2020 * SOFTWARE.
2121 */
2222
23- package eu .webeid .security . validator . certvalidators ;
23+ package eu .webeid .ocsp ;
2424
25+ import eu .webeid .ocsp .client .OcspClient ;
26+ import eu .webeid .ocsp .protocol .DigestCalculatorImpl ;
27+ import eu .webeid .ocsp .protocol .OcspRequestBuilder ;
28+ import eu .webeid .ocsp .protocol .OcspResponseValidator ;
2529import eu .webeid .security .exceptions .AuthTokenException ;
2630import eu .webeid .security .exceptions .UserCertificateOCSPCheckFailedException ;
2731import eu .webeid .security .util .DateAndTime ;
28- import eu .webeid .security .validator .ocsp .DigestCalculatorImpl ;
29- import eu .webeid .security .validator .ocsp .OcspClient ;
30- import eu .webeid .security .validator .ocsp .OcspRequestBuilder ;
31- import eu .webeid .security .validator .ocsp .OcspResponseValidator ;
32- import eu .webeid .security .validator .ocsp .OcspServiceProvider ;
33- import eu .webeid .security .validator .ocsp .service .OcspService ;
32+ import eu .webeid .ocsp .service .OcspServiceProvider ;
33+ import eu .webeid .ocsp .service .OcspService ;
34+ import eu .webeid .security .validator .revocationcheck .OcspCertificateRevocationChecker ;
35+ import eu .webeid .security .validator .revocationcheck .RevocationInfo ;
3436import org .bouncycastle .asn1 .ocsp .OCSPObjectIdentifiers ;
3537import org .bouncycastle .asn1 .ocsp .OCSPResponseStatus ;
3638import org .bouncycastle .asn1 .x509 .Extension ;
5557import java .security .cert .X509Certificate ;
5658import java .time .Duration ;
5759import java .util .Date ;
58- import java .util .Objects ;
60+ import java .util .Map ;
5961
60- public final class SubjectCertificateNotRevokedValidator {
62+ import static eu .webeid .security .util .DateAndTime .requirePositiveDuration ;
63+ import static java .util .Objects .requireNonNull ;
6164
62- private static final Logger LOG = LoggerFactory .getLogger (SubjectCertificateNotRevokedValidator .class );
65+ public final class DefaultOcspCertificateRevocationChecker implements OcspCertificateRevocationChecker {
66+
67+ private static final Logger LOG = LoggerFactory .getLogger (DefaultOcspCertificateRevocationChecker .class );
6368
64- private final SubjectCertificateTrustedValidator trustValidator ;
6569 private final OcspClient ocspClient ;
6670 private final OcspServiceProvider ocspServiceProvider ;
6771 private final Duration allowedOcspResponseTimeSkew ;
@@ -71,30 +75,30 @@ public final class SubjectCertificateNotRevokedValidator {
7175 Security .addProvider (new BouncyCastleProvider ());
7276 }
7377
74- public SubjectCertificateNotRevokedValidator (SubjectCertificateTrustedValidator trustValidator ,
75- OcspClient ocspClient ,
76- OcspServiceProvider ocspServiceProvider ,
77- Duration allowedOcspResponseTimeSkew ,
78- Duration maxOcspResponseThisUpdateAge ) {
79- this .trustValidator = trustValidator ;
80- this .ocspClient = ocspClient ;
81- this .ocspServiceProvider = ocspServiceProvider ;
82- this .allowedOcspResponseTimeSkew = allowedOcspResponseTimeSkew ;
83- this .maxOcspResponseThisUpdateAge = maxOcspResponseThisUpdateAge ;
78+ public DefaultOcspCertificateRevocationChecker (OcspClient ocspClient ,
79+ OcspServiceProvider ocspServiceProvider ,
80+ Duration allowedOcspResponseTimeSkew ,
81+ Duration maxOcspResponseThisUpdateAge ) {
82+ this .ocspClient = requireNonNull (ocspClient , "ocspClient" );
83+ this .ocspServiceProvider = requireNonNull (ocspServiceProvider , "ocspServiceProvider" );
84+ this .allowedOcspResponseTimeSkew = requirePositiveDuration (allowedOcspResponseTimeSkew , "allowedOcspResponseTimeSkew" );
85+ this .maxOcspResponseThisUpdateAge = requirePositiveDuration (maxOcspResponseThisUpdateAge , "maxOcspResponseThisUpdateAge" );
8486 }
8587
8688 /**
87- * Validates that the user certificate from the authentication token is not revoked with OCSP .
89+ * Validates with OCSP that the user certificate from the authentication token is not revoked.
8890 *
8991 * @param subjectCertificate user certificate to be validated
9092 * @throws AuthTokenException when user certificate is revoked or revocation check fails.
9193 */
92- public void validateCertificateNotRevoked (X509Certificate subjectCertificate ) throws AuthTokenException {
94+ public RevocationInfo validateCertificateNotRevoked (X509Certificate subjectCertificate , X509Certificate issuerCertificate ) throws AuthTokenException {
95+ requireNonNull (subjectCertificate , "subjectCertificate" );
96+ requireNonNull (issuerCertificate , "issuerCertificate" );
97+
9398 try {
9499 OcspService ocspService = ocspServiceProvider .getService (subjectCertificate );
95100
96- final CertificateID certificateId = getCertificateId (subjectCertificate ,
97- Objects .requireNonNull (trustValidator .getSubjectCertificateIssuerCertificate ()));
101+ final CertificateID certificateId = getCertificateId (subjectCertificate , issuerCertificate );
98102
99103 final OCSPReq request = new OcspRequestBuilder ()
100104 .withCertificateId (certificateId )
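Review bot: The Javadoc directly above `validateCertificateNotRevoked` was edited but still documents only `subjectCertificate`, although the new signature takes `issuerCertificate` and returns `RevocationInfo`. Since the issuer is no longer obtained from the removed `trustValidator` but is caller-supplied and feeds `getCertificateId(subjectCertificate, issuerCertificate)`, the precondition that the caller passes the issuer already established as trusted for `subjectCertificate` is now an undocumented part of the contract. Add `@param issuerCertificate issuer of {@code subjectCertificate}, already validated as trusted; used to build the OCSP CertificateID` and `@return revocation information derived from the successful OCSP response`. The `Map.of("BasicOCSPResp", basicResponse)` placeholder with its TODO in the later hunk ships in the same validation path and presumably should be finalized before merge; the method body continues outside this hunk.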
@@ -106,7 +110,7 @@ public void validateCertificateNotRevoked(X509Certificate subjectCertificate) th
106110 }
107111
108112 LOG .debug ("Sending OCSP request" );
109- final OCSPResp response = Objects . requireNonNull (ocspClient .request (ocspService .getAccessLocation (), request ));
113+ final OCSPResp response = requireNonNull (ocspClient .request (ocspService .getAccessLocation (), request ), "OCSPResp" );
110114 if (response .getStatus () != OCSPResponseStatus .SUCCESSFUL ) {
111115 throw new UserCertificateOCSPCheckFailedException ("Response status: " + ocspStatusToString (response .getStatus ()));
112116 }
@@ -119,6 +123,10 @@ public void validateCertificateNotRevoked(X509Certificate subjectCertificate) th
119123 if (ocspService .doesSupportNonce ()) {
120124 checkNonce (request , basicResponse );
121125 }
126+
127+ // TODO: @madislm, just an example, please amend according to your requirements.
128+ return new RevocationInfo (ocspService .getAccessLocation (), Map .of ("BasicOCSPResp" , basicResponse ));
129+
122130 } catch (OCSPException | CertificateException | OperatorCreationException | IOException e ) {
123131 throw new UserCertificateOCSPCheckFailedException (e );
124132 }
@@ -202,20 +210,14 @@ private static CertificateID getCertificateId(X509Certificate subjectCertificate
202210 }
203211
204212 private static String ocspStatusToString (int status ) {
205- switch (status ) {
206- case OCSPResp .MALFORMED_REQUEST :
207- return "malformed request" ;
208- case OCSPResp .INTERNAL_ERROR :
209- return "internal error" ;
210- case OCSPResp .TRY_LATER :
211- return "service unavailable" ;
212- case OCSPResp .SIG_REQUIRED :
213- return "request signature missing" ;
214- case OCSPResp .UNAUTHORIZED :
215- return "unauthorized" ;
216- default :
217- return "unknown" ;
218- }
213+ return switch (status ) {
214+ case OCSPResp .MALFORMED_REQUEST -> "malformed request" ;
215+ case OCSPResp .INTERNAL_ERROR -> "internal error" ;
216+ case OCSPResp .TRY_LATER -> "service unavailable" ;
217+ case OCSPResp .SIG_REQUIRED -> "request signature missing" ;
218+ case OCSPResp .UNAUTHORIZED -> "unauthorized" ;
219+ default -> "unknown" ;
220+ };
219221 }
220222
221223}