v3.0.0

ReleaseNotes.md

@@ -2,6 +2,14 @@
 
 # Release notes GemLibPki
 
+## Release 3.0.0
+
+- implements Afo A_23225 (OCSP Caching)
+- tolerances of producedAt in OCSP responses can be configured
+- API change of TucPki001Verifier: see TucPki001VerifierTest for usage
+- API change of TucPki018Verifier: see TucPki018VerifierTest for usage
+- refactor OcspTransceiver and OcspValidator to reduce coupling and responsibilities
+
 ## Release 2.1.8
 
 - fix required Java version in pom.xml

pom.xml

@@ -4,7 +4,7 @@
 
   <groupId>de.gematik.pki</groupId>
   <artifactId>gemLibPki</artifactId>
-  <version>2.1.8</version>
+  <version>3.0.0</version>
   <packaging>jar</packaging>
   <name>GemLibPki</name>
   <description>library for implementation and tests of the gematik pki specification</description>
@@ -44,7 +44,7 @@
   </issueManagement>
 
   <properties>
-    <project.build.outputTimestamp>1727789919</project.build.outputTimestamp>
+    <project.build.outputTimestamp>1731082890</project.build.outputTimestamp>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <maven.compiler.encoding>${project.build.sourceEncoding}</maven.compiler.encoding>
     <java.version>17</java.version>
@@ -53,17 +53,17 @@
     <!-- dependencies -->
     <version.assertj>3.26.3</version.assertj>
     <version.awaitility>4.2.2</version.awaitility>
-    <version.bouncycastle>1.78.1</version.bouncycastle>
+    <version.bouncycastle>1.79</version.bouncycastle>
     <version.commons-lang3>3.17.0</version.commons-lang3>
     <version.dss-tsl-validation>6.1</version.dss-tsl-validation>
     <version.jakarta.xml.bind-api>4.0.2</version.jakarta.xml.bind-api>
-    <version.junit-jupiter>5.11.1</version.junit-jupiter>
+    <version.junit-jupiter>5.11.3</version.junit-jupiter>
     <version.log4j>2.24.1</version.log4j>
     <version.lombok>1.18.34</version.lombok>
-    <version.mockito>5.14.0</version.mockito>
-    <version.unirest-java-core>4.4.4</version.unirest-java-core>
-    <version.wiremock>3.9.1</version.wiremock>
-    <version.xades4j>2.3.0</version.xades4j>
+    <version.mockito>5.14.2</version.mockito>
+    <version.unirest-java-core>4.4.5</version.unirest-java-core>
+    <version.wiremock>3.9.2</version.wiremock>
+    <version.xades4j>2.4.0</version.xades4j>
     <version.xmlunit>2.10.0</version.xmlunit>
 
     <!--  plugins -->
@@ -74,11 +74,11 @@
     <version.maven-enforcer-plugin>3.5.0</version.maven-enforcer-plugin>
     <version.maven-gpg-plugin>3.2.7</version.maven-gpg-plugin>
     <version.maven-jar-plugin>3.4.2</version.maven-jar-plugin>
-    <version.maven-javadoc-plugin>3.10.0</version.maven-javadoc-plugin>
+    <version.maven-javadoc-plugin>3.11.1</version.maven-javadoc-plugin>
     <version.maven-source-plugin>3.3.1</version.maven-source-plugin>
-    <version.maven-surefire-plugin>3.5.0</version.maven-surefire-plugin>
+    <version.maven-surefire-plugin>3.5.2</version.maven-surefire-plugin>
     <version.nexus-staging-maven-plugin>1.7.0</version.nexus-staging-maven-plugin>
-    <version.sonar-maven-plugin>4.0.0.4121</version.sonar-maven-plugin>
+    <version.sonar-maven-plugin>5.0.0.4389</version.sonar-maven-plugin>
     <version.spotless.google-java-format>1.17.0</version.spotless.google-java-format>
     <version.spotless-maven-plugin>2.43.0</version.spotless-maven-plugin>
 

src/main/java/de/gematik/pki/gemlibpki/certificate/TucPki018Verifier.java

@@ -16,11 +16,15 @@
 
 package de.gematik.pki.gemlibpki.certificate;
 
+import static de.gematik.pki.gemlibpki.ocsp.OcspConstants.OCSP_TIME_TOLERANCE_PRODUCEDAT_DEFAULT_FUTURE_MILLISECONDS;
+import static de.gematik.pki.gemlibpki.ocsp.OcspConstants.OCSP_TIME_TOLERANCE_PRODUCEDAT_DEFAULT_PAST_MILLISECONDS;
+
 import de.gematik.pki.gemlibpki.exception.GemPkiException;
 import de.gematik.pki.gemlibpki.exception.GemPkiParsingException;
 import de.gematik.pki.gemlibpki.exception.GemPkiRuntimeException;
 import de.gematik.pki.gemlibpki.ocsp.OcspConstants;
 import de.gematik.pki.gemlibpki.ocsp.OcspRespCache;
+import de.gematik.pki.gemlibpki.ocsp.OcspTransceiver;
 import de.gematik.pki.gemlibpki.tsl.TspInformationProvider;
 import de.gematik.pki.gemlibpki.tsl.TspService;
 import de.gematik.pki.gemlibpki.tsl.TspServiceSubset;
@@ -61,9 +65,18 @@ public class TucPki018Verifier {
   @Builder.Default
   protected final int ocspTimeoutSeconds = OcspConstants.DEFAULT_OCSP_TIMEOUT_SECONDS;
 
+  @Builder.Default
+  private final int ocspTimeToleranceProducedAtFutureMilliseconds =
+      OCSP_TIME_TOLERANCE_PRODUCEDAT_DEFAULT_FUTURE_MILLISECONDS;
+
+  @Builder.Default
+  private final int ocspTimeToleranceProducedAtPastMilliseconds =
+      OCSP_TIME_TOLERANCE_PRODUCEDAT_DEFAULT_PAST_MILLISECONDS;
+
   @Builder.Default protected final boolean tolerateOcspFailure = false;
 
   @Builder.Default private OcspValidator ocspValidator = null;
+  @Builder.Default private OcspTransceiver ocspTransceiver = null;
 
   /**
    * Verify given end-entity certificate against TucPki18 (Technical Use Case 18 "Zertifikatsprüfung
@@ -117,6 +130,34 @@ private void initializeValidator() {
             .ocspResponse(ocspResponse)
             .ocspRespCache(ocspRespCache)
             .ocspTimeoutSeconds(ocspTimeoutSeconds)
+            .ocspTransceiver(ocspTransceiver)
+            .tolerateOcspFailure(tolerateOcspFailure)
+            .ocspTimeToleranceProducedAtFutureMilliseconds(
+                ocspTimeToleranceProducedAtFutureMilliseconds)
+            .ocspTimeToleranceProducedAtPastMilliseconds(
+                ocspTimeToleranceProducedAtPastMilliseconds)
+            .build();
+  }
+
+  private void initializeTransceiver(@NonNull final X509Certificate x509EeCert)
+      throws GemPkiException {
+
+    if (ocspTransceiver != null) {
+      return;
+    }
+
+    final TspServiceSubset tspServiceSubset =
+        new TspInformationProvider(tspServiceList, productType)
+            .getIssuerTspServiceSubset(x509EeCert);
+    final X509Certificate x509IssuerCert = tspServiceSubset.getX509IssuerCert();
+
+    ocspTransceiver =
+        OcspTransceiver.builder()
+            .productType(productType)
+            .x509EeCert(x509EeCert)
+            .x509IssuerCert(x509IssuerCert)
+            .ssp(tspServiceSubset.getServiceSupplyPoint())
+            .ocspTimeoutSeconds(ocspTimeoutSeconds)
             .tolerateOcspFailure(tolerateOcspFailure)
             .build();
   }
@@ -129,7 +170,9 @@ private void initializeValidator() {
   protected void doOcspIfConfigured(
       @NonNull final X509Certificate x509EeCert, @NonNull final ZonedDateTime referenceDate)
       throws GemPkiException {
+    initializeTransceiver(x509EeCert);
     initializeValidator();
+
     ocspValidator.validateCertificate(x509EeCert, referenceDate);
   }
 
@@ -234,9 +277,13 @@ protected void commonChecks(
   public static boolean checkAllowedProfessionOids(
       final Admission admissionToCheck, @NonNull final Set<String> allowedProfessionOids) {
 
-    if (admissionToCheck == null) return false;
+    if (admissionToCheck == null) {
+      return false;
+    }
 
-    if (admissionToCheck.getProfessionOids().isEmpty()) return false;
+    if (admissionToCheck.getProfessionOids().isEmpty()) {
+      return false;
+    }
 
     return isPresent(admissionToCheck.getProfessionOids(), allowedProfessionOids);
   }

src/main/java/de/gematik/pki/gemlibpki/ocsp/OcspConstants.java

@@ -22,8 +22,9 @@
 @NoArgsConstructor(access = AccessLevel.PRIVATE)
 public final class OcspConstants {
 
-  public static final int OCSP_TIME_TOLERANCE_MILLISECONDS = 37_500;
-  public static final int TIMEOUT_DELTA_MILLISECONDS = 1500;
+  public static final int OCSP_TIME_TOLERANCE_THISNEXTUPDATE_MILLISECONDS = 37_500;
+  public static final int OCSP_TIME_TOLERANCE_PRODUCEDAT_DEFAULT_FUTURE_MILLISECONDS = 37_500;
+  public static final int OCSP_TIME_TOLERANCE_PRODUCEDAT_DEFAULT_PAST_MILLISECONDS = 37_500;
 
   public static final String MEDIA_TYPE_APPLICATION_OCSP_REQUEST = "application/ocsp-request";
   public static final String MEDIA_TYPE_APPLICATION_OCSP_RESPONSE = "application/ocsp-response";

src/main/java/de/gematik/pki/gemlibpki/ocsp/OcspTransceiver.java

@@ -19,13 +19,9 @@
 import de.gematik.pki.gemlibpki.error.ErrorCode;
 import de.gematik.pki.gemlibpki.exception.GemPkiException;
 import de.gematik.pki.gemlibpki.exception.GemPkiRuntimeException;
-import de.gematik.pki.gemlibpki.tsl.TspService;
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.security.cert.X509Certificate;
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
-import java.util.List;
 import java.util.Optional;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutionException;
@@ -55,7 +51,6 @@ public final class OcspTransceiver {
 
   public static final String OCSP_SEND_RECEIVE_FAILED = "OCSP senden/empfangen fehlgeschlagen.";
   @NonNull private final String productType;
-  @NonNull private final List<TspService> tspServiceList;
   @NonNull private final X509Certificate x509EeCert;
   @NonNull private final X509Certificate x509IssuerCert;
   @NonNull private final String ssp;
@@ -65,72 +60,10 @@ public final class OcspTransceiver {
 
   @Builder.Default private final boolean tolerateOcspFailure = false;
 
-  public TucPki006OcspVerifier getTucPki006Verifier(final OCSPResp ocspResp) {
-
-    return TucPki006OcspVerifier.builder()
-        .productType(productType)
-        .tspServiceList(tspServiceList)
-        .eeCert(x509EeCert)
-        .ocspResponse(ocspResp)
-        .build();
-  }
-
-  /**
-   * Verifies OCSP status of end-entity certificate. Sends OCSP request if OCSP response is not
-   * cached.
-   *
-   * @param ocspRespCache Cache for OCSP Responses
-   * @param referenceDate date at which the ocsp response shall be valid at
-   * @throws GemPkiException during ocsp checks
-   */
-  public void verifyOcspResponse(
-      final OcspRespCache ocspRespCache, final ZonedDateTime referenceDate) throws GemPkiException {
-
+  public Optional<OCSPResp> getOcspResponse() throws GemPkiException {
     final OCSPReq ocspReq =
         OcspRequestGenerator.generateSingleOcspRequest(x509EeCert, x509IssuerCert);
-
-    if (ocspRespCache == null) {
-      log.debug("Send Ocsp req because no cache.");
-      final Optional<OCSPResp> ocspRespOpt = sendOcspRequest(ocspReq);
-      if (ocspRespOpt.isEmpty()) {
-        return;
-      }
-      log.debug("Ocsp resp from server, because no cache.");
-      getTucPki006Verifier(ocspRespOpt.get()).performTucPki006Checks(referenceDate);
-      return;
-    }
-
-    final Optional<OCSPResp> ocspRespCachedOpt =
-        ocspRespCache.getResponse(x509EeCert.getSerialNumber());
-
-    if (ocspRespCachedOpt.isPresent()) {
-      log.debug("Ocsp resp from cache: verification is not performed");
-      return;
-    }
-
-    log.debug("Send Ocsp req, because not in cache.");
-    final Optional<OCSPResp> ocspRespOpt = sendOcspRequest(ocspReq);
-
-    if (ocspRespOpt.isEmpty()) {
-      log.debug("No Ocsp resp received.");
-      return;
-    }
-
-    getTucPki006Verifier(ocspRespOpt.get()).performTucPki006Checks(referenceDate);
-
-    ocspRespCache.saveResponse(x509EeCert.getSerialNumber(), ocspRespOpt.get());
-    log.debug("Ocsp resp from server saved to cache.");
-  }
-
-  /**
-   * Verifies OCSP status of end-entity certificate for the current date time. Sends OCSP request if
-   * OCSP response is not cached.
-   *
-   * @param ocspRespCache Cache for OCSP Responses
-   * @throws GemPkiException during ocsp checks
-   */
-  public void verifyOcspResponse(final OcspRespCache ocspRespCache) throws GemPkiException {
-    verifyOcspResponse(ocspRespCache, ZonedDateTime.now(ZoneOffset.UTC));
+    return sendOcspRequest(ocspReq);
   }
 
   private void handleWithTolerateOcspFailure() throws GemPkiException {

src/main/java/de/gematik/pki/gemlibpki/ocsp/OcspUtils.java

@@ -56,7 +56,8 @@ public static Req getFirstSingleReq(@NonNull final OCSPReq ocspReq) {
     final Req[] singleReqs = ocspReq.getRequestList();
 
     if (singleReqs.length != 1) {
-      throw new GemPkiRuntimeException("Mehr als eine OCSP Request erhalten: " + singleReqs.length);
+      throw new GemPkiRuntimeException(
+          "Mehr als einen OCSP Request erhalten: " + singleReqs.length);
     }
 
     return singleReqs[0];