web-eid
diff --git a/‎src/main/java/eu/webeid/ocsp/service/FallbackOcspService.java‎
Lines changed: 29 additions & 6 deletions b/‎src/main/java/eu/webeid/ocsp/service/FallbackOcspService.java‎
Lines changed: 29 additions & 6 deletions
diff --git a/‎src/main/java/eu/webeid/ocsp/service/FallbackOcspServiceConfiguration.java‎
Lines changed: 28 additions & 3 deletions b/‎src/main/java/eu/webeid/ocsp/service/FallbackOcspServiceConfiguration.java‎
Lines changed: 28 additions & 3 deletions
diff --git a/‎src/main/java/eu/webeid/ocsp/service/OcspServiceProvider.java‎
Lines changed: 1 addition & 3 deletions b/‎src/main/java/eu/webeid/ocsp/service/OcspServiceProvider.java‎
Lines changed: 1 addition & 3 deletions
@@ -23,14 +23,20 @@
 package eu.webeid.ocsp.service;
 
 import eu.webeid.ocsp.exceptions.OCSPCertificateException;
+import eu.webeid.ocsp.protocol.OcspResponseValidator;
+import eu.webeid.security.certificate.CertificateValidator;
 import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.validator.revocationcheck.RevocationMode;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 
 import java.net.URI;
+import java.security.cert.CertStore;
 import java.security.cert.CertificateException;
+import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.util.Date;
+import java.util.Set;
 
 
 import static eu.webeid.security.certificate.CertificateValidator.requireCertificateIsValidOnDate;
@@ -42,6 +48,8 @@ public class FallbackOcspService implements OcspService {
  private final boolean supportsNonce;
  private final X509Certificate trustedResponderCertificate;
  private final FallbackOcspService nextFallback;
+ private final Set<TrustAnchor> trustedCACertificateAnchors;
+ private final CertStore trustedCACertificateCertStore;
 
  public FallbackOcspService(FallbackOcspServiceConfiguration configuration) {
  this.url = configuration.getAccessLocation();
@@ -50,6 +58,8 @@ public FallbackOcspService(FallbackOcspServiceConfiguration configuration) {
  this.nextFallback = configuration.getNextFallbackConfiguration() != null
  ? new FallbackOcspService(configuration.getNextFallbackConfiguration())
  : null;
+ this.trustedCACertificateAnchors = configuration.getTrustedCACertificateAnchors();
+ this.trustedCACertificateCertStore = configuration.getTrustedCACertificateCertStore();
  }
 
  @Override
@@ -66,13 +76,26 @@ public URI getAccessLocation() {
  public void validateResponderCertificate(X509CertificateHolder cert, Date now) throws AuthTokenException {
  try {
  final X509Certificate responderCertificate = certificateConverter.getCertificate(cert);
- // Certificate pinning is implemented simply by comparing the certificates or their public keys,
- // see https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning.
- if (!trustedResponderCertificate.equals(responderCertificate)) {
- throw new OCSPCertificateException("Responder certificate from the OCSP response is not equal to " +
- "the configured fallback OCSP responder certificate");
- }
  requireCertificateIsValidOnDate(responderCertificate, now, "Fallback OCSP responder");
+ if (trustedResponderCertificate != null) {
+ // Certificate pinning is implemented simply by comparing the certificates or their public keys,
+ // see https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning.
+ if (!trustedResponderCertificate.equals(responderCertificate)) {
+ throw new OCSPCertificateException("Responder certificate from the OCSP response is not equal to " +
+ "the configured fallback OCSP responder certificate");
+ }
+ return;
+ }
+ OcspResponseValidator.validateHasSigningExtension(responderCertificate);
+ CertificateValidator.validateCertificateTrustAndRevocation(
+ responderCertificate,
+ trustedCACertificateAnchors,
+ trustedCACertificateCertStore,
+ now,
+ RevocationMode.DISABLED,
+ null,
+ null
+ );
  } catch (CertificateException e) {
  throw new OCSPCertificateException("X509CertificateHolder conversion to X509Certificate failed", e);
  }
 
@@ -26,24 +26,37 @@
 import eu.webeid.ocsp.protocol.OcspResponseValidator;
 
 import java.net.URI;
+import java.security.cert.CertStore;
+import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.util.Objects;
+import java.util.Set;
 
 public class FallbackOcspServiceConfiguration {
 
  private final URI accessLocation;
  private final X509Certificate responderCertificate;
  private final boolean doesSupportNonce;
  private final FallbackOcspServiceConfiguration nextFallbackConfiguration;
+ private final String issuerCN;
+ private final Set<TrustAnchor> trustedCACertificateAnchors;
+ private final CertStore trustedCACertificateCertStore;
 
  public FallbackOcspServiceConfiguration(URI accessLocation, X509Certificate responderCertificate,
  boolean doesSupportNonce,
- FallbackOcspServiceConfiguration nextFallbackConfiguration) throws OCSPCertificateException {
+ FallbackOcspServiceConfiguration nextFallbackConfiguration,
+ String issuerCN, Set<TrustAnchor> trustedCACertificateAnchors,
+ CertStore trustedCACertificateCertStore) throws OCSPCertificateException {
  this.accessLocation = Objects.requireNonNull(accessLocation, "Fallback OCSP service access location");
- this.responderCertificate = Objects.requireNonNull(responderCertificate, "Fallback OCSP responder certificate");
- OcspResponseValidator.validateHasSigningExtension(responderCertificate);
+ this.responderCertificate = responderCertificate;
+ if (responderCertificate != null) {
+ OcspResponseValidator.validateHasSigningExtension(responderCertificate);
+ }
  this.doesSupportNonce = doesSupportNonce;
  this.nextFallbackConfiguration = nextFallbackConfiguration;
+ this.issuerCN = issuerCN;
+ this.trustedCACertificateAnchors = Objects.requireNonNull(trustedCACertificateAnchors);
+ this.trustedCACertificateCertStore = Objects.requireNonNull(trustedCACertificateCertStore);
  }
 
  public URI getAccessLocation() {
@@ -61,4 +74,16 @@ public boolean doesSupportNonce() {
  public FallbackOcspServiceConfiguration getNextFallbackConfiguration() {
  return nextFallbackConfiguration;
  }
+
+ public String getIssuerCN() {
+ return issuerCN;
+ }
+
+ public Set<TrustAnchor> getTrustedCACertificateAnchors() {
+ return trustedCACertificateAnchors;
+ }
+
+ public CertStore getTrustedCACertificateCertStore() {
+ return trustedCACertificateCertStore;
+ }
 }
@@ -51,9 +51,7 @@ public OcspServiceProvider(DesignatedOcspServiceConfiguration designatedOcspServ
  this.aiaOcspServiceConfiguration = Objects.requireNonNull(aiaOcspServiceConfiguration, "aiaOcspServiceConfiguration");
  if (fallbackOcspServiceConfigurations != null) {
  for (FallbackOcspServiceConfiguration configuration : fallbackOcspServiceConfigurations) {
- String issuerCN = getIssuerCommonName(configuration.getResponderCertificate()).orElseThrow(() ->
- new RuntimeException("Certificate does not contain issuer CN"));
- fallbackOcspServiceMap.put(issuerCN, new FallbackOcspService(configuration));
+ fallbackOcspServiceMap.put(configuration.getIssuerCN(), new FallbackOcspService(configuration));
  }
  }
  }
Original file line number	Diff line number	Diff line change
`@@ -51,9 +51,7 @@ public OcspServiceProvider(DesignatedOcspServiceConfiguration designatedOcspServ`
`51`	`51`	`this.aiaOcspServiceConfiguration = Objects.requireNonNull(aiaOcspServiceConfiguration, "aiaOcspServiceConfiguration");`
`52`	`52`	`if (fallbackOcspServiceConfigurations != null) {`
`53`	`53`	`for (FallbackOcspServiceConfiguration configuration : fallbackOcspServiceConfigurations) {`
`54`		`- String issuerCN = getIssuerCommonName(configuration.getResponderCertificate()).orElseThrow(() ->`
`55`		`- new RuntimeException("Certificate does not contain issuer CN"));`
`56`		`- fallbackOcspServiceMap.put(issuerCN, new FallbackOcspService(configuration));`
	`54`	`+ fallbackOcspServiceMap.put(configuration.getIssuerCN(), new FallbackOcspService(configuration));`
`57`	`55`	`}`
`58`	`56`	`}`
`59`	`57`	`}`