| /* |
| * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. Oracle designates this |
| * particular file as subject to the "Classpath" exception as provided |
| * by Oracle in the LICENSE file that accompanied this code. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| package sun.security.ssl; |
| |
| import java.io.IOException; |
| import java.net.URI; |
| import java.net.URISyntaxException; |
| import java.security.AccessController; |
| import java.security.cert.Extension; |
| import java.security.cert.X509Certificate; |
| import java.util.ArrayList; |
| import java.util.Collections; |
| import java.util.Date; |
| import java.util.HashMap; |
| import java.util.List; |
| import java.util.Map; |
| import java.util.Objects; |
| import java.util.concurrent.Callable; |
| import java.util.concurrent.ExecutionException; |
| import java.util.concurrent.Executors; |
| import java.util.concurrent.Future; |
| import java.util.concurrent.ScheduledThreadPoolExecutor; |
| import java.util.concurrent.ThreadFactory; |
| import java.util.concurrent.ThreadPoolExecutor; |
| import java.util.concurrent.TimeUnit; |
| import sun.security.action.GetBooleanAction; |
| import sun.security.action.GetIntegerAction; |
| import sun.security.action.GetPropertyAction; |
| import sun.security.provider.certpath.CertId; |
| import sun.security.provider.certpath.OCSP; |
| import sun.security.provider.certpath.OCSPResponse; |
| import sun.security.provider.certpath.ResponderId; |
| import sun.security.util.Cache; |
| import sun.security.x509.PKIXExtensions; |
| import sun.security.x509.SerialNumber; |
| import sun.security.ssl.X509Authentication.X509Possession; |
| import static sun.security.ssl.CertStatusExtension.*; |
| |
| final class StatusResponseManager { |
| private static final int DEFAULT_CORE_THREADS = 8; |
| private static final int DEFAULT_CACHE_SIZE = 256; |
| private static final int DEFAULT_CACHE_LIFETIME = 3600; // seconds |
| |
| private final ScheduledThreadPoolExecutor threadMgr; |
| private final Cache<CertId, ResponseCacheEntry> responseCache; |
| private final URI defaultResponder; |
| private final boolean respOverride; |
| private final int cacheCapacity; |
| private final int cacheLifetime; |
| private final boolean ignoreExtensions; |
| |
| /** |
| * Create a StatusResponseManager with default parameters. |
| */ |
| StatusResponseManager() { |
| int cap = AccessController.doPrivileged( |
| new GetIntegerAction("jdk.tls.stapling.cacheSize", |
| DEFAULT_CACHE_SIZE)); |
| cacheCapacity = cap > 0 ? cap : 0; |
| |
| int life = AccessController.doPrivileged( |
| new GetIntegerAction("jdk.tls.stapling.cacheLifetime", |
| DEFAULT_CACHE_LIFETIME)); |
| cacheLifetime = life > 0 ? life : 0; |
| |
| String uriStr = GetPropertyAction |
| .privilegedGetProperty("jdk.tls.stapling.responderURI"); |
| URI tmpURI; |
| try { |
| tmpURI = ((uriStr != null && !uriStr.isEmpty()) ? |
| new URI(uriStr) : null); |
| } catch (URISyntaxException urise) { |
| tmpURI = null; |
| } |
| defaultResponder = tmpURI; |
| |
| respOverride = AccessController.doPrivileged( |
| new GetBooleanAction("jdk.tls.stapling.responderOverride")); |
| ignoreExtensions = AccessController.doPrivileged( |
| new GetBooleanAction("jdk.tls.stapling.ignoreExtensions")); |
| |
| threadMgr = new ScheduledThreadPoolExecutor(DEFAULT_CORE_THREADS, |
| new ThreadFactory() { |
| @Override |
| public Thread newThread(Runnable r) { |
| Thread t = Executors.defaultThreadFactory().newThread(r); |
| t.setDaemon(true); |
| return t; |
| } |
| }, new ThreadPoolExecutor.DiscardPolicy()); |
| threadMgr.setExecuteExistingDelayedTasksAfterShutdownPolicy(false); |
| threadMgr.setContinueExistingPeriodicTasksAfterShutdownPolicy( |
| false); |
| threadMgr.setKeepAliveTime(5000, TimeUnit.MILLISECONDS); |
| threadMgr.allowCoreThreadTimeOut(true); |
| responseCache = Cache.newSoftMemoryCache( |
| cacheCapacity, cacheLifetime); |
| } |
| |
| /** |
| * Get the current cache lifetime setting |
| * |
| * @return the current cache lifetime value |
| */ |
| int getCacheLifetime() { |
| return cacheLifetime; |
| } |
| |
| /** |
| * Get the current maximum cache size. |
| * |
| * @return the current maximum cache size |
| */ |
| int getCacheCapacity() { |
| return cacheCapacity; |
| } |
| |
| /** |
| * Get the default OCSP responder URI, if previously set. |
| * |
| * @return the current default OCSP responder URI, or {@code null} if |
| * it has not been set. |
| */ |
| URI getDefaultResponder() { |
| return defaultResponder; |
| } |
| |
| /** |
| * Get the URI override setting |
| * |
| * @return {@code true} if URI override has been set, {@code false} |
| * otherwise. |
| */ |
| boolean getURIOverride() { |
| return respOverride; |
| } |
| |
| /** |
| * Get the ignore extensions setting. |
| * |
| * @return {@code true} if the {@code StatusResponseManager} will not |
| * pass OCSP Extensions in the TLS {@code status_request[_v2]} |
| * extensions, {@code false} if extensions will be passed (the default). |
| */ |
| boolean getIgnoreExtensions() { |
| return ignoreExtensions; |
| } |
| |
| /** |
| * Clear the status response cache |
| */ |
| void clear() { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine("Clearing response cache"); |
| } |
| responseCache.clear(); |
| } |
| |
| /** |
| * Returns the number of currently valid objects in the response cache. |
| * |
| * @return the number of valid objects in the response cache. |
| */ |
| int size() { |
| return responseCache.size(); |
| } |
| |
| /** |
| * Obtain the URI use by the {@code StatusResponseManager} during |
| * lookups. |
| * |
| * This method takes into account not only the AIA extension from a |
| * certificate to be checked, but also any default URI and possible |
| * override settings for the response manager. |
| * |
| * @param cert the subject to get the responder URI from |
| * |
| * @return a {@code URI} containing the address to the OCSP responder, |
| * or {@code null} if no AIA extension exists in the certificate |
| * and no default responder has been configured. |
| * |
| * @throws NullPointerException if {@code cert} is {@code null}. |
| */ |
| URI getURI(X509Certificate cert) { |
| Objects.requireNonNull(cert); |
| |
| if (cert.getExtensionValue( |
| PKIXExtensions.OCSPNoCheck_Id.toString()) != null) { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "OCSP NoCheck extension found. OCSP will be skipped"); |
| } |
| return null; |
| } else if (defaultResponder != null && respOverride) { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "Responder override: URI is " + defaultResponder); |
| } |
| return defaultResponder; |
| } else { |
| URI certURI = OCSP.getResponderURI(cert); |
| return (certURI != null ? certURI : defaultResponder); |
| } |
| } |
| |
| /** |
| * Shutdown the thread pool |
| */ |
| void shutdown() { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine("Shutting down " + threadMgr.getActiveCount() + |
| " active threads"); |
| } |
| threadMgr.shutdown(); |
| } |
| |
| /** |
| * Get a list of responses for a chain of certificates. |
| * |
| * This will find OCSP responses from the cache, or failing that, |
| * directly contact the OCSP responder. It is assumed that the |
| * certificates in the provided chain are in their proper order |
| * (from end-entity to trust anchor). |
| * |
| * @param type the type of request being made of the |
| * {@code StatusResponseManager} |
| * @param request the {@code CertStatusRequest} from the |
| * status_request or status_request_v2 ClientHello extension. |
| * A value of {@code null} is interpreted as providing no |
| * responder IDs or extensions. |
| * @param chain an array of 2 or more certificates. Each certificate |
| * must be issued by the next certificate in the chain. |
| * @param delay the number of time units to delay before returning |
| * responses. |
| * @param unit the unit of time applied to the {@code delay} parameter |
| * |
| * @return an unmodifiable {@code Map} containing the certificate and |
| * its usually |
| * |
| * @throws SSLHandshakeException if an unsupported |
| * {@code CertStatusRequest} is provided. |
| */ |
| Map<X509Certificate, byte[]> get(CertStatusRequestType type, |
| CertStatusRequest request, X509Certificate[] chain, long delay, |
| TimeUnit unit) { |
| Map<X509Certificate, byte[]> responseMap = new HashMap<>(); |
| List<OCSPFetchCall> requestList = new ArrayList<>(); |
| |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "Beginning check: Type = " + type + ", Chain length = " + |
| chain.length); |
| } |
| |
| // It is assumed that the caller has ordered the certs in the chain |
| // in the proper order (each certificate is issued by the next entry |
| // in the provided chain). |
| if (chain.length < 2) { |
| return Collections.emptyMap(); |
| } |
| |
| if (type == CertStatusRequestType.OCSP) { |
| try { |
| // For type OCSP, we only check the end-entity certificate |
| OCSPStatusRequest ocspReq = (OCSPStatusRequest)request; |
| CertId cid = new CertId(chain[1], |
| new SerialNumber(chain[0].getSerialNumber())); |
| ResponseCacheEntry cacheEntry = getFromCache(cid, ocspReq); |
| if (cacheEntry != null) { |
| responseMap.put(chain[0], cacheEntry.ocspBytes); |
| } else { |
| StatusInfo sInfo = new StatusInfo(chain[0], cid); |
| requestList.add(new OCSPFetchCall(sInfo, ocspReq)); |
| } |
| } catch (IOException exc) { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "Exception during CertId creation: ", exc); |
| } |
| } |
| } else if (type == CertStatusRequestType.OCSP_MULTI) { |
| // For type OCSP_MULTI, we check every cert in the chain that |
| // has a direct issuer at the next index. We won't have an |
| // issuer certificate for the last certificate in the chain |
| // and will not be able to create a CertId because of that. |
| OCSPStatusRequest ocspReq = (OCSPStatusRequest)request; |
| int ctr; |
| for (ctr = 0; ctr < chain.length - 1; ctr++) { |
| try { |
| // The cert at "ctr" is the subject cert, "ctr + 1" |
| // is the issuer certificate. |
| CertId cid = new CertId(chain[ctr + 1], |
| new SerialNumber(chain[ctr].getSerialNumber())); |
| ResponseCacheEntry cacheEntry = |
| getFromCache(cid, ocspReq); |
| if (cacheEntry != null) { |
| responseMap.put(chain[ctr], cacheEntry.ocspBytes); |
| } else { |
| StatusInfo sInfo = new StatusInfo(chain[ctr], cid); |
| requestList.add(new OCSPFetchCall(sInfo, ocspReq)); |
| } |
| } catch (IOException exc) { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "Exception during CertId creation: ", exc); |
| } |
| } |
| } |
| } else { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine("Unsupported status request type: " + type); |
| } |
| } |
| |
| // If we were able to create one or more Fetches, go and run all |
| // of them in separate threads. For all the threads that completed |
| // in the allotted time, put those status responses into the |
| // returned Map. |
| if (!requestList.isEmpty()) { |
| try { |
| // Set a bunch of threads to go do the fetching |
| List<Future<StatusInfo>> resultList = |
| threadMgr.invokeAll(requestList, delay, unit); |
| |
| // Go through the Futures and from any non-cancelled task, |
| // get the bytes and attach them to the responseMap. |
| for (Future<StatusInfo> task : resultList) { |
| if (!task.isDone()) { |
| continue; |
| } |
| |
| if (!task.isCancelled()) { |
| StatusInfo info = task.get(); |
| if (info != null && info.responseData != null) { |
| responseMap.put(info.cert, |
| info.responseData.ocspBytes); |
| } else if (SSLLogger.isOn && |
| SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "Completed task had no response data"); |
| } |
| } else { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine("Found cancelled task"); |
| } |
| } |
| } |
| } catch (InterruptedException | ExecutionException exc) { |
| // Not sure what else to do here |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine("Exception when getting data: ", exc); |
| } |
| } |
| } |
| |
| return Collections.unmodifiableMap(responseMap); |
| } |
| |
| /** |
| * Check the cache for a given {@code CertId}. |
| * |
| * @param cid the CertId of the response to look up |
| * @param ocspRequest the OCSP request structure sent by the client |
| * in the TLS status_request[_v2] hello extension. |
| * |
| * @return the {@code ResponseCacheEntry} for a specific CertId, or |
| * {@code null} if it is not found or a nonce extension has been |
| * requested by the caller. |
| */ |
| private ResponseCacheEntry getFromCache(CertId cid, |
| OCSPStatusRequest ocspRequest) { |
| // Determine if the nonce extension is present in the request. If |
| // so, then do not attempt to retrieve the response from the cache. |
| for (Extension ext : ocspRequest.extensions) { |
| if (ext.getId().equals( |
| PKIXExtensions.OCSPNonce_Id.toString())) { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "Nonce extension found, skipping cache check"); |
| } |
| return null; |
| } |
| } |
| |
| ResponseCacheEntry respEntry = responseCache.get(cid); |
| |
| // If the response entry has a nextUpdate and it has expired |
| // before the cache expiration, purge it from the cache |
| // and do not return it as a cache hit. |
| if (respEntry != null && respEntry.nextUpdate != null && |
| respEntry.nextUpdate.before(new Date())) { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "nextUpdate threshold exceeded, purging from cache"); |
| } |
| respEntry = null; |
| } |
| |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "Check cache for SN" + cid.getSerialNumber() + ": " + |
| (respEntry != null ? "HIT" : "MISS")); |
| } |
| return respEntry; |
| } |
| |
| @Override |
| public String toString() { |
| StringBuilder sb = new StringBuilder("StatusResponseManager: "); |
| |
| sb.append("Core threads: ").append(threadMgr.getCorePoolSize()); |
| sb.append(", Cache timeout: "); |
| if (cacheLifetime > 0) { |
| sb.append(cacheLifetime).append(" seconds"); |
| } else { |
| sb.append(" indefinite"); |
| } |
| |
| sb.append(", Cache MaxSize: "); |
| if (cacheCapacity > 0) { |
| sb.append(cacheCapacity).append(" items"); |
| } else { |
| sb.append(" unbounded"); |
| } |
| |
| sb.append(", Default URI: "); |
| if (defaultResponder != null) { |
| sb.append(defaultResponder); |
| } else { |
| sb.append("NONE"); |
| } |
| |
| return sb.toString(); |
| } |
| |
| /** |
| * Inner class used to group request and response data. |
| */ |
| class StatusInfo { |
| final X509Certificate cert; |
| final CertId cid; |
| final URI responder; |
| ResponseCacheEntry responseData; |
| |
| /** |
| * Create a StatusInfo object from certificate data. |
| * |
| * @param subjectCert the certificate to be checked for revocation |
| * @param issuerCert the issuer of the {@code subjectCert} |
| * |
| * @throws IOException if CertId creation from the certificate fails |
| */ |
| StatusInfo(X509Certificate subjectCert, X509Certificate issuerCert) |
| throws IOException { |
| this(subjectCert, new CertId(issuerCert, |
| new SerialNumber(subjectCert.getSerialNumber()))); |
| } |
| |
| /** |
| * Create a StatusInfo object from an existing subject certificate |
| * and its corresponding CertId. |
| * |
| * @param subjectCert the certificate to be checked for revocation |
| * @param cid the CertId for {@code subjectCert} |
| */ |
| StatusInfo(X509Certificate subjectCert, CertId certId) { |
| cert = subjectCert; |
| cid = certId; |
| responder = getURI(cert); |
| responseData = null; |
| } |
| |
| /** |
| * Copy constructor (used primarily for rescheduling). |
| * This will do a member-wise copy with the exception of the |
| * responseData and extensions fields, which should not persist |
| * in a rescheduled fetch. |
| * |
| * @param orig the original {@code StatusInfo} |
| */ |
| StatusInfo(StatusInfo orig) { |
| this.cert = orig.cert; |
| this.cid = orig.cid; |
| this.responder = orig.responder; |
| this.responseData = null; |
| } |
| |
| /** |
| * Return a String representation of the {@code StatusInfo} |
| * |
| * @return a {@code String} representation of this object |
| */ |
| @Override |
| public String toString() { |
| StringBuilder sb = new StringBuilder("StatusInfo:"); |
| sb.append("\n\tCert: ").append( |
| this.cert.getSubjectX500Principal()); |
| sb.append("\n\tSerial: ").append(this.cert.getSerialNumber()); |
| sb.append("\n\tResponder: ").append(this.responder); |
| sb.append("\n\tResponse data: ").append( |
| this.responseData != null ? |
| (this.responseData.ocspBytes.length + " bytes") : |
| "<NULL>"); |
| return sb.toString(); |
| } |
| } |
| |
| /** |
| * Static nested class used as the data kept in the response cache. |
| */ |
| class ResponseCacheEntry { |
| final OCSPResponse.ResponseStatus status; |
| final byte[] ocspBytes; |
| final Date nextUpdate; |
| final OCSPResponse.SingleResponse singleResp; |
| final ResponderId respId; |
| |
| /** |
| * Create a new cache entry from the raw bytes of the response |
| * |
| * @param responseBytes the DER encoding for the OCSP response |
| * |
| * @throws IOException if an {@code OCSPResponse} cannot be |
| * created from the encoded bytes. |
| */ |
| ResponseCacheEntry(byte[] responseBytes, CertId cid) |
| throws IOException { |
| Objects.requireNonNull(responseBytes, |
| "Non-null responseBytes required"); |
| Objects.requireNonNull(cid, "Non-null Cert ID required"); |
| |
| ocspBytes = responseBytes.clone(); |
| OCSPResponse oResp = new OCSPResponse(ocspBytes); |
| status = oResp.getResponseStatus(); |
| respId = oResp.getResponderId(); |
| singleResp = oResp.getSingleResponse(cid); |
| if (status == OCSPResponse.ResponseStatus.SUCCESSFUL) { |
| if (singleResp != null) { |
| // Pull out the nextUpdate field in advance because the |
| // Date is cloned. |
| nextUpdate = singleResp.getNextUpdate(); |
| } else { |
| throw new IOException( |
| "Unable to find SingleResponse for SN " + |
| cid.getSerialNumber()); |
| } |
| } else { |
| nextUpdate = null; |
| } |
| } |
| } |
| |
| /** |
| * Inner Callable class that does the actual work of looking up OCSP |
| * responses, first looking at the cache and doing OCSP requests if |
| * a cache miss occurs. |
| */ |
| class OCSPFetchCall implements Callable<StatusInfo> { |
| StatusInfo statInfo; |
| OCSPStatusRequest ocspRequest; |
| List<Extension> extensions; |
| List<ResponderId> responderIds; |
| |
| /** |
| * A constructor that builds the OCSPFetchCall from the provided |
| * StatusInfo and information from the status_request[_v2] |
| * extension. |
| * |
| * @param info the {@code StatusInfo} containing the subject |
| * certificate, CertId, and other supplemental info. |
| * @param request the {@code OCSPStatusRequest} containing any |
| * responder IDs and extensions. |
| */ |
| public OCSPFetchCall(StatusInfo info, OCSPStatusRequest request) { |
| statInfo = Objects.requireNonNull(info, |
| "Null StatusInfo not allowed"); |
| ocspRequest = Objects.requireNonNull(request, |
| "Null OCSPStatusRequest not allowed"); |
| extensions = ocspRequest.extensions; |
| responderIds = ocspRequest.responderIds; |
| } |
| |
| /** |
| * Get an OCSP response, either from the cache or from a responder. |
| * |
| * @return The StatusInfo object passed into the |
| * {@code OCSPFetchCall} constructor, with the |
| * {@code responseData} field filled in with the response |
| * or {@code null} if no response can be obtained. |
| */ |
| @Override |
| public StatusInfo call() { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "Starting fetch for SN " + |
| statInfo.cid.getSerialNumber()); |
| } |
| try { |
| ResponseCacheEntry cacheEntry; |
| List<Extension> extsToSend; |
| |
| if (statInfo.responder == null) { |
| // If we have no URI then there's nothing to do |
| // but return. |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "Null URI detected, OCSP fetch aborted"); |
| } |
| return statInfo; |
| } else { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "Attempting fetch from " + statInfo.responder); |
| } |
| } |
| |
| // If the StatusResponseManager has been configured to not |
| // forward extensions, then set extensions to an empty |
| // list. |
| // |
| // We will forward the extensions unless one of two |
| // conditions occur: |
| // (1) The jdk.tls.stapling.ignoreExtensions property is |
| // true, or |
| // (2) There is a non-empty ResponderId list. |
| // |
| // ResponderId selection is a feature that will be |
| // supported in the future. |
| extsToSend = (ignoreExtensions || !responderIds.isEmpty()) ? |
| Collections.emptyList() : extensions; |
| |
| byte[] respBytes = OCSP.getOCSPBytes( |
| Collections.singletonList(statInfo.cid), |
| statInfo.responder, extsToSend); |
| |
| if (respBytes != null) { |
| // Place the data into the response cache |
| cacheEntry = new ResponseCacheEntry(respBytes, |
| statInfo.cid); |
| |
| // Get the response status and act on it appropriately |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine("OCSP Status: " + cacheEntry.status + |
| " (" + respBytes.length + " bytes)"); |
| } |
| if (cacheEntry.status == |
| OCSPResponse.ResponseStatus.SUCCESSFUL) { |
| // Set the response in the returned StatusInfo |
| statInfo.responseData = cacheEntry; |
| |
| // Add the response to the cache (if applicable) |
| addToCache(statInfo.cid, cacheEntry); |
| } |
| } else { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "No data returned from OCSP Responder"); |
| } |
| } |
| } catch (IOException ioe) { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine("Caught exception: ", ioe); |
| } |
| } |
| |
| return statInfo; |
| } |
| |
| /** |
| * Add a response to the cache. |
| * |
| * @param certId The {@code CertId} for the OCSP response |
| * @param entry A cache entry containing the response bytes and |
| * the {@code OCSPResponse} built from those bytes. |
| */ |
| private void addToCache(CertId certId, ResponseCacheEntry entry) { |
| // If no cache lifetime has been set on entries then |
| // don't cache this response if there is no nextUpdate field |
| if (entry.nextUpdate == null && cacheLifetime == 0) { |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine("Not caching this OCSP response"); |
| } |
| } else { |
| responseCache.put(certId, entry); |
| if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) { |
| SSLLogger.fine( |
| "Added response for SN " + |
| certId.getSerialNumber() + |
| " to cache"); |
| } |
| } |
| } |
| |
| /** |
| * Determine the delay to use when scheduling the task that will |
| * update the OCSP response. This is the shorter time between the |
| * cache lifetime and the nextUpdate. If no nextUpdate is present |
| * in the response, then only the cache lifetime is used. |
| * If cache timeouts are disabled (a zero value) and there's no |
| * nextUpdate, then the entry is not cached and no rescheduling |
| * will take place. |
| * |
| * @param nextUpdate a {@code Date} object corresponding to the |
| * next update time from a SingleResponse. |
| * |
| * @return the number of seconds of delay before the next fetch |
| * should be executed. A zero value means that the fetch |
| * should happen immediately, while a value less than zero |
| * indicates no rescheduling should be done. |
| */ |
| private long getNextTaskDelay(Date nextUpdate) { |
| long delaySec; |
| int lifetime = getCacheLifetime(); |
| |
| if (nextUpdate != null) { |
| long nuDiffSec = (nextUpdate.getTime() - |
| System.currentTimeMillis()) / 1000; |
| delaySec = lifetime > 0 ? Long.min(nuDiffSec, lifetime) : |
| nuDiffSec; |
| } else { |
| delaySec = lifetime > 0 ? lifetime : -1; |
| } |
| |
| return delaySec; |
| } |
| } |
| |
| static final StaplingParameters processStapling( |
| ServerHandshakeContext shc) { |
| StaplingParameters params = null; |
| SSLExtension ext = null; |
| CertStatusRequestType type = null; |
| CertStatusRequest req = null; |
| Map<X509Certificate, byte[]> responses; |
| |
| // If this feature has not been enabled, then no more processing |
| // is necessary. Also we will only staple if we're doing a full |
| // handshake. |
| if (!shc.sslContext.isStaplingEnabled(false) || shc.isResumption) { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.fine("Staping disabled or is a resumed session"); |
| } |
| return null; |
| } |
| |
| // Check if the client has asserted the status_request[_v2] extension(s) |
| Map<SSLExtension, SSLExtension.SSLExtensionSpec> exts = |
| shc.handshakeExtensions; |
| CertStatusRequestSpec statReq = (CertStatusRequestSpec)exts.get( |
| SSLExtension.CH_STATUS_REQUEST); |
| CertStatusRequestV2Spec statReqV2 = (CertStatusRequestV2Spec) |
| exts.get(SSLExtension.CH_STATUS_REQUEST_V2); |
| |
| // Determine which type of stapling we are doing and assert the |
| // proper extension in the server hello. |
| // Favor status_request_v2 over status_request and ocsp_multi |
| // over ocsp. |
| // If multiple ocsp or ocsp_multi types exist, select the first |
| // instance of a given type. Also since we don't support ResponderId |
| // selection yet, only accept a request if the ResponderId field |
| // is empty. Finally, we'll only do this in (D)TLS 1.2 or earlier. |
| if (statReqV2 != null && !shc.negotiatedProtocol.useTLS13PlusSpec()) { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) { |
| SSLLogger.fine("SH Processing status_request_v2 extension"); |
| } |
| // RFC 6961 stapling |
| ext = SSLExtension.CH_STATUS_REQUEST_V2; |
| int ocspIdx = -1; |
| int ocspMultiIdx = -1; |
| CertStatusRequest[] reqItems = statReqV2.certStatusRequests; |
| for (int pos = 0; (pos < reqItems.length && |
| (ocspIdx == -1 || ocspMultiIdx == -1)); pos++) { |
| CertStatusRequest item = reqItems[pos]; |
| CertStatusRequestType curType = |
| CertStatusRequestType.valueOf(item.statusType); |
| if (ocspIdx < 0 && curType == CertStatusRequestType.OCSP) { |
| OCSPStatusRequest ocspReq = (OCSPStatusRequest)item; |
| // We currently only accept empty responder ID lists |
| // but may support them in the future |
| if (ocspReq.responderIds.isEmpty()) { |
| ocspIdx = pos; |
| } |
| } else if (ocspMultiIdx < 0 && |
| curType == CertStatusRequestType.OCSP_MULTI) { |
| OCSPStatusRequest ocspReq = (OCSPStatusRequest)item; |
| // We currently only accept empty responder ID lists |
| // but may support them in the future |
| if (ocspReq.responderIds.isEmpty()) { |
| ocspMultiIdx = pos; |
| } |
| } |
| } |
| if (ocspMultiIdx >= 0) { |
| req = reqItems[ocspMultiIdx]; |
| type = CertStatusRequestType.valueOf(req.statusType); |
| } else if (ocspIdx >= 0) { |
| req = reqItems[ocspIdx]; |
| type = CertStatusRequestType.valueOf(req.statusType); |
| } else { |
| if (SSLLogger.isOn && |
| SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.finest("Warning: No suitable request " + |
| "found in the status_request_v2 extension."); |
| } |
| } |
| } |
| |
| // Only attempt to process a status_request extension if: |
| // * The status_request extension is set AND |
| // * either the status_request_v2 extension is not present OR |
| // * none of the underlying OCSPStatusRequest structures is |
| // suitable for stapling. |
| // If either of the latter two bullet items is true the ext, |
| // type and req variables should all be null. If any are null |
| // we will try processing an asserted status_request. |
| if ((statReq != null) && |
| (ext == null || type == null || req == null)) { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) { |
| SSLLogger.fine("SH Processing status_request extension"); |
| } |
| ext = SSLExtension.CH_STATUS_REQUEST; |
| type = CertStatusRequestType.valueOf( |
| statReq.statusRequest.statusType); |
| if (type == CertStatusRequestType.OCSP) { |
| // If the type is OCSP, then the request is guaranteed |
| // to be OCSPStatusRequest |
| OCSPStatusRequest ocspReq = |
| (OCSPStatusRequest)statReq.statusRequest; |
| if (ocspReq.responderIds.isEmpty()) { |
| req = ocspReq; |
| } else { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.finest("Warning: No suitable request " + |
| "found in the status_request extension."); |
| } |
| } |
| } |
| } |
| |
| // If, after walking through the extensions we were unable to |
| // find a suitable StatusRequest, then stapling is disabled. |
| // The ext, type and req variables must have been set to continue. |
| if (type == null || req == null || ext == null) { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.fine("No suitable status_request or " + |
| "status_request_v2, stapling is disabled"); |
| } |
| return null; |
| } |
| |
| // Get the cert chain since we'll need it for OCSP checking |
| X509Possession x509Possession = null; |
| for (SSLPossession possession : shc.handshakePossessions) { |
| if (possession instanceof X509Possession) { |
| x509Possession = (X509Possession)possession; |
| break; |
| } |
| } |
| |
| if (x509Possession == null) { // unlikely |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.finest("Warning: no X.509 certificates found. " + |
| "Stapling is disabled."); |
| } |
| return null; |
| } |
| |
| // Get the OCSP responses from the StatusResponseManager |
| X509Certificate[] certs = x509Possession.popCerts; |
| StatusResponseManager statRespMgr = |
| shc.sslContext.getStatusResponseManager(); |
| if (statRespMgr != null) { |
| // For the purposes of the fetch from the SRM, override the |
| // type when it is TLS 1.3 so it always gets responses for |
| // all certs it can. This should not change the type field |
| // in the StaplingParameters though. |
| CertStatusRequestType fetchType = |
| shc.negotiatedProtocol.useTLS13PlusSpec() ? |
| CertStatusRequestType.OCSP_MULTI : type; |
| responses = statRespMgr.get(fetchType, req, certs, |
| shc.statusRespTimeout, TimeUnit.MILLISECONDS); |
| if (!responses.isEmpty()) { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.finest("Response manager returned " + |
| responses.size() + " entries."); |
| } |
| // If this RFC 6066-style stapling (SSL cert only) then the |
| // response cannot be zero length |
| if (type == CertStatusRequestType.OCSP) { |
| byte[] respDER = responses.get(certs[0]); |
| if (respDER == null || respDER.length <= 0) { |
| if (SSLLogger.isOn && |
| SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.finest("Warning: Null or zero-length " + |
| "response found for leaf certificate. " + |
| "Stapling is disabled."); |
| } |
| return null; |
| } |
| } |
| params = new StaplingParameters(ext, type, req, responses); |
| } else { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.finest("Warning: no OCSP responses obtained. " + |
| "Stapling is disabled."); |
| } |
| } |
| } else { |
| // This should not happen, but if lazy initialization of the |
| // StatusResponseManager doesn't occur we should turn off stapling. |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.finest("Warning: lazy initialization " + |
| "of the StatusResponseManager failed. " + |
| "Stapling is disabled."); |
| } |
| params = null; |
| } |
| |
| return params; |
| } |
| |
| /** |
| * Inner class used to hold stapling parameters needed by the handshaker |
| * when stapling is active. |
| */ |
| static final class StaplingParameters { |
| final SSLExtension statusRespExt; |
| final CertStatusRequestType statReqType; |
| final CertStatusRequest statReqData; |
| final Map<X509Certificate, byte[]> responseMap; |
| |
| StaplingParameters(SSLExtension ext, CertStatusRequestType type, |
| CertStatusRequest req, Map<X509Certificate, byte[]> responses) { |
| statusRespExt = ext; |
| statReqType = type; |
| statReqData = req; |
| responseMap = responses; |
| } |
| } |
| } |
| |