jdk-sandbox: src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java@56aaa6cb3693 (annotated)

32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1	/*
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	2	* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	4	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	10	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	15	* accompanied this code).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	16	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	20	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	23	* questions.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	24	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	25
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	26	package sun.security.ssl;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	27
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	28	import java.io.IOException;
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	29	import java.io.ByteArrayInputStream;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	30	import java.nio.ByteBuffer;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	31	import java.security.cert.Extension;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	32	import java.security.cert.CertificateFactory;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	33	import java.security.cert.CertificateException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	34	import java.security.cert.X509Certificate;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	35	import java.text.MessageFormat;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	36	import java.util.ArrayList;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	37	import java.util.List;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	38	import java.util.Locale;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	39	import javax.net.ssl.SSLProtocolException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	40	import sun.security.provider.certpath.OCSPResponse;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	41	import sun.security.provider.certpath.ResponderId;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	42	import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	43	import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST_V2;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	44	import sun.security.ssl.SSLExtension.ExtensionConsumer;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	45	import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	46	import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST_V2;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	47	import sun.security.ssl.SSLExtension.SSLExtensionSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	48	import sun.security.ssl.SSLHandshake.HandshakeMessage;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	49	import sun.security.util.DerInputStream;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	50	import sun.security.util.DerValue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	51	import sun.security.util.HexDumpEncoder;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	52
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	53	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	54	* Pack of "status_request" and "status_request_v2" extensions.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	55	*/
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	56	final class CertStatusExtension {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	57	static final HandshakeProducer chNetworkProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	58	new CHCertStatusReqProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	59	static final ExtensionConsumer chOnLoadConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	60	new CHCertStatusReqConsumer();
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	61
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	62	static final HandshakeProducer shNetworkProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	63	new SHCertStatusReqProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	64	static final ExtensionConsumer shOnLoadConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	65	new SHCertStatusReqConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	66
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	67	static final HandshakeProducer ctNetworkProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	68	new CTCertStatusResponseProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	69	static final ExtensionConsumer ctOnLoadConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	70	new CTCertStatusResponseConsumer();
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	71
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	72	static final SSLStringize certStatusReqStringize =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	73	new CertStatusRequestStringize();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	74
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	75	static final HandshakeProducer chV2NetworkProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	76	new CHCertStatusReqV2Producer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	77	static final ExtensionConsumer chV2OnLoadConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	78	new CHCertStatusReqV2Consumer();
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	79
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	80	static final HandshakeProducer shV2NetworkProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	81	new SHCertStatusReqV2Producer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	82	static final ExtensionConsumer shV2OnLoadConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	83	new SHCertStatusReqV2Consumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	84
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	85	static final SSLStringize certStatusReqV2Stringize =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	86	new CertStatusRequestsStringize();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	87
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	88	static final SSLStringize certStatusRespStringize =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	89	new CertStatusRespStringize();
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	90
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	91	/**
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	92	* The "status_request" extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	93	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	94	* RFC6066 defines the TLS extension,"status_request" (type 0x5),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	95	* which allows the client to request that the server perform OCSP
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	96	* on the client's behalf.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	97	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	98	* The "extension data" field of this extension contains a
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	99	* "CertificateStatusRequest" structure:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	100	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	101	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	102	* CertificateStatusType status_type;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	103	* select (status_type) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	104	* case ocsp: OCSPStatusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	105	* } request;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	106	* } CertificateStatusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	107	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	108	* enum { ocsp(1), (255) } CertificateStatusType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	109	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	110	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	111	* ResponderID responder_id_list<0..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	112	* Extensions request_extensions;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	113	* } OCSPStatusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	114	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	115	* opaque ResponderID<1..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	116	* opaque Extensions<0..2^16-1>;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	117	*/
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	118	static final class CertStatusRequestSpec implements SSLExtensionSpec {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	119	static final CertStatusRequestSpec DEFAULT =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	120	new CertStatusRequestSpec(OCSPStatusRequest.EMPTY_OCSP);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	121
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	122	final CertStatusRequest statusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	123
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	124	private CertStatusRequestSpec(CertStatusRequest statusRequest) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	125	this.statusRequest = statusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	126	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	127
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	128	private CertStatusRequestSpec(ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	129	// Is it a empty extension_data?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	130	if (buffer.remaining() == 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	131	// server response
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	132	this.statusRequest = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	133	return;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	134	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	135
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	136	if (buffer.remaining() < 1) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	137	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	138	"Invalid status_request extension: insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	139	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	140
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	141	byte statusType = (byte)Record.getInt8(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	142	byte[] encoded = new byte[buffer.remaining()];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	143	if (encoded.length != 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	144	buffer.get(encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	145	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	146	if (statusType == CertStatusRequestType.OCSP.id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	147	this.statusRequest = new OCSPStatusRequest(statusType, encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	148	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	149	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	150	SSLLogger.info(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	151	"Unknown certificate status request " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	152	"(status type: " + statusType + ")");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	153	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	154
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	155	this.statusRequest = new CertStatusRequest(statusType, encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	156	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	157	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	158
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	159	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	160	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	161	return statusRequest == null ?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	162	"<empty>" : statusRequest.toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	163	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	164	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	165
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	166	/**
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	167	* Defines the CertificateStatus response structure as outlined in
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	168	* RFC 6066. This will contain a status response type, plus a single,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	169	* non-empty OCSP response in DER-encoded form.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	170	*
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	171	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	172	* CertificateStatusType status_type;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	173	* select (status_type) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	174	* case ocsp: OCSPResponse;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	175	* } response;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	176	* } CertificateStatus;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	177	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	178	static final class CertStatusResponseSpec implements SSLExtensionSpec {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	179	final CertStatusResponse statusResponse;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	180
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	181	private CertStatusResponseSpec(CertStatusResponse resp) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	182	this.statusResponse = resp;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	183	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	184
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	185	private CertStatusResponseSpec(ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	186	if (buffer.remaining() < 2) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	187	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	188	"Invalid status_request extension: insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	189	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	190
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	191	// Get the status type (1 byte) and response data (vector)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	192	byte type = (byte)Record.getInt8(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	193	byte[] respData = Record.getBytes24(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	194
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	195	// Create the CertStatusResponse based on the type
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	196	if (type == CertStatusRequestType.OCSP.id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	197	this.statusResponse = new OCSPStatusResponse(type, respData);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	198	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	199	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	200	SSLLogger.info(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	201	"Unknown certificate status response " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	202	"(status type: " + type + ")");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	203	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	204
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	205	this.statusResponse = new CertStatusResponse(type, respData);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	206	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	207	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	208
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	209	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	210	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	211	return statusResponse == null ?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	212	"<empty>" : statusResponse.toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	213	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	214	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	215
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	216	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	217	class CertStatusRequestStringize implements SSLStringize {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	218	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	219	public String toString(ByteBuffer buffer) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	220	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	221	return (new CertStatusRequestSpec(buffer)).toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	222	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	223	// For debug logging only, so please swallow exceptions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	224	return ioe.getMessage();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	225	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	226	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	227	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	228
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	229	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	230	class CertStatusRespStringize implements SSLStringize {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	231	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	232	public String toString(ByteBuffer buffer) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	233	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	234	return (new CertStatusResponseSpec(buffer)).toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	235	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	236	// For debug logging only, so please swallow exceptions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	237	return ioe.getMessage();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	238	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	239	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	240	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	241
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	242	static enum CertStatusRequestType {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	243	OCSP ((byte)0x01, "ocsp"), // RFC 6066/6961
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	244	OCSP_MULTI ((byte)0x02, "ocsp_multi"); // RFC 6961
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	245
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	246	final byte id;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	247	final String name;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	248
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	249	private CertStatusRequestType(byte id, String name) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	250	this.id = id;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	251	this.name = name;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	252	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	253
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	254	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	255	* Returns the enum constant of the specified id (see RFC 6066).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	256	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	257	static CertStatusRequestType valueOf(byte id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	258	for (CertStatusRequestType srt : CertStatusRequestType.values()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	259	if (srt.id == id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	260	return srt;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	261	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	262	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	263
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	264	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	265	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	266
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	267	static String nameOf(byte id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	268	for (CertStatusRequestType srt : CertStatusRequestType.values()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	269	if (srt.id == id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	270	return srt.name;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	271	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	272	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	273
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	274	return "UNDEFINED-CERT-STATUS-TYPE(" + id + ")";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	275	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	276	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	277
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	278	static class CertStatusRequest {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	279	final byte statusType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	280	final byte[] encodedRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	281
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	282	protected CertStatusRequest(byte statusType, byte[] encodedRequest) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	283	this.statusType = statusType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	284	this.encodedRequest = encodedRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	285	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	286
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	287	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	288	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	289	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	290	"\"certificate status type\": {0}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	291	"\"encoded certificate status\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	292	"{1}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	293	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	294	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	295
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	296	HexDumpEncoder hexEncoder = new HexDumpEncoder();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	297	String encoded = hexEncoder.encodeBuffer(encodedRequest);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	298
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	299	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	300	CertStatusRequestType.nameOf(statusType),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	301	Utilities.indent(encoded)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	302	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	303
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	304	return messageFormat.format(messageFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	305	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	306	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	307
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	308	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	309	* RFC6066 defines the TLS extension,"status_request" (type 0x5),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	310	* which allows the client to request that the server perform OCSP
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	311	* on the client's behalf.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	312	*
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	313	* The RFC defines an OCSPStatusRequest structure:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	314	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	315	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	316	* ResponderID responder_id_list<0..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	317	* Extensions request_extensions;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	318	* } OCSPStatusRequest;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	319	*/
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	320	static final class OCSPStatusRequest extends CertStatusRequest {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	321	static final OCSPStatusRequest EMPTY_OCSP;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	322	static final OCSPStatusRequest EMPTY_OCSP_MULTI;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	323
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	324	final List<ResponderId> responderIds;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	325	final List<Extension> extensions;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	326	private final int encodedLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	327	private final int ridListLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	328	private final int extListLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	329
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	330	static {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	331	OCSPStatusRequest ocspReq = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	332	OCSPStatusRequest multiReq = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	333
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	334	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	335	ocspReq = new OCSPStatusRequest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	336	CertStatusRequestType.OCSP.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	337	new byte[] {0x00, 0x00, 0x00, 0x00});
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	338	multiReq = new OCSPStatusRequest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	339	CertStatusRequestType.OCSP_MULTI.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	340	new byte[] {0x00, 0x00, 0x00, 0x00});
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	341	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	342	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	343	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	344
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	345	EMPTY_OCSP = ocspReq;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	346	EMPTY_OCSP_MULTI = multiReq;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	347	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	348
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	349	private OCSPStatusRequest(byte statusType,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	350	byte[] encoded) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	351	super(statusType, encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	352
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	353	if (encoded == null \|\| encoded.length < 4) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	354	// 2: length of responder_id_list
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	355	// +2: length of request_extensions
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	356	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	357	"Invalid OCSP status request: insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	358	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	359	this.encodedLen = encoded.length;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	360
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	361	List<ResponderId> rids = new ArrayList<>();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	362	List<Extension> exts = new ArrayList<>();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	363	ByteBuffer m = ByteBuffer.wrap(encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	364
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	365	this.ridListLen = Record.getInt16(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	366	if (m.remaining() < (ridListLen + 2)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	367	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	368	"Invalid OCSP status request: insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	369	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	370
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	371	int ridListBytesRemaining = ridListLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	372	while (ridListBytesRemaining >= 2) { // 2: length of responder_id
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	373	byte[] ridBytes = Record.getBytes16(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	374	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	375	rids.add(new ResponderId(ridBytes));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	376	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	377	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	378	"Invalid OCSP status request: invalid responder ID");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	379	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	380	ridListBytesRemaining -= ridBytes.length + 2;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	381	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	382
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	383	if (ridListBytesRemaining != 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	384	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	385	"Invalid OCSP status request: incomplete data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	386	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	387
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	388	byte[] extListBytes = Record.getBytes16(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	389	this.extListLen = extListBytes.length;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	390	if (extListLen > 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	391	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	392	DerInputStream dis = new DerInputStream(extListBytes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	393	DerValue[] extSeqContents =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	394	dis.getSequence(extListBytes.length);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	395	for (DerValue extDerVal : extSeqContents) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	396	exts.add(new sun.security.x509.Extension(extDerVal));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	397	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	398	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	399	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	400	"Invalid OCSP status request: invalid extension");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	401	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	402	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	403
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	404	this.responderIds = rids;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	405	this.extensions = exts;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	406	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	407
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	408	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	409	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	410	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	411	"\"certificate status type\": {0}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	412	"\"OCSP status request\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	413	"{1}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	414	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	415	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	416
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	417	MessageFormat requestFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	418	"\"responder_id\": {0}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	419	"\"request extensions\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	420	"{1}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	421	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	422	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	423
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	424	String ridStr = "<empty>";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	425	if (!responderIds.isEmpty()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	426	ridStr = responderIds.toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	427
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	428	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	429
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	430	String extsStr = "<empty>";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	431	if (!extensions.isEmpty()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	432	StringBuilder extBuilder = new StringBuilder(512);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	433	boolean isFirst = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	434	for (Extension ext : this.extensions) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	435	if (isFirst) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	436	isFirst = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	437	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	438	extBuilder.append(",\n");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	439	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	440	extBuilder.append(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	441	"{\n" + Utilities.indent(ext.toString()) + "}");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	442	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	443
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	444	extsStr = extBuilder.toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	445	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	446
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	447	Object[] requestFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	448	ridStr,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	449	Utilities.indent(extsStr)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	450	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	451	String ocspStatusRequest = requestFormat.format(requestFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	452
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	453	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	454	CertStatusRequestType.nameOf(statusType),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	455	Utilities.indent(ocspStatusRequest)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	456	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	457
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	458	return messageFormat.format(messageFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	459	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	460	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	461
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	462	static class CertStatusResponse {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	463	final byte statusType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	464	final byte[] encodedResponse;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	465
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	466	protected CertStatusResponse(byte statusType, byte[] respDer) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	467	this.statusType = statusType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	468	this.encodedResponse = respDer;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	469	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	470
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	471	byte[] toByteArray() throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	472	// Create a byte array large enough to handle the status_type
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	473	// field (1) + OCSP length (3) + OCSP data (variable)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	474	byte[] outData = new byte[encodedResponse.length + 4];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	475	ByteBuffer buf = ByteBuffer.wrap(outData);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	476	Record.putInt8(buf, statusType);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	477	Record.putBytes24(buf, encodedResponse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	478	return buf.array();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	479	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	480
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	481	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	482	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	483	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	484	"\"certificate status response type\": {0}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	485	"\"encoded certificate status\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	486	"{1}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	487	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	488	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	489
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	490	HexDumpEncoder hexEncoder = new HexDumpEncoder();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	491	String encoded = hexEncoder.encodeBuffer(encodedResponse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	492
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	493	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	494	CertStatusRequestType.nameOf(statusType),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	495	Utilities.indent(encoded)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	496	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	497
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	498	return messageFormat.format(messageFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	499	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	500	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	501
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	502	static final class OCSPStatusResponse extends CertStatusResponse {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	503	final OCSPResponse ocspResponse;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	504
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	505	private OCSPStatusResponse(byte statusType,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	506	byte[] encoded) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	507	super(statusType, encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	508
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	509	// The DER-encoded OCSP response must not be zero length
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	510	if (encoded == null \|\| encoded.length < 1) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	511	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	512	"Invalid OCSP status response: insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	513	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	514
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	515	// Otherwise, make an OCSPResponse object from the data
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	516	ocspResponse = new OCSPResponse(encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	517	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	518
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	519	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	520	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	521	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	522	"\"certificate status response type\": {0}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	523	"\"OCSP status response\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	524	"{1}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	525	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	526	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	527
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	528	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	529	CertStatusRequestType.nameOf(statusType),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	530	Utilities.indent(ocspResponse.toString())
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	531	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	532
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	533	return messageFormat.format(messageFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	534	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	535	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	536
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	537	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	538	* Network data producer of a "status_request" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	539	* ClientHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	540	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	541	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	542	class CHCertStatusReqProducer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	543	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	544	private CHCertStatusReqProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	545	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	546	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	547
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	548	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	549	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	550	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	551	// The producing happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	552	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	553
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	554	if (!chc.sslContext.isStaplingEnabled(true)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	555	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	556	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	557
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	558	if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	559	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	560	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	561	"Ignore unavailable extension: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	562	CH_STATUS_REQUEST.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	563	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	564	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	565	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	566
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	567	// Produce the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	568	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	569	// We are using empty OCSPStatusRequest at present. May extend to
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	570	// support specific responder or extensions later.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	571	byte[] extData = new byte[] {0x01, 0x00, 0x00, 0x00, 0x00};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	572
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	573	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	574	chc.handshakeExtensions.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	575	CH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	576
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	577	return extData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	578	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	579	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	580
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	581	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	582	* Network data consumer of a "status_request" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	583	* ClientHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	584	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	585	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	586	class CHCertStatusReqConsumer implements ExtensionConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	587	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	588	private CHCertStatusReqConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	589	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	590	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	591
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	592	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	593	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	594	HandshakeMessage message, ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	595
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	596	// The comsuming happens in server side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	597	ServerHandshakeContext shc = (ServerHandshakeContext)context;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	598
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	599	if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	600	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	601	SSLLogger.fine("Ignore unavailable extension: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	602	CH_STATUS_REQUEST.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	603	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	604	return; // ignore the extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	605	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	606
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	607	// Parse the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	608	CertStatusRequestSpec spec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	609	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	610	spec = new CertStatusRequestSpec(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	611	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	612	shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	613	return; // fatal() always throws, make the compiler happy.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	614	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	615
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	616	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	617	shc.handshakeExtensions.put(CH_STATUS_REQUEST, spec);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	618	if (!shc.negotiatedProtocol.useTLS13PlusSpec()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	619	shc.handshakeProducers.put(SSLHandshake.CERTIFICATE_STATUS.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	620	SSLHandshake.CERTIFICATE_STATUS);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	621	} // Otherwise, the certificate status presents in server cert.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	622
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	623	// No impact on session resumption.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	624	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	625	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	626
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	627	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	628	* Network data producer of a "status_request" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	629	* ServerHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	630	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	631	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	632	class SHCertStatusReqProducer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	633	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	634	private SHCertStatusReqProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	635	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	636	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	637
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	638	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	639	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	640	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	641	// The producing happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	642	ServerHandshakeContext shc = (ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	643
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	644	// The StaplingParameters in the ServerHandshakeContext will
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	645	// contain the info about what kind of stapling (if any) to
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	646	// perform and whether this status_request extension should be
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	647	// produced or the status_request_v2 (found in a different producer)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	648	// No explicit check is required for isStaplingEnabled here. If
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	649	// it is false then stapleParams will be null. If it is true
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	650	// then stapleParams may or may not be false and the check below
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	651	// is sufficient.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	652	if ((shc.stapleParams == null) \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	653	(shc.stapleParams.statusRespExt !=
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	654	SSLExtension.CH_STATUS_REQUEST)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	655	return null; // Do not produce status_request in ServerHello
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	656	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	657
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	658	// In response to "status_request" extension request only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	659	CertStatusRequestSpec spec = (CertStatusRequestSpec)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	660	shc.handshakeExtensions.get(CH_STATUS_REQUEST);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	661	if (spec == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	662	// Ignore, no status_request extension requested.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	663	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	664	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	665	"Ignore unavailable extension: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	666	CH_STATUS_REQUEST.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	667	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	668
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	669	return null; // ignore the extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	670	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	671
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	672	// Is it a session resuming?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	673	if (shc.isResumption) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	674	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	675	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	676	"No status_request response for session resuming");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	677	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	678
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	679	return null; // ignore the extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	680	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	681
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	682	// The "extension_data" in the extended ServerHello handshake
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	683	// message MUST be empty.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	684	byte[] extData = new byte[0];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	685
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	686	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	687	shc.handshakeExtensions.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	688	SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	689
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	690	return extData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	691	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	692	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	693
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	694	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	695	* Network data consumer of a "status_request" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	696	* ServerHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	697	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	698	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	699	class SHCertStatusReqConsumer implements ExtensionConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	700	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	701	private SHCertStatusReqConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	702	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	703	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	704
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	705	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	706	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	707	HandshakeMessage message, ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	708
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	709	// The producing happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	710	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	711
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	712	// In response to "status_request" extension request only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	713	CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	714	chc.handshakeExtensions.get(CH_STATUS_REQUEST);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	715	if (requestedCsr == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	716	chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	717	"Unexpected status_request extension in ServerHello");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	718	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	719
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	720	// Parse the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	721	if (buffer.hasRemaining()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	722	chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	723	"Invalid status_request extension in ServerHello message: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	724	"the extension data must be empty");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	725	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	726
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	727	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	728	chc.handshakeExtensions.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	729	SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	730	chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	731	SSLHandshake.CERTIFICATE_STATUS);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	732
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	733	// Since we've received a legitimate status_request in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	734	// ServerHello, stapling is active if it's been enabled.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	735	chc.staplingActive = chc.sslContext.isStaplingEnabled(true);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	736
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	737	// No impact on session resumption.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	738	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	739	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	740
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	741	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	742	* The "status_request_v2" extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	743	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	744	* RFC6961 defines the TLS extension,"status_request_v2" (type 0x5),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	745	* which allows the client to request that the server perform OCSP
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	746	* on the client's behalf.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	747	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	748	* The RFC defines an CertStatusReqItemV2 structure:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	749	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	750	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	751	* CertificateStatusType status_type;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	752	* uint16 request_length;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	753	* select (status_type) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	754	* case ocsp: OCSPStatusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	755	* case ocsp_multi: OCSPStatusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	756	* } request;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	757	* } CertificateStatusRequestItemV2;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	758	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	759	* enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	760	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	761	* ResponderID responder_id_list<0..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	762	* Extensions request_extensions;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	763	* } OCSPStatusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	764	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	765	* opaque ResponderID<1..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	766	* opaque Extensions<0..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	767	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	768	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	769	* CertificateStatusRequestItemV2
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	770	* certificate_status_req_list<1..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	771	* } CertificateStatusRequestListV2;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	772	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	773	static final class CertStatusRequestV2Spec implements SSLExtensionSpec {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	774	static final CertStatusRequestV2Spec DEFAULT =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	775	new CertStatusRequestV2Spec(new CertStatusRequest[] {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	776	OCSPStatusRequest.EMPTY_OCSP_MULTI});
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	777
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	778	final CertStatusRequest[] certStatusRequests;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	779
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	780	private CertStatusRequestV2Spec(CertStatusRequest[] certStatusRequests) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	781	this.certStatusRequests = certStatusRequests;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	782	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	783
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	784	private CertStatusRequestV2Spec(ByteBuffer message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	785	// Is it a empty extension_data?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	786	if (message.remaining() == 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	787	// server response
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	788	this.certStatusRequests = new CertStatusRequest[0];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	789	return;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	790	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	791
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	792	if (message.remaining() < 5) { // 2: certificate_status_req_list
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	793	// +1: status_type
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	794	// +2: request_length
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	795	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	796	"Invalid status_request_v2 extension: insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	797	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	798
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	799	int listLen = Record.getInt16(message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	800	if (listLen <= 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	801	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	802	"certificate_status_req_list length must be positive " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	803	"(received length: " + listLen + ")");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	804	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	805
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	806	int remaining = listLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	807	List<CertStatusRequest> statusRequests = new ArrayList<>();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	808	while (remaining > 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	809	byte statusType = (byte)Record.getInt8(message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	810	int requestLen = Record.getInt16(message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	811
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	812	if (message.remaining() < requestLen) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	813	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	814	"Invalid status_request_v2 extension: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	815	"insufficient data (request_length=" + requestLen +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	816	", remining=" + message.remaining() + ")");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	817	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	818
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	819	byte[] encoded = new byte[requestLen];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	820	if (encoded.length != 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	821	message.get(encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	822	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	823	remaining -= 3; // 1(status type) + 2(request_length) bytes
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	824	remaining -= requestLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	825
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	826	if (statusType == CertStatusRequestType.OCSP.id \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	827	statusType == CertStatusRequestType.OCSP_MULTI.id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	828	if (encoded.length < 4) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	829	// 2: length of responder_id_list
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	830	// +2: length of request_extensions
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	831	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	832	"Invalid status_request_v2 extension: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	833	"insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	834	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	835	statusRequests.add(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	836	new OCSPStatusRequest(statusType, encoded));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	837	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	838	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	839	SSLLogger.info(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	840	"Unknown certificate status request " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	841	"(status type: " + statusType + ")");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	842	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	843	statusRequests.add(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	844	new CertStatusRequest(statusType, encoded));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	845	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	846	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	847
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	848	certStatusRequests =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	849	statusRequests.toArray(new CertStatusRequest[0]);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	850	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	851
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	852	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	853	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	854	if (certStatusRequests == null \|\| certStatusRequests.length == 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	855	return "<empty>";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	856	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	857	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	858	"\"cert status request\": '{'\n{0}\n'}'", Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	859
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	860	StringBuilder builder = new StringBuilder(512);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	861	boolean isFirst = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	862	for (CertStatusRequest csr : certStatusRequests) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	863	if (isFirst) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	864	isFirst = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	865	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	866	builder.append(", ");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	867	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	868	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	869	Utilities.indent(csr.toString())
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	870	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	871	builder.append(messageFormat.format(messageFields));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	872	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	873
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	874	return builder.toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	875	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	876	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	877	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	878
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	879	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	880	class CertStatusRequestsStringize implements SSLStringize {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	881	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	882	public String toString(ByteBuffer buffer) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	883	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	884	return (new CertStatusRequestV2Spec(buffer)).toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	885	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	886	// For debug logging only, so please swallow exceptions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	887	return ioe.getMessage();
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	888	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	889	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	890	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	891
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	892	/**
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	893	* Network data producer of a "status_request_v2" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	894	* ClientHello handshake message.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	895	*/
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	896	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	897	class CHCertStatusReqV2Producer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	898	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	899	private CHCertStatusReqV2Producer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	900	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	901	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	902
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	903	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	904	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	905	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	906	// The producing happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	907	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	908
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	909	if (!chc.sslContext.isStaplingEnabled(true)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	910	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	911	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	912
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	913	if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	914	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	915	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	916	"Ignore unavailable status_request_v2 extension");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	917	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	918
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	919	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	920	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	921
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	922	// Produce the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	923	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	924	// We are using empty OCSPStatusRequest at present. May extend to
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	925	// support specific responder or extensions later.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	926	byte[] extData = new byte[] {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	927	0x00, 0x07, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	928
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	929	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	930	chc.handshakeExtensions.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	931	CH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	932
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	933	return extData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	934	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	935	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	936
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	937	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	938	* Network data consumer of a "status_request_v2" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	939	* ClientHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	940	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	941	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	942	class CHCertStatusReqV2Consumer implements ExtensionConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	943	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	944	private CHCertStatusReqV2Consumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	945	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	946	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	947
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	948	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	949	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	950	HandshakeMessage message, ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	951
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	952	// The comsuming happens in server side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	953	ServerHandshakeContext shc = (ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	954
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	955	if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	956	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	957	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	958	"Ignore unavailable status_request_v2 extension");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	959	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	960
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	961	return; // ignore the extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	962	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	963
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	964	// Parse the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	965	CertStatusRequestV2Spec spec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	966	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	967	spec = new CertStatusRequestV2Spec(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	968	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	969	shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	970	return; // fatal() always throws, make the compiler happy.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	971	}
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	972
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	973	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	974	shc.handshakeExtensions.put(CH_STATUS_REQUEST_V2, spec);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	975	shc.handshakeProducers.putIfAbsent(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	976	SSLHandshake.CERTIFICATE_STATUS.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	977	SSLHandshake.CERTIFICATE_STATUS);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	978	// No impact on session resumption.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	979	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	980	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	981
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	982	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	983	* Network data producer of a "status_request_v2" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	984	* ServerHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	985	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	986	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	987	class SHCertStatusReqV2Producer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	988	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	989	private SHCertStatusReqV2Producer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	990	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	991	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	992
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	993	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	994	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	995	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	996	// The producing happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	997
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	998	ServerHandshakeContext shc = (ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	999	// The StaplingParameters in the ServerHandshakeContext will
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1000	// contain the info about what kind of stapling (if any) to
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1001	// perform and whether this status_request extension should be
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1002	// produced or the status_request_v2 (found in a different producer)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1003	// No explicit check is required for isStaplingEnabled here. If
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1004	// it is false then stapleParams will be null. If it is true
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1005	// then stapleParams may or may not be false and the check below
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1006	// is sufficient.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1007	if ((shc.stapleParams == null) \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1008	(shc.stapleParams.statusRespExt !=
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1009	SSLExtension.CH_STATUS_REQUEST_V2)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1010	return null; // Do not produce status_request_v2 in SH
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1011	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1012
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1013	// In response to "status_request_v2" extension request only
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1014	CertStatusRequestV2Spec spec = (CertStatusRequestV2Spec)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1015	shc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1016	if (spec == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1017	// Ignore, no status_request_v2 extension requested.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1018	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1019	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1020	"Ignore unavailable status_request_v2 extension");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1021	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1022
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1023	return null; // ignore the extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1024	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1025
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1026	// Is it a session resuming?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1027	if (shc.isResumption) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1028	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1029	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1030	"No status_request_v2 response for session resumption");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1031	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1032	return null; // ignore the extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1033	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1034
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1035	// The "extension_data" in the extended ServerHello handshake
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1036	// message MUST be empty.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1037	byte[] extData = new byte[0];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1038
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1039	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1040	shc.handshakeExtensions.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1041	SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1042
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1043	return extData;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1044	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1045	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1046
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1047	/**
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1048	* Network data consumer of a "status_request_v2" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1049	* ServerHello handshake message.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1050	*/
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1051	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1052	class SHCertStatusReqV2Consumer implements ExtensionConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1053	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1054	private SHCertStatusReqV2Consumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1055	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1056	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1057
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1058	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1059	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1060	HandshakeMessage message, ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1061
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1062	// The consumption happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1063	ClientHandshakeContext chc = (ClientHandshakeContext)context;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1064
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1065	// In response to "status_request" extension request only
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1066	CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1067	chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1068	if (requestedCsr == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1069	chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1070	"Unexpected status_request_v2 extension in ServerHello");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1071	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1072
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1073	// Parse the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1074	if (buffer.hasRemaining()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1075	chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1076	"Invalid status_request_v2 extension in ServerHello: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1077	"the extension data must be empty");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1078	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1079
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1080	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1081	chc.handshakeExtensions.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1082	SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1083	chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1084	SSLHandshake.CERTIFICATE_STATUS);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1085
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1086	// Since we've received a legitimate status_request in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1087	// ServerHello, stapling is active if it's been enabled.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1088	chc.staplingActive = chc.sslContext.isStaplingEnabled(true);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1089
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1090	// No impact on session resumption.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1091	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1092	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1093
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1094	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1095	class CTCertStatusResponseProducer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1096	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1097	private CTCertStatusResponseProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1098	// blank
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1099	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1100
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1101	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1102	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1103	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1104	ServerHandshakeContext shc = (ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1105	byte[] producedData = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1106
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1107	// Stapling needs to be active and have valid data to proceed
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1108	if (shc.stapleParams == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1109	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1110	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1111	"Stapling is disabled for this connection");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1112	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1113	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1114	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1115
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1116	// There needs to be a non-null CertificateEntry to proceed
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1117	if (shc.currentCertEntry == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1118	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1119	SSLLogger.finest("Found null CertificateEntry in context");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1120	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1121	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1122	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1123
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1124	// Pull the certificate from the CertificateEntry and find
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1125	// a response from the response map. If one exists we will
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1126	// staple it.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1127	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1128	CertificateFactory cf = CertificateFactory.getInstance("X.509");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1129	X509Certificate x509Cert =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1130	(X509Certificate)cf.generateCertificate(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1131	new ByteArrayInputStream(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1132	shc.currentCertEntry.encoded));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1133	byte[] respBytes = shc.stapleParams.responseMap.get(x509Cert);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1134	if (respBytes == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1135	// We're done with this entry. Clear it from the context
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1136	if (SSLLogger.isOn &&
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1137	SSLLogger.isOn("ssl,handshake,verbose")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1138	SSLLogger.finest("No status response found for " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1139	x509Cert.getSubjectX500Principal());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1140	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1141	shc.currentCertEntry = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1142	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1143	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1144
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1145	// Build a proper response buffer from the stapling information
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1146	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1147	SSLLogger.finest("Found status response for " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1148	x509Cert.getSubjectX500Principal() +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1149	", response length: " + respBytes.length);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1150	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1151	CertStatusResponse certResp = (shc.stapleParams.statReqType ==
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1152	CertStatusRequestType.OCSP) ?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1153	new OCSPStatusResponse(shc.stapleParams.statReqType.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1154	respBytes) :
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1155	new CertStatusResponse(shc.stapleParams.statReqType.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1156	respBytes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1157	producedData = certResp.toByteArray();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1158	} catch (CertificateException ce) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1159	shc.conContext.fatal(Alert.BAD_CERTIFICATE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1160	"Failed to parse server certificates", ce);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1161	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1162	shc.conContext.fatal(Alert.BAD_CERT_STATUS_RESPONSE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1163	"Failed to parse certificate status response", ioe);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1164	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1165
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1166	// Clear the pinned CertificateEntry from the context
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1167	shc.currentCertEntry = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1168	return producedData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1169	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1170	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1171
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1172	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1173	class CTCertStatusResponseConsumer implements ExtensionConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1174	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1175	private CTCertStatusResponseConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1176	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1177	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1178
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1179	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1180	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1181	HandshakeMessage message, ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1182	// The consumption happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1183	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1184
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1185	// Parse the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1186	CertStatusResponseSpec spec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1187	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1188	spec = new CertStatusResponseSpec(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1189	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1190	chc.conContext.fatal(Alert.DECODE_ERROR, ioe);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1191	return; // fatal() always throws, make the compiler happy.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1192	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1193
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1194	if (chc.sslContext.isStaplingEnabled(true)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1195	// Activate stapling
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1196	chc.staplingActive = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1197	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1198	// Do no further processing of stapled responses
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1199	return;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1200	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1201
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1202	// Get response list from the session. This is unmodifiable
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1203	// so we need to create a new list. Then add this new response
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1204	// to the end and submit it back to the session object.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1205	if ((chc.handshakeSession != null) && (!chc.isResumption)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1206	List<byte[]> respList = new ArrayList<>(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1207	chc.handshakeSession.getStatusResponses());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1208	respList.add(spec.statusResponse.encodedResponse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1209	chc.handshakeSession.setStatusResponses(respList);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1210	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1211	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1212	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1213	"Ignoring stapled data on resumed session");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1214	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1215	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1216	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1217	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1218	}

author	wetmore
	Fri, 11 May 2018 15:53:12 -0700
branch	JDK-8145252-TLS13-branch
changeset 56542	56aaa6cb3693
parent 47216	src/java.base/share/classes/sun/security/ssl/CertStatusReqExtension.java@71c04702a3d5
child 56651	0c13b82d3274
permissions	-rw-r--r--