Merge pull request #29 from digipost/log-info-when-revoked

Log revoked as INFO instead of WARN
digipost · Dec 12, 2022 · f7091bd · f7091bd
2 parents ebc4662 + b00afec
commit f7091bd
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/src/main/java/no/digipost/security/cert/CertificateValidator.java b/src/main/java/no/digipost/security/cert/CertificateValidator.java
@@ -188,10 +188,10 @@ private CertStatus ocspLookup(TrustedCertificateAndIssuer certificateAndIssuer,
                                 if (cresp.getCertStatus() instanceof RevokedStatus) {
                                     RevokedStatus s = (RevokedStatus) cresp.getCertStatus();
                                     RevocationReason reason = Optional.of(s).filter(RevokedStatus::hasRevocationReason).map(r -> resolve(r.getRevocationReason())).orElse(unspecified);
-                                    LOG.warn("OCSP response for {} returned status revoked: {}, reason: '{}'", certificateAndIssuer, s.getRevocationTime(), reason);
+                                    LOG.info("OCSP response for {} returned status revoked: {}, reason: '{}'", certificateAndIssuer, s.getRevocationTime(), reason);
                                     return REVOKED;
                                 } else {
-                                    LOG.warn("OCSP response for {} returned status {}", certificateAndIssuer, cresp.getCertStatus().getClass().getSimpleName());
+                                    LOG.info("OCSP response for {} returned status {}", certificateAndIssuer, cresp.getCertStatus().getClass().getSimpleName());
                                     return UNDECIDED;
                                 }
                             }

diff --git a/src/test/java/no/digipost/security/cert/RealOCSPCertificateValidatorTest.java b/src/test/java/no/digipost/security/cert/RealOCSPCertificateValidatorTest.java
@@ -22,14 +22,14 @@
 import org.junit.jupiter.api.Test;
 
 import java.security.cert.X509Certificate;
-import java.time.Clock;
 import java.time.LocalDateTime;
 import java.util.Optional;
 
 import static java.time.ZoneOffset.UTC;
 import static no.digipost.security.cert.CertStatus.OK;
 import static no.digipost.security.cert.CertStatus.UNDECIDED;
 import static no.digipost.security.cert.CertStatus.UNTRUSTED;
+import static no.digipost.security.cert.OcspPolicy.NEVER_DO_OCSP_LOOKUP;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.is;
 
@@ -61,10 +61,13 @@ public void unknown_ocsprespone_gir_undecided_for_nytt_commfides_sertifikat() {
     @Test
     public void godtar_nytt_commfides_test_sertifikat() {
         CertificateValidator validatorQaEnv = new CertificateValidator(
-                CertificateValidatorConfig.MOST_STRICT.allowOcspResults(UNDECIDED),
-                new TrustFactory(Clock.systemUTC()).seid1.buypassAndCommfidesTestEnterpriseCertificates(),
+                CertificateValidatorConfig.MOST_STRICT.withOcspPolicy(NEVER_DO_OCSP_LOOKUP),
+                new TrustFactory(clock).seid1.buypassAndCommfidesTestEnterpriseCertificates(),
                 HttpClient.create());
 
+        clock.doWithTimeAdjusted(
+                clock -> clock.set(EBOKS_COMMFIDES_TEST.getNotAfter().toInstant().plusSeconds(600)),
+                now -> assertThat(validatorQaEnv.validateCert(EBOKS_COMMFIDES_TEST), is(UNTRUSTED)));
         assertThat(validatorQaEnv.validateCert(EBOKS_COMMFIDES_TEST), is(OK));
     }