Add resilient OCSP certificate revocation checker#99
Open
madislm wants to merge 31 commits intoweb-eid:WE2-1030-use-platform-ocspfrom
Open
Add resilient OCSP certificate revocation checker#99madislm wants to merge 31 commits intoweb-eid:WE2-1030-use-platform-ocspfrom
madislm wants to merge 31 commits intoweb-eid:WE2-1030-use-platform-ocspfrom
Conversation
madislm
force-pushed
the
AUT-2514
branch
2 times, most recently
from
0e6161a to
e927de2
Compare
madislm
force-pushed
the
AUT-2514
branch
5 times, most recently
from
e96286a to
a324e96
Compare
mrts
force-pushed
the
WE2-1030-use-platform-ocsp
branch
from
10a405b to
74e7af2
Compare
madislm
force-pushed
the
AUT-2514
branch
2 times, most recently
from
9cdcc89 to
ef4ae35
Compare
mrts
force-pushed
the
WE2-1030-use-platform-ocsp
branch
from
74e7af2 to
f55d636
Compare
Co-authored-by: Madis Jaagup Laurson <madisjaagup.laurson@nortal.com>
…OCSP certificate revocation checker Co-authored-by: Madis Jaagup Laurson <madisjaagup.laurson@nortal.com>
…n into eu.webeid.ocsp.service
mrts
requested changes
Mar 20, 2026
mrts
reviewed
Mar 20, 2026
…tificateRevocationChecker
…llows old OCSP responses
mrts
requested changes
Apr 14, 2026
…tificateRevocationChecker
mrts
requested changes
Apr 24, 2026
| */ | ||
| package eu.webeid.security.validator.revocationcheck; | ||
|
|
||
| import eu.webeid.resilientocsp.ResilientOcspCertificateRevocationChecker; |
Member
There was a problem hiding this comment.
Avoid depending on resilientocsp here, this creates a cyclic dependency between two separate libraries.
| // Users must not be able to modify this value. | ||
| .ignoreExceptions(ResilientUserCertificateRevokedException.class) | ||
| .build(); | ||
| } |
Member
There was a problem hiding this comment.
Let's move the helpers from RevocationInfo here:
Suggested change
| } | |
| } | |
| private static RevocationInfo withOcspResponse(RevocationInfo revocationInfo, byte[] ocspResponse) { | |
| return revocationInfo.withAdditionalOcspResponseAttribute(RevocationInfo.KEY_OCSP_RESPONSE, ocspResponse); | |
| } | |
| private static RevocationInfo withHttpStatusCode(RevocationInfo revocationInfo, Integer statusCode) { | |
| return revocationInfo.withAdditionalOcspResponseAttribute(RevocationInfo.KEY_HTTP_STATUS_CODE, statusCode); | |
| } | |
| private static RevocationInfo withCircuitBreakerStatistics(RevocationInfo revocationInfo, CircuitBreakerStatistics circuitBreakerStatistics) { | |
| return revocationInfo.withAdditionalOcspResponseAttribute(RevocationInfo.KEY_CIRCUIT_BREAKER_STATISTICS, circuitBreakerStatistics); | |
| } |
| if (result.isSuccess()) { | ||
| RevocationInfo revocationInfo = result.get(); | ||
| if (revocationInfoList.isEmpty()) { | ||
| revocationInfo = revocationInfo.withCircuitBreakerStatistics(circuitBreakerStatistics); |
Member
There was a problem hiding this comment.
Use the local helper instead:
Suggested change
| revocationInfo = revocationInfo.withCircuitBreakerStatistics(circuitBreakerStatistics); | |
| revocationInfo = withCircuitBreakerStatistics(revocationInfo, circuitBreakerStatistics); |
Comment on lines
+46
to
+57
|
|
||
| public RevocationInfo withCircuitBreakerStatistics(ResilientOcspCertificateRevocationChecker.CircuitBreakerStatistics circuitBreakerStatistics) { | ||
| return withAdditionalField(KEY_CIRCUIT_BREAKER_STATISTICS, circuitBreakerStatistics); | ||
| } | ||
|
|
||
| public RevocationInfo withOcspResponse(byte[] ocspResponse) { | ||
| return withAdditionalField(KEY_OCSP_RESPONSE, ocspResponse); | ||
| } | ||
|
|
||
| public RevocationInfo withHttpStatusCode(Integer statusCode) { | ||
| return withAdditionalField(KEY_HTTP_STATUS_CODE, statusCode); | ||
| } |
Member
There was a problem hiding this comment.
As circuit breaker is not conceptually part of the base library, it is best to move these methods to ResilientOcspCertificateRevocationChecker.
Suggested change
| public RevocationInfo withCircuitBreakerStatistics(ResilientOcspCertificateRevocationChecker.CircuitBreakerStatistics circuitBreakerStatistics) { | |
| return withAdditionalField(KEY_CIRCUIT_BREAKER_STATISTICS, circuitBreakerStatistics); | |
| } | |
| public RevocationInfo withOcspResponse(byte[] ocspResponse) { | |
| return withAdditionalField(KEY_OCSP_RESPONSE, ocspResponse); | |
| } | |
| public RevocationInfo withHttpStatusCode(Integer statusCode) { | |
| return withAdditionalField(KEY_HTTP_STATUS_CODE, statusCode); | |
| } |
| } | ||
|
|
||
| } No newline at end of file | ||
| private RevocationInfo withAdditionalField(String key, Object value) { |
| if (value == null) { | ||
| return this; | ||
| } | ||
| Map<String, Object> newOcspResponseAttributes = new HashMap<>(ocspResponseAttributes); |
Member
There was a problem hiding this comment.
ocspResponseAttributes can be null, so null check is needed here:
Suggested change
| Map<String, Object> newOcspResponseAttributes = new HashMap<>(ocspResponseAttributes); | |
| Map<String, Object> newOcspResponseAttributes = ocspResponseAttributes != null | |
| ? new HashMap<>(ocspResponseAttributes) | |
| : new HashMap<>(); |
new HashMap<>(null) throws NullPointerException.
| CircuitBreaker circuitBreaker = circuitBreakerRegistry.circuitBreaker(primaryService.getAccessLocation().toASCIIString()); | ||
|
|
||
| Optional<FallbackOcspService> firstFallbackServiceOpt = primaryService.getFallbackService(); | ||
| if (firstFallbackServiceOpt.isEmpty()) { |
Member
There was a problem hiding this comment.
I think a comment here is needed to clarify that without a configured fallback the primary service is used directly:
Suggested change
| if (firstFallbackServiceOpt.isEmpty()) { | |
| if (firstFallbackServiceOpt.isEmpty()) { | |
| // Without a configured fallback, use the primary service directly without retry or circuit-breaker. |
As this is may be non-obvious, maybe add this to the class-level Javadoc as well:
/**
* OCSP revocation checker that falls back to configured fallback OCSP responders when the primary OCSP service fails.
*
* <p>Retry and circuit-breaker handling are applied only when a fallback OCSP service is configured for the
* certificate issuer. If no fallback is configured, validation is handled by the primary OCSP service directly.
*/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
AUT-2514
Signed-off-by: Madis Jaagup Laurson madisjaagup.laurson@nortal.com