Disable designated OCSP responder tests that depend on hardwired certificates and revert attempt to use the newer OCSP responder certificate from ebd6985 (#42)

As new designated test OCSP responder certificates are issued more frequently now, it is no longer feasible to keep the certificates up to date.

WE2-764

Signed-off-by: Mart Somermaa <[email protected]>
Co-authored-by: Mart Somermaa <[email protected]>

Author: mrts

pom.xml

@@ -18,7 +18,6 @@
         <jackson.version>2.13.4.2</jackson.version>
         <slf4j.version>1.7.36</slf4j.version>
         <bouncycastle.version>1.70</bouncycastle.version>
-        <guava.version>31.1-jre</guava.version>
         <okhttp.version>4.10.0</okhttp.version>
         <junit-jupiter.version>5.8.2</junit-jupiter.version>
         <assertj.version>3.23.1</assertj.version>

src/test/java/eu/webeid/security/testutil/Certificates.java

@@ -41,13 +41,13 @@ public class Certificates {
     private static X509Certificate jaakKristjanEsteid2018Cert;
     private static X509Certificate mariliisEsteid2015Cert;
     private static X509Certificate organizationCert;
-    private static X509Certificate testSkOcspResponder2023;
+    private static X509Certificate testSkOcspResponder2020;
 
     static void loadCertificates() throws CertificateException, IOException {
-        X509Certificate[] certificates = CertificateLoader.loadCertificatesFromResources("TEST_of_ESTEID-SK_2015.cer", "TEST_of_ESTEID2018.cer", "TEST_of_ESTEID-SK_2018_AIA_OCSP_RESPONDER_202304.der");
+        X509Certificate[] certificates = CertificateLoader.loadCertificatesFromResources("TEST_of_ESTEID-SK_2015.cer", "TEST_of_ESTEID2018.cer", "TEST_of_SK_OCSP_RESPONDER_2020.cer");
         testEsteid2015CA = certificates[0];
         testEsteid2018CA = certificates[1];
-        testSkOcspResponder2023 = certificates[2];
+        testSkOcspResponder2020 = certificates[2];
     }
 
     public static X509Certificate getTestEsteid2018CA() throws CertificateException, IOException {
@@ -64,11 +64,11 @@ public static X509Certificate getTestEsteid2015CA() throws CertificateException,
         return testEsteid2015CA;
     }
 
-    public static X509Certificate getTestSkOcspResponder2023() throws CertificateException, IOException {
-        if (testSkOcspResponder2023 == null) {
+    public static X509Certificate getTestSkOcspResponder2020() throws CertificateException, IOException {
+        if (testSkOcspResponder2020 == null) {
             loadCertificates();
         }
-        return testSkOcspResponder2023;
+        return testSkOcspResponder2020;
     }
 
     public static X509Certificate getJaakKristjanEsteid2018Cert() throws CertificateDecodingException {

src/test/java/eu/webeid/security/testutil/OcspServiceMaker.java

@@ -93,7 +93,7 @@ private static DesignatedOcspServiceConfiguration getDesignatedOcspServiceConfig
     private static DesignatedOcspServiceConfiguration getDesignatedOcspServiceConfiguration(boolean doesSupportNonce, String ocspServiceAccessLocation) throws CertificateException, IOException, OCSPCertificateException {
         return new DesignatedOcspServiceConfiguration(
             URI.create(ocspServiceAccessLocation),
-            getTestSkOcspResponder2023(),
+            getTestSkOcspResponder2020(),
             TRUSTED_CA_CERTIFICATES,
             doesSupportNonce);
     }

src/test/java/eu/webeid/security/validator/AuthTokenCertificateTest.java

@@ -244,6 +244,7 @@ void whenTrustedCACertificateIsNoLongerValid_thenValidationFails() {
     }
 
     @Test
+    @Disabled("A new designated test OCSP responder certificate was issued whose validity period no longer overlaps with the revoked certificate")
     void whenCertificateIsRevoked_thenOcspCheckFails() throws Exception {
         mockDate("2020-01-01");
         final AuthTokenValidator validatorWithOcspCheck = AuthTokenValidators.getAuthTokenValidatorWithOcspCheck();

src/test/java/eu/webeid/security/validator/AuthTokenStructureTest.java

@@ -22,11 +22,11 @@
 
 package eu.webeid.security.validator;
 
-import eu.webeid.security.testutil.AbstractTestWithValidator;
-import org.junit.jupiter.api.Test;
 import eu.webeid.security.authtoken.WebEidAuthToken;
-import eu.webeid.security.exceptions.AuthTokenParseException;
 import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.exceptions.AuthTokenParseException;
+import eu.webeid.security.testutil.AbstractTestWithValidator;
+import org.junit.jupiter.api.Test;
 
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 

src/test/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidatorTest.java

@@ -81,6 +81,7 @@ void whenValidAiaOcspResponderConfiguration_thenSucceeds() throws Exception {
     }
 
     @Test
+    @Disabled("As new designated test OCSP responder certificates are issued more frequently now, it is no longer feasible to keep the certificates up to date")
     void whenValidDesignatedOcspResponderConfiguration_thenSucceeds() throws Exception {
         final OcspServiceProvider ocspServiceProvider = getDesignatedOcspServiceProvider();
         final SubjectCertificateNotRevokedValidator validator = new SubjectCertificateNotRevokedValidator(trustedValidator, ocspClient, ocspServiceProvider);
@@ -90,6 +91,7 @@ void whenValidDesignatedOcspResponderConfiguration_thenSucceeds() throws Excepti
     }
 
     @Test
+    @Disabled("As new designated test OCSP responder certificates are issued more frequently now, it is no longer feasible to keep the certificates up to date")
     void whenValidOcspNonceDisabledConfiguration_thenSucceeds() throws Exception {
         final OcspServiceProvider ocspServiceProvider = getDesignatedOcspServiceProvider(false);
         final SubjectCertificateNotRevokedValidator validator = new SubjectCertificateNotRevokedValidator(trustedValidator, ocspClient, ocspServiceProvider);
@@ -238,7 +240,6 @@ void whenOcspResponseRevoked_thenThrows() throws Exception {
     }
 
     @Test
-    @Disabled("A new designated test OCSP responder certificate was issued so the responder certificate in ocsp_response_unknown.der is no longer valid")
     void whenOcspResponseUnknown_thenThrows() throws Exception {
         final OcspServiceProvider ocspServiceProvider = getDesignatedOcspServiceProvider("https://web-eid-test.free.beeceptor.com");
         try (final Response response = getResponseBuilder()

src/test/java/eu/webeid/security/validator/ocsp/OcspServiceProviderTest.java

@@ -44,7 +44,7 @@ void whenDesignatedOcspServiceConfigurationProvided_thenCreatesDesignatedOcspSer
         assertThat(service.getAccessLocation()).isEqualTo(new URI("http://demo.sk.ee/ocsp"));
         assertThat(service.doesSupportNonce()).isTrue();
         assertThatCode(() ->
-            service.validateResponderCertificate(new X509CertificateHolder(getTestSkOcspResponder2023().getEncoded()), new Date(1681000000000L)))
+            service.validateResponderCertificate(new X509CertificateHolder(getTestSkOcspResponder2020().getEncoded()), new Date(1630000000000L)))
             .doesNotThrowAnyException();
         assertThatCode(() ->
             service.validateResponderCertificate(new X509CertificateHolder(getTestEsteid2018CA().getEncoded()), new Date(1630000000000L)))