amend(OCSP): allow more than one responder certificate in OCSP response

WE2-703

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

pom.xml

@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>authtoken-validation</artifactId>
     <groupId>org.webeid.security</groupId>
-    <version>2.0.0</version>
+    <version>2.0.1-SNAPSHOT</version>
     <packaging>jar</packaging>
     <name>authtoken-validation</name>
     <description>Web eID authentication token validation library for Java</description>

src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidator.java

@@ -139,10 +139,11 @@ private void verifyOcspResponse(BasicOCSPResp basicResponse, OcspService ocspSer
         // We assume that the responder includes its certificate in the certs field of the response
         // that helps us to verify it. According to RFC 2560 this field is optional, but including it
         // is standard practice.
-        if (basicResponse.getCerts().length != 1) {
-            throw new UserCertificateOCSPCheckFailedException("OCSP response must contain one responder certificate, "
-                + "received " + basicResponse.getCerts().length + " certificates instead");
+        if (basicResponse.getCerts().length < 1) {
+            throw new UserCertificateOCSPCheckFailedException("OCSP response must contain the responder certificate, "
+                + "but none was provided");
         }
+        // The first certificate is the responder certificate, other certificates, if given, are the certificate's chain.
         final X509CertificateHolder responderCert = basicResponse.getCerts()[0];
         OcspResponseValidator.validateResponseSignature(basicResponse, responderCert);