feat(OCSP): add AuthTokenValidatorBuilder.withOcspClient() for overriding the OCSP client. Fixes #31

Author: mrts

src/main/java/eu/webeid/security/validator/AuthTokenValidatorBuilder.java

@@ -23,6 +23,8 @@
 package eu.webeid.security.validator;
 
 import eu.webeid.security.exceptions.JceException;
+import eu.webeid.security.validator.ocsp.OcspClient;
+import eu.webeid.security.validator.ocsp.OcspClientImpl;
 import eu.webeid.security.validator.ocsp.service.DesignatedOcspServiceConfiguration;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.slf4j.Logger;
@@ -42,6 +44,7 @@ public class AuthTokenValidatorBuilder {
     private static final Logger LOG = LoggerFactory.getLogger(AuthTokenValidatorBuilder.class);
 
     private final AuthTokenValidationConfiguration configuration = new AuthTokenValidationConfiguration();
+    private OcspClient ocspClient;
 
     /**
      * Sets the expected site origin, i.e. the domain that the application is running on.
@@ -152,6 +155,19 @@ public AuthTokenValidatorBuilder withDesignatedOcspServiceConfiguration(Designat
         return this;
     }
 
+    /**
+     * Uses the provided OCSP client instance during user certificate revocation check with OCSP.
+     * The provided client instance must be thread-safe.
+     *
+     * @param ocspClient OCSP client instance
+     * @return the builder instance for method chaining
+     */
+    public AuthTokenValidatorBuilder withOcspClient(OcspClient ocspClient) {
+        this.ocspClient = ocspClient;
+        LOG.debug("Using the OCSP client provided by API consumer");
+        return this;
+    }
+
     /**
      * Validates the configuration and builds the {@link AuthTokenValidator} object with it.
      * The returned {@link AuthTokenValidator} object is immutable/thread-safe.
@@ -163,7 +179,10 @@ public AuthTokenValidatorBuilder withDesignatedOcspServiceConfiguration(Designat
      */
     public AuthTokenValidator build() throws NullPointerException, IllegalArgumentException, JceException {
         configuration.validate();
-        return new AuthTokenValidatorImpl(configuration);
+        if (ocspClient == null) {
+            ocspClient = OcspClientImpl.build(configuration.getOcspRequestTimeout());
+        }
+        return new AuthTokenValidatorImpl(configuration, ocspClient);
     }
 
 }

src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -36,7 +36,6 @@
 import eu.webeid.security.validator.certvalidators.SubjectCertificateTrustedValidator;
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
 import eu.webeid.security.validator.ocsp.OcspClient;
-import eu.webeid.security.validator.ocsp.OcspClientImpl;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
 import eu.webeid.security.validator.ocsp.service.AiaOcspServiceConfiguration;
 import org.slf4j.Logger;
@@ -73,8 +72,9 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
 
     /**
      * @param configuration configuration parameters for the token validator
+     * @param ocspClient client for communicating with the OCSP service
      */
-    AuthTokenValidatorImpl(AuthTokenValidationConfiguration configuration) throws JceException {
+    AuthTokenValidatorImpl(AuthTokenValidationConfiguration configuration, OcspClient ocspClient) throws JceException {
         // Copy the configuration object to make AuthTokenValidatorImpl immutable and thread-safe.
         this.configuration = configuration.copy();
 
@@ -89,7 +89,8 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
         );
 
         if (configuration.isUserCertificateRevocationCheckWithOcspEnabled()) {
-            ocspClient = OcspClientImpl.build(configuration.getOcspRequestTimeout());
+            // The OCSP client may be provided by the API consumer.
+            this.ocspClient = ocspClient;
             ocspServiceProvider = new OcspServiceProvider(
                 configuration.getDesignatedOcspServiceConfiguration(),
                 new AiaOcspServiceConfiguration(configuration.getNonceDisabledOcspUrls(),

src/test/java/eu/webeid/security/testutil/AuthTokenValidators.java

@@ -27,6 +27,7 @@
 import eu.webeid.security.exceptions.OCSPCertificateException;
 import eu.webeid.security.validator.AuthTokenValidator;
 import eu.webeid.security.validator.AuthTokenValidatorBuilder;
+import eu.webeid.security.validator.ocsp.OcspClient;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 
 import java.io.IOException;
@@ -59,6 +60,12 @@ public static AuthTokenValidator getAuthTokenValidator(String url, X509Certifica
             .build();
     }
 
+    public static AuthTokenValidator getAuthTokenValidatorWithOverriddenOcspClient(OcspClient ocspClient) throws CertificateException, JceException, IOException {
+        return getAuthTokenValidatorBuilder(TOKEN_ORIGIN_URL, getCACertificates())
+            .withOcspClient(ocspClient)
+            .build();
+    }
+
     public static AuthTokenValidator getAuthTokenValidatorWithOcspCheck() throws CertificateException, JceException, IOException {
         return getAuthTokenValidatorBuilder(TOKEN_ORIGIN_URL, getCACertificates())
             .build();

src/test/java/eu/webeid/security/validator/AuthTokenCertificateTest.java

@@ -91,11 +91,11 @@ void whenCertificateFieldIsEmpty_thenParsingFails() throws AuthTokenException {
     }
 
     @Test
-    void whenCertificateFieldIsArray_thenParsingFails() throws AuthTokenException {
+    void whenCertificateFieldIsArray_thenParsingFails() {
         assertThatThrownBy(() -> replaceTokenField(AUTH_TOKEN, "\"X5C\"", "[1,2,3,4]"))
             .isInstanceOf(AuthTokenParseException.class)
             .hasMessage("Error parsing Web eID authentication token")
-            .getCause()
+            .cause()
             .isInstanceOf(MismatchedInputException.class)
             .hasMessageStartingWith("Cannot deserialize value of type `java.lang.String` from Array value");
     }
@@ -106,7 +106,7 @@ void whenCertificateFieldIsNumber_thenParsingFails() throws AuthTokenException {
         assertThatThrownBy(() -> validator
             .validate(token, VALID_CHALLENGE_NONCE))
             .isInstanceOf(CertificateDecodingException.class)
-            .getCause()
+            .cause()
             .isInstanceOf(CertificateException.class)
             .hasMessage("Could not parse certificate: java.io.IOException: Empty input");
     }
@@ -117,7 +117,7 @@ void whenCertificateFieldIsNotBase64_thenParsingFails() throws AuthTokenExceptio
         assertThatThrownBy(() -> validator
             .validate(token, VALID_CHALLENGE_NONCE))
             .isInstanceOf(CertificateDecodingException.class)
-            .getCause()
+            .cause()
             .isInstanceOf(IllegalArgumentException.class)
             .hasMessage("Illegal base64 character 20");
     }
@@ -128,7 +128,7 @@ void whenCertificateFieldIsNotCertificate_thenParsingFails() throws AuthTokenExc
         assertThatThrownBy(() -> validator
             .validate(token, VALID_CHALLENGE_NONCE))
             .isInstanceOf(CertificateDecodingException.class)
-            .getCause()
+            .cause()
             .isInstanceOf(CertificateException.class)
             .hasMessage("Could not parse certificate: java.io.IOException: Empty input");
     }

src/test/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidatorTest.java

@@ -102,7 +102,7 @@ void whenOcspUrlIsInvalid_thenThrows() throws Exception {
         assertThatCode(() ->
             validator.validateCertificateNotRevoked(estEid2018Cert))
             .isInstanceOf(UserCertificateOCSPCheckFailedException.class)
-            .getCause()
+            .cause()
             .isInstanceOf(IOException.class)
             .hasMessageMatching("invalid.invalid: (Name or service not known|"
                 + "Temporary failure in name resolution)");
@@ -115,7 +115,7 @@ void whenOcspRequestFails_thenThrows() throws Exception {
         assertThatCode(() ->
             validator.validateCertificateNotRevoked(estEid2018Cert))
             .isInstanceOf(UserCertificateOCSPCheckFailedException.class)
-            .getCause()
+            .cause()
             .isInstanceOf(IOException.class)
             .hasMessageStartingWith("OCSP request was not successful, response: Response{");
     }
@@ -129,7 +129,7 @@ void whenOcspRequestHasInvalidBody_thenThrows() throws Exception {
         assertThatCode(() ->
             validator.validateCertificateNotRevoked(estEid2018Cert))
             .isInstanceOf(UserCertificateOCSPCheckFailedException.class)
-            .getCause()
+            .cause()
             .isInstanceOf(IOException.class)
             .hasMessage("DEF length 110 object truncated by 105");
     }
@@ -179,7 +179,7 @@ void whenOcspResponseHasInvalidResponderCert_thenThrows() throws Exception {
         assertThatCode(() ->
             validator.validateCertificateNotRevoked(estEid2018Cert))
             .isInstanceOf(UserCertificateOCSPCheckFailedException.class)
-            .getCause()
+            .cause()
             .isInstanceOf(OCSPException.class)
             .hasMessage("exception processing sig: java.lang.IllegalArgumentException: invalid info structure in RSA public key");
     }
@@ -193,7 +193,7 @@ void whenOcspResponseHasInvalidTag_thenThrows() throws Exception {
         assertThatCode(() ->
             validator.validateCertificateNotRevoked(estEid2018Cert))
             .isInstanceOf(UserCertificateOCSPCheckFailedException.class)
-            .getCause()
+            .cause()
             .isInstanceOf(OCSPException.class)
             .hasMessage("problem decoding object: java.io.IOException: unknown tag 23 encountered");
     }

src/test/java/eu/webeid/security/validator/ocsp/OcspClientOverrideTest.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2022 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.security.validator.ocsp;
+
+import eu.webeid.security.exceptions.JceException;
+import eu.webeid.security.testutil.AbstractTestWithValidator;
+import eu.webeid.security.testutil.AuthTokenValidators;
+import eu.webeid.security.validator.AuthTokenValidator;
+import org.bouncycastle.cert.ocsp.OCSPReq;
+import org.bouncycastle.cert.ocsp.OCSPResp;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.net.URI;
+import java.security.cert.CertificateException;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+class OcspClientOverrideTest extends AbstractTestWithValidator {
+
+    @Test
+    void whenOcspClientIsOverridden_thenItIsUsed() throws JceException, CertificateException, IOException {
+        final AuthTokenValidator validator = AuthTokenValidators.getAuthTokenValidatorWithOverriddenOcspClient(new OcpClientThatThrows());
+        assertThatThrownBy(() -> validator.validate(validAuthToken, VALID_CHALLENGE_NONCE))
+            .cause()
+            .isInstanceOf(OcpClientThatThrowsException.class);
+    }
+
+    private static class OcpClientThatThrows implements OcspClient {
+        @Override
+        public OCSPResp request(URI url, OCSPReq request) throws IOException {
+            throw new OcpClientThatThrowsException();
+        }
+    }
+
+    private static class OcpClientThatThrowsException extends IOException {
+    }
+}