jdk-sandbox: jdk/test/java/security/testlibrary/SimpleOCSPServer.java@8f530b9d18f4 (annotated)

32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1	/*
37309 8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	2	* Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	4	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	10	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	15	* accompanied this code).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	16	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	20	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	23	* questions.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	24	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	25
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	26	package sun.security.testlibrary;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	27
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	28	import java.io.*;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	29	import java.net.*;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	30	import java.security.*;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	31	import java.security.cert.CRLReason;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	32	import java.security.cert.X509Certificate;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	33	import java.security.cert.Extension;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	34	import java.security.cert.CertificateException;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	35	import java.security.cert.CertificateEncodingException;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	36	import java.security.Signature;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	37	import java.util.*;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	38	import java.util.concurrent.*;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	39	import java.text.SimpleDateFormat;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	40	import java.math.BigInteger;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	41
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	42	import sun.security.x509.*;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	43	import sun.security.x509.PKIXExtensions;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	44	import sun.security.provider.certpath.ResponderId;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	45	import sun.security.provider.certpath.CertId;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	46	import sun.security.provider.certpath.OCSPResponse;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	47	import sun.security.provider.certpath.OCSPResponse.ResponseStatus;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	48	import sun.security.util.Debug;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	49	import sun.security.util.DerInputStream;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	50	import sun.security.util.DerOutputStream;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	51	import sun.security.util.DerValue;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	52	import sun.security.util.ObjectIdentifier;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	53
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	54
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	55	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	56	* This is a simple OCSP server designed to listen and respond to incoming
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	57	* requests.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	58	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	59	public class SimpleOCSPServer {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	60	private final Debug debug = Debug.getInstance("oserv");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	61	private static final ObjectIdentifier OCSP_BASIC_RESPONSE_OID =
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	62	ObjectIdentifier.newInternal(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	63	new int[] { 1, 3, 6, 1, 5, 5, 7, 48, 1, 1});
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	64	private static final SimpleDateFormat utcDateFmt =
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	65	new SimpleDateFormat("MMM dd yyyy, HH:mm:ss z");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	66
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	67	// CertStatus values
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	68	public static enum CertStatus {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	69	CERT_STATUS_GOOD,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	70	CERT_STATUS_REVOKED,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	71	CERT_STATUS_UNKNOWN,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	72	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	73
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	74	// Fields used for the networking portion of the responder
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	75	private ServerSocket servSocket;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	76	private InetAddress listenAddress;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	77	private int listenPort;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	78
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	79	// Keystore information (certs, keys, etc.)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	80	private KeyStore keystore;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	81	private X509Certificate issuerCert;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	82	private X509Certificate signerCert;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	83	private PrivateKey signerKey;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	84
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	85	// Fields used for the operational portions of the server
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	86	private boolean logEnabled = false;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	87	private ExecutorService threadPool;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	88	private volatile boolean started = false;
37309 8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	89	private volatile boolean serverReady = false;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	90	private volatile boolean receivedShutdown = false;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	91	private long delayMsec = 0;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	92
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	93	// Fields used in the generation of responses
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	94	private long nextUpdateInterval = -1;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	95	private Date nextUpdate = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	96	private ResponderId respId;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	97	private AlgorithmId sigAlgId;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	98	private Map<CertId, CertStatusInfo> statusDb =
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	99	Collections.synchronizedMap(new HashMap<>());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	100
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	101	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	102	* Construct a SimpleOCSPServer using keystore, password, and alias
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	103	* parameters.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	104	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	105	* @param ks the keystore to be used
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	106	* @param password the password to access key material in the keystore
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	107	* @param issuerAlias the alias of the issuer certificate
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	108	* @param signerAlias the alias of the signer certificate and key. A
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	109	* value of {@code null} means that the {@code issuerAlias} will be used
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	110	* to look up the signer key.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	111	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	112	* @throws GeneralSecurityException if there are problems accessing the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	113	* keystore or finding objects within the keystore.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	114	* @throws IOException if a {@code ResponderId} cannot be generated from
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	115	* the signer certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	116	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	117	public SimpleOCSPServer(KeyStore ks, String password, String issuerAlias,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	118	String signerAlias) throws GeneralSecurityException, IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	119	this(null, 0, ks, password, issuerAlias, signerAlias);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	120	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	121
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	122	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	123	* Construct a SimpleOCSPServer using specific network parameters,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	124	* keystore, password, and alias.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	125	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	126	* @param addr the address to bind the server to. A value of {@code null}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	127	* means the server will bind to all interfaces.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	128	* @param port the port to listen on. A value of {@code 0} will mean that
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	129	* the server will randomly pick an open ephemeral port to bind to.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	130	* @param ks the keystore to be used
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	131	* @param password the password to access key material in the keystore
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	132	* @param issuerAlias the alias of the issuer certificate
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	133	* @param signerAlias the alias of the signer certificate and key. A
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	134	* value of {@code null} means that the {@code issuerAlias} will be used
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	135	* to look up the signer key.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	136	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	137	* @throws GeneralSecurityException if there are problems accessing the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	138	* keystore or finding objects within the keystore.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	139	* @throws IOException if a {@code ResponderId} cannot be generated from
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	140	* the signer certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	141	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	142	public SimpleOCSPServer(InetAddress addr, int port, KeyStore ks,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	143	String password, String issuerAlias, String signerAlias)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	144	throws GeneralSecurityException, IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	145	Objects.requireNonNull(ks, "Null keystore provided");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	146	Objects.requireNonNull(issuerAlias, "Null issuerName provided");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	147
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	148	utcDateFmt.setTimeZone(TimeZone.getTimeZone("GMT"));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	149
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	150	keystore = ks;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	151	issuerCert = (X509Certificate)ks.getCertificate(issuerAlias);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	152	if (issuerCert == null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	153	throw new IllegalArgumentException("Certificate for alias " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	154	issuerAlias + " not found");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	155	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	156
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	157	if (signerAlias != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	158	signerCert = (X509Certificate)ks.getCertificate(signerAlias);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	159	if (signerCert == null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	160	throw new IllegalArgumentException("Certificate for alias " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	161	signerAlias + " not found");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	162	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	163	signerKey = (PrivateKey)ks.getKey(signerAlias,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	164	password.toCharArray());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	165	if (signerKey == null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	166	throw new IllegalArgumentException("PrivateKey for alias " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	167	signerAlias + " not found");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	168	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	169	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	170	signerCert = issuerCert;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	171	signerKey = (PrivateKey)ks.getKey(issuerAlias,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	172	password.toCharArray());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	173	if (signerKey == null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	174	throw new IllegalArgumentException("PrivateKey for alias " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	175	issuerAlias + " not found");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	176	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	177	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	178
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	179	sigAlgId = AlgorithmId.get("Sha256withRSA");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	180	respId = new ResponderId(signerCert.getSubjectX500Principal());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	181	listenAddress = addr;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	182	listenPort = port;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	183	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	184
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	185	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	186	* Start the server. The server will bind to the specified network
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	187	* address and begin listening for incoming connections.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	188	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	189	* @throws IOException if any number of things go wonky.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	190	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	191	public synchronized void start() throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	192	// You cannot start the server twice.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	193	if (started) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	194	log("Server has already been started");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	195	return;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	196	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	197	started = true;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	198	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	199
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	200	// Create and start the thread pool
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	201	threadPool = Executors.newFixedThreadPool(32, new ThreadFactory() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	202	@Override
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	203	public Thread newThread(Runnable r) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	204	Thread t = Executors.defaultThreadFactory().newThread(r);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	205	t.setDaemon(true);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	206	return t;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	207	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	208	});
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	209
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	210	threadPool.submit(new Runnable() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	211	@Override
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	212	public void run() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	213	try (ServerSocket sSock = new ServerSocket()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	214	servSocket = sSock;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	215	servSocket.setReuseAddress(true);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	216	servSocket.setSoTimeout(500);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	217	servSocket.bind(new InetSocketAddress(listenAddress,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	218	listenPort), 128);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	219	log("Listening on " + servSocket.getLocalSocketAddress());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	220
37309 8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	221	// Singal ready
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	222	serverReady = true;
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	223
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	224	// Update the listenPort with the new port number. If
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	225	// the server is restarted, it will bind to the same
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	226	// port rather than picking a new one.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	227	listenPort = servSocket.getLocalPort();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	228
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	229	// Main dispatch loop
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	230	while (!receivedShutdown) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	231	try {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	232	Socket newConnection = servSocket.accept();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	233	threadPool.submit(new OcspHandler(newConnection));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	234	} catch (SocketTimeoutException timeout) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	235	// Nothing to do here. If receivedShutdown
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	236	// has changed to true then the loop will
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	237	// exit on its own.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	238	} catch (IOException ioe) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	239	// Something bad happened, log and force a shutdown
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	240	log("Unexpected Exception: " + ioe);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	241	stop();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	242	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	243	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	244
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	245	log("Shutting down...");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	246	threadPool.shutdown();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	247	} catch (IOException ioe) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	248	err(ioe);
37309 8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	249	} finally {
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	250	// Reset state variables so the server can be restarted
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	251	receivedShutdown = false;
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	252	started = false;
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	253	serverReady = false;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	254	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	255	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	256	});
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	257	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	258
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	259	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	260	* Stop the OCSP server.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	261	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	262	public synchronized void stop() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	263	if (started) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	264	receivedShutdown = true;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	265	log("Received shutdown notification");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	266	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	267	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	268
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	269	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	270	* Print {@code SimpleOCSPServer} operating parameters.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	271	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	272	* @return the {@code SimpleOCSPServer} operating parameters in
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	273	* {@code String} form.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	274	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	275	@Override
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	276	public String toString() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	277	StringBuilder sb = new StringBuilder();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	278	sb.append("OCSP Server:\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	279	sb.append("----------------------------------------------\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	280	sb.append("issuer: ").append(issuerCert.getSubjectX500Principal()).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	281	append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	282	sb.append("signer: ").append(signerCert.getSubjectX500Principal()).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	283	append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	284	sb.append("ResponderId: ").append(respId).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	285	sb.append("----------------------------------------------");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	286
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	287	return sb.toString();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	288	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	289
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	290	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	291	* Helpful debug routine to hex dump byte arrays.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	292	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	293	* @param data the array of bytes to dump to stdout.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	294	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	295	* @return the hexdump of the byte array
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	296	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	297	private static String dumpHexBytes(byte[] data) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	298	return dumpHexBytes(data, 16, "\n", " ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	299	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	300
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	301	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	302	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	303	* @param data the array of bytes to dump to stdout.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	304	* @param itemsPerLine the number of bytes to display per line
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	305	* if the {@code lineDelim} character is blank then all bytes will be
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	306	* printed on a single line.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	307	* @param lineDelim the delimiter between lines
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	308	* @param itemDelim the delimiter between bytes
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	309	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	310	* @return The hexdump of the byte array
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	311	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	312	private static String dumpHexBytes(byte[] data, int itemsPerLine,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	313	String lineDelim, String itemDelim) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	314	StringBuilder sb = new StringBuilder();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	315	if (data != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	316	for (int i = 0; i < data.length; i++) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	317	if (i % itemsPerLine == 0 && i != 0) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	318	sb.append(lineDelim);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	319	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	320	sb.append(String.format("%02X", data[i])).append(itemDelim);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	321	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	322	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	323
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	324	return sb.toString();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	325	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	326
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	327	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	328	* Enable or disable the logging feature.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	329	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	330	* @param enable {@code true} to enable logging, {@code false} to
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	331	* disable it. The setting must be activated before the server calls
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	332	* its start method. Any calls after that have no effect.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	333	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	334	public void enableLog(boolean enable) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	335	if (!started) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	336	logEnabled = enable;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	337	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	338	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	339
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	340	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	341	* Sets the nextUpdate interval. Intervals will be calculated relative
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	342	* to the server startup time. When first set, the nextUpdate date is
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	343	* calculated based on the current time plus the interval. After that,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	344	* calls to getNextUpdate() will return this date if it is still
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	345	* later than current time. If not, the Date will be updated to the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	346	* next interval that is later than current time. This value must be set
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	347	* before the server has had its start method called. Calls made after
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	348	* the server has been started have no effect.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	349	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	350	* @param interval the recurring time interval in seconds used to
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	351	* calculate nextUpdate times. A value less than or equal to 0 will
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	352	* disable the nextUpdate feature.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	353	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	354	public synchronized void setNextUpdateInterval(long interval) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	355	if (!started) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	356	if (interval <= 0) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	357	nextUpdateInterval = -1;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	358	nextUpdate = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	359	log("nexUpdate support has been disabled");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	360	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	361	nextUpdateInterval = interval * 1000;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	362	nextUpdate = new Date(System.currentTimeMillis() +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	363	nextUpdateInterval);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	364	log("nextUpdate set to " + nextUpdate);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	365	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	366	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	367	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	368
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	369	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	370	* Return the nextUpdate {@code Date} object for this server. If the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	371	* nextUpdate date has already passed, set a new nextUpdate based on
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	372	* the nextUpdate interval and return that date.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	373	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	374	* @return a {@code Date} object set to the nextUpdate field for OCSP
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	375	* responses.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	376	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	377	private synchronized Date getNextUpdate() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	378	if (nextUpdate != null && nextUpdate.before(new Date())) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	379	long nuEpochTime = nextUpdate.getTime();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	380	long currentTime = System.currentTimeMillis();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	381
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	382	// Keep adding nextUpdate intervals until you reach a date
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	383	// that is later than current time.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	384	while (currentTime >= nuEpochTime) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	385	nuEpochTime += nextUpdateInterval;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	386	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	387
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	388	// Set the nextUpdate for future threads
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	389	nextUpdate = new Date(nuEpochTime);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	390	log("nextUpdate updated to new value: " + nextUpdate);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	391	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	392	return nextUpdate;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	393	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	394
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	395	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	396	* Add entries into the responder's status database.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	397	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	398	* @param newEntries a map of {@code CertStatusInfo} objects, keyed on
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	399	* their serial number (as a {@code BigInteger}). All serial numbers
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	400	* are assumed to have come from this responder's issuer certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	401	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	402	* @throws IOException if a CertId cannot be generated.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	403	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	404	public void updateStatusDb(Map<BigInteger, CertStatusInfo> newEntries)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	405	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	406	if (newEntries != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	407	for (BigInteger serial : newEntries.keySet()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	408	CertStatusInfo info = newEntries.get(serial);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	409	if (info != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	410	CertId cid = new CertId(issuerCert,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	411	new SerialNumber(serial));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	412	statusDb.put(cid, info);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	413	log("Added entry for serial " + serial + "(" +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	414	info.getType() + ")");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	415	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	416	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	417	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	418	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	419
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	420	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	421	* Check the status database for revocation information one one or more
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	422	* certificates.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	423	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	424	* @param reqList the list of {@code LocalSingleRequest} objects taken
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	425	* from the incoming OCSP request.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	426	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	427	* @return a {@code Map} of {@code CertStatusInfo} objects keyed by their
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	428	* {@code CertId} values, for each single request passed in. Those
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	429	* CertIds not found in the statusDb will have returned List members with
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	430	* a status of UNKNOWN.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	431	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	432	private Map<CertId, CertStatusInfo> checkStatusDb(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	433	List<LocalOcspRequest.LocalSingleRequest> reqList) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	434	// TODO figure out what, if anything to do with request extensions
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	435	Map<CertId, CertStatusInfo> returnMap = new HashMap<>();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	436
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	437	for (LocalOcspRequest.LocalSingleRequest req : reqList) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	438	CertId cid = req.getCertId();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	439	CertStatusInfo info = statusDb.get(cid);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	440	if (info != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	441	log("Status for SN " + cid.getSerialNumber() + ": " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	442	info.getType());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	443	returnMap.put(cid, info);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	444	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	445	log("Status for SN " + cid.getSerialNumber() +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	446	" not found, using CERT_STATUS_UNKNOWN");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	447	returnMap.put(cid,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	448	new CertStatusInfo(CertStatus.CERT_STATUS_UNKNOWN));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	449	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	450	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	451
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	452	return Collections.unmodifiableMap(returnMap);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	453	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	454
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	455	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	456	* Set the digital signature algorithm used to sign OCSP responses.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	457	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	458	* @param algName The algorithm name
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	459	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	460	* @throws NoSuchAlgorithmException if the algorithm name is invalid.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	461	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	462	public void setSignatureAlgorithm(String algName)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	463	throws NoSuchAlgorithmException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	464	if (!started) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	465	sigAlgId = AlgorithmId.get(algName);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	466	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	467	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	468
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	469	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	470	* Get the port the OCSP server is running on.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	471	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	472	* @return the port that the OCSP server is running on, or -1 if the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	473	* server has not yet been bound to a port.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	474	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	475	public int getPort() {
37309 8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	476	if (serverReady) {
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	477	InetSocketAddress inetSock =
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	478	(InetSocketAddress)servSocket.getLocalSocketAddress();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	479	return inetSock.getPort();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	480	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	481	return -1;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	482	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	483	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	484
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	485	/**
37309 8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	486	* Use to check if OCSP server is ready to accept connection.
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	487	*
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	488	* @return true if server ready, false otherwise
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	489	*/
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	490	public boolean isServerReady() {
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	491	return serverReady;
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	492	}
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	493
8f530b9d18f4 8153829: javax/net/ssl/Stapling/HttpsUrlConnClient.java fails intermittently with NullPointerException rhalade parents: 32032 diff changeset	494	/**
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	495	* Set a delay between the reception of the request and production of
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	496	* the response.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	497	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	498	* @param delayMillis the number of milliseconds to wait before acting
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	499	* on the incoming request.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	500	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	501	public void setDelay(long delayMillis) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	502	if (!started) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	503	delayMsec = delayMillis > 0 ? delayMillis : 0;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	504	if (delayMsec > 0) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	505	log("OCSP latency set to " + delayMsec + " milliseconds.");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	506	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	507	log("OCSP latency disabled");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	508	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	509	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	510	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	511
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	512	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	513	* Log a message to stdout.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	514	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	515	* @param message the message to log
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	516	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	517	private synchronized void log(String message) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	518	if (logEnabled \|\| debug != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	519	System.out.println("[" + Thread.currentThread().getName() + "]: " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	520	message);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	521	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	522	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	523
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	524	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	525	* Log an error message on the stderr stream.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	526	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	527	* @param message the message to log
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	528	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	529	private static synchronized void err(String message) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	530	System.out.println("[" + Thread.currentThread().getName() + "]: " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	531	message);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	532	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	533
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	534	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	535	* Log exception information on the stderr stream.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	536	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	537	* @param exc the exception to dump information about
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	538	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	539	private static synchronized void err(Throwable exc) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	540	System.out.print("[" + Thread.currentThread().getName() +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	541	"]: Exception: ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	542	exc.printStackTrace(System.out);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	543	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	544
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	545	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	546	* The {@code CertStatusInfo} class defines an object used to return
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	547	* information from the internal status database. The data in this
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	548	* object may be used to construct OCSP responses.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	549	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	550	public static class CertStatusInfo {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	551	private CertStatus certStatusType;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	552	private CRLReason reason;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	553	private Date revocationTime;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	554
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	555	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	556	* Create a Certificate status object by providing the status only.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	557	* If the status is {@code REVOKED} then current time is assumed
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	558	* for the revocation time.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	559	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	560	* @param statType the status for this entry.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	561	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	562	public CertStatusInfo(CertStatus statType) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	563	this(statType, null, null);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	564	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	565
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	566	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	567	* Create a CertStatusInfo providing both type and revocation date
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	568	* (if applicable).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	569	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	570	* @param statType the status for this entry.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	571	* @param revDate if applicable, the date that revocation took place.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	572	* A value of {@code null} indicates that current time should be used.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	573	* If the value of {@code statType} is not {@code CERT_STATUS_REVOKED},
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	574	* then the {@code revDate} parameter is ignored.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	575	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	576	public CertStatusInfo(CertStatus statType, Date revDate) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	577	this(statType, revDate, null);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	578	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	579
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	580	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	581	* Create a CertStatusInfo providing type, revocation date
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	582	* (if applicable) and revocation reason.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	583	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	584	* @param statType the status for this entry.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	585	* @param revDate if applicable, the date that revocation took place.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	586	* A value of {@code null} indicates that current time should be used.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	587	* If the value of {@code statType} is not {@code CERT_STATUS_REVOKED},
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	588	* then the {@code revDate} parameter is ignored.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	589	* @param revReason the reason the certificate was revoked. A value of
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	590	* {@code null} means that no reason was provided.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	591	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	592	public CertStatusInfo(CertStatus statType, Date revDate,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	593	CRLReason revReason) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	594	Objects.requireNonNull(statType, "Cert Status must be non-null");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	595	certStatusType = statType;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	596	switch (statType) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	597	case CERT_STATUS_GOOD:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	598	case CERT_STATUS_UNKNOWN:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	599	revocationTime = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	600	break;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	601	case CERT_STATUS_REVOKED:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	602	revocationTime = revDate != null ? (Date)revDate.clone() :
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	603	new Date();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	604	break;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	605	default:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	606	throw new IllegalArgumentException("Unknown status type: " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	607	statType);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	608	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	609	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	610
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	611	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	612	* Get the cert status type
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	613	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	614	* @return the status applied to this object (e.g.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	615	* {@code CERT_STATUS_GOOD}, {@code CERT_STATUS_UNKNOWN}, etc.)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	616	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	617	public CertStatus getType() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	618	return certStatusType;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	619	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	620
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	621	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	622	* Get the revocation time (if applicable).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	623	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	624	* @return the revocation time as a {@code Date} object, or
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	625	* {@code null} if not applicable (i.e. if the certificate hasn't been
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	626	* revoked).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	627	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	628	public Date getRevocationTime() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	629	return (revocationTime != null ? (Date)revocationTime.clone() :
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	630	null);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	631	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	632
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	633	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	634	* Get the revocation reason.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	635	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	636	* @return the revocation reason, or {@code null} if one was not
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	637	* provided.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	638	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	639	public CRLReason getRevocationReason() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	640	return reason;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	641	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	642	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	643
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	644	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	645	* Runnable task that handles incoming OCSP Requests and returns
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	646	* responses.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	647	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	648	private class OcspHandler implements Runnable {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	649	private final Socket sock;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	650	InetSocketAddress peerSockAddr;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	651
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	652	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	653	* Construct an {@code OcspHandler}.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	654	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	655	* @param incomingSocket the socket the server created on accept()
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	656	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	657	private OcspHandler(Socket incomingSocket) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	658	sock = incomingSocket;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	659	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	660
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	661	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	662	* Run the OCSP Request parser and construct a response to be sent
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	663	* back to the client.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	664	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	665	@Override
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	666	public void run() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	667	// If we have implemented a delay to simulate network latency
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	668	// wait out the delay here before any other processing.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	669	try {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	670	if (delayMsec > 0) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	671	Thread.sleep(delayMsec);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	672	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	673	} catch (InterruptedException ie) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	674	// Just log the interrupted sleep
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	675	log("Delay of " + delayMsec + " milliseconds was interrupted");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	676	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	677
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	678	try (Socket ocspSocket = sock;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	679	InputStream in = ocspSocket.getInputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	680	OutputStream out = ocspSocket.getOutputStream()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	681	peerSockAddr =
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	682	(InetSocketAddress)ocspSocket.getRemoteSocketAddress();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	683	log("Received incoming connection from " + peerSockAddr);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	684	String[] headerTokens = readLine(in).split(" ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	685	LocalOcspRequest ocspReq = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	686	LocalOcspResponse ocspResp = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	687	ResponseStatus respStat = ResponseStatus.INTERNAL_ERROR;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	688	try {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	689	if (headerTokens[0] != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	690	switch (headerTokens[0]) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	691	case "POST":
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	692	ocspReq = parseHttpOcspPost(in);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	693	break;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	694	case "GET":
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	695	// req = parseHttpOcspGet(in);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	696	// TODO implement the GET parsing
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	697	throw new IOException("GET method unsupported");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	698	default:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	699	respStat = ResponseStatus.MALFORMED_REQUEST;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	700	throw new IOException("Not a GET or POST");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	701	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	702	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	703	respStat = ResponseStatus.MALFORMED_REQUEST;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	704	throw new IOException("Unable to get HTTP method");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	705	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	706
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	707	if (ocspReq != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	708	log(ocspReq.toString());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	709	// Get responses for all CertIds in the request
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	710	Map<CertId, CertStatusInfo> statusMap =
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	711	checkStatusDb(ocspReq.getRequests());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	712	if (statusMap.isEmpty()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	713	respStat = ResponseStatus.UNAUTHORIZED;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	714	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	715	ocspResp = new LocalOcspResponse(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	716	ResponseStatus.SUCCESSFUL, statusMap,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	717	ocspReq.getExtensions());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	718	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	719	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	720	respStat = ResponseStatus.MALFORMED_REQUEST;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	721	throw new IOException("Found null request");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	722	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	723	} catch (IOException \| RuntimeException exc) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	724	err(exc);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	725	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	726	if (ocspResp == null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	727	ocspResp = new LocalOcspResponse(respStat);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	728	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	729	sendResponse(out, ocspResp);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	730	} catch (IOException \| CertificateException exc) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	731	err(exc);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	732	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	733	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	734
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	735	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	736	* Send an OCSP response on an {@code OutputStream}.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	737	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	738	* @param out the {@code OutputStream} on which to send the response.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	739	* @param resp the OCSP response to send.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	740	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	741	* @throws IOException if an encoding error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	742	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	743	public void sendResponse(OutputStream out, LocalOcspResponse resp)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	744	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	745	StringBuilder sb = new StringBuilder();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	746
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	747	byte[] respBytes;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	748	try {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	749	respBytes = resp.getBytes();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	750	} catch (RuntimeException re) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	751	err(re);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	752	return;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	753	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	754
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	755	sb.append("HTTP/1.0 200 OK\r\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	756	sb.append("Content-Type: application/ocsp-response\r\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	757	sb.append("Content-Length: ").append(respBytes.length);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	758	sb.append("\r\n\r\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	759
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	760	out.write(sb.toString().getBytes("UTF-8"));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	761	out.write(respBytes);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	762	log(resp.toString());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	763	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	764
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	765	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	766	* Parse the incoming HTTP POST of an OCSP Request.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	767	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	768	* @param inStream the input stream from the socket bound to this
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	769	* {@code OcspHandler}.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	770	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	771	* @return the OCSP Request as a {@code LocalOcspRequest}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	772	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	773	* @throws IOException if there are network related issues or problems
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	774	* occur during parsing of the OCSP request.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	775	* @throws CertificateException if one or more of the certificates in
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	776	* the OCSP request cannot be read/parsed.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	777	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	778	private LocalOcspRequest parseHttpOcspPost(InputStream inStream)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	779	throws IOException, CertificateException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	780	boolean endOfHeader = false;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	781	boolean properContentType = false;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	782	int length = -1;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	783
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	784	while (!endOfHeader) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	785	String[] lineTokens = readLine(inStream).split(" ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	786	if (lineTokens[0].isEmpty()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	787	endOfHeader = true;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	788	} else if (lineTokens[0].equalsIgnoreCase("Content-Type:")) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	789	if (lineTokens[1] == null \|\|
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	790	!lineTokens[1].equals(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	791	"application/ocsp-request")) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	792	log("Unknown Content-Type: " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	793	(lineTokens[1] != null ?
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	794	lineTokens[1] : "<NULL>"));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	795	return null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	796	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	797	properContentType = true;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	798	log("Content-Type = " + lineTokens[1]);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	799	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	800	} else if (lineTokens[0].equalsIgnoreCase("Content-Length:")) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	801	if (lineTokens[1] != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	802	length = Integer.parseInt(lineTokens[1]);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	803	log("Content-Length = " + length);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	804	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	805	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	806	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	807
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	808	// Okay, make sure we got what we needed from the header, then
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	809	// read the remaining OCSP Request bytes
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	810	if (properContentType && length >= 0) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	811	byte[] ocspBytes = new byte[length];
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	812	inStream.read(ocspBytes);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	813	return new LocalOcspRequest(ocspBytes);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	814	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	815	return null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	816	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	817	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	818
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	819	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	820	* Read a line of text that is CRLF-delimited.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	821	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	822	* @param is the {@code InputStream} tied to the socket
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	823	* for this {@code OcspHandler}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	824	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	825	* @return a {@code String} consisting of the line of text
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	826	* read from the stream with the CRLF stripped.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	827	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	828	* @throws IOException if any I/O error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	829	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	830	private String readLine(InputStream is) throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	831	PushbackInputStream pbis = new PushbackInputStream(is);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	832	ByteArrayOutputStream bos = new ByteArrayOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	833	boolean done = false;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	834	while (!done) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	835	byte b = (byte)pbis.read();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	836	if (b == '\r') {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	837	byte bNext = (byte)pbis.read();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	838	if (bNext == '\n' \|\| bNext == -1) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	839	done = true;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	840	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	841	pbis.unread(bNext);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	842	bos.write(b);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	843	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	844	} else if (b == -1) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	845	done = true;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	846	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	847	bos.write(b);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	848	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	849	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	850
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	851	return new String(bos.toByteArray(), "UTF-8");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	852	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	853	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	854
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	855
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	856	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	857	* Simple nested class to handle OCSP requests without making
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	858	* changes to sun.security.provider.certpath.OCSPRequest
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	859	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	860	public class LocalOcspRequest {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	861
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	862	private byte[] nonce;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	863	private byte[] signature = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	864	private AlgorithmId algId = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	865	private int version = 0;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	866	private GeneralName requestorName = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	867	private Map<String, Extension> extensions = Collections.emptyMap();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	868	private final List<LocalSingleRequest> requestList = new ArrayList<>();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	869	private final List<X509Certificate> certificates = new ArrayList<>();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	870
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	871	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	872	* Construct a {@code LocalOcspRequest} from its DER encoding.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	873	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	874	* @param requestBytes the DER-encoded bytes
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	875	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	876	* @throws IOException if decoding errors occur
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	877	* @throws CertificateException if certificates are found in the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	878	* OCSP request and they do not parse correctly.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	879	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	880	private LocalOcspRequest(byte[] requestBytes) throws IOException,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	881	CertificateException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	882	Objects.requireNonNull(requestBytes, "Received null input");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	883
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	884	DerInputStream dis = new DerInputStream(requestBytes);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	885
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	886	// Parse the top-level structure, it should have no more than
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	887	// two elements.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	888	DerValue[] topStructs = dis.getSequence(2);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	889	for (DerValue dv : topStructs) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	890	if (dv.tag == DerValue.tag_Sequence) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	891	parseTbsRequest(dv);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	892	} else if (dv.isContextSpecific((byte)0)) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	893	parseSignature(dv);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	894	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	895	throw new IOException("Unknown tag at top level: " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	896	dv.tag);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	897	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	898	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	899	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	900
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	901	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	902	* Parse the signature block from an OCSP request
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	903	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	904	* @param sigSequence a {@code DerValue} containing the signature
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	905	* block at the outer sequence datum.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	906	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	907	* @throws IOException if any non-certificate-based parsing errors occur
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	908	* @throws CertificateException if certificates are found in the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	909	* OCSP request and they do not parse correctly.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	910	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	911	private void parseSignature(DerValue sigSequence)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	912	throws IOException, CertificateException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	913	DerValue[] sigItems = sigSequence.data.getSequence(3);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	914	if (sigItems.length != 3) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	915	throw new IOException("Invalid number of signature items: " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	916	"expected 3, got " + sigItems.length);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	917	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	918
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	919	algId = AlgorithmId.parse(sigItems[0]);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	920	signature = sigItems[1].getBitString();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	921
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	922	if (sigItems[2].isContextSpecific((byte)0)) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	923	DerValue[] certDerItems = sigItems[2].data.getSequence(4);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	924	int i = 0;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	925	for (DerValue dv : certDerItems) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	926	X509Certificate xc = new X509CertImpl(dv);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	927	certificates.add(xc);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	928	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	929	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	930	throw new IOException("Invalid tag in signature block: " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	931	sigItems[2].tag);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	932	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	933	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	934
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	935	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	936	* Parse the to-be-signed request data
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	937	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	938	* @param tbsReqSeq a {@code DerValue} object containing the to-be-
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	939	* signed OCSP request at the outermost SEQUENCE tag.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	940	* @throws IOException if any parsing errors occur
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	941	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	942	private void parseTbsRequest(DerValue tbsReqSeq) throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	943	while (tbsReqSeq.data.available() > 0) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	944	DerValue dv = tbsReqSeq.data.getDerValue();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	945	if (dv.isContextSpecific((byte)0)) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	946	// The version was explicitly called out
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	947	version = dv.data.getInteger();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	948	} else if (dv.isContextSpecific((byte)1)) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	949	// A GeneralName was provided
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	950	requestorName = new GeneralName(dv.data.getDerValue());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	951	} else if (dv.isContextSpecific((byte)2)) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	952	// Parse the extensions
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	953	DerValue[] extItems = dv.data.getSequence(2);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	954	extensions = parseExtensions(extItems);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	955	} else if (dv.tag == DerValue.tag_Sequence) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	956	while (dv.data.available() > 0) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	957	requestList.add(new LocalSingleRequest(dv.data));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	958	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	959	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	960	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	961	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	962
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	963	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	964	* Parse a SEQUENCE of extensions. This routine is used both
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	965	* at the overall request level and down at the singleRequest layer.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	966	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	967	* @param extDerItems an array of {@code DerValue} items, each one
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	968	* consisting of a DER-encoded extension.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	969	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	970	* @return a {@code Map} of zero or more extensions,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	971	* keyed by its object identifier in {@code String} form.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	972	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	973	* @throws IOException if any parsing errors occur.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	974	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	975	private Map<String, Extension> parseExtensions(DerValue[] extDerItems)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	976	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	977	Map<String, Extension> extMap = new HashMap<>();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	978
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	979	if (extDerItems != null && extDerItems.length != 0) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	980	for (DerValue extDerVal : extDerItems) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	981	sun.security.x509.Extension ext =
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	982	new sun.security.x509.Extension(extDerVal);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	983	extMap.put(ext.getId(), ext);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	984	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	985	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	986
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	987	return extMap;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	988	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	989
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	990	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	991	* Return the list of single request objects in this OCSP request.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	992	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	993	* @return an unmodifiable {@code List} of zero or more requests.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	994	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	995	private List<LocalSingleRequest> getRequests() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	996	return Collections.unmodifiableList(requestList);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	997	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	998
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	999	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1000	* Return the list of X.509 Certificates in this OCSP request.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1001	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1002	* @return an unmodifiable {@code List} of zero or more
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1003	* {@cpde X509Certificate} objects.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1004	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1005	private List<X509Certificate> getCertificates() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1006	return Collections.unmodifiableList(certificates);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1007	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1008
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1009	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1010	* Return the map of OCSP request extensions.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1011	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1012	* @return an unmodifiable {@code Map} of zero or more
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1013	* {@code Extension} objects, keyed by their object identifiers
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1014	* in {@code String} form.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1015	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1016	private Map<String, Extension> getExtensions() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1017	return Collections.unmodifiableMap(extensions);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1018	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1019
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1020	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1021	* Display the {@code LocalOcspRequest} in human readable form.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1022	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1023	* @return a {@code String} representation of the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1024	* {@code LocalOcspRequest}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1025	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1026	@Override
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1027	public String toString() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1028	StringBuilder sb = new StringBuilder();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1029
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1030	sb.append(String.format("OCSP Request: Version %d (0x%X)",
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1031	version + 1, version)).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1032	if (requestorName != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1033	sb.append("Requestor Name: ").append(requestorName).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1034	append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1035	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1036
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1037	int requestCtr = 0;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1038	for (LocalSingleRequest lsr : requestList) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1039	sb.append("Request [").append(requestCtr++).append("]\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1040	sb.append(lsr).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1041	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1042	if (!extensions.isEmpty()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1043	sb.append("Extensions (").append(extensions.size()).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1044	append(")\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1045	for (Extension ext : extensions.values()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1046	sb.append("\t").append(ext).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1047	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1048	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1049	if (signature != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1050	sb.append("Signature: ").append(algId).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1051	sb.append(dumpHexBytes(signature)).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1052	int certCtr = 0;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1053	for (X509Certificate cert : certificates) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1054	sb.append("Certificate [").append(certCtr++).append("]").
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1055	append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1056	sb.append("\tSubject: ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1057	sb.append(cert.getSubjectX500Principal()).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1058	sb.append("\tIssuer: ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1059	sb.append(cert.getIssuerX500Principal()).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1060	sb.append("\tSerial: ").append(cert.getSerialNumber());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1061	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1062	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1063
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1064	return sb.toString();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1065	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1066
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1067	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1068	* Inner class designed to handle the decoding/representation of
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1069	* single requests within a {@code LocalOcspRequest} object.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1070	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1071	public class LocalSingleRequest {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1072	private final CertId cid;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1073	private Map<String, Extension> extensions = Collections.emptyMap();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1074
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1075	private LocalSingleRequest(DerInputStream dis)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1076	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1077	DerValue[] srItems = dis.getSequence(2);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1078
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1079	// There should be 1, possibly 2 DerValue items
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1080	if (srItems.length == 1 \|\| srItems.length == 2) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1081	// The first parsable item should be the mandatory CertId
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1082	cid = new CertId(srItems[0].data);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1083	if (srItems.length == 2) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1084	if (srItems[1].isContextSpecific((byte)0)) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1085	DerValue[] extDerItems = srItems[1].data.getSequence(2);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1086	extensions = parseExtensions(extDerItems);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1087	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1088	throw new IOException("Illegal tag in Request " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1089	"extensions: " + srItems[1].tag);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1090	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1091	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1092	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1093	throw new IOException("Invalid number of items in " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1094	"Request (" + srItems.length + ")");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1095	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1096	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1097
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1098	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1099	* Get the {@code CertId} for this single request.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1100	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1101	* @return the {@code CertId} for this single request.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1102	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1103	private CertId getCertId() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1104	return cid;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1105	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1106
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1107	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1108	* Return the map of single request extensions.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1109	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1110	* @return an unmodifiable {@code Map} of zero or more
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1111	* {@code Extension} objects, keyed by their object identifiers
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1112	* in {@code String} form.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1113	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1114	private Map<String, Extension> getExtensions() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1115	return Collections.unmodifiableMap(extensions);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1116	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1117
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1118	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1119	* Display the {@code LocalSingleRequest} in human readable form.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1120	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1121	* @return a {@code String} representation of the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1122	* {@code LocalSingleRequest}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1123	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1124	@Override
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1125	public String toString() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1126	StringBuilder sb = new StringBuilder();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1127	sb.append("CertId, Algorithm = ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1128	sb.append(cid.getHashAlgorithm()).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1129	sb.append("\tIssuer Name Hash: ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1130	sb.append(dumpHexBytes(cid.getIssuerNameHash(), 256, "", ""));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1131	sb.append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1132	sb.append("\tIssuer Key Hash: ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1133	sb.append(dumpHexBytes(cid.getIssuerKeyHash(), 256, "", ""));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1134	sb.append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1135	sb.append("\tSerial Number: ").append(cid.getSerialNumber());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1136	if (!extensions.isEmpty()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1137	sb.append("Extensions (").append(extensions.size()).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1138	append(")\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1139	for (Extension ext : extensions.values()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1140	sb.append("\t").append(ext).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1141	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1142	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1143
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1144	return sb.toString();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1145	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1146	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1147	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1148
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1149	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1150	* Simple nested class to handle OCSP requests without making
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1151	* changes to sun.security.provider.certpath.OCSPResponse
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1152	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1153	public class LocalOcspResponse {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1154	private final int version = 0;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1155	private final OCSPResponse.ResponseStatus responseStatus;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1156	private final Map<CertId, CertStatusInfo> respItemMap;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1157	private final Date producedAtDate;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1158	private final List<LocalSingleResponse> singleResponseList =
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1159	new ArrayList<>();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1160	private final Map<String, Extension> responseExtensions;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1161	private byte[] signature;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1162	private final List<X509Certificate> certificates;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1163	private final byte[] encodedResponse;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1164
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1165	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1166	* Constructor for the generation of non-successful responses
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1167	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1168	* @param respStat the OCSP response status.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1169	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1170	* @throws IOException if an error happens during encoding
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1171	* @throws NullPointerException if {@code respStat} is {@code null}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1172	* or {@code respStat} is successful.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1173	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1174	public LocalOcspResponse(OCSPResponse.ResponseStatus respStat)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1175	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1176	this(respStat, null, null);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1177	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1178
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1179	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1180	* Construct a response from a list of certificate
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1181	* status objects and extensions.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1182	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1183	* @param respStat the status of the entire response
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1184	* @param itemMap a {@code Map} of {@code CertId} objects and their
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1185	* respective revocation statuses from the server's response DB.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1186	* @param reqExtensions a {@code Map} of request extensions
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1187	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1188	* @throws IOException if an error happens during encoding
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1189	* @throws NullPointerException if {@code respStat} is {@code null}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1190	* or {@code respStat} is successful, and a {@code null} {@code itemMap}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1191	* has been provided.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1192	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1193	public LocalOcspResponse(OCSPResponse.ResponseStatus respStat,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1194	Map<CertId, CertStatusInfo> itemMap,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1195	Map<String, Extension> reqExtensions) throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1196	responseStatus = Objects.requireNonNull(respStat,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1197	"Illegal null response status");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1198	if (responseStatus == ResponseStatus.SUCCESSFUL) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1199	respItemMap = Objects.requireNonNull(itemMap,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1200	"SUCCESSFUL responses must have a response map");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1201	producedAtDate = new Date();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1202
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1203	// Turn the answerd from the response DB query into a list
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1204	// of single responses.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1205	for (CertId id : itemMap.keySet()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1206	singleResponseList.add(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1207	new LocalSingleResponse(id, itemMap.get(id)));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1208	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1209
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1210	responseExtensions = setResponseExtensions(reqExtensions);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1211	certificates = new ArrayList<>();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1212	if (signerCert != issuerCert) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1213	certificates.add(signerCert);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1214	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1215	certificates.add(issuerCert);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1216	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1217	respItemMap = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1218	producedAtDate = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1219	responseExtensions = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1220	certificates = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1221	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1222	encodedResponse = this.getBytes();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1223	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1224
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1225	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1226	* Set the response extensions based on the request extensions
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1227	* that were received. Right now, this is limited to the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1228	* OCSP nonce extension.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1229	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1230	* @param reqExts a {@code Map} of zero or more request extensions
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1231	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1232	* @return a {@code Map} of zero or more response extensions, keyed
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1233	* by the extension object identifier in {@code String} form.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1234	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1235	private Map<String, Extension> setResponseExtensions(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1236	Map<String, Extension> reqExts) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1237	Map<String, Extension> respExts = new HashMap<>();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1238	String ocspNonceStr = PKIXExtensions.OCSPNonce_Id.toString();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1239
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1240	if (reqExts != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1241	for (String id : reqExts.keySet()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1242	if (id.equals(ocspNonceStr)) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1243	// We found a nonce, add it into the response extensions
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1244	Extension ext = reqExts.get(id);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1245	if (ext != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1246	respExts.put(id, ext);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1247	log("Added OCSP Nonce to response");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1248	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1249	log("Error: Found nonce entry, but found null " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1250	"value. Skipping");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1251	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1252	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1253	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1254	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1255
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1256	return respExts;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1257	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1258
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1259	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1260	* Get the DER-encoded response bytes for this response
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1261	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1262	* @return a byte array containing the DER-encoded bytes for
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1263	* the response
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1264	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1265	* @throws IOException if any encoding errors occur
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1266	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1267	private byte[] getBytes() throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1268	DerOutputStream outerSeq = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1269	DerOutputStream responseStream = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1270	responseStream.putEnumerated(responseStatus.ordinal());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1271	if (responseStatus == ResponseStatus.SUCCESSFUL &&
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1272	respItemMap != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1273	encodeResponseBytes(responseStream);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1274	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1275
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1276	// Commit the outermost sequence bytes
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1277	outerSeq.write(DerValue.tag_Sequence, responseStream);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1278	return outerSeq.toByteArray();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1279	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1280
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1281	private void encodeResponseBytes(DerOutputStream responseStream)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1282	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1283	DerOutputStream explicitZero = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1284	DerOutputStream respItemStream = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1285
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1286	respItemStream.putOID(OCSP_BASIC_RESPONSE_OID);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1287
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1288	byte[] basicOcspBytes = encodeBasicOcspResponse();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1289	respItemStream.putOctetString(basicOcspBytes);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1290	explicitZero.write(DerValue.tag_Sequence, respItemStream);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1291	responseStream.write(DerValue.createTag(DerValue.TAG_CONTEXT,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1292	true, (byte)0), explicitZero);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1293	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1294
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1295	private byte[] encodeBasicOcspResponse() throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1296	DerOutputStream outerSeq = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1297	DerOutputStream basicORItemStream = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1298
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1299	// Encode the tbsResponse
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1300	byte[] tbsResponseBytes = encodeTbsResponse();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1301	basicORItemStream.write(tbsResponseBytes);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1302
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1303	try {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1304	sigAlgId.derEncode(basicORItemStream);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1305
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1306	// Create the signature
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1307	Signature sig = Signature.getInstance(sigAlgId.getName());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1308	sig.initSign(signerKey);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1309	sig.update(tbsResponseBytes);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1310	signature = sig.sign();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1311	basicORItemStream.putBitString(signature);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1312	} catch (GeneralSecurityException exc) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1313	err(exc);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1314	throw new IOException(exc);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1315	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1316
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1317	// Add certificates
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1318	try {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1319	DerOutputStream certStream = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1320	ArrayList<DerValue> certList = new ArrayList<>();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1321	if (signerCert != issuerCert) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1322	certList.add(new DerValue(signerCert.getEncoded()));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1323	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1324	certList.add(new DerValue(issuerCert.getEncoded()));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1325	DerValue[] dvals = new DerValue[certList.size()];
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1326	certStream.putSequence(certList.toArray(dvals));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1327	basicORItemStream.write(DerValue.createTag(DerValue.TAG_CONTEXT,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1328	true, (byte)0), certStream);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1329	} catch (CertificateEncodingException cex) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1330	err(cex);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1331	throw new IOException(cex);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1332	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1333
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1334	// Commit the outermost sequence bytes
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1335	outerSeq.write(DerValue.tag_Sequence, basicORItemStream);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1336	return outerSeq.toByteArray();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1337	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1338
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1339	private byte[] encodeTbsResponse() throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1340	DerOutputStream outerSeq = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1341	DerOutputStream tbsStream = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1342
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1343	// Note: We're not going explicitly assert the version
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1344	tbsStream.write(respId.getEncoded());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1345	tbsStream.putGeneralizedTime(producedAtDate);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1346
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1347	// Sequence of responses
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1348	encodeSingleResponses(tbsStream);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1349
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1350	// TODO: add response extension support
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1351	encodeExtensions(tbsStream);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1352
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1353	outerSeq.write(DerValue.tag_Sequence, tbsStream);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1354	return outerSeq.toByteArray();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1355	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1356
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1357	private void encodeSingleResponses(DerOutputStream tbsStream)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1358	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1359	DerValue[] srDerVals = new DerValue[singleResponseList.size()];
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1360	int srDvCtr = 0;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1361
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1362	for (LocalSingleResponse lsr : singleResponseList) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1363	srDerVals[srDvCtr++] = new DerValue(lsr.getBytes());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1364	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1365
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1366	tbsStream.putSequence(srDerVals);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1367	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1368
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1369	private void encodeExtensions(DerOutputStream tbsStream)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1370	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1371	DerOutputStream extSequence = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1372	DerOutputStream extItems = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1373
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1374	for (Extension ext : responseExtensions.values()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1375	ext.encode(extItems);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1376	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1377	extSequence.write(DerValue.tag_Sequence, extItems);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1378	tbsStream.write(DerValue.createTag(DerValue.TAG_CONTEXT, true,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1379	(byte)1), extSequence);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1380	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1381
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1382	@Override
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1383	public String toString() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1384	StringBuilder sb = new StringBuilder();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1385
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1386	sb.append("OCSP Response: ").append(responseStatus).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1387	if (responseStatus == ResponseStatus.SUCCESSFUL) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1388	sb.append("Response Type: ").
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1389	append(OCSP_BASIC_RESPONSE_OID.toString()).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1390	sb.append(String.format("Version: %d (0x%X)", version + 1,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1391	version)).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1392	sb.append("Responder Id: ").append(respId.toString()).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1393	append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1394	sb.append("Produced At: ").
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1395	append(utcDateFmt.format(producedAtDate)).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1396
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1397	int srCtr = 0;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1398	for (LocalSingleResponse lsr : singleResponseList) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1399	sb.append("SingleResponse [").append(srCtr++).append("]\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1400	sb.append(lsr);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1401	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1402
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1403	if (!responseExtensions.isEmpty()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1404	sb.append("Extensions (").append(responseExtensions.size()).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1405	append(")\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1406	for (Extension ext : responseExtensions.values()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1407	sb.append("\t").append(ext).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1408	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1409	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1410	sb.append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1411	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1412
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1413	if (signature != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1414	sb.append("Signature: ").append(sigAlgId).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1415	sb.append(dumpHexBytes(signature)).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1416	int certCtr = 0;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1417	for (X509Certificate cert : certificates) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1418	sb.append("Certificate [").append(certCtr++).append("]").
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1419	append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1420	sb.append("\tSubject: ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1421	sb.append(cert.getSubjectX500Principal()).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1422	sb.append("\tIssuer: ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1423	sb.append(cert.getIssuerX500Principal()).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1424	sb.append("\tSerial: ").append(cert.getSerialNumber());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1425	sb.append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1426	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1427	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1428	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1429
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1430	return sb.toString();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1431	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1432
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1433	private class LocalSingleResponse {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1434	private final CertId certId;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1435	private final CertStatusInfo csInfo;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1436	private final Date thisUpdate;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1437	private final Date lsrNextUpdate;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1438	private final Map<String, Extension> singleExtensions;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1439
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1440	public LocalSingleResponse(CertId cid, CertStatusInfo info) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1441	certId = Objects.requireNonNull(cid, "CertId must be non-null");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1442	csInfo = Objects.requireNonNull(info,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1443	"CertStatusInfo must be non-null");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1444
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1445	// For now, we'll keep things simple and make the thisUpdate
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1446	// field the same as the producedAt date.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1447	thisUpdate = producedAtDate;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1448	lsrNextUpdate = getNextUpdate();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1449
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1450	// TODO Add extensions support
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1451	singleExtensions = Collections.emptyMap();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1452	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1453
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1454	@Override
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1455	public String toString() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1456	StringBuilder sb = new StringBuilder();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1457	sb.append("Certificate Status: ").append(csInfo.getType());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1458	sb.append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1459	if (csInfo.getType() == CertStatus.CERT_STATUS_REVOKED) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1460	sb.append("Revocation Time: ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1461	sb.append(utcDateFmt.format(csInfo.getRevocationTime()));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1462	sb.append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1463	if (csInfo.getRevocationReason() != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1464	sb.append("Revocation Reason: ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1465	sb.append(csInfo.getRevocationReason()).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1466	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1467	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1468
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1469	sb.append("CertId, Algorithm = ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1470	sb.append(certId.getHashAlgorithm()).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1471	sb.append("\tIssuer Name Hash: ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1472	sb.append(dumpHexBytes(certId.getIssuerNameHash(), 256, "", ""));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1473	sb.append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1474	sb.append("\tIssuer Key Hash: ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1475	sb.append(dumpHexBytes(certId.getIssuerKeyHash(), 256, "", ""));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1476	sb.append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1477	sb.append("\tSerial Number: ").append(certId.getSerialNumber());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1478	sb.append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1479	sb.append("This Update: ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1480	sb.append(utcDateFmt.format(thisUpdate)).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1481	if (lsrNextUpdate != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1482	sb.append("Next Update: ");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1483	sb.append(utcDateFmt.format(lsrNextUpdate)).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1484	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1485
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1486	if (!singleExtensions.isEmpty()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1487	sb.append("Extensions (").append(singleExtensions.size()).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1488	append(")\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1489	for (Extension ext : singleExtensions.values()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1490	sb.append("\t").append(ext).append("\n");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1491	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1492	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1493
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1494	return sb.toString();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1495	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1496
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1497	public byte[] getBytes() throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1498	byte[] nullData = { };
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1499	DerOutputStream responseSeq = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1500	DerOutputStream srStream = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1501
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1502	// Encode the CertId
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1503	certId.encode(srStream);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1504
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1505	// Next, encode the CertStatus field
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1506	CertStatus csiType = csInfo.getType();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1507	switch (csiType) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1508	case CERT_STATUS_GOOD:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1509	srStream.write(DerValue.createTag(DerValue.TAG_CONTEXT,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1510	false, (byte)0), nullData);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1511	break;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1512	case CERT_STATUS_REVOKED:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1513	DerOutputStream revInfo = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1514	revInfo.putGeneralizedTime(csInfo.getRevocationTime());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1515	CRLReason revReason = csInfo.getRevocationReason();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1516	if (revReason != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1517	byte[] revDer = new byte[3];
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1518	revDer[0] = DerValue.tag_Enumerated;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1519	revDer[1] = 1;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1520	revDer[2] = (byte)revReason.ordinal();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1521	revInfo.write(DerValue.createTag(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1522	DerValue.TAG_CONTEXT, true, (byte)0),
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1523	revDer);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1524	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1525	srStream.write(DerValue.createTag(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1526	DerValue.TAG_CONTEXT, true, (byte)1),
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1527	revInfo);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1528	break;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1529	case CERT_STATUS_UNKNOWN:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1530	srStream.write(DerValue.createTag(DerValue.TAG_CONTEXT,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1531	false, (byte)2), nullData);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1532	break;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1533	default:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1534	throw new IOException("Unknown CertStatus: " + csiType);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1535	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1536
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1537	// Add the necessary dates
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1538	srStream.putGeneralizedTime(thisUpdate);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1539	if (lsrNextUpdate != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1540	DerOutputStream nuStream = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1541	nuStream.putGeneralizedTime(lsrNextUpdate);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1542	srStream.write(DerValue.createTag(DerValue.TAG_CONTEXT,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1543	true, (byte)0), nuStream);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1544	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1545
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1546	// TODO add singleResponse Extension support
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1547
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1548	// Add the single response to the response output stream
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1549	responseSeq.write(DerValue.tag_Sequence, srStream);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1550	return responseSeq.toByteArray();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1551	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1552	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1553	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1554	}

author	rhalade
	Tue, 12 Apr 2016 09:37:46 -0700
changeset 37309	8f530b9d18f4
parent 32032	22badc53802f
child 40390	64541737c7f7
permissions	-rw-r--r--