src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java
author erikj
Tue, 12 Sep 2017 19:03:39 +0200
changeset 47216 71c04702a3d5
parent 39317 jdk/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java@fbda4d400372
child 50768 68fa3d4026ea
permissions -rw-r--r--
8187443: Forest Consolidation: Move files to unified layout Reviewed-by: darcy, ihse
/*
 * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
package sun.security.ssl;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessController;
import java.security.cert.X509Certificate;
import java.security.cert.Extension;
import java.util.*;
import java.util.concurrent.*;
import sun.security.provider.certpath.CertId;
import sun.security.provider.certpath.OCSP;
import sun.security.provider.certpath.OCSPResponse;
import sun.security.provider.certpath.ResponderId;
import sun.security.util.Cache;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.SerialNumber;
import sun.security.action.GetBooleanAction;
import sun.security.action.GetIntegerAction;
import sun.security.action.GetPropertyAction;
final class StatusResponseManager {
    private static final int DEFAULT_CORE_THREADS = 8;
    private static final int DEFAULT_CACHE_SIZE = 256;
    private static final int DEFAULT_CACHE_LIFETIME = 3600;         // seconds
    private static final Debug debug = Debug.getInstance("ssl");
    private final ScheduledThreadPoolExecutor threadMgr;
    private final Cache<CertId, ResponseCacheEntry> responseCache;
    private final URI defaultResponder;
    private final boolean respOverride;
    private final int cacheCapacity;
    private final int cacheLifetime;
    private final boolean ignoreExtensions;
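    /**
     * Create a StatusResponseManager with default parameters.
     * <p>
     * All settings come from system properties read through privileged
     * actions: {@code jdk.tls.stapling.cacheSize} (default
     * {@value #DEFAULT_CACHE_SIZE}), {@code jdk.tls.stapling.cacheLifetime}
     * (default {@value #DEFAULT_CACHE_LIFETIME}),
     * {@code jdk.tls.stapling.responderURI},
     * {@code jdk.tls.stapling.responderOverride} and
     * {@code jdk.tls.stapling.ignoreExtensions}.  Negative size and lifetime
     * values are clamped to 0.  A responder URI that fails to parse is
     * reported through {@code debugLog} and then treated as if it were unset,
     * so the override setting has no effect in that case.
     */
    StatusResponseManager() {
        int cap = AccessController.doPrivileged(
                new GetIntegerAction("jdk.tls.stapling.cacheSize",
                    DEFAULT_CACHE_SIZE));
        // Negative property values are clamped to 0 rather than rejected.
        cacheCapacity = Math.max(cap, 0);

        int life = AccessController.doPrivileged(
                new GetIntegerAction("jdk.tls.stapling.cacheLifetime",
                    DEFAULT_CACHE_LIFETIME));
        cacheLifetime = Math.max(life, 0);

        String uriStr = GetPropertyAction
                .privilegedGetProperty("jdk.tls.stapling.responderURI");
        URI tmpURI = null;
        if (uriStr != null && !uriStr.isEmpty()) {
            try {
                tmpURI = new URI(uriStr);
            } catch (URISyntaxException urise) {
                // A malformed value used to be dropped without a trace, which
                // silently disabled the default/override responder.  Make the
                // misconfiguration visible in the ssl debug output instead.
                debugLog("Ignoring unparseable jdk.tls.stapling.responderURI: "
                        + urise);
            }
        }
        defaultResponder = tmpURI;

        respOverride = AccessController.doPrivileged(
                new GetBooleanAction("jdk.tls.stapling.responderOverride"));
        ignoreExtensions = AccessController.doPrivileged(
                new GetBooleanAction("jdk.tls.stapling.ignoreExtensions"));

        // Worker threads are daemon threads so a manager that is never shut
        // down cannot keep the JVM alive.  DiscardPolicy silently discards
        // rejected tasks (e.g. work submitted after shutdown) instead of
        // throwing.
        threadMgr = new ScheduledThreadPoolExecutor(DEFAULT_CORE_THREADS,
                new ThreadFactory() {
            @Override
            public Thread newThread(Runnable r) {
                Thread t = Executors.defaultThreadFactory().newThread(r);
                t.setDaemon(true);
                return t;
            }
        }, new ThreadPoolExecutor.DiscardPolicy());
        threadMgr.setExecuteExistingDelayedTasksAfterShutdownPolicy(false);
        threadMgr.setContinueExistingPeriodicTasksAfterShutdownPolicy(false);
        // Idle threads, core threads included, are released after 5 seconds.
        threadMgr.setKeepAliveTime(5000, TimeUnit.MILLISECONDS);
        threadMgr.allowCoreThreadTimeOut(true);
        responseCache = Cache.newSoftMemoryCache(cacheCapacity, cacheLifetime);
    }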
    /**
     * Return the configured response cache lifetime.
     *
     * @return the cache lifetime value this manager was created with
     */
    int getCacheLifetime() {
        return this.cacheLifetime;
    }
    /**
     * Return the configured maximum size of the response cache.
     *
     * @return the cache capacity this manager was created with
     */
    int getCacheCapacity() {
        return this.cacheCapacity;
    }
    /**
     * Return the default OCSP responder URI configured for this manager.
     *
     * @return the default responder {@code URI}, or {@code null} when none
     *      was configured
     */
    URI getDefaultResponder() {
        return this.defaultResponder;
    }
    /**
     * Return whether the responder URI override is enabled.
     *
     * @return {@code true} when the override setting is on, {@code false}
     *      otherwise
     */
    boolean getURIOverride() {
        return this.respOverride;
    }
    /**
     * Return the ignore-extensions setting.
     *
     * @return {@code true} if this {@code StatusResponseManager} will not
     *      pass OCSP extensions carried in the TLS
     *      {@code status_request[_v2]} extensions, {@code false} (the
     *      default) if they are passed through
     */
    boolean getIgnoreExtensions() {
        return this.ignoreExtensions;
    }
    /**
     * Discard every entry in the status response cache.
     */
    void clear() {
        debugLog("Clearing response cache");
        this.responseCache.clear();
    }
    /**
     * Report how many valid entries the response cache currently holds.
     *
     * @return the number of valid objects in the response cache
     */
    int size() {
        return this.responseCache.size();
    }
    /**
     * Determine which OCSP responder URI this {@code StatusResponseManager}
     * would contact for a certificate.
     * <p>
     * Resolution order: a certificate carrying the OCSP NoCheck extension
     * yields {@code null} (no lookup is performed); otherwise, if a default
     * responder is configured and override is enabled, the default responder
     * is used even when the certificate has its own AIA responder; otherwise
     * the AIA responder URI is used, falling back to the default responder
     * (which may itself be {@code null}).
     *
     * @param cert the certificate whose responder is being resolved
     *
     * @return the responder {@code URI}, or {@code null} if the certificate
     *      is marked NoCheck, or if it has no AIA responder and no default
     *      responder has been configured.
     *
     * @throws NullPointerException if {@code cert} is {@code null}.
     */
    URI getURI(X509Certificate cert) {
        Objects.requireNonNull(cert);

        // id-pkix-ocsp-nocheck present: the certificate is not to be checked.
        boolean noCheck = cert.getExtensionValue(
                PKIXExtensions.OCSPNoCheck_Id.toString()) != null;
        if (noCheck) {
            debugLog("OCSP NoCheck extension found.  OCSP will be skipped");
            return null;
        }

        // A configured override responder takes precedence over the AIA.
        if (respOverride && defaultResponder != null) {
            debugLog("Responder override: URI is " + defaultResponder);
            return defaultResponder;
        }

        URI aiaURI = OCSP.getResponderURI(cert);
        if (aiaURI != null) {
            return aiaURI;
        }
        return defaultResponder;
    }
    /**
     * Initiate an orderly shutdown of the fetch thread pool.  Work already
     * running is allowed to finish; the active-thread count at the moment of
     * the call is written to the debug log.
     */
    void shutdown() {
        int active = threadMgr.getActiveCount();
        debugLog("Shutting down " + active + " active threads");
        threadMgr.shutdown();
    }
    /**
     * Get a list of responses for a chain of certificates.
     * This will find OCSP responses from the cache, or failing that, directly
     * contact the OCSP responder.  It is assumed that the certificates in
     * the provided chain are in their proper order (from end-entity to
     * trust anchor).
     *
     * @param type the type of request being made of the
     *      {@code StatusResponseManager}
     * @param request the {@code StatusRequest} from the status_request or
     *      status_request_v2 ClientHello extension.  A value of {@code null}
     *      is interpreted as providing no responder IDs or extensions.
     * @param chain an array of 2 or more certificates.  Each certificate must
     *      be issued by the next certificate in the chain.
     * @param delay the number of time units to delay before returning
     *      responses.
     * @param unit the unit of time applied to the {@code delay} parameter
     *
     * @return an unmodifiable {@code Map} containing each checked certificate
     *      and its OCSP response bytes.
     *
     * @throws SSLHandshakeException if an unsupported {@code StatusRequest}
     *      is provided.
     */
    Map<X509Certificate, byte[]> get(StatusRequestType type,
            StatusRequest request, X509Certificate[] chain, long delay,
            TimeUnit unit) {
        Map<X509Certificate, byte[]> responseMap = new HashMap<>();
        List<OCSPFetchCall> requestList = new ArrayList<>();
        debugLog("Beginning check: Type = " + type + ", Chain length = " +
                chain.length);
        // It is assumed that the caller has ordered the certs in the chain
        // in the proper order (each certificate is issued by the next entry
        // in the provided chain).
        if (chain.length < 2) {
            return Collections.emptyMap();
        }
        if (type == StatusRequestType.OCSP) {
            try {
                // For type OCSP, we only check the end-entity certificate
                OCSPStatusRequest ocspReq = (OCSPStatusRequest)request;
                CertId cid = new CertId(chain[1],
                        new SerialNumber(chain[0].getSerialNumber()));
                ResponseCacheEntry cacheEntry = getFromCache(cid, ocspReq);
                if (cacheEntry != null) {
                    responseMap.put(chain[0], cacheEntry.ocspBytes);
                } else {
                    StatusInfo sInfo = new StatusInfo(chain[0], cid);
                    requestList.add(new OCSPFetchCall(sInfo, ocspReq));
                }
            } catch (IOException exc) {
                debugLog("Exception during CertId creation: " + exc);
            }
        } else if (type == StatusRequestType.OCSP_MULTI) {
            // For type OCSP_MULTI, we check every cert in the chain that
            // has a direct issuer at the next index.  We won't have an issuer
            // certificate for the last certificate in the chain and will
            // not be able to create a CertId because of that.
            OCSPStatusRequest ocspReq = (OCSPStatusRequest)request;
            int ctr;
            for (ctr = 0; ctr < chain.length - 1; ctr++) {
                try {
                    // The cert at "ctr" is the subject cert, "ctr + 1" is the
                    // issuer certificate.
                    CertId cid = new CertId(chain[ctr + 1],
                            new SerialNumber(chain[ctr].getSerialNumber()));
                    ResponseCacheEntry cacheEntry = getFromCache(cid, ocspReq);
                    if (cacheEntry != null) {
                        responseMap.put(chain[ctr], cacheEntry.ocspBytes);
                    } else {
                        StatusInfo sInfo = new StatusInfo(chain[ctr], cid);
                        requestList.add(new OCSPFetchCall(sInfo, ocspReq));
                    }
                } catch (IOException exc) {
                    debugLog("Exception during CertId creation: " + exc);
                }
            }
        } else {
            debugLog("Unsupported status request type: " + type);
        }
        // If we were able to create one or more Fetches, go and run all
        // of them in separate threads.  For all the threads that completed
        // in the allotted time, put those status responses into the returned
        // Map.
        if (!requestList.isEmpty()) {
            try {
                // Set a bunch of threads to go do the fetching
                List<Future<StatusInfo>> resultList =
                        threadMgr.invokeAll(requestList, delay, unit);
                // Go through the Futures and from any non-cancelled task,
                // get the bytes and attach them to the responseMap.
                for (Future<StatusInfo> task : resultList) {
                    if (task.isDone()) {
                        if (!task.isCancelled()) {
                            StatusInfo info = task.get();
                            if (info != null && info.responseData != null) {
                                responseMap.put(info.cert,
                                        info.responseData.ocspBytes);
                            } else {
                                debugLog("Completed task had no response data");
                            }
                        } else {
                            debugLog("Found cancelled task");
                        }
                    }
                }
            } catch (InterruptedException | ExecutionException exc) {
                // Not sure what else to do here
                debugLog("Exception when getting data: " + exc);
            }
        }
        return Collections.unmodifiableMap(responseMap);
    }
    /**
     * Look up a cached OCSP response for the given {@code CertId}.
     *
     * <p>A request carrying the OCSP nonce extension is never served from
     * the cache: a nonce is the client's demand for a freshly produced
     * response, and replaying a stored one would not satisfy it.
     *
     * @param cid the CertId of the response to look up
     * @param ocspRequest the OCSP request structure sent by the client
     *      in the TLS status_request[_v2] hello extension.
     *
     * @return the {@code ResponseCacheEntry} for {@code cid}, or
     *      {@code null} when there is no entry, the entry's nextUpdate
     *      time has already passed, or the request carries a nonce.
     */
    private ResponseCacheEntry getFromCache(CertId cid,
            OCSPStatusRequest ocspRequest) {
        String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
        for (Extension ext : ocspRequest.getExtensions()) {
            if (ext.getId().equals(nonceOid)) {
                debugLog("Nonce extension found, skipping cache check");
                return null;
            }
        }

        ResponseCacheEntry hit = responseCache.get(cid);

        // A response whose nextUpdate has passed must not be served from
        // the cache even if the cache's own lifetime has not yet expired
        // it.  Only the local reference is dropped here; the stale entry
        // is left in responseCache until that cache evicts it on its own.
        boolean stale = hit != null && hit.nextUpdate != null
                && hit.nextUpdate.before(new Date());
        if (stale) {
            debugLog("nextUpdate threshold exceeded, purging from cache");
            hit = null;
        }

        debugLog("Check cache for SN" + cid.getSerialNumber() + ": " +
                (hit != null ? "HIT" : "MISS"));
        return hit;
    }
    /**
     * Summarize the manager's configuration (thread pool size, cache
     * timeout and capacity, default responder URI) for debugging output.
     *
     * @return a {@code String} describing this manager's settings
     */
    @Override
    public String toString() {
        // Each optional setting renders as its value or a fixed placeholder;
        // the placeholders keep their leading space so the output layout
        // is unchanged.
        String timeout = cacheLifetime > 0
                ? cacheLifetime + " seconds" : " indefinite";
        String maxSize = cacheCapacity > 0
                ? cacheCapacity + " items" : " unbounded";
        String uri = defaultResponder != null
                ? String.valueOf(defaultResponder) : "NONE";
        return "StatusResponseManager: "
                + "Core threads: " + threadMgr.getCorePoolSize()
                + ", Cache timeout: " + timeout
                + ", Cache MaxSize: " + maxSize
                + ", Default URI: " + uri;
    }
    /**
     * Log a message through the SSL Debug facility.
     *
     * <p>Output is produced only when the {@code debug} handle exists and
     * the {@code respmgr} debug option is enabled; the message is prefixed
     * with the name of the calling thread so interleaved output from the
     * fetch threads can be attributed.
     *
     * @param message the message to be displayed
     */
    static void debugLog(String message) {
        if (debug == null || !Debug.isOn("respmgr")) {
            return;
        }
        String threadName = Thread.currentThread().getName();
        System.out.println("[" + threadName + "] " + message);
    }
    /**
     * Inner class used to group request and response data for a single
     * certificate whose revocation status is being looked up.
     *
     * NOTE(review): this is a non-static inner class, so each instance
     * holds a reference to the enclosing manager; presumably that is what
     * lets the constructor resolve getURI() -- confirm before making it
     * static.
     */
    class StatusInfo {
        // Certificate whose revocation status is being queried.
        final X509Certificate cert;
        // CertId derived from the issuer certificate and the subject's
        // serial number; this is the key used for the response cache.
        final CertId cid;
        // Responder URI obtained from the certificate via getURI().
        final URI responder;
        // Null until a fetch supplies a response for this certificate.
        ResponseCacheEntry responseData;

        /**
         * Create a StatusInfo object from certificate data.
         *
         * @param subjectCert the certificate to be checked for revocation
         * @param issuerCert the issuer of the {@code subjectCert}
         *
         * @throws IOException if CertId creation from the certificates fails
         */
        StatusInfo(X509Certificate subjectCert, X509Certificate issuerCert)
                throws IOException {
            this(subjectCert, new CertId(issuerCert,
                    new SerialNumber(subjectCert.getSerialNumber())));
        }

        /**
         * Create a StatusInfo object from an existing subject certificate
         * and its corresponding CertId.
         *
         * @param subjectCert the certificate to be checked for revocation
         * @param cid the CertId for {@code subjectCert}
         */
        StatusInfo(X509Certificate subjectCert, CertId certId) {
            this.cert = subjectCert;
            this.cid = certId;
            this.responder = getURI(this.cert);
            this.responseData = null;
        }

        /**
         * Copy constructor (used primarily for rescheduling).
         * This is a member-wise copy except for {@code responseData},
         * which is reset so that a rescheduled fetch starts without any
         * data from the earlier attempt.
         *
         * @param orig the original {@code StatusInfo}
         */
        StatusInfo(StatusInfo orig) {
            cert = orig.cert;
            cid = orig.cid;
            responder = orig.responder;
            responseData = null;
        }

        /**
         * Return a String representation of the {@code StatusInfo}.
         *
         * @return a {@code String} representation of this object
         */
        @Override
        public String toString() {
            String responseDesc = responseData == null
                    ? "<NULL>"
                    : responseData.ocspBytes.length + " bytes";
            return "StatusInfo:"
                    + "\n\tCert: " + cert.getSubjectX500Principal()
                    + "\n\tSerial: " + cert.getSerialNumber()
                    + "\n\tResponder: " + responder
                    + "\n\tResponse data: " + responseDesc;
        }
    }
    /**
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   484
     * Static nested class used as the data kept in the response cache.
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   485
     */
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   486
    static class ResponseCacheEntry {
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   487
        final OCSPResponse.ResponseStatus status;
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   488
        final byte[] ocspBytes;
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   489
        final Date nextUpdate;
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   490
        final OCSPResponse.SingleResponse singleResp;
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   491
        final ResponderId respId;
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   492
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   493
        /**
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   494
         * Create a new cache entry from the raw bytes of the response
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   495
         *
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   496
         * @param responseBytes the DER encoding for the OCSP response
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   497
         *
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   498
         * @throws IOException if an {@code OCSPResponse} cannot be created from
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   499
         *      the encoded bytes.
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   500
         */
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   501
        ResponseCacheEntry(byte[] responseBytes, CertId cid)
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   502
                throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   503
            Objects.requireNonNull(responseBytes,
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   504
                    "Non-null responseBytes required");
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   505
            Objects.requireNonNull(cid, "Non-null Cert ID required");
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   506
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   507
            ocspBytes = responseBytes.clone();
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   508
            OCSPResponse oResp = new OCSPResponse(ocspBytes);
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   509
            status = oResp.getResponseStatus();
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   510
            respId = oResp.getResponderId();
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   511
            singleResp = oResp.getSingleResponse(cid);
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   512
            if (status == OCSPResponse.ResponseStatus.SUCCESSFUL) {
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   513
                if (singleResp != null) {
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   514
                    // Pull out the nextUpdate field in advance because the
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   515
                    // Date is cloned.
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   516
                    nextUpdate = singleResp.getNextUpdate();
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   517
                } else {
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   518
                    throw new IOException("Unable to find SingleResponse for " +
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   519
                            "SN " + cid.getSerialNumber());
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   520
                }
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   521
            } else {
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   522
                nextUpdate = null;
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents:
diff changeset
   523
            }
        }
    }
    /**
     * Inner {@code Callable} that performs the actual OCSP lookup for one
     * certificate: it sends a request to the responder recorded in the
     * {@code StatusInfo} and, when the responder answers SUCCESSFUL, hands
     * the parsed response back in the {@code StatusInfo} and offers it to the
     * response cache.
     *
     * NOTE(review): the cache itself is not consulted from inside this task;
     * presumably the caller checks it before submitting the task — confirm
     * against the outer class.
     */
    class OCSPFetchCall implements Callable<StatusInfo> {
        StatusInfo statInfo;
        OCSPStatusRequest ocspRequest;
        List<Extension> extensions;
        List<ResponderId> responderIds;

        /**
         * Builds an {@code OCSPFetchCall} from a {@code StatusInfo} and the
         * contents of the client's status_request[_v2] extension.
         *
         * @param info the {@code StatusInfo} holding the subject certificate,
         *      its {@code CertId} and the responder to contact; must not be
         *      {@code null}.
         * @param request the {@code OCSPStatusRequest} carrying any responder
         *      IDs and request extensions supplied by the client; must not be
         *      {@code null}.
         *
         * @throws NullPointerException if either argument is {@code null}.
         */
        public OCSPFetchCall(StatusInfo info, OCSPStatusRequest request) {
            this.statInfo = Objects.requireNonNull(info,
                    "Null StatusInfo not allowed");
            this.ocspRequest = Objects.requireNonNull(request,
                    "Null OCSPStatusRequest not allowed");
            this.extensions = this.ocspRequest.getExtensions();
            this.responderIds = this.ocspRequest.getResponderIds();
        }

        /**
         * Fetch an OCSP response from the responder named in the
         * {@code StatusInfo}.  Failures are best-effort: an {@code IOException}
         * is logged and the {@code StatusInfo} is returned without response
         * data rather than propagated.
         *
         * @return the {@code StatusInfo} given to the constructor, with its
         *      {@code responseData} set when a SUCCESSFUL response was
         *      obtained and left {@code null} otherwise.
         */
        @Override
        public StatusInfo call() {
            debugLog("Starting fetch for SN " + statInfo.cid.getSerialNumber());

            if (statInfo.responder == null) {
                // Without a responder URI there is nowhere to send the
                // request, so hand the StatusInfo back unchanged.
                debugLog("Null URI detected, OCSP fetch aborted.");
                return statInfo;
            }
            debugLog("Attempting fetch from " + statInfo.responder);

            try {
                List<Extension> extsToSend = forwardedExtensions();
                byte[] respBytes = OCSP.getOCSPBytes(
                        Collections.singletonList(statInfo.cid),
                        statInfo.responder, extsToSend);

                if (respBytes == null) {
                    debugLog("No data returned from OCSP Responder");
                } else {
                    recordResponse(respBytes);
                }
            } catch (IOException ioe) {
                // Best-effort fetch: log and leave responseData untouched.
                debugLog("Caught exception: " + ioe);
            }

            return statInfo;
        }

        /**
         * Decide which request extensions are forwarded to the responder.
         * Extensions taken from the client's status_request are passed on
         * unless (1) the jdk.tls.stapling.ignoreExtensions property is set or
         * (2) the client supplied a non-empty ResponderId list.  ResponderId
         * selection is not supported yet, so its presence disables forwarding.
         *
         * @return the extensions to send, or an empty list.
         */
        private List<Extension> forwardedExtensions() {
            if (ignoreExtensions || !responderIds.isEmpty()) {
                return Collections.emptyList();
            }
            return extensions;
        }

        /**
         * Parse the responder's reply and, if its status is SUCCESSFUL, store
         * it in {@code statInfo.responseData} and offer it to the cache.
         * Any other response status is only logged.
         *
         * @param respBytes the raw DER bytes returned by the responder.
         *
         * @throws IOException if the bytes cannot be parsed into a cache
         *      entry for {@code statInfo.cid}.
         */
        private void recordResponse(byte[] respBytes) throws IOException {
            ResponseCacheEntry cacheEntry =
                    new ResponseCacheEntry(respBytes, statInfo.cid);

            debugLog("OCSP Status: " + cacheEntry.status +
                    " (" + respBytes.length + " bytes)");

            if (cacheEntry.status == OCSPResponse.ResponseStatus.SUCCESSFUL) {
                statInfo.responseData = cacheEntry;
                addToCache(statInfo.cid, cacheEntry);
            }
        }

        /**
         * Add a response to the cache.  An entry with no nextUpdate is only
         * cached when a cache lifetime has been configured, since otherwise
         * nothing would bound how long it stays valid.
         *
         * @param certId the {@code CertId} for the OCSP response.
         * @param entry a cache entry containing the response bytes and the
         *      {@code OCSPResponse} built from those bytes.
         */
        private void addToCache(CertId certId, ResponseCacheEntry entry) {
            boolean unbounded =
                    (entry.nextUpdate == null) && (cacheLifetime == 0);
            if (unbounded) {
                debugLog("Not caching this OCSP response");
                return;
            }

            responseCache.put(certId, entry);
            debugLog("Added response for SN " + certId.getSerialNumber() +
                    " to cache");
        }

        /**
         * Determine the delay to use when scheduling the task that refreshes
         * the OCSP response: the shorter of the cache lifetime and the time
         * until nextUpdate.  With no nextUpdate only the cache lifetime is
         * used; with neither, no rescheduling takes place.
         *
         * NOTE(review): this reads getCacheLifetime() while addToCache reads
         * the cacheLifetime field directly — confirm the two agree.
         *
         * @param nextUpdate the nextUpdate time from a SingleResponse, or
         *      {@code null} if the response carried none.
         *
         * @return seconds of delay before the next fetch.  Zero means fetch
         *      immediately; a negative value means do not reschedule.
         */
        private long getNextTaskDelay(Date nextUpdate) {
            int lifetime = getCacheLifetime();
            boolean hasLifetime = lifetime > 0;

            if (nextUpdate == null) {
                return hasLifetime ? lifetime : -1;
            }

            // Seconds from now until the responder's nextUpdate; negative if
            // that time has already passed.
            long secsUntilNextUpdate =
                    (nextUpdate.getTime() - System.currentTimeMillis()) / 1000;
            return hasLifetime
                    ? Long.min(secsUntilNextUpdate, lifetime)
                    : secsUntilNextUpdate;
        }
    }
}