Allow multiple responder certificates in OCSP response

[timukasr]

Some OCSP servers (e.g. http://ocsp.eparaksts.lv) add multiple responder certificates in OCSP response. This causes auth token validation error:
User certificate revocation check has failed: OCSP response must contain one responder certificate, received 2 certificates instead
due to this check:
https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/src/main/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidator.java#L142-L145

Is it possible to modify the check so that if at least one responder certificate is valid, then whole response is valid?

[mrts]

Thank you for the suggestion! Yes, we will modify the check as soon as possible.

[mrts]

A new pre-release version 2.0.1-SNAPSHOT has been published with the fix. The corresponding pull request is #29. It also contains dependency updates and minor refactoring.

Can you please test it? Also, would it be possible for you to provide an example Latvian EID Web eID authentication token that uses the http://ocsp.eparaksts.lv/ OCSP server, along with the corresponding issuer certificate? We would like to write an automated test in the lines of https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/src/test/java/eu/webeid/security/validator/AuthTokenCertificateTest.java#L243-L251 to cover this case.

[timukasr]

Thank you, OCSP part seems to working now.

Issue occurred with end user, so I cannot share their authentication token/certificate. For similar reasons, I cannot test the full authentication token validation yet.

[mrts]

Thank you for verifying! Understood, sharing the token would leak personal details.

The fix has been published in release version 2.0.1.