src/java.base/share/classes/sun/security/ssl/CertificateStatus.java
author xuelei
Mon, 25 Jun 2018 13:41:39 -0700
changeset 50768 68fa3d4026ea
child 53064 103ed9569fc8
permissions -rw-r--r--
8196584: TLS 1.3 Implementation Reviewed-by: ascarpino, coffeys, dfuchs, jjiang, jnimeh, mullan, rhalade, ssahoo, valeriep, weijun, wetmore, xuelei Contributed-by: Adam Petcher <adam.petcher@oracle.com>, Amanda Jiang <amanda.jiang@oracle.com>, Anthony Scarpino <anthony.scarpino@oracle.com>, Bradford Wetmore <bradford.wetmore@oracle.com>, Jamil Nimeh <jamil.j.nimeh@oracle.com>, John Jiang <sha.jiang@oracle.com>, Rajan Halade <rajan.halade@oracle.com>, Sibabrata Sahoo <sibabrata.sahoo@oracle.com>, Valerie Peng <valerie.peng@oracle.com>, Weijun Wang <weijun.wang@oracle.com>, Xuelei Fan <xuelei.fan@oracle.com>
/*
 * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
package sun.security.ssl;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.text.MessageFormat;
import java.util.List;
import java.util.ArrayList;
import java.util.Locale;
import javax.net.ssl.SSLHandshakeException;
import java.security.cert.X509Certificate;
import sun.security.provider.certpath.OCSPResponse;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
import static sun.security.ssl.CertStatusExtension.*;
import static sun.security.ssl.CertificateMessage.*;
/**
 * Consumers and producers for the CertificateStatus handshake message.
 * This message takes one of two related but slightly different forms,
 * depending on the type of stapling selected by the server.  The message
 * data will be of the form(s):
 *
 *  [status_request, RFC 6066]
 *
 *  struct {
 *      CertificateStatusType status_type;
 *      select (status_type) {
 *          case ocsp: OCSPResponse;
 *      } response;
 *  } CertificateStatus;
 *
 *  opaque OCSPResponse<1..2^24-1>;
 *
 *  [status_request_v2, RFC 6961]
 *
 *  struct {
 *      CertificateStatusType status_type;
 *      select (status_type) {
 *        case ocsp: OCSPResponse;
 *        case ocsp_multi: OCSPResponseList;
 *      } response;
 *  } CertificateStatus;
 *
 *  opaque OCSPResponse<0..2^24-1>;
 *
 *  struct {
 *      OCSPResponse ocsp_response_list<1..2^24-1>;
 *  } OCSPResponseList;
 */
final class CertificateStatus {
    // Handshake plumbing for the CertificateStatus message.  The producer
    // builds the outbound message (server side: the producing
    // CertificateStatusMessage constructor requires a ServerHandshakeContext),
    // the consumer parses the inbound one, and the absence handler is
    // presumably invoked when the message does not arrive.  Only the consumer
    // class is visible in this part of the file; the producer and absence
    // classes are expected further down.
    static final SSLConsumer handshakeConsumer =
            new CertificateStatusConsumer();
    static final HandshakeProducer handshakeProducer =
            new CertificateStatusProducer();
    static final HandshakeAbsence handshakeAbsence =
            new CertificateStatusAbsence();
    /**
     * The CertificateStatus handshake message.
     */
    static final class CertificateStatusMessage extends HandshakeMessage {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    86
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    87
        final CertStatusRequestType statusType;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    88
        int encodedResponsesLen = 0;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    89
        int messageLength = -1;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    90
        final List<byte[]> encodedResponses = new ArrayList<>();
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    91
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    92
        CertificateStatusMessage(HandshakeContext handshakeContext) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    93
            super(handshakeContext);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    94
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    95
            ServerHandshakeContext shc =
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    96
                    (ServerHandshakeContext)handshakeContext;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    97
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    98
            // Get the Certificates from the SSLContextImpl amd the Stapling
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
    99
            // parameters
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   100
            StatusResponseManager.StaplingParameters stapleParams =
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   101
                    shc.stapleParams;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   102
            if (stapleParams == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   103
                throw new IllegalArgumentException(
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   104
                        "Unexpected null stapling parameters");
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   105
            }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   106
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   107
            X509Certificate[] certChain =
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   108
                (X509Certificate[])shc.handshakeSession.getLocalCertificates();
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   109
            if (certChain == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   110
                throw new IllegalArgumentException(
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   111
                        "Unexpected null certificate chain");
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   112
            }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   113
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   114
            // Walk the certificate list and add the correct encoded responses
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   115
            // to the encoded responses list
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   116
            statusType = stapleParams.statReqType;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   117
            if (statusType == CertStatusRequestType.OCSP) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   118
                // Just worry about the first cert in the chain
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   119
                byte[] resp = stapleParams.responseMap.get(certChain[0]);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   120
                if (resp == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   121
                    // A not-found return status means we should include
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   122
                    // a zero-length response in CertificateStatus.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   123
                    // This is highly unlikely to happen in practice.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   124
                    resp = new byte[0];
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   125
                }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   126
                encodedResponses.add(resp);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   127
                encodedResponsesLen += resp.length + 3;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   128
            } else if (statusType == CertStatusRequestType.OCSP_MULTI) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   129
                for (X509Certificate cert : certChain) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   130
                    byte[] resp = stapleParams.responseMap.get(cert);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   131
                    if (resp == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   132
                        resp = new byte[0];
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   133
                    }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   134
                    encodedResponses.add(resp);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   135
                    encodedResponsesLen += resp.length + 3;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   136
                }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   137
            } else {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   138
                throw new IllegalArgumentException(
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   139
                        "Unsupported StatusResponseType: " + statusType);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   140
            }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   141
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   142
            messageLength = messageLength();
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   143
        }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   144
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   145
        CertificateStatusMessage(HandshakeContext handshakeContext,
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   146
                ByteBuffer m) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   147
            super(handshakeContext);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   148
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   149
            statusType = CertStatusRequestType.valueOf((byte)Record.getInt8(m));
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   150
            if (statusType == CertStatusRequestType.OCSP) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   151
                byte[] respDER = Record.getBytes24(m);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   152
                // Convert the incoming bytes to a OCSPResponse strucutre
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   153
                if (respDER.length > 0) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   154
                    encodedResponses.add(respDER);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   155
                    encodedResponsesLen = 3 + respDER.length;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   156
                } else {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   157
                    handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   158
                            "Zero-length OCSP Response");
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   159
                }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   160
            } else if (statusType == CertStatusRequestType.OCSP_MULTI) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   161
                int respListLen = Record.getInt24(m);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   162
                encodedResponsesLen = respListLen;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   163
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   164
                // Add each OCSP reponse into the array list in the order
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   165
                // we receive them off the wire.  A zero-length array is
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   166
                // allowed for ocsp_multi, and means that a response for
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   167
                // a given certificate is not available.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   168
                while (respListLen > 0) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   169
                    byte[] respDER = Record.getBytes24(m);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   170
                    encodedResponses.add(respDER);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   171
                    respListLen -= (respDER.length + 3);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   172
                }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   173
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   174
                if (respListLen != 0) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   175
                    handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   176
                            "Bad OCSP response list length");
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   177
                }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   178
            } else {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   179
                handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   180
                        "Unsupported StatusResponseType: " + statusType);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   181
            }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   182
            messageLength = messageLength();
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   183
        }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   184
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   185
        @Override
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   186
        public SSLHandshake handshakeType() {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   187
            return SSLHandshake.CERTIFICATE_STATUS;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   188
        }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   189
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   190
        @Override
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   191
        public int messageLength() {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   192
            int len = 1;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   193
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   194
            if (messageLength == -1) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   195
                if (statusType == CertStatusRequestType.OCSP) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   196
                    len += encodedResponsesLen;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   197
                } else if (statusType == CertStatusRequestType.OCSP_MULTI) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   198
                    len += 3 + encodedResponsesLen;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   199
                }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   200
                messageLength = len;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   201
            }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   202
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   203
            return messageLength;
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   204
        }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   205
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   206
        @Override
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   207
        public void send(HandshakeOutStream s) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   208
            s.putInt8(statusType.id);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   209
            if (statusType == CertStatusRequestType.OCSP) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   210
                s.putBytes24(encodedResponses.get(0));
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   211
            } else if (statusType == CertStatusRequestType.OCSP_MULTI) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   212
                s.putInt24(encodedResponsesLen);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   213
                for (byte[] respBytes : encodedResponses) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   214
                    if (respBytes != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   215
                        s.putBytes24(respBytes);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   216
                    } else {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   217
                        s.putBytes24(null);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   218
                    }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   219
                }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   220
            } else {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   221
                // It is highly unlikely that we will fall into this section
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   222
                // of the code.
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   223
                throw new SSLHandshakeException("Unsupported status_type: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   224
                        statusType.id);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   225
            }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   226
        }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   227
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   228
        @Override
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   229
        public String toString() {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   230
            StringBuilder sb = new StringBuilder();
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   231
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   232
            // Stringify the encoded OCSP response list
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   233
            for (byte[] respDER : encodedResponses) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   234
                if (respDER.length > 0) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   235
                    try {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   236
                        OCSPResponse oResp = new OCSPResponse(respDER);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   237
                        sb.append(oResp.toString()).append("\n");
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   238
                    } catch (IOException ioe) {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   239
                        sb.append("OCSP Response Exception: ").append(ioe)
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   240
                                .append("\n");
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   241
                    }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   242
                } else {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   243
                    sb.append("<Zero-length entry>\n");
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   244
                }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   245
            }
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   246
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   247
            MessageFormat messageFormat = new MessageFormat(
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   248
                "\"CertificateStatus\": '{'\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   249
                "  \"type\"                : \"{0}\",\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   250
                "  \"responses \"          : [\n" + "{1}\n" + "  ]\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   251
                "'}'",
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   252
                Locale.ENGLISH);
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   253
            Object[] messageFields = {
68fa3d4026ea 8196584: TLS 1.3 Implementation
xuelei
parents:
diff changeset
   254
                statusType.name,
                Utilities.indent(Utilities.indent(sb.toString()))
            };
            return messageFormat.format(messageFields);
        }
    }
    /**
     * Consumer of the CertificateStatus handshake message on the client side.
     *
     * The message carries the status responses the server stapled to its
     * certificate chain.  They are recorded on the handshake session and the
     * deferred server-certificate check is then run with them available.
     */
    private static final class CertificateStatusConsumer
            implements SSLConsumer {
        // Prevent instantiation of this class.
        private CertificateStatusConsumer() {
            // blank
        }

        /**
         * Parses the CertificateStatus message, pins its encoded status
         * responses to the handshake session and performs the server
         * certificate check that was deferred until this message arrived.
         *
         * @param context the client handshake context
         * @param message the handshake message body to parse
         * @throws IOException propagated from message parsing or from the
         *         server certificate check
         */
        @Override
        public void consume(ConnectionContext context,
                ByteBuffer message) throws IOException {
            final ClientHandshakeContext clientCtx =
                    (ClientHandshakeContext)context;
            final CertificateStatusMessage statusMsg =
                    new CertificateStatusMessage(clientCtx, message);

            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine(
                        "Consuming server CertificateStatus handshake message",
                        statusMsg);
            }

            // Make the stapled responses available on the session; the
            // X509TrustManagerImpl reads them during certificate checking.
            clientCtx.handshakeSession.setStatusResponses(
                    statusMsg.encodedResponses);

            // Run the certificate check that was deferred until now.
            T12CertificateConsumer.checkServerCerts(
                    clientCtx, clientCtx.deferredCerts);
        }
    }
    /**
     * Producer of the CertificateStatus handshake message on the server side.
     *
     * Nothing is produced unless stapling was negotiated for this handshake
     * ({@code staplingActive} on the server handshake context).
     */
    private static final class CertificateStatusProducer
            implements HandshakeProducer {
        // Prevent instantiation of this class.
        private CertificateStatusProducer() {
            // blank
        }

        /**
         * Writes the CertificateStatus message to the handshake output when
         * stapling is active.
         *
         * The message is written and flushed directly, so no message bytes
         * are handed back to the caller and {@code null} is always returned.
         *
         * @param context the server handshake context
         * @param message the triggering handshake message (not used here)
         * @return always {@code null}
         * @throws IOException propagated from building or writing the message
         */
        @Override
        public byte[] produce(ConnectionContext context,
                HandshakeMessage message) throws IOException {
            // This message is only ever produced by the server.
            final ServerHandshakeContext serverCtx =
                    (ServerHandshakeContext)context;

            // Without stapling there is nothing to send and nothing to do.
            if (!serverCtx.staplingActive) {
                return null;
            }

            final CertificateStatusMessage statusMsg =
                    new CertificateStatusMessage(serverCtx);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine(
                    "Produced server CertificateStatus handshake message",
                    statusMsg);
            }

            // Deliver the message straight to the handshake output.
            statusMsg.write(serverCtx.handshakeOutput);
            serverCtx.handshakeOutput.flush();

            return null;
        }
    }
    /**
     * Handler for the absence of the CertificateStatus handshake message on
     * the client side.
     *
     * When the server asserted status_request[_v2] in its ServerHello but
     * never sent CertificateStatus, the server-certificate check that was
     * deferred while waiting for status information has to run now, without
     * it.  RFC 6066 does not oblige a server to send CertificateStatus after
     * asserting the extension, so this fallback is expected protocol
     * behaviour rather than an error.
     */
    private static final class CertificateStatusAbsence
            implements HandshakeAbsence {
        // Prevent instantiation of this class
        private CertificateStatusAbsence() {
            // blank
        }

        /**
         * Runs the deferred server certificate check if stapling was active
         * but no CertificateStatus message arrived.  Does nothing when
         * stapling was not negotiated.
         *
         * @param context the client handshake context
         * @param message the handshake message whose arrival triggered the
         *        absence check
         * @throws IOException propagated from the server certificate check
         */
        @Override
        public void absent(ConnectionContext context,
                HandshakeMessage message) throws IOException {
            final ClientHandshakeContext clientCtx =
                    (ClientHandshakeContext)context;

            // Nothing was deferred unless stapling was negotiated.
            if (!clientCtx.staplingActive) {
                return;
            }

            // Stapling is active, so the ServerHello asserted
            // status_request[_v2], yet no CertificateStatus message was
            // received.  The deferred cert path check must run immediately,
            // with no status information available to it.
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Server did not send CertificateStatus, " +
                        "checking cert chain without status info.");
            }
            T12CertificateConsumer.checkServerCerts(
                    clientCtx, clientCtx.deferredCerts);
        }
    }
}