Add resilient OCSP certificate revocation checker

pom.xml

@@ -16,6 +16,7 @@
         <bouncycastle.version>1.81</bouncycastle.version>
         <jackson.version>2.19.1</jackson.version>
         <slf4j.version>2.0.17</slf4j.version>
+        <resilience4j.version>2.3.0</resilience4j.version>
         <junit-jupiter.version>5.13.3</junit-jupiter.version>
         <assertj.version>3.27.3</assertj.version>
         <mockito.version>5.18.0</mockito.version>
@@ -65,6 +66,34 @@
             <artifactId>bcpkix-jdk18on</artifactId>
             <version>${bouncycastle.version}</version>
         </dependency>
+        <dependency>
+            <groupId>io.github.resilience4j</groupId>
+            <artifactId>resilience4j-all</artifactId>
+            <version>${resilience4j.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>io.github.resilience4j</groupId>
+                    <artifactId>resilience4j-bulkhead</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>io.github.resilience4j</groupId>
+                    <artifactId>resilience4j-cache</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>io.github.resilience4j</groupId>
+                    <artifactId>resilience4j-ratelimiter</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>io.github.resilience4j</groupId>
+                    <artifactId>resilience4j-timelimiter</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>io.github.resilience4j</groupId>
+            <artifactId>resilience4j-vavr</artifactId>
+            <version>${resilience4j.version}</version>
+        </dependency>
 
         <dependency>
             <groupId>org.junit.jupiter</groupId>

src/main/java/eu/webeid/ocsp/OcspCertificateRevocationChecker.java

@@ -64,7 +64,7 @@
 import static eu.webeid.security.util.DateAndTime.requirePositiveDuration;
 import static java.util.Objects.requireNonNull;
 
-public final class OcspCertificateRevocationChecker implements CertificateRevocationChecker {
+public class OcspCertificateRevocationChecker implements CertificateRevocationChecker {
 
     public static final Duration DEFAULT_TIME_SKEW = Duration.ofMinutes(15);
     public static final Duration DEFAULT_THIS_UPDATE_AGE = Duration.ofMinutes(2);
@@ -131,7 +131,7 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
             }
             LOG.debug("OCSP response received successfully");
 
-            verifyOcspResponse(basicResponse, ocspService, certificateId);
+            verifyOcspResponse(basicResponse, ocspService, certificateId, false, false);
             if (ocspService.doesSupportNonce()) {
                 checkNonce(request, basicResponse, ocspResponderUri);
             }
@@ -144,7 +144,7 @@ public List<RevocationInfo> validateCertificateNotRevoked(X509Certificate subjec
         }
     }
 
-    private void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, CertificateID requestCertificateId) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {
+    protected void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspService, CertificateID requestCertificateId, boolean rejectUnknownOcspResponseStatus, boolean allowThisUpdateInPast) throws AuthTokenException, OCSPException, CertificateException, OperatorCreationException {
         // The verification algorithm follows RFC 2560, https://www.ietf.org/rfc/rfc2560.txt.
         //
         // 3.2.  Signed Response Acceptance Requirements
@@ -195,14 +195,14 @@ private void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspSer
         //      be available about the status of the certificate (nextUpdate) is
         //      greater than the current time.
 
-        OcspResponseValidator.validateCertificateStatusUpdateTime(certStatusResponse, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge, ocspService.getAccessLocation());
+        OcspResponseValidator.validateCertificateStatusUpdateTime(certStatusResponse, allowedOcspResponseTimeSkew, maxOcspResponseThisUpdateAge, ocspService.getAccessLocation(), allowThisUpdateInPast);
 
         // Now we can accept the signed response as valid and validate the certificate status.
-        OcspResponseValidator.validateSubjectCertificateStatus(certStatusResponse, ocspService.getAccessLocation());
+        OcspResponseValidator.validateSubjectCertificateStatus(certStatusResponse, ocspService.getAccessLocation(), rejectUnknownOcspResponseStatus);
         LOG.debug("OCSP check result is GOOD");
     }
 
-    private static void checkNonce(OCSPReq request, BasicOCSPResp response, URI ocspResponderUri) throws UserCertificateOCSPCheckFailedException {
+    protected static void checkNonce(OCSPReq request, BasicOCSPResp response, URI ocspResponderUri) throws UserCertificateOCSPCheckFailedException {
         final Extension requestNonce = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
         final Extension responseNonce = response.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
         if (requestNonce == null || responseNonce == null) {
@@ -215,14 +215,14 @@ private static void checkNonce(OCSPReq request, BasicOCSPResp response, URI ocsp
         }
     }
 
-    private static CertificateID getCertificateId(X509Certificate subjectCertificate, X509Certificate issuerCertificate) throws CertificateEncodingException, IOException, OCSPException {
+    protected static CertificateID getCertificateId(X509Certificate subjectCertificate, X509Certificate issuerCertificate) throws CertificateEncodingException, IOException, OCSPException {
         final BigInteger serial = subjectCertificate.getSerialNumber();
         final DigestCalculator digestCalculator = DigestCalculatorImpl.sha1();
         return new CertificateID(digestCalculator,
             new X509CertificateHolder(issuerCertificate.getEncoded()), serial);
     }
 
-    private static String ocspStatusToString(int status) {
+    protected static String ocspStatusToString(int status) {
         return switch (status) {
             case OCSPResp.MALFORMED_REQUEST -> "malformed request";
             case OCSPResp.INTERNAL_ERROR -> "internal error";
@@ -233,4 +233,11 @@ private static String ocspStatusToString(int status) {
         };
     }
 
+    protected OcspClient getOcspClient() {
+        return ocspClient;
+    }
+
+    protected OcspServiceProvider getOcspServiceProvider() {
+        return ocspServiceProvider;
+    }
 }

src/main/java/eu/webeid/ocsp/client/OcspClient.java

@@ -22,14 +22,14 @@
 
 package eu.webeid.ocsp.client;
 
+import eu.webeid.ocsp.exceptions.OCSPClientException;
 import org.bouncycastle.cert.ocsp.OCSPReq;
 import org.bouncycastle.cert.ocsp.OCSPResp;
 
-import java.io.IOException;
 import java.net.URI;
 
 public interface OcspClient {
 
-    OCSPResp request(URI url, OCSPReq request) throws IOException;
+    OCSPResp request(URI url, OCSPReq request) throws OCSPClientException;
 
 }

src/main/java/eu/webeid/ocsp/client/OcspClientImpl.java

@@ -22,6 +22,7 @@
 
 package eu.webeid.ocsp.client;
 
+import eu.webeid.ocsp.exceptions.OCSPClientException;
 import org.bouncycastle.cert.ocsp.OCSPReq;
 import org.bouncycastle.cert.ocsp.OCSPResp;
 import org.slf4j.Logger;
@@ -62,15 +63,21 @@ public static OcspClient build(Duration ocspRequestTimeout) {
      * @param uri     OCSP server URL
      * @param ocspReq OCSP request
      * @return OCSP response from the server
-     * @throws IOException if the request could not be executed due to cancellation, a connectivity problem or timeout,
+     * @throws OCSPClientException if the request could not be executed due to cancellation, a connectivity problem or timeout,
      *                     or if the response status is not successful, or if response has wrong content type.
      */
     @Override
-    public OCSPResp request(URI uri, OCSPReq ocspReq) throws IOException {
+    public OCSPResp request(URI uri, OCSPReq ocspReq) throws OCSPClientException {
+        byte[] encodedOcspReq;
+        try {
+            encodedOcspReq = ocspReq.getEncoded();
+        } catch (IOException e) {
+            throw new OCSPClientException(e);
+        }
         final HttpRequest request = HttpRequest.newBuilder()
             .uri(uri)
             .header(CONTENT_TYPE, OCSP_REQUEST_TYPE)
-            .POST(HttpRequest.BodyPublishers.ofByteArray(ocspReq.getEncoded()))
+            .POST(HttpRequest.BodyPublishers.ofByteArray(encodedOcspReq))
             .timeout(ocspRequestTimeout)
             .build();
 
@@ -79,19 +86,28 @@ public OCSPResp request(URI uri, OCSPReq ocspReq) throws IOException {
             response = httpClient.send(request, HttpResponse.BodyHandlers.ofByteArray());
         } catch (InterruptedException e) {
             Thread.currentThread().interrupt();
-            throw new IOException("Interrupted while sending OCSP request", e);
+            throw new OCSPClientException("Interrupted while sending OCSP request", e);
+        } catch (IOException e) {
+            throw new OCSPClientException(e);
         }
 
         if (response.statusCode() != 200) {
-            throw new IOException("OCSP request was not successful, response: " + response);
+            throw new OCSPClientException("OCSP request was not successful", response.body(), response.statusCode());
         } else {
             LOG.debug("OCSP response: {}", response);
         }
         final String contentType = response.headers().firstValue(CONTENT_TYPE).orElse("");
         if (!contentType.startsWith(OCSP_RESPONSE_TYPE)) {
-            throw new IOException("OCSP response content type is not " + OCSP_RESPONSE_TYPE);
+            throw new OCSPClientException("OCSP response content type is not " + OCSP_RESPONSE_TYPE);
+        }
+
+        OCSPResp ocspResp;
+        try {
+            ocspResp = new OCSPResp(response.body());
+        } catch (IOException e) {
+            throw new OCSPClientException(e);
         }
-        return new OCSPResp(response.body());
+        return ocspResp;
     }
 
     public OcspClientImpl(HttpClient httpClient, Duration ocspRequestTimeout) {

src/main/java/eu/webeid/ocsp/exceptions/OCSPClientException.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.ocsp.exceptions;
+
+public class OCSPClientException extends RuntimeException {
+
+    private byte[] responseBody;
+
+    private Integer statusCode;
+
+    public OCSPClientException() {
+    }
+
+    public OCSPClientException(String message) {
+        super(message);
+    }
+
+    public OCSPClientException(Throwable cause) {
+        super(cause);
+    }
+
+    public OCSPClientException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public OCSPClientException(String message, byte[] responseBody, int statusCode) {
+        super(message);
+        this.responseBody = responseBody;
+        this.statusCode = statusCode;
+    }
+
+    public byte[] getResponseBody() {
+        return responseBody;
+    }
+
+    public Integer getStatusCode() {
+        return statusCode;
+    }
+}

src/main/java/eu/webeid/ocsp/exceptions/UserCertificateOCSPCheckFailedException.java

@@ -33,6 +33,10 @@
  */
 public class UserCertificateOCSPCheckFailedException extends AuthTokenException {
 
+    public UserCertificateOCSPCheckFailedException() {
+        super("User certificate revocation check has failed");
+    }
+
     public UserCertificateOCSPCheckFailedException(Throwable cause, URI ocspResponderUri) {
         super(appendResponderUri("User certificate revocation check has failed", ocspResponderUri), cause);
     }

src/main/java/eu/webeid/ocsp/exceptions/UserCertificateRevokedException.java

@@ -33,6 +33,10 @@
  */
 public class UserCertificateRevokedException extends AuthTokenException {
 
+    public UserCertificateRevokedException() {
+        super("User certificate has been revoked");
+    }
+
     public UserCertificateRevokedException(URI ocspResponderUri) {
         super(appendResponderUri("User certificate has been revoked", ocspResponderUri));
     }

src/main/java/eu/webeid/ocsp/exceptions/UserCertificateUnknownException.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.ocsp.exceptions;
+
+import eu.webeid.security.exceptions.AuthTokenException;
+
+import java.net.URI;
+
+import static eu.webeid.ocsp.exceptions.OcspResponderUriMessageAppender.appendResponderUri;
+
+public class UserCertificateUnknownException extends AuthTokenException {
+
+    public UserCertificateUnknownException(String msg, URI ocspResponderUri) {
+        super(appendResponderUri("User certificate status is unknown: " + msg, ocspResponderUri));
+    }
+}

src/main/java/eu/webeid/ocsp/protocol/IssuerCommonName.java

@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.ocsp.protocol;
+
+import org.bouncycastle.asn1.x500.RDN;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
+
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.Objects;
+import java.util.Optional;
+
+public class IssuerCommonName {
+
+    public static Optional<String> getIssuerCommonName(X509Certificate certificate) {
+        Objects.requireNonNull(certificate, "certificate");
+        try {
+            X500Name x500Name = new JcaX509CertificateHolder(certificate).getIssuer();
+            final RDN cn = x500Name.getRDNs(BCStyle.CN)[0];
+            return Optional.of(IETFUtils.valueToString(cn.getFirst().getValue()));
+        } catch (CertificateEncodingException e) {
+            return Optional.empty();
+        }
+    }
+
+    private IssuerCommonName() {
+        throw new IllegalStateException("Utility class");
+    }
+}