(() -> validatorWithOcspCheck
@@ -270,7 +269,7 @@ void whenCertificateIsRevoked_thenOcspCheckFails() throws Exception {
     @Test
     @Disabled("A new designated test OCSP responder certificate was issued whose validity period no longer overlaps with the revoked certificate")
     void whenCertificateIsRevoked_thenOcspCheckWithDesignatedOcspServiceFails() throws Exception {
-        mockDate("2020-01-01");
+        mockDate("2020-01-01", mockedClock);
         final AuthTokenValidator validatorWithOcspCheck = AuthTokenValidators.getAuthTokenValidatorWithDesignatedOcspCheck();
         final WebEidAuthToken token = replaceTokenField(AUTH_TOKEN, "X5C", REVOKED_CERT);
         assertThatThrownBy(() -> validatorWithOcspCheck
@@ -286,9 +285,4 @@ void whenCertificateCaIsNotPartOfTrustChain_thenValidationFails() throws Excepti
             .isInstanceOf(CertificateNotTrustedException.class);
     }
 
-    private void mockDate(String date) {
-        final Date theDate = Dates.create(date);
-        mockedClock.when(DateAndTime.DefaultClock::getInstance).thenReturn((Clock) () -> theDate);
-    }
-
 }

src/test/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidatorTest.java

@@ -26,6 +26,7 @@
 import eu.webeid.security.exceptions.JceException;
 import eu.webeid.security.exceptions.UserCertificateOCSPCheckFailedException;
 import eu.webeid.security.exceptions.UserCertificateRevokedException;
+import eu.webeid.security.util.DateAndTime;
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspClientImpl;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
@@ -53,11 +54,13 @@
 
 import static eu.webeid.security.testutil.Certificates.getJaakKristjanEsteid2018Cert;
 import static eu.webeid.security.testutil.Certificates.getTestEsteid2018CA;
+import static eu.webeid.security.testutil.DateMocker.mockDate;
 import static eu.webeid.security.testutil.OcspServiceMaker.getAiaOcspServiceProvider;
 import static eu.webeid.security.testutil.OcspServiceMaker.getDesignatedOcspServiceProvider;
 import static org.assertj.core.api.Assertions.assertThatCode;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.mockStatic;
 import static org.mockito.Mockito.when;
 
 class SubjectCertificateNotRevokedValidatorTest {
@@ -223,21 +226,27 @@ void whenOcspResponseRevoked_thenThrows() throws Exception {
         final SubjectCertificateNotRevokedValidator validator = getSubjectCertificateNotRevokedValidatorWithAiaOcsp(
             getMockedResponse(getOcspResponseBytesFromResources("ocsp_response_revoked.der"))
         );
-        assertThatExceptionOfType(UserCertificateRevokedException.class)
-            .isThrownBy(() ->
-                validator.validateCertificateNotRevoked(estEid2018Cert))
-            .withMessage("User certificate has been revoked: Revocation reason: 0");
+        try (var mockedClock = mockStatic(DateAndTime.DefaultClock.class)) {
+            mockDate("2021-09-18", mockedClock);
+            assertThatExceptionOfType(UserCertificateRevokedException.class)
+                .isThrownBy(() ->
+                    validator.validateCertificateNotRevoked(estEid2018Cert))
+                .withMessage("User certificate has been revoked: Revocation reason: 0");
+        }
     }
 
     @Test
     void whenOcspResponseUnknown_thenThrows() throws Exception {
         final OcspServiceProvider ocspServiceProvider = getDesignatedOcspServiceProvider("https://web-eid-test.free.beeceptor.com");
         final HttpResponse<byte[]> response = getMockedResponse(getOcspResponseBytesFromResources("ocsp_response_unknown.der"));
         final SubjectCertificateNotRevokedValidator validator = getSubjectCertificateNotRevokedValidator(getMockClient(response), ocspServiceProvider);
-        assertThatExceptionOfType(UserCertificateRevokedException.class)
-            .isThrownBy(() ->
-                validator.validateCertificateNotRevoked(estEid2018Cert))
-            .withMessage("User certificate has been revoked: Unknown status");
+        try (var mockedClock = mockStatic(DateAndTime.DefaultClock.class)) {
+            mockDate("2021-09-18T00:16:25", mockedClock);
+            assertThatExceptionOfType(UserCertificateRevokedException.class)
+                .isThrownBy(() ->
+                    validator.validateCertificateNotRevoked(estEid2018Cert))
+                .withMessage("User certificate has been revoked: Unknown status");
+        }
     }
 
     @Test
@@ -256,10 +265,13 @@ void whenNonceDiffers_thenThrows() throws Exception {
         final SubjectCertificateNotRevokedValidator validator = getSubjectCertificateNotRevokedValidatorWithAiaOcsp(
             getMockedResponse(getOcspResponseBytesFromResources())
         );
-        assertThatExceptionOfType(UserCertificateOCSPCheckFailedException.class)
-            .isThrownBy(() ->
-                validator.validateCertificateNotRevoked(estEid2018Cert))
-            .withMessage("User certificate revocation check has failed: OCSP request and response nonces differ, possible replay attack");
+        try (var mockedClock = mockStatic(DateAndTime.DefaultClock.class)) {
+            mockDate("2021-09-17T18:25:24", mockedClock);
+            assertThatExceptionOfType(UserCertificateOCSPCheckFailedException.class)
+                .isThrownBy(() ->
+                    validator.validateCertificateNotRevoked(estEid2018Cert))
+                .withMessage("User certificate revocation check has failed: OCSP request and response nonces differ, possible replay attack");
+        }
     }
 
     private static byte[] buildOcspResponseBodyWithInternalErrorStatus() throws IOException {