feat(OCSP): implement configurable OCSP service URL, verify OCSP responder certificate and response signature

WE2-432

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>

Author: mrts

README.md

@@ -143,6 +143,11 @@ import java.security.cert.X509Certificate;
 ...
 ```
 
+## 5. Add trusted OCSP responder certificates
+
+- AIA
+- Designated
+
 ## 5. Configure the authentication token validator
 
 Once the prerequisites have been met, the authentication token validator itself can be configured.
@@ -235,6 +240,8 @@ try {
 - [Nonce generation](#nonce-generation)
   - [Basic usage](#basic-usage-1)
   - [Extended configuration](#extended-configuration-1)
+- [Frequently asked questions](#frequently-asked-questions)
+  - [How can I find the AIA OCSP service URLs?](#how-can-i-find-the-aia-ocsp-service-urls)
 
 # Introduction
 
@@ -356,3 +363,14 @@ NonceGenerator generator = new NonceGeneratorBuilder()
         .withSecureRandom(customSecureRandom)  
         .build();
 ```
+
+## Frequently asked questions
+
+### How can I find the AIA OCSP service URLs?
+
+You can find the AIA OCSP service URLs from the electronic ID certificate profile documents, in the section that describes certificate extensions.
+The AIA OCSP extension OID is 1.3.6.1.5.5.7.48.1.
+
+For example, the EstEID AIA URLs are specified in the documents
+[*Certificate, CRL and OCSP Profile for identification documents of the Republic of Estonia*](https://www.skidsolutions.eu/upload/files/SK-CPR-ESTEID-EN-v8_4-20200630.pdf) and
+[*Certificate, CRL and OCSP Profile for ID-1 Format Identity Documents Issued by the Republic of Estonia*](https://www.skidsolutions.eu/upload/files/SK-CPR-ESTEID2018-EN-v1_2_20200630.pdf).

src/main/java/org/webeid/security/util/OcspUrls.java

@@ -24,6 +24,8 @@
 
 import com.google.common.collect.Sets;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.webeid.security.validator.ocsp.service.AiaOcspServiceConfiguration;
+import org.webeid.security.validator.ocsp.service.DesignatedOcspServiceConfiguration;
 import org.webeid.security.validator.validators.OriginValidator;
 
 import javax.cache.Cache;
@@ -36,8 +38,10 @@
 import java.util.Objects;
 
 import static org.webeid.security.nonce.NonceGeneratorBuilder.requirePositiveDuration;
-import static org.webeid.security.util.OcspUrls.ESTEID_2015;
-import static org.webeid.security.util.SubjectCertificatePolicies.*;
+import static org.webeid.security.util.SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY;
+import static org.webeid.security.util.SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY_V1;
+import static org.webeid.security.util.SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY_V2;
+import static org.webeid.security.util.SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY_V3;
 
 /**
  * Stores configuration parameters for {@link AuthTokenValidatorImpl}.
@@ -50,6 +54,8 @@ final class AuthTokenValidationConfiguration {
     private boolean isUserCertificateRevocationCheckWithOcspEnabled = true;
     private Duration ocspRequestTimeout = Duration.ofSeconds(5);
     private Duration allowedClientClockSkew = Duration.ofMinutes(3);
+    private AiaOcspServiceConfiguration aiaOcspServiceConfiguration = new AiaOcspServiceConfiguration();
+    private DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration;
     private boolean isSiteCertificateFingerprintValidationEnabled = false;
     private String siteCertificateSha256Fingerprint;
     // Don't allow Estonian Mobile-ID policy by default.
@@ -59,8 +65,6 @@ final class AuthTokenValidationConfiguration {
         ESTEID_SK_2015_MOBILE_ID_POLICY_V3,
         ESTEID_SK_2015_MOBILE_ID_POLICY
     );
-    // Disable OCSP nonce extension for EstEID 2015 cards by default.
-    private Collection<URI> nonceDisabledOcspUrls = Sets.newHashSet(ESTEID_2015);
 
     AuthTokenValidationConfiguration() {
     }
@@ -72,10 +76,11 @@ private AuthTokenValidationConfiguration(AuthTokenValidationConfiguration other)
         this.isUserCertificateRevocationCheckWithOcspEnabled = other.isUserCertificateRevocationCheckWithOcspEnabled;
         this.ocspRequestTimeout = other.ocspRequestTimeout;
         this.allowedClientClockSkew = other.allowedClientClockSkew;
+        this.aiaOcspServiceConfiguration = other.aiaOcspServiceConfiguration;
+        this.designatedOcspServiceConfiguration = other.designatedOcspServiceConfiguration;
         this.isSiteCertificateFingerprintValidationEnabled = other.isSiteCertificateFingerprintValidationEnabled;
         this.siteCertificateSha256Fingerprint = other.siteCertificateSha256Fingerprint;
         this.disallowedSubjectCertificatePolicies = new HashSet<>(other.disallowedSubjectCertificatePolicies);
-        this.nonceDisabledOcspUrls = new HashSet<>(other.nonceDisabledOcspUrls);
     }
 
     void setSiteOrigin(URI siteOrigin) {
@@ -122,6 +127,22 @@ Duration getAllowedClientClockSkew() {
         return allowedClientClockSkew;
     }
 
+    public AiaOcspServiceConfiguration getAiaOcspServiceConfiguration() {
+        return aiaOcspServiceConfiguration;
+    }
+
+    public void setAiaOcspServiceConfiguration(AiaOcspServiceConfiguration aiaOcspServiceConfiguration) {
+        this.aiaOcspServiceConfiguration = aiaOcspServiceConfiguration;
+    }
+
+    public DesignatedOcspServiceConfiguration getDesignatedOcspServiceConfiguration() {
+        return designatedOcspServiceConfiguration;
+    }
+
+    public void setDesignatedOcspServiceConfiguration(DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration) {
+        this.designatedOcspServiceConfiguration = designatedOcspServiceConfiguration;
+    }
+
     boolean isSiteCertificateFingerprintValidationEnabled() {
         return isSiteCertificateFingerprintValidationEnabled;
     }
@@ -139,10 +160,6 @@ public Collection<ASN1ObjectIdentifier> getDisallowedSubjectCertificatePolicies(
         return disallowedSubjectCertificatePolicies;
     }
 
-    public Collection<URI> getNonceDisabledOcspUrls() {
-        return nonceDisabledOcspUrls;
-    }
-
     /**
      * Checks that the configuration parameters are valid.
      *
@@ -156,6 +173,13 @@ void validate() {
         if (trustedCACertificates.isEmpty()) {
             throw new IllegalArgumentException("At least one trusted certificate authority must be provided");
         }
+        if (aiaOcspServiceConfiguration == null && designatedOcspServiceConfiguration == null) {
+            throw new IllegalArgumentException("Either AIA or designated OCSP service configuration must be provided");
+        }
+        if (aiaOcspServiceConfiguration != null && designatedOcspServiceConfiguration != null) {
+            throw new IllegalArgumentException("AIA and designated OCSP service configuration cannot provided together, " +
+                "please provide either one or the other");
+        }
         requirePositiveDuration(ocspRequestTimeout, "OCSP request timeout");
         requirePositiveDuration(allowedClientClockSkew, "Allowed client clock skew");
         if (isSiteCertificateFingerprintValidationEnabled) {

src/main/java/org/webeid/security/validator/AuthTokenValidationConfiguration.java

@@ -26,6 +26,9 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.webeid.security.exceptions.JceException;
+import org.webeid.security.validator.ocsp.service.AiaOcspService;
+import org.webeid.security.validator.ocsp.service.AiaOcspServiceConfiguration;
+import org.webeid.security.validator.ocsp.service.DesignatedOcspServiceConfiguration;
 
 import javax.cache.Cache;
 import java.net.URI;
@@ -84,7 +87,10 @@ public AuthTokenValidatorBuilder withNonceCache(Cache<String, ZonedDateTime> cac
      */
     public AuthTokenValidatorBuilder withTrustedCertificateAuthorities(X509Certificate... certificates) {
         Collections.addAll(configuration.getTrustedCACertificates(), certificates);
-        LOG.debug("Trusted intermediate certificate authorities set to {}", configuration.getTrustedCACertificates());
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Trusted intermediate certificate authorities set to {}",
+                configuration.getTrustedCACertificates().stream().map(X509Certificate::getSubjectDN));
+        }
         return this;
     }
 
@@ -125,20 +131,19 @@ public AuthTokenValidatorBuilder withoutUserCertificateRevocationCheckWithOcsp()
      */
     public AuthTokenValidatorBuilder withOcspRequestTimeout(Duration ocspRequestTimeout) {
         configuration.setOcspRequestTimeout(ocspRequestTimeout);
-        LOG.debug("OCSP request timeout set to {}.", ocspRequestTimeout);
+        LOG.debug("OCSP request timeout set to {}", ocspRequestTimeout);
         return this;
     }
 
-    /**
-     * Adds the given URLs to the list of OCSP URLs for which the nonce protocol extension will be disabled.
-     * The OCSP URL is extracted from the user certificate and some OCSP services don't support the nonce extension.
-     *
-     * @param urls OCSP URLs for which the nonce protocol extension will be disabled
-     * @return the builder instance for method chaining
-     */
-    public AuthTokenValidatorBuilder withNonceDisabledOcspUrls(URI... urls) {
-        Collections.addAll(configuration.getNonceDisabledOcspUrls(), urls);
-        LOG.debug("OCSP URLs for which the nonce protocol extension is disabled set to {}", configuration.getNonceDisabledOcspUrls());
+    public AuthTokenValidatorBuilder withAiaOcspServiceConfiguration(AiaOcspServiceConfiguration serviceConfiguration) {
+        configuration.setAiaOcspServiceConfiguration(serviceConfiguration);
+        LOG.debug("Using AIA OCSP service configuration");
+        return this;
+    }
+
+    public AuthTokenValidatorBuilder withDesignatedOcspServiceConfiguration(DesignatedOcspServiceConfiguration serviceConfiguration) {
+        configuration.setDesignatedOcspServiceConfiguration(serviceConfiguration);
+        LOG.debug("Using designated OCSP service configuration");
         return this;
     }
 

src/main/java/org/webeid/security/validator/AuthTokenValidatorBuilder.java

@@ -29,7 +29,15 @@
 import org.webeid.security.exceptions.JceException;
 import org.webeid.security.exceptions.TokenParseException;
 import org.webeid.security.exceptions.TokenValidationException;
-import org.webeid.security.validator.validators.*;
+import org.webeid.security.validator.ocsp.OcspServiceProvider;
+import org.webeid.security.validator.validators.FunctionalSubjectCertificateValidators;
+import org.webeid.security.validator.validators.NonceValidator;
+import org.webeid.security.validator.validators.OriginValidator;
+import org.webeid.security.validator.validators.SiteCertificateFingerprintValidator;
+import org.webeid.security.validator.validators.SubjectCertificateNotRevokedValidator;
+import org.webeid.security.validator.validators.SubjectCertificatePolicyValidator;
+import org.webeid.security.validator.validators.SubjectCertificateTrustedValidator;
+import org.webeid.security.validator.validators.ValidatorBatch;
 
 import java.security.GeneralSecurityException;
 import java.security.cert.CertStore;
@@ -60,6 +68,7 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
     private final ValidatorBatch tokenBodyValidators;
     private final Set<TrustAnchor> trustedCACertificateAnchors;
     private final CertStore trustedCACertificateCertStore;
+    private final OcspServiceProvider ocspServiceProvider;
 
     /**
      * @param configuration configuration parameters for the token validator
@@ -103,6 +112,9 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
         } catch (GeneralSecurityException e) {
             throw new JceException(e);
         }
+        ocspServiceProvider = configuration.getAiaOcspServiceConfiguration() != null ?
+            new OcspServiceProvider(configuration.getAiaOcspServiceConfiguration()) :
+            new OcspServiceProvider(configuration.getDesignatedOcspServiceConfiguration());
     }
 
     @Override
@@ -153,7 +165,7 @@ private ValidatorBatch getCertTrustValidators() {
         return ValidatorBatch.createFrom(
             certTrustedValidator::validateCertificateTrusted
         ).addOptional(configuration.isUserCertificateRevocationCheckWithOcspEnabled(),
-            new SubjectCertificateNotRevokedValidator(certTrustedValidator, httpClientSupplier.get(), configuration.getNonceDisabledOcspUrls())::validateCertificateNotRevoked
+            new SubjectCertificateNotRevokedValidator(certTrustedValidator, httpClientSupplier.get(), ocspServiceProvider)::validateCertificateNotRevoked
         );
     }
 }

src/main/java/org/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -66,29 +66,11 @@ public final class OcspRequestBuilder {
 
     private static final SecureRandom GENERATOR = new SecureRandom();
 
-    private SecureRandom randomGenerator = GENERATOR;
-    private DigestCalculator digestCalculator = Digester.sha1();
-    private X509Certificate subjectCertificate;
-    private X509Certificate issuerCertificate;
     private boolean ocspNonceEnabled = true;
+    private CertificateID certificateId;
 
-    public OcspRequestBuilder generator(SecureRandom generator) {
-        this.randomGenerator = generator;
-        return this;
-    }
-
-    public OcspRequestBuilder calculator(DigestCalculator calculator) {
-        this.digestCalculator = calculator;
-        return this;
-    }
-
-    public OcspRequestBuilder certificate(X509Certificate certificate) {
-        this.subjectCertificate = certificate;
-        return this;
-    }
-
-    public OcspRequestBuilder issuer(X509Certificate issuer) {
-        this.issuerCertificate = issuer;
+    public OcspRequestBuilder withCertificateId(CertificateID certificateId) {
+        this.certificateId = certificateId;
         return this;
     }
 
@@ -98,21 +80,12 @@ public OcspRequestBuilder enableOcspNonce(boolean ocspNonceEnabled) {
     }
 
     /**
-     * ATTENTION: The returned {@link OCSPReq} is not re-usable/cacheable! It contains a one-time nonce
-     * and CA's will (should) reject subsequent requests that have the same nonce value.
+     * The returned {@link OCSPReq} is not re-usable/cacheable. It contains a one-time nonce
+     * and responders will reject subsequent requests that have the same nonce value.
      */
     public OCSPReq build() throws OCSPException, IOException, CertificateEncodingException {
-        final DigestCalculator calculator = Objects.requireNonNull(this.digestCalculator, "digestCalculator");
-        final X509Certificate certificate = Objects.requireNonNull(this.subjectCertificate, "subjectCertificate");
-        final X509Certificate issuer = Objects.requireNonNull(this.issuerCertificate, "issuerCertificate");
-
-        final BigInteger serial = certificate.getSerialNumber();
-
-        final CertificateID certId = new CertificateID(calculator,
-            new X509CertificateHolder(issuer.getEncoded()), serial);
-
         final OCSPReqBuilder builder = new OCSPReqBuilder();
-        builder.addRequest(certId);
+        builder.addRequest(Objects.requireNonNull(certificateId, "certificateId"));
 
         if (ocspNonceEnabled) {
             addNonce(builder);
@@ -122,16 +95,13 @@ public OCSPReq build() throws OCSPException, IOException, CertificateEncodingExc
     }
 
     private void addNonce(OCSPReqBuilder builder) {
-        final SecureRandom generator = Objects.requireNonNull(this.randomGenerator, "randomGenerator");
-
         final byte[] nonce = new byte[8];
-        generator.nextBytes(nonce);
+        GENERATOR.nextBytes(nonce);
 
         final Extension[] extensions = new Extension[]{
             new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false,
                 new DEROctetString(nonce))
         };
-
         builder.setRequestExtensions(new Extensions(extensions));
     }
 

src/main/java/org/webeid/security/validator/ocsp/OcspRequestBuilder.java

@@ -0,0 +1,36 @@
+package org.webeid.security.validator.ocsp;
+
+import org.webeid.security.exceptions.UserCertificateRevocationCheckFailedException;
+import org.webeid.security.validator.ocsp.service.AiaOcspService;
+import org.webeid.security.validator.ocsp.service.AiaOcspServiceConfiguration;
+import org.webeid.security.validator.ocsp.service.DesignatedOcspService;
+import org.webeid.security.validator.ocsp.service.DesignatedOcspServiceConfiguration;
+import org.webeid.security.validator.ocsp.service.OcspService;
+
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+
+public class OcspServiceProvider {
+
+    private final DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration;
+    private final AiaOcspServiceConfiguration aiaOcspServiceConfiguration;
+
+    public OcspServiceProvider(DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration) {
+        this.designatedOcspServiceConfiguration = designatedOcspServiceConfiguration;
+        this.aiaOcspServiceConfiguration = null;
+    }
+
+    public OcspServiceProvider(AiaOcspServiceConfiguration aiaOcspServiceConfiguration) {
+        this.aiaOcspServiceConfiguration = aiaOcspServiceConfiguration;
+        this.designatedOcspServiceConfiguration = null;
+    }
+
+    public OcspService getService(X509Certificate certificate) throws UserCertificateRevocationCheckFailedException, IOException {
+        if (designatedOcspServiceConfiguration != null) {
+            return new DesignatedOcspService(designatedOcspServiceConfiguration);
+        } else {
+            return new AiaOcspService(aiaOcspServiceConfiguration, certificate);
+        }
+    }
+
+}

src/main/java/org/webeid/security/validator/ocsp/OcspServiceProvider.java

@@ -0,0 +1,33 @@
+package org.webeid.security.validator.ocsp.service;
+
+import java.net.URI;
+import java.security.cert.X509Certificate;
+
+public class AiaOcspResponderConfiguration {
+
+    private final URI responderUrl;
+    private final X509Certificate responderTrustedCACertificate;
+    private final boolean doesSupportNonce;
+
+    public AiaOcspResponderConfiguration(URI responderUrl, X509Certificate responderTrustedCACertificate, boolean doesSupportNonce) {
+        this.responderUrl = responderUrl;
+        this.responderTrustedCACertificate = responderTrustedCACertificate;
+        this.doesSupportNonce = doesSupportNonce;
+    }
+
+    public AiaOcspResponderConfiguration(URI responderUrl, X509Certificate responderTrustedCACertificate) {
+        this(responderUrl, responderTrustedCACertificate, true);
+    }
+
+    public boolean doesSupportNonce() {
+        return doesSupportNonce;
+    }
+
+    public X509Certificate getResponderTrustedCACertificate() {
+        return responderTrustedCACertificate;
+    }
+
+    public URI getResponderUrl() {
+        return responderUrl;
+    }
+}