Skip to content

Use platform OCSP implementation by default#95

Open
mrts wants to merge 2 commits intov4from
WE2-1030-use-platform-ocsp
Open

Use platform OCSP implementation by default#95
mrts wants to merge 2 commits intov4from
WE2-1030-use-platform-ocsp

Conversation

@mrts
Copy link
Member

@mrts mrts commented Dec 15, 2025

WE2-1030

Signed-off-by: Mart Somermaa mrts@users.noreply.github.com

@mrts mrts marked this pull request as draft December 15, 2025 13:58
@mrts mrts force-pushed the WE2-1030-use-platform-ocsp branch 6 times, most recently from ed385dd to 2c1de73 Compare December 16, 2025 13:49
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 16, 2025
View reviewed changes
src/main/java/eu/webeid/ocsp/DefaultOcspCertificateRevocationChecker.java Outdated
* @throws AuthTokenException when user certificate is revoked or revocation check fails.
*/
public void validateCertificateNotRevoked(X509Certificate subjectCertificate) throws AuthTokenException {
public RevocationInfo validateCertificateNotRevoked(X509Certificate subjectCertificate, X509Certificate issuerCertificate) throws AuthTokenException {

Check notice

Code scanning / CodeQL

Missing Override annotation

This method overrides [OcspCertificateRevocationChecker.validateCertificateNotRevoked](1); it is advisable to add an Override annotation.
src/test/java/eu/webeid/ocsp/client/OcspClientOverrideTest.java Outdated
private static class OcpClientThatThrowsException extends IOException {
}

public static AuthTokenValidator getAuthTokenValidatorWithOverriddenOcspClient(OcspClient ocspClient) throws CertificateException, JceException, IOException {

Check notice

Code scanning / CodeQL

Useless parameter

The parameter 'ocspClient' is never used.

Copilot Autofix

AI about 2 months ago

The best way to fix this problem is to remove the unused parameter from the method signature and update all method calls to stop passing the unnecessary argument. This keeps the code clean and prevents confusion for future maintainers. Specifically, in src/test/java/eu/webeid/ocsp/client/OcspClientOverrideTest.java, modify the signature of getAuthTokenValidatorWithOverriddenOcspClient to remove the OcspClient ocspClient parameter, and update invocations at lines 47 and 63 to call it without arguments. No additional imports or method definitions are required; only method signatures and usages need updating.

Suggested changeset 1
src/test/java/eu/webeid/ocsp/client/OcspClientOverrideTest.java

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/test/java/eu/webeid/ocsp/client/OcspClientOverrideTest.java b/src/test/java/eu/webeid/ocsp/client/OcspClientOverrideTest.java
--- a/src/test/java/eu/webeid/ocsp/client/OcspClientOverrideTest.java
+++ b/src/test/java/eu/webeid/ocsp/client/OcspClientOverrideTest.java
@@ -44,7 +44,7 @@
 
     @Test
     void whenOcspClientIsOverridden_thenItIsUsed() throws JceException, CertificateException, IOException {
-        final AuthTokenValidator validator = getAuthTokenValidatorWithOverriddenOcspClient(new OcpClientThatThrows());
+        final AuthTokenValidator validator = getAuthTokenValidatorWithOverriddenOcspClient();
         assertThatThrownBy(() -> validator.validate(validAuthToken, VALID_CHALLENGE_NONCE))
             .cause()
             .isInstanceOf(OcpClientThatThrowsException.class);
@@ -60,9 +60,7 @@
     @Test
     @Disabled("Demonstrates how to configure the built-in HttpClient instance for OcspClientImpl")
     void whenOcspClientIsConfiguredWithCustomHttpClient_thenOcspCallSucceeds() throws JceException, CertificateException, IOException {
-        final AuthTokenValidator validator = getAuthTokenValidatorWithOverriddenOcspClient(
-            new OcspClientImpl(HttpClient.newBuilder().build(), Duration.ofSeconds(5))
-        );
+        final AuthTokenValidator validator = getAuthTokenValidatorWithOverriddenOcspClient();
         assertThatCode(() -> validator.validate(validAuthToken, VALID_CHALLENGE_NONCE))
             .doesNotThrowAnyException();
     }
@@ -77,7 +75,7 @@
     private static class OcpClientThatThrowsException extends IOException {
     }
 
-    public static AuthTokenValidator getAuthTokenValidatorWithOverriddenOcspClient(OcspClient ocspClient) throws CertificateException, JceException, IOException {
+    public static AuthTokenValidator getAuthTokenValidatorWithOverriddenOcspClient() throws CertificateException, JceException, IOException {
         // FIXME: test override
         return AuthTokenValidators.getAuthTokenValidator();
     }
EOF
@@ -44,7 +44,7 @@

@Test
void whenOcspClientIsOverridden_thenItIsUsed() throws JceException, CertificateException, IOException {
final AuthTokenValidator validator = getAuthTokenValidatorWithOverriddenOcspClient(new OcpClientThatThrows());
final AuthTokenValidator validator = getAuthTokenValidatorWithOverriddenOcspClient();
assertThatThrownBy(() -> validator.validate(validAuthToken, VALID_CHALLENGE_NONCE))
.cause()
.isInstanceOf(OcpClientThatThrowsException.class);
@@ -60,9 +60,7 @@
@Test
@Disabled("Demonstrates how to configure the built-in HttpClient instance for OcspClientImpl")
void whenOcspClientIsConfiguredWithCustomHttpClient_thenOcspCallSucceeds() throws JceException, CertificateException, IOException {
final AuthTokenValidator validator = getAuthTokenValidatorWithOverriddenOcspClient(
new OcspClientImpl(HttpClient.newBuilder().build(), Duration.ofSeconds(5))
);
final AuthTokenValidator validator = getAuthTokenValidatorWithOverriddenOcspClient();
assertThatCode(() -> validator.validate(validAuthToken, VALID_CHALLENGE_NONCE))
.doesNotThrowAnyException();
}
@@ -77,7 +75,7 @@
private static class OcpClientThatThrowsException extends IOException {
}

public static AuthTokenValidator getAuthTokenValidatorWithOverriddenOcspClient(OcspClient ocspClient) throws CertificateException, JceException, IOException {
public static AuthTokenValidator getAuthTokenValidatorWithOverriddenOcspClient() throws CertificateException, JceException, IOException {
// FIXME: test override
return AuthTokenValidators.getAuthTokenValidator();
}
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
@mrts mrts changed the base branch from main to v4 December 16, 2025 13:56
@mrts mrts force-pushed the WE2-1030-use-platform-ocsp branch 7 times, most recently from 9f7fb95 to 2e783f3 Compare December 19, 2025 19:46
@mrts mrts force-pushed the WE2-1030-use-platform-ocsp branch 4 times, most recently from 20426da to 7e98567 Compare January 8, 2026 12:51
@mrts mrts force-pushed the WE2-1030-use-platform-ocsp branch 3 times, most recently from daf2a6c to d6eebea Compare January 20, 2026 14:34
@mrts mrts marked this pull request as ready for review January 20, 2026 14:35
@mrts mrts force-pushed the WE2-1030-use-platform-ocsp branch 3 times, most recently from b7b0220 to 10e86be Compare January 20, 2026 15:03
@mrts
Use plaform OCSP implementation by default, move custom OCSP implemen…
310224e 
…tation to eu.webeid.ocsp and make it optional

WE2-1030

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
@mrts mrts force-pushed the WE2-1030-use-platform-ocsp branch from 10e86be to 310224e Compare January 20, 2026 15:19
mrts
mrts commented Jan 26, 2026
View reviewed changes
src/main/java/eu/webeid/security/certificate/CertificateValidator.java
* depending on {@code revocationMode}.
* <p>
* Trust validation is performed by building a certification path from {@code certificate} to one of the
* configured {@code trustedCACertificateAnchors} using the supplied {@code trustedCACertificateCertStore}.
Copy link
Member Author

@mrts mrts Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add that it is assumed that the trust anchor is the intermediate certificate authority that is the issuer of the subject certificate.

@svenzik
refactor: replace NullPointerException with more suitable IllegalArgu…
10a405b 
…mentException

WE2-1030

Signed-off-by: Sven Mitt <svenzik@users.noreply.github.com>
@sonarqubecloud
Copy link

sonarqubecloud bot commented Feb 6, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
14 Accepted issues

Measures
0 Security Hotspots
84.9% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

svenzik
svenzik requested changes Feb 6, 2026
View reviewed changes
src/main/java/eu/webeid/ocsp/exceptions/OcspResponderUriMessage.java
if (ocspResponderUri == null) {
return message;
}
return message + " (OCSP responder: " + ocspResponderUri + ")";
Copy link
Contributor

@svenzik svenzik Feb 6, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This class name is OcspResponderUriMessage, but content is used like formatter.

First method argument is never null, Is this class even needed?

If it is, then

I suggest we rename the method formatResponderUri and class to OcspResponderUriMessageFormatter or similar.

I would suggest we improve API by having two methods, one for each usecase:

static String formatResponderUri(URI ocspResponderUri)
static String formatResponderUri(String message, URI ocspResponderUri)

Usage in code:
formatResponderUri(ocspResponderUri)
formatResponderUri("User certificate has been revoked", ocspResponderUri)

src/main/java/eu/webeid/security/certificate/CertificateValidator.java
final X509Certificate trustedCACert = result.getTrustAnchor().getTrustedCert();
List<RevocationInfo> revocationInfoList = List.of();

switch (revocationMode) {
Copy link
Contributor

@svenzik svenzik Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assigning a variable revocationInfoList and returning it later is a code smell.

This switch should be refactored into a separate method.

For example:

            List<RevocationInfo> revocationInfoList = getRevocationInfos(revocationMode, certificateRevocationChecker, customPkixRevocationChecker, pkixBuilderParameters, certPathBuilder);

This allows the code flow at the end of the method to be more readable:

            if (revocationMode == RevocationMode.CUSTOM_CHECKER) {
                if (!certificate.getIssuerX500Principal().equals(trustedCACert.getSubjectX500Principal())) {
                    throw new IllegalStateException(
                            "Trust anchor is not the issuer of the subject certificate, check your configured certificate authorities. " +
                                    "Subject issuer=" + certificate.getIssuerX500Principal() +
                                    ", trust anchor subject=" + trustedCACert.getSubjectX500Principal()
                    );
                }
                return certificateRevocationChecker.validateCertificateNotRevoked(certificate, trustedCACert);
            } else {
                return getRevocationInfos(revocationMode, certificateRevocationChecker, customPkixRevocationChecker, pkixBuilderParameters, certPathBuilder);
            }

This will make code readable, the method responsiblity is now to choose between custom or default implementation and default implementation is properly isolated into method.

NB! Spring usually introduces a delegator pattern, which only purpose is to choose which implementation to use. Currently this class chooses the implementation and is the default implementation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@svenzik svenzik svenzik requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mrts @svenzik