Add resilient OCSP certificate revocation checker#99
Add resilient OCSP certificate revocation checker#99madislm wants to merge 24 commits intoweb-eid:WE2-1030-use-platform-ocspfrom
Conversation
madislm
force-pushed
the
AUT-2514
branch
2 times, most recently
from
0e6161a to
e927de2
Compare
madislm
force-pushed
the
AUT-2514
branch
5 times, most recently
from
e96286a to
a324e96
Compare
mrts
force-pushed
the
WE2-1030-use-platform-ocsp
branch
from
10a405b to
74e7af2
Compare
madislm
force-pushed
the
AUT-2514
branch
2 times, most recently
from
9cdcc89 to
ef4ae35
Compare
mrts
force-pushed
the
WE2-1030-use-platform-ocsp
branch
from
74e7af2 to
f55d636
Compare
Co-authored-by: Madis Jaagup Laurson <madisjaagup.laurson@nortal.com>
…OCSP certificate revocation checker Co-authored-by: Madis Jaagup Laurson <madisjaagup.laurson@nortal.com>
…n into eu.webeid.ocsp.service
| throw new OCSPCertificateException("Responder certificate from the OCSP response is not equal to " + | ||
| "the configured fallback OCSP responder certificate"); | ||
| } | ||
| return; |
There was a problem hiding this comment.
The early return is not wrong, but it would perhaps be clearer to structure pinned and trusted CA validation as explicit branches:
if (trustedResponderCertificate != null) {
validatePinnedResponderCertificate(responderCertificate);
} else {
validateResponderCertificateAgainstTrustedCa(responderCertificate, now);
}There was a problem hiding this comment.
Created separate branches and methods.
| void validateResponderCertificate(X509CertificateHolder cert, Date now) throws AuthTokenException; | ||
|
|
||
| default FallbackOcspService getFallbackService() { | ||
| return null; |
There was a problem hiding this comment.
Returning null from the default getFallbackService() is not ideal as absence of a fallback is part of the contract. Optional would express that perhaps more clearly.
There was a problem hiding this comment.
Now using Optional for that purpose.
There was a problem hiding this comment.
Shouldn't you catch OCSPClientException here as well, is the IOException catch still needed?
There was a problem hiding this comment.
Added OCSPClientException; IOException is thrown by getCertificateId.
| "latest allowed: '" + latestAcceptableTimeSkew + "'", ocspResponderUri); | ||
| } | ||
| if (thisUpdate.isBefore(minimumValidThisUpdateTime)) { | ||
| if (!allowThisUpdateInPast && thisUpdate.isBefore(minimumValidThisUpdateTime)) { |
There was a problem hiding this comment.
allowThisUpdateInPast = true is used in fallback mode, this means accepting indefinitely stale OCSP responses, which is a security risk.
My preference would be that primary OCSP uses the current short age limit and fallback OCSP uses a configurable separate, much larger maxThisUpdateAge (90 days or whatnot) and there is no boolean bypass.
There was a problem hiding this comment.
Added a separate fallbackMaxOcspResponseThisUpdateAge parameter and removed the flag.
| Objects.requireNonNull(certificate, "certificate"); | ||
| try { | ||
| X500Name x500Name = new JcaX509CertificateHolder(certificate).getIssuer(); | ||
| final RDN cn = x500Name.getRDNs(BCStyle.CN)[0]; |
There was a problem hiding this comment.
This will throw ArrayIndexOutOfBoundsException on certificates without CN.
There was a problem hiding this comment.
Does not apply after moving to distinguished names.
|
|
||
| public class IssuerCommonName { | ||
|
|
||
| public static Optional<String> getIssuerCommonName(X509Certificate certificate) { |
There was a problem hiding this comment.
Using only Common Name seems error-prone, using the full normalized Distinguished Name seems much safer.
For example, in the following (hypothetical) case there would be CN collision, but DN would work:
CN=ESTEID2025, O=AS Sertifitseerimiskeskus, C=EE
CN=ESTEID2025, O=Zetes Estonia OÜ, C=EE
This applies to all locations where CN is used for lookup like OcspServiceProvider, AiaOcspService, FallbackOcspServiceConfiguration and AiaOcspServiceConfiguration.
There was a problem hiding this comment.
Now using DNs for all lookups that used CNs.
|
|
||
| public class OCSPClientException extends RuntimeException { | ||
|
|
||
| private byte[] responseBody; |
There was a problem hiding this comment.
The fields should be final/immutable.
|
|
||
| package eu.webeid.ocsp.exceptions; | ||
|
|
||
| public class OCSPClientException extends RuntimeException { |
There was a problem hiding this comment.
OCSPClientException looks more like a checked exception than a RuntimeException. Failures are part of the OcspClient contract and callers are supposed to handle them rather than let them escape accidentally.
| public class OCSPClientException extends RuntimeException { | |
| public class OCSPClientException extends Exception { |
There was a problem hiding this comment.
Made it an Exception instead of a RuntimeException.
…tificateRevocationChecker
…llows old OCSP responses
3 participants
AUT-2514
Signed-off-by: Madis Jaagup Laurson madisjaagup.laurson@nortal.com