Add resilient OCSP certificate revocation checker#99
Open
madislm wants to merge 24 commits intoweb-eid:WE2-1030-use-platform-ocspfrom
Open
Add resilient OCSP certificate revocation checker#99madislm wants to merge 24 commits intoweb-eid:WE2-1030-use-platform-ocspfrom
madislm wants to merge 24 commits intoweb-eid:WE2-1030-use-platform-ocspfrom
Conversation
madislm
force-pushed
the
AUT-2514
branch
2 times, most recently
from
0e6161a to
e927de2
Compare
madislm
force-pushed
the
AUT-2514
branch
5 times, most recently
from
e96286a to
a324e96
Compare
mrts
force-pushed
the
WE2-1030-use-platform-ocsp
branch
from
10a405b to
74e7af2
Compare
madislm
force-pushed
the
AUT-2514
branch
2 times, most recently
from
9cdcc89 to
ef4ae35
Compare
mrts
force-pushed
the
WE2-1030-use-platform-ocsp
branch
from
74e7af2 to
f55d636
Compare
Co-authored-by: Madis Jaagup Laurson <madisjaagup.laurson@nortal.com>
…OCSP certificate revocation checker Co-authored-by: Madis Jaagup Laurson <madisjaagup.laurson@nortal.com>
…n into eu.webeid.ocsp.service
mrts
requested changes
Mar 20, 2026
mrts
reviewed
Mar 20, 2026
…tificateRevocationChecker
…llows old OCSP responses
mrts
requested changes
Apr 14, 2026
|
|
||
| @Override | ||
| public Optional<FallbackOcspService> getFallbackService() { | ||
| return Optional.of(fallbackOcspService); |
Member
There was a problem hiding this comment.
fallbackOcspService can be null, so
Suggested change
| return Optional.of(fallbackOcspService); | |
| return Optional.ofNullable(fallbackOcspService); |
Optional.of(null) throws NPE while Optional.ofNullable(null) returns Optional.empty().
| } | ||
| this.doesSupportNonce = doesSupportNonce; | ||
| this.nextFallbackConfiguration = nextFallbackConfiguration; | ||
| this.issuerDN = issuerDN; |
Member
There was a problem hiding this comment.
Assert non-null check here as well, issuerDN can be misconfigured to null:
Suggested change
| this.issuerDN = issuerDN; | |
| this.issuerDN = Objects.requireNonNull(issuerDN, "issuerDN"); |
Comment on lines
+59
to
+60
| this.trustedCACertificateAnchors = Objects.requireNonNull(trustedCACertificateAnchors); | ||
| this.trustedCACertificateCertStore = Objects.requireNonNull(trustedCACertificateCertStore); |
Member
There was a problem hiding this comment.
Add parameter name to requireNonNull:
Suggested change
| this.trustedCACertificateAnchors = Objects.requireNonNull(trustedCACertificateAnchors); | |
| this.trustedCACertificateCertStore = Objects.requireNonNull(trustedCACertificateCertStore); | |
| this.trustedCACertificateAnchors = Objects.requireNonNull(trustedCACertificateAnchors, "trustedCACertificateAnchors"); | |
| this.trustedCACertificateCertStore = Objects.requireNonNull(trustedCACertificateCertStore, "trustedCACertificateCertStore"); |
Without it you will get a plain NPE with no message, with it a much more clear
java.lang.NullPointerException: trustedCACertificateAnchors
| package eu.webeid.ocsp; | ||
|
|
||
| import eu.webeid.ocsp.client.OcspClient; | ||
| import eu.webeid.ocsp.client.OcspClient;import eu.webeid.ocsp.exceptions.OCSPClientException; |
| @@ -26,7 +26,11 @@ | |||
|
|
|||
| public record RevocationInfo(URI ocspResponderUri, Map<String, Object> ocspResponseAttributes) { | |||
Member
There was a problem hiding this comment.
Should we make ocspResponseAttributes immutable with Map.copyOf()?
Also List<RevocationInfo> revocationInfoList should be immutable in ValidationInfo with List.copyOf().
Comment on lines
+11
to
+18
| public static Optional<X500Name> getIssuerDistinguishedName(X509Certificate certificate) { | ||
| Objects.requireNonNull(certificate, "certificate"); | ||
| String issuerDN = certificate.getIssuerX500Principal().getName(); | ||
| if (issuerDN.isEmpty()) { | ||
| return Optional.empty(); | ||
| } | ||
| return Optional.of(new X500Name(issuerDN)); | ||
| } |
Member
There was a problem hiding this comment.
As far as I understand, getIssuerX500Principal() does not return null for a valid X509Certificate, so Optional is probably not justified.
A cleaner helper that does not rely on string parsing would be:
Suggested change
| public static Optional<X500Name> getIssuerDistinguishedName(X509Certificate certificate) { | |
| Objects.requireNonNull(certificate, "certificate"); | |
| String issuerDN = certificate.getIssuerX500Principal().getName(); | |
| if (issuerDN.isEmpty()) { | |
| return Optional.empty(); | |
| } | |
| return Optional.of(new X500Name(issuerDN)); | |
| } | |
| public static X500Name getIssuerDistinguishedName(X509Certificate certificate) { | |
| Objects.requireNonNull(certificate, "certificate"); | |
| return X500Name.getInstance(certificate.getIssuerX500Principal().getEncoded()); | |
| } |
Comment on lines
+296
to
+305
| ResilientUserCertificateOCSPCheckFailedException exception = new ResilientUserCertificateOCSPCheckFailedException("Response status: " + ocspStatusToString(response.getStatus())); | ||
| RevocationInfo revocationInfo = new RevocationInfo(ocspService.getAccessLocation(), new HashMap<>(Map.ofEntries( | ||
| Map.entry(RevocationInfo.KEY_OCSP_ERROR, exception), | ||
| Map.entry(RevocationInfo.KEY_OCSP_REQUEST, request), | ||
| Map.entry(RevocationInfo.KEY_OCSP_RESPONSE, response), | ||
| Map.entry(RevocationInfo.KEY_REQUEST_DURATION, requestDuration), | ||
| Map.entry(RevocationInfo.KEY_OCSP_RESPONSE_TIME, responseTime) | ||
| ))); | ||
| exception.setValidationInfo(new ValidationInfo(subjectCertificate, List.of(revocationInfo))); | ||
| throw exception; |
Member
There was a problem hiding this comment.
Here and in other error cases below, the code could be simplified and made immutable-friendlier.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
AUT-2514
Signed-off-by: Madis Jaagup Laurson madisjaagup.laurson@nortal.com