jdk-sandbox: src/java.base/share/classes/sun/security/ssl/CertificateStatus.java@56aaa6cb3693 (annotated)

56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	2	* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	4	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	10	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	15	* accompanied this code).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	16	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	20	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	23	* questions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	24	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	25
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	26	package sun.security.ssl;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	27
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	28	import java.io.IOException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	29	import java.nio.ByteBuffer;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	30	import java.text.MessageFormat;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	31	import java.util.List;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	32	import java.util.ArrayList;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	33	import java.util.Locale;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	34	import javax.net.ssl.SSLHandshakeException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	35	import java.security.cert.X509Certificate;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	36	import sun.security.provider.certpath.OCSPResponse;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	37	import sun.security.ssl.SSLHandshake.HandshakeMessage;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	38	import static sun.security.ssl.CertStatusExtension.*;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	39	import static sun.security.ssl.CertificateMessage.*;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	40
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	41	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	42	* Pack of the CertificateStatus handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	43	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	44	final class CertificateStatus {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	45	static final SSLConsumer handshakeConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	46	new CertificateStatusConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	47	static final HandshakeProducer handshakeProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	48	new CertificateStatusProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	49	static final HandshakeAbsence handshakeAbsence =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	50	new CertificateStatusAbsence();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	51
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	52	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	53	* The CertificateStatus handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	54	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	55	static final class CertificateStatusMessage extends HandshakeMessage {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	56
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	57	final CertStatusRequestType statusType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	58	int encodedResponsesLen = 0;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	59	int messageLength = -1;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	60	final List<byte[]> encodedResponses = new ArrayList<>();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	61
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	62	CertificateStatusMessage(HandshakeContext handshakeContext) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	63	super(handshakeContext);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	64
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	65	ServerHandshakeContext shc =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	66	(ServerHandshakeContext)handshakeContext;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	67
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	68	// Get the Certificates from the SSLContextImpl amd the Stapling
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	69	// parameters
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	70	StatusResponseManager.StaplingParameters stapleParams =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	71	shc.stapleParams;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	72	if (stapleParams == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	73	throw new IllegalArgumentException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	74	"Unexpected null stapling parameters");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	75	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	76
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	77	X509Certificate[] certChain =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	78	(X509Certificate[])shc.handshakeSession.getLocalCertificates();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	79	if (certChain == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	80	throw new IllegalArgumentException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	81	"Unexpected null certificate chain");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	82	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	83
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	84	// Walk the certificate list and add the correct encoded responses
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	85	// to the encoded responses list
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	86	statusType = stapleParams.statReqType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	87	if (statusType == CertStatusRequestType.OCSP) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	88	// Just worry about the first cert in the chain
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	89	byte[] resp = stapleParams.responseMap.get(certChain[0]);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	90	if (resp == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	91	// A not-found return status means we should include
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	92	// a zero-length response in CertificateStatus.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	93	// This is highly unlikely to happen in practice.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	94	resp = new byte[0];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	95	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	96	encodedResponses.add(resp);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	97	encodedResponsesLen += resp.length + 3;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	98	} else if (statusType == CertStatusRequestType.OCSP_MULTI) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	99	for (X509Certificate cert : certChain) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	100	byte[] resp = stapleParams.responseMap.get(cert);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	101	if (resp == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	102	resp = new byte[0];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	103	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	104	encodedResponses.add(resp);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	105	encodedResponsesLen += resp.length + 3;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	106	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	107	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	108	throw new IllegalArgumentException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	109	"Unsupported StatusResponseType: " + statusType);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	110	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	111
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	112	messageLength = messageLength();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	113	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	114
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	115	CertificateStatusMessage(HandshakeContext handshakeContext,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	116	ByteBuffer m) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	117	super(handshakeContext);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	118
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	119	statusType = CertStatusRequestType.valueOf((byte)Record.getInt8(m));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	120	if (statusType == CertStatusRequestType.OCSP) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	121	byte[] respDER = Record.getBytes24(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	122	// Convert the incoming bytes to a OCSPResponse strucutre
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	123	if (respDER.length > 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	124	encodedResponses.add(respDER);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	125	encodedResponsesLen = 3 + respDER.length;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	126	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	127	handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	128	"Zero-length OCSP Response");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	129	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	130	} else if (statusType == CertStatusRequestType.OCSP_MULTI) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	131	int respListLen = Record.getInt24(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	132	encodedResponsesLen = respListLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	133
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	134	// Add each OCSP reponse into the array list in the order
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	135	// we receive them off the wire. A zero-length array is
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	136	// allowed for ocsp_multi, and means that a response for
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	137	// a given certificate is not available.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	138	while (respListLen > 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	139	byte[] respDER = Record.getBytes24(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	140	encodedResponses.add(respDER);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	141	respListLen -= (respDER.length + 3);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	142	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	143
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	144	if (respListLen != 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	145	handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	146	"Bad OCSP response list length");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	147	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	148	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	149	handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	150	"Unsupported StatusResponseType: " + statusType);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	151	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	152	messageLength = messageLength();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	153	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	154
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	155	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	156	public SSLHandshake handshakeType() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	157	return SSLHandshake.CERTIFICATE_STATUS;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	158	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	159
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	160	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	161	public int messageLength() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	162	int len = 1;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	163
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	164	if (messageLength == -1) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	165	if (statusType == CertStatusRequestType.OCSP) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	166	len += encodedResponsesLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	167	} else if (statusType == CertStatusRequestType.OCSP_MULTI) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	168	len += 3 + encodedResponsesLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	169	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	170	messageLength = len;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	171	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	172
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	173	return messageLength;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	174	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	175
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	176	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	177	public void send(HandshakeOutStream s) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	178	s.putInt8(statusType.id);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	179	if (statusType == CertStatusRequestType.OCSP) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	180	s.putBytes24(encodedResponses.get(0));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	181	} else if (statusType == CertStatusRequestType.OCSP_MULTI) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	182	s.putInt24(encodedResponsesLen);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	183	for (byte[] respBytes : encodedResponses) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	184	if (respBytes != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	185	s.putBytes24(respBytes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	186	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	187	s.putBytes24(null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	188	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	189	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	190	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	191	// It is highly unlikely that we will fall into this section
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	192	// of the code.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	193	throw new SSLHandshakeException("Unsupported status_type: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	194	statusType.id);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	195	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	196	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	197
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	198	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	199	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	200	StringBuilder sb = new StringBuilder();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	201
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	202	// Stringify the encoded OCSP response list
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	203	for (byte[] respDER : encodedResponses) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	204	if (respDER.length > 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	205	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	206	OCSPResponse oResp = new OCSPResponse(respDER);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	207	sb.append(oResp.toString()).append("\n");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	208	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	209	sb.append("OCSP Response Exception: ").append(ioe)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	210	.append("\n");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	211	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	212	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	213	sb.append("<Zero-length entry>\n");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	214	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	215	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	216
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	217	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	218	"\"CertificateStatus\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	219	" \"type\" : \"{0}\",\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	220	" \"responses \" : [\n" + "{1}\n" + " ]\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	221	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	222	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	223	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	224	statusType.name,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	225	Utilities.indent(Utilities.indent(sb.toString()))
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	226	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	227
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	228	return messageFormat.format(messageFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	229	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	230	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	231
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	232	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	233	* The CertificateStatus handshake message consumer.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	234	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	235	private static final class CertificateStatusConsumer
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	236	implements SSLConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	237	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	238	private CertificateStatusConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	239	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	240	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	241
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	242	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	243	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	244	ByteBuffer message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	245	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	246	CertificateStatusMessage cst =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	247	new CertificateStatusMessage(chc, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	248
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	249	// Log the message
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	250	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	251	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	252	"Consuming server CertificateStatus handshake message",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	253	cst);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	254	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	255
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	256	// Pin the received responses to the SSLSessionImpl. It will
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	257	// be retrieved by the X509TrustManagerImpl during the certficicate
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	258	// checking phase.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	259	chc.handshakeSession.setStatusResponses(cst.encodedResponses);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	260
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	261	// Now perform the check
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	262	T12CertificateConsumer.checkServerCerts(chc, chc.deferredCerts);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	263	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	264	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	265
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	266	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	267	* The CertificateStatus handshake message consumer.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	268	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	269	private static final class CertificateStatusProducer
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	270	implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	271	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	272	private CertificateStatusProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	273	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	274	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	275
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	276	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	277	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	278	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	279	// Only the server-side should be a producer of this message
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	280	ServerHandshakeContext shc = (ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	281
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	282	// If stapling is not active, immediately return without producing
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	283	// a message or any further processing.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	284	if (!shc.staplingActive) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	285	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	286	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	287
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	288	// Create the CertificateStatus message from info in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	289	CertificateStatusMessage csm = new CertificateStatusMessage(shc);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	290	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	291	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	292	"Produced server CertificateStatus handshake message", csm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	293	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	294
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	295	// Output the handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	296	csm.write(shc.handshakeOutput);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	297	shc.handshakeOutput.flush();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	298
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	299	// The handshake message has been delivered.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	300	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	301	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	302	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	303
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	304	private static final class CertificateStatusAbsence
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	305	implements HandshakeAbsence {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	306	// Prevent instantiation of this class
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	307	private CertificateStatusAbsence() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	308	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	309	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	310
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	311	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	312	public void absent(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	313	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	314	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	315
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	316	// Processing should only continue if stapling is active
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	317	if (chc.staplingActive) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	318	// Because OCSP stapling is active, it means two things
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	319	// if we're here: 1) The server hello asserted the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	320	// status_request[_v2] extension. 2) The CertificateStatus
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	321	// message was not sent. This means that cert path checking
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	322	// was deferred, but must happen immediately.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	323	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	324	SSLLogger.fine("Server did not send CertificateStatus, " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	325	"checking cert chain without status info.");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	326	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	327	T12CertificateConsumer.checkServerCerts(chc, chc.deferredCerts);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	328	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	329	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	330	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	331	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	332

author	wetmore
	Fri, 11 May 2018 15:53:12 -0700
branch	JDK-8145252-TLS13-branch
changeset 56542	56aaa6cb3693
child 56651	0c13b82d3274
permissions	-rw-r--r--