refactor(OCSP): simplify AIA OCSP configuration, use single truststore for subject and OCSP responder certificates

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>

Author: mrts

README.md

@@ -145,6 +145,7 @@ import java.security.cert.X509Certificate;
 
 ## 5. Add trusted OCSP responder certificates
 
+FIXME: describe the fallback scheme. As everything works out of the box, move below under andvanced config.
 - AIA
 - Designated
 

src/main/java/org/webeid/security/certificate/CertificateData.java

@@ -32,34 +32,49 @@
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Optional;
 import java.util.stream.Collectors;
 
 public final class CertificateData {
 
     public static String getSubjectCN(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.CN);
+        return getSubjectField(certificate, BCStyle.CN);
+    }
+
+    public static Optional<String> getSubjectCNOptional(X509Certificate certificate) {
+        try {
+            return Optional.of(getSubjectField(certificate, BCStyle.CN));
+        } catch (CertificateEncodingException e) {
+            return Optional.empty();
+        }
     }
 
     public static String getSubjectSurname(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.SURNAME);
+        return getSubjectField(certificate, BCStyle.SURNAME);
     }
 
     public static String getSubjectGivenName(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.GIVENNAME);
+        return getSubjectField(certificate, BCStyle.GIVENNAME);
     }
 
     public static String getSubjectIdCode(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.SERIALNUMBER);
+        return getSubjectField(certificate, BCStyle.SERIALNUMBER);
     }
 
     public static String getSubjectCountryCode(X509Certificate certificate) throws CertificateEncodingException {
-        return getField(certificate, BCStyle.C);
+        return getSubjectField(certificate, BCStyle.C);
+    }
+
+    private static String getSubjectField(X509Certificate certificate, ASN1ObjectIdentifier fieldId) throws CertificateEncodingException {
+        return getField(new JcaX509CertificateHolder(certificate).getSubject(), fieldId);
     }
 
-    private static String getField(X509Certificate certificate, ASN1ObjectIdentifier fieldId) throws CertificateEncodingException {
-        final X500Name x500Name = new JcaX509CertificateHolder(certificate).getSubject();
+    private static String getField(X500Name x500Name, ASN1ObjectIdentifier fieldId) throws CertificateEncodingException {
         // Example value: [C=EE, CN=JÕEORG\,JAAK-KRISTJAN\,38001085718, 2.5.4.4=#0c074ac395454f5247, 2.5.4.42=#0c0d4a41414b2d4b524953544a414e, 2.5.4.5=#1311504e4f45452d3338303031303835373138]
         final RDN[] rdns = x500Name.getRDNs(fieldId);
+        if (rdns.length == 0 || rdns[0].getFirst() == null) {
+            throw new CertificateEncodingException("X500 name RDNs empty or first element is null");
+        }
         return Arrays.stream(rdns)
             .map(rdn -> IETFUtils.valueToString(rdn.getFirst().getValue()))
             .collect(Collectors.joining(", "));

src/main/java/org/webeid/security/util/AiaOcspUrls.java

@@ -0,0 +1,13 @@
+package org.webeid.security.util;
+
+import java.net.URI;
+
+public class AiaOcspUrls {
+
+    public static final URI ESTEID_2015 = URI.create("http://aia.sk.ee/esteid2015");
+
+    private AiaOcspUrls() {
+        throw new IllegalStateException("Constants class");
+    }
+
+}

src/main/java/org/webeid/security/validator/AuthTokenValidationConfiguration.java

@@ -38,6 +38,7 @@
 import java.util.Objects;
 
 import static org.webeid.security.nonce.NonceGeneratorBuilder.requirePositiveDuration;
+import static org.webeid.security.util.AiaOcspUrls.ESTEID_2015;
 import static org.webeid.security.util.SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY;
 import static org.webeid.security.util.SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY_V1;
 import static org.webeid.security.util.SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY_V2;
@@ -46,15 +47,14 @@
 /**
  * Stores configuration parameters for {@link AuthTokenValidatorImpl}.
  */
-final class AuthTokenValidationConfiguration {
+public final class AuthTokenValidationConfiguration {
 
     private URI siteOrigin;
     private Cache<String, ZonedDateTime> nonceCache;
     private Collection<X509Certificate> trustedCACertificates = new HashSet<>();
     private boolean isUserCertificateRevocationCheckWithOcspEnabled = true;
     private Duration ocspRequestTimeout = Duration.ofSeconds(5);
     private Duration allowedClientClockSkew = Duration.ofMinutes(3);
-    private AiaOcspServiceConfiguration aiaOcspServiceConfiguration;
     private DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration;
     private boolean isSiteCertificateFingerprintValidationEnabled = false;
     private String siteCertificateSha256Fingerprint;
@@ -65,6 +65,8 @@ final class AuthTokenValidationConfiguration {
         ESTEID_SK_2015_MOBILE_ID_POLICY_V3,
         ESTEID_SK_2015_MOBILE_ID_POLICY
     );
+    // Disable OCSP nonce extension for EstEID 2015 cards by default.
+    private Collection<URI> nonceDisabledOcspUrls = Sets.newHashSet(ESTEID_2015);
 
     AuthTokenValidationConfiguration() {
     }
@@ -76,11 +78,11 @@ private AuthTokenValidationConfiguration(AuthTokenValidationConfiguration other)
         this.isUserCertificateRevocationCheckWithOcspEnabled = other.isUserCertificateRevocationCheckWithOcspEnabled;
         this.ocspRequestTimeout = other.ocspRequestTimeout;
         this.allowedClientClockSkew = other.allowedClientClockSkew;
-        this.aiaOcspServiceConfiguration = other.aiaOcspServiceConfiguration;
         this.designatedOcspServiceConfiguration = other.designatedOcspServiceConfiguration;
         this.isSiteCertificateFingerprintValidationEnabled = other.isSiteCertificateFingerprintValidationEnabled;
         this.siteCertificateSha256Fingerprint = other.siteCertificateSha256Fingerprint;
         this.disallowedSubjectCertificatePolicies = new HashSet<>(other.disallowedSubjectCertificatePolicies);
+        this.nonceDisabledOcspUrls = new HashSet<>(other.nonceDisabledOcspUrls);
     }
 
     void setSiteOrigin(URI siteOrigin) {
@@ -127,14 +129,6 @@ Duration getAllowedClientClockSkew() {
         return allowedClientClockSkew;
     }
 
-    public AiaOcspServiceConfiguration getAiaOcspServiceConfiguration() {
-        return aiaOcspServiceConfiguration;
-    }
-
-    public void setAiaOcspServiceConfiguration(AiaOcspServiceConfiguration aiaOcspServiceConfiguration) {
-        this.aiaOcspServiceConfiguration = aiaOcspServiceConfiguration;
-    }
-
     public DesignatedOcspServiceConfiguration getDesignatedOcspServiceConfiguration() {
         return designatedOcspServiceConfiguration;
     }
@@ -160,6 +154,10 @@ public Collection<ASN1ObjectIdentifier> getDisallowedSubjectCertificatePolicies(
         return disallowedSubjectCertificatePolicies;
     }
 
+    public Collection<URI> getNonceDisabledOcspUrls() {
+        return nonceDisabledOcspUrls;
+    }
+
     /**
      * Checks that the configuration parameters are valid.
      *
@@ -173,18 +171,6 @@ void validate() {
         if (trustedCACertificates.isEmpty()) {
             throw new IllegalArgumentException("At least one trusted certificate authority must be provided");
         }
-        if (isUserCertificateRevocationCheckWithOcspEnabled) {
-            if (aiaOcspServiceConfiguration == null && designatedOcspServiceConfiguration == null) {
-                throw new IllegalArgumentException("Either AIA or designated OCSP service configuration must be provided");
-            }
-            if (aiaOcspServiceConfiguration != null && designatedOcspServiceConfiguration != null) {
-                throw new IllegalArgumentException("AIA and designated OCSP service configuration cannot provided together, " +
-                    "please provide either one or the other");
-            }
-        } else if (aiaOcspServiceConfiguration != null || designatedOcspServiceConfiguration != null) {
-            throw new IllegalArgumentException("When user certificate OCSP check is disabled, " +
-                "AIA or designated OCSP service configuration should not be provided");
-        }
         requirePositiveDuration(ocspRequestTimeout, "OCSP request timeout");
         requirePositiveDuration(allowedClientClockSkew, "Allowed client clock skew");
         if (isSiteCertificateFingerprintValidationEnabled) {

src/main/java/org/webeid/security/validator/AuthTokenValidatorBuilder.java

@@ -75,9 +75,10 @@ public AuthTokenValidatorBuilder withNonceCache(Cache<String, ZonedDateTime> cac
     }
 
     /**
-     * Adds the given certificates to the list of trusted subject certificate intermediate Certificate Authorities.
-     * In order for the user certificate to be considered valid, the certificate of the issuer of the user certificate
-     * must be present in this list.
+     * Adds the given certificates to the list of trusted intermediate Certificate Authorities
+     * used during validation of subject and OCSP responder certificates.
+     * In order for a user or OCSP responder certificate to be considered valid, the certificate
+     * of the issuer of the certificate must be present in this list.
      * <p>
      * At least one trusted intermediate Certificate Authority must be provided as a mandatory configuration parameter.
      *
@@ -134,12 +135,6 @@ public AuthTokenValidatorBuilder withOcspRequestTimeout(Duration ocspRequestTime
         return this;
     }
 
-    public AuthTokenValidatorBuilder withAiaOcspServiceConfiguration(AiaOcspServiceConfiguration serviceConfiguration) {
-        configuration.setAiaOcspServiceConfiguration(serviceConfiguration);
-        LOG.debug("Using AIA OCSP service configuration");
-        return this;
-    }
-
     public AuthTokenValidatorBuilder withDesignatedOcspServiceConfiguration(DesignatedOcspServiceConfiguration serviceConfiguration) {
         configuration.setDesignatedOcspServiceConfiguration(serviceConfiguration);
         LOG.debug("Using designated OCSP service configuration");

src/main/java/org/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -22,7 +22,6 @@
 
 package org.webeid.security.validator;
 
-import com.google.common.base.Suppliers;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.webeid.security.exceptions.JceException;
@@ -31,13 +30,20 @@
 import org.webeid.security.validator.ocsp.OcspClient;
 import org.webeid.security.validator.ocsp.OcspClientImpl;
 import org.webeid.security.validator.ocsp.OcspServiceProvider;
-import org.webeid.security.validator.validators.*;
+import org.webeid.security.validator.ocsp.service.AiaOcspServiceConfiguration;
+import org.webeid.security.validator.validators.FunctionalSubjectCertificateValidators;
+import org.webeid.security.validator.validators.NonceValidator;
+import org.webeid.security.validator.validators.OriginValidator;
+import org.webeid.security.validator.validators.SiteCertificateFingerprintValidator;
+import org.webeid.security.validator.validators.SubjectCertificateNotRevokedValidator;
+import org.webeid.security.validator.validators.SubjectCertificatePolicyValidator;
+import org.webeid.security.validator.validators.SubjectCertificateTrustedValidator;
+import org.webeid.security.validator.validators.ValidatorBatch;
 
 import java.security.cert.CertStore;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.util.Set;
-import java.util.function.Supplier;
 
 import static org.webeid.security.certificate.CertificateValidator.buildCertStoreFromCertificates;
 import static org.webeid.security.certificate.CertificateValidator.buildTrustAnchorsFromCertificates;
@@ -52,14 +58,15 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
     private static final Logger LOG = LoggerFactory.getLogger(AuthTokenValidatorImpl.class);
 
     private final AuthTokenValidationConfiguration configuration;
-    // OkHttp performs best when a single OkHttpClient instance is created and reused for all HTTP calls.
-    // This is because each client holds its own connection pool and thread pools.
-    // Reusing connections and threads reduces latency and saves memory.
-    private final Supplier<OcspClient> ocspClientSupplier;
     private final ValidatorBatch simpleSubjectCertificateValidators;
     private final ValidatorBatch tokenBodyValidators;
     private final Set<TrustAnchor> trustedCACertificateAnchors;
     private final CertStore trustedCACertificateCertStore;
+    // OcspClient uses OkHttp internally.
+    // OkHttp performs best when a single OkHttpClient instance is created and reused for all HTTP calls.
+    // This is because each client holds its own connection pool and thread pools.
+    // Reusing connections and threads reduces latency and saves memory.
+    private OcspClient ocspClientSupplier;
     private OcspServiceProvider ocspServiceProvider;
 
     /**
@@ -68,11 +75,6 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
     AuthTokenValidatorImpl(AuthTokenValidationConfiguration configuration) throws JceException {
         // Copy the configuration object to make AuthTokenValidatorImpl immutable and thread-safe.
         this.configuration = configuration.copy();
-        // Lazy initialization, avoid constructing the OkHttpClient object when certificate revocation check is not enabled.
-        // Returns a supplier which caches the instance retrieved during the first call to get() and returns
-        // that value on subsequent calls to get(). The returned supplier is thread-safe.
-        // The OkHttpClient build() method will be invoked at most once.
-        this.ocspClientSupplier = Suppliers.memoize(() -> OcspClientImpl.build(configuration.getOcspRequestTimeout()));
 
         simpleSubjectCertificateValidators = ValidatorBatch.createFrom(
             FunctionalSubjectCertificateValidators::validateCertificateExpiry,
@@ -86,14 +88,17 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
             new SiteCertificateFingerprintValidator(configuration.getSiteCertificateSha256Fingerprint())::validateSiteCertificateFingerprint
         );
 
-        // Create and cache trusted CA certificate JCA objects for SubjectCertificateTrustedValidator.
+        // Create and cache trusted CA certificate JCA objects for SubjectCertificateTrustedValidator and AiaOcspService.
         trustedCACertificateAnchors = buildTrustAnchorsFromCertificates(configuration.getTrustedCACertificates());
         trustedCACertificateCertStore = buildCertStoreFromCertificates(configuration.getTrustedCACertificates());
 
         if (configuration.isUserCertificateRevocationCheckWithOcspEnabled()) {
-            ocspServiceProvider = configuration.getAiaOcspServiceConfiguration() != null ?
-                new OcspServiceProvider(configuration.getAiaOcspServiceConfiguration()) :
-                new OcspServiceProvider(configuration.getDesignatedOcspServiceConfiguration());
+            ocspClientSupplier = OcspClientImpl.build(configuration.getOcspRequestTimeout());
+            ocspServiceProvider = new OcspServiceProvider(
+                configuration.getDesignatedOcspServiceConfiguration(),
+                new AiaOcspServiceConfiguration(configuration.getNonceDisabledOcspUrls(),
+                    trustedCACertificateAnchors,
+                    trustedCACertificateCertStore));
         }
     }
 
@@ -145,7 +150,7 @@ private ValidatorBatch getCertTrustValidators() {
         return ValidatorBatch.createFrom(
             certTrustedValidator::validateCertificateTrusted
         ).addOptional(configuration.isUserCertificateRevocationCheckWithOcspEnabled(),
-            new SubjectCertificateNotRevokedValidator(certTrustedValidator, ocspClientSupplier.get(), ocspServiceProvider)::validateCertificateNotRevoked
+            new SubjectCertificateNotRevokedValidator(certTrustedValidator, ocspClientSupplier, ocspServiceProvider)::validateCertificateNotRevoked
         );
     }
 }

src/main/java/org/webeid/security/validator/ocsp/OcspServiceProvider.java

@@ -7,27 +7,36 @@
 import org.webeid.security.validator.ocsp.service.DesignatedOcspServiceConfiguration;
 import org.webeid.security.validator.ocsp.service.OcspService;
 
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
+import java.util.Objects;
 
 public class OcspServiceProvider {
 
-    private final AiaOcspServiceConfiguration aiaOcspServiceConfiguration;
     private final DesignatedOcspService designatedOcspService;
+    private final AiaOcspServiceConfiguration aiaOcspServiceConfiguration;
 
-    public OcspServiceProvider(DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration) {
-        this.designatedOcspService = new DesignatedOcspService(designatedOcspServiceConfiguration);
-        this.aiaOcspServiceConfiguration = null;
-    }
-
-    public OcspServiceProvider(AiaOcspServiceConfiguration aiaOcspServiceConfiguration) {
-        this.aiaOcspServiceConfiguration = aiaOcspServiceConfiguration;
-        this.designatedOcspService = null;
+    public OcspServiceProvider(DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration, AiaOcspServiceConfiguration aiaOcspServiceConfiguration) {
+        designatedOcspService = designatedOcspServiceConfiguration != null ?
+            new DesignatedOcspService(designatedOcspServiceConfiguration)
+            : null;
+        this.aiaOcspServiceConfiguration = Objects.requireNonNull(aiaOcspServiceConfiguration, "aiaOcspServiceConfiguration");
     }
 
-    public OcspService getService(X509Certificate certificate) throws TokenValidationException {
-        return designatedOcspService != null ?
-            designatedOcspService :
-            new AiaOcspService(aiaOcspServiceConfiguration, certificate);
+    /**
+     * A static factory method that returns either the designated or AIA OCSP service instance depending on whether
+     * the designated OCSP service is configured and supports the issuer of the certificate.
+     *
+     * @param certificate subject certificate that is to be checked with OCSP
+     * @return either the designated or AIA OCSP service instance
+     * @throws TokenValidationException when AIA URL is not found in certificate
+     * @throws CertificateEncodingException when certificate is invalid
+     */
+    public OcspService getService(X509Certificate certificate) throws TokenValidationException, CertificateEncodingException {
+        if (designatedOcspService != null && designatedOcspService.supportsIssuerOf(certificate)) {
+            return designatedOcspService;
+        }
+        return new AiaOcspService(aiaOcspServiceConfiguration, certificate);
     }
 
 }

src/main/java/org/webeid/security/validator/ocsp/OcspUtils.java

@@ -54,6 +54,7 @@
 import java.nio.charset.StandardCharsets;
 import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
+import java.util.Objects;
 
 public final class OcspUtils {
 
@@ -71,10 +72,11 @@ public final class OcspUtils {
     private static final ASN1ObjectIdentifier OCSP_RESPONDER_OID
         = new ASN1ObjectIdentifier("1.3.6.1.5.5.7.48.1").intern();
 
-    public static void validateHasSigningExtension(X509Certificate cert) throws OCSPCertificateException {
+    public static void validateHasSigningExtension(X509Certificate certificate) throws OCSPCertificateException {
+        Objects.requireNonNull(certificate, "certificate");
         try {
-            if (cert.getExtendedKeyUsage() == null || !cert.getExtendedKeyUsage().contains(OID_OCSP_SIGNING)) {
-                throw new OCSPCertificateException("Certificate " + cert.getSubjectDN() +
+            if (certificate.getExtendedKeyUsage() == null || !certificate.getExtendedKeyUsage().contains(OID_OCSP_SIGNING)) {
+                throw new OCSPCertificateException("Certificate " + certificate.getSubjectDN() +
                     " does not contain the key usage extension for OCSP response signing");
             }
         } catch (CertificateParsingException e) {
@@ -85,7 +87,8 @@ public static void validateHasSigningExtension(X509Certificate cert) throws OCSP
     /**
      * Returns the OCSP responder {@link URI} or {@code null} if it doesn't have one.
      */
-    public static URI ocspUri(X509Certificate certificate)  {
+    public static URI getOcspUri(X509Certificate certificate)  {
+        Objects.requireNonNull(certificate, "certificate");
         final byte[] value = certificate.getExtensionValue(Extension.authorityInfoAccess.getId());
         if (value == null) {
             return null;