|
27 | 27 | import eu.webeid.security.testutil.AbstractTestWithValidator; |
28 | 28 | import eu.webeid.security.testutil.AuthTokenValidators; |
29 | 29 | import eu.webeid.security.util.DateAndTime; |
| 30 | +import eu.webeid.security.validator.ocsp.OcspClient; |
| 31 | +import org.bouncycastle.cert.ocsp.OCSPResp; |
30 | 32 | import org.junit.jupiter.api.AfterEach; |
31 | 33 | import org.junit.jupiter.api.BeforeEach; |
| 34 | +import org.junit.jupiter.api.Disabled; |
32 | 35 | import org.junit.jupiter.api.Test; |
33 | 36 | import org.mockito.MockedStatic; |
34 | 37 |
|
35 | 38 | import java.io.IOException; |
| 39 | +import java.io.InputStream; |
36 | 40 | import java.security.cert.CertificateException; |
| 41 | +import java.util.Objects; |
37 | 42 |
|
38 | 43 | import static eu.webeid.security.testutil.DateMocker.mockDate; |
39 | 44 | import static org.assertj.core.api.Assertions.assertThatCode; |
@@ -96,4 +101,32 @@ void whenIdCardSignatureCertificateWithG4RootCertificateIsValidated_thenValidati |
96 | 101 | .doesNotThrowAnyException(); |
97 | 102 | } |
98 | 103 |
|
| 104 | + @Disabled(""" |
| 105 | + Disabled because the certificate ID equality check in SubjectCertificateNotRevokedValidator rejects the OCSP |
| 106 | + response: CertificateID.equals() compares the complete ASN.1 structure, which treats absent and explicit NULL SHA-1 |
| 107 | + AlgorithmIdentifier parameters as different. CertID.equals() treats those forms as equivalent while still comparing |
| 108 | + the algorithm identifier, issuer hashes and certificate serial number.""") |
| 109 | + @Test |
| 110 | + void whenIdCardIsValidatedWithAiaOcspCheck_thenDelegatedResponderIsAuthorizedAndValidationSucceeds() throws AuthTokenException, CertificateException, IOException { |
| 111 | + // The OCSP response was recorded from the card's AIA OCSP responder at http://ocsptest.fineid.fi/dvvtp5ec |
| 112 | + // on 2026-07-02. Its responder certificate is issued by DVV TEST Certificates - G5E, the issuer of the |
| 113 | + // authentication certificate, so the RFC 6960 delegated-responder authorization check in AiaOcspService |
| 114 | + // must accept it. The clock is set to the recording time as the response thisUpdate age is limited. |
| 115 | + mockDate("2026-07-02T08:39:30Z", mockedClock); |
| 116 | + final OcspClient recordedResponseClient = (url, request) -> |
| 117 | + new OCSPResp(getOcspResponseBytesFromResources("ocsp_response_finnish_test_id_card.der")); |
| 118 | + final AuthTokenValidator validator = AuthTokenValidators.getAuthTokenValidatorForFinnishIdCardWithOcspCheck(recordedResponseClient); |
| 119 | + final WebEidAuthToken token = validator.parse(FINNISH_TEST_ID_CARD_BACKMAN_JUHANI_AUTH_TOKEN); |
| 120 | + |
| 121 | + assertThatCode(() -> validator |
| 122 | + .validate(token, "x9qZDRO/ao2zprt3Z0bkW4CvvE/gALFtUIf3tcC0XxY=")) |
| 123 | + .doesNotThrowAnyException(); |
| 124 | + } |
| 125 | + |
| 126 | + private static byte[] getOcspResponseBytesFromResources(String resource) throws IOException { |
| 127 | + try (final InputStream resourceAsStream = ClassLoader.getSystemResourceAsStream(resource)) { |
| 128 | + return Objects.requireNonNull(resourceAsStream).readAllBytes(); |
| 129 | + } |
| 130 | + } |
| 131 | + |
99 | 132 | } |
0 commit comments