/*

 * Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.provider.certpath;

import java.io.IOException;

import java.math.BigInteger;

import java.net.URI;

import java.net.URISyntaxException;

import java.security.AccessController;

import java.security.InvalidAlgorithmParameterException;

import java.security.NoSuchAlgorithmException;

import java.security.PrivilegedAction;

import java.security.PublicKey;

import java.security.Security;

import java.security.cert.CertPathValidatorException.BasicReason;

import java.security.cert.Extension;

import java.security.cert.*;

import java.util.*;

import javax.security.auth.x500.X500Principal;

import static sun.security.provider.certpath.OCSP.*;

import static sun.security.provider.certpath.PKIX.*;

import sun.security.x509.*;

import static sun.security.x509.PKIXExtensions.*;

import sun.security.util.Debug;

class RevocationChecker extends PKIXRevocationChecker {

    private static final Debug debug = Debug.getInstance("certpath");

    private TrustAnchor anchor;

    private ValidatorParams params;

    private boolean onlyEE;

    private boolean softFail;

    private boolean crlDP;

    private URI responderURI;

    private X509Certificate responderCert;

    private List<CertStore> certStores;

    private Map<X509Certificate, byte[]> ocspResponses;

    private List<Extension> ocspExtensions;

    private final boolean legacy;

    private LinkedList<CertPathValidatorException> softFailExceptions =

        new LinkedList<>();

    // state variables

    private OCSPResponse.IssuerInfo issuerInfo;

    private PublicKey prevPubKey;

    private boolean crlSignFlag;

    private int certIndex;

    private enum Mode { PREFER_OCSP, PREFER_CRLS, ONLY_CRLS, ONLY_OCSP };

    private Mode mode = Mode.PREFER_OCSP;

    private static class RevocationProperties {

        boolean onlyEE;

        boolean ocspEnabled;

        boolean crlDPEnabled;

        String ocspUrl;

        String ocspSubject;

        String ocspIssuer;

        String ocspSerial;

    }

    RevocationChecker() {

        legacy = false;

    }

    RevocationChecker(TrustAnchor anchor, ValidatorParams params)

        throws CertPathValidatorException

    {

        legacy = true;

        init(anchor, params);

    }

    void init(TrustAnchor anchor, ValidatorParams params)

        throws CertPathValidatorException

    {

        RevocationProperties rp = getRevocationProperties();

        URI uri = getOcspResponder();

        responderURI = (uri == null) ? toURI(rp.ocspUrl) : uri;

        X509Certificate cert = getOcspResponderCert();

        responderCert = (cert == null)

                        ? getResponderCert(rp, params.trustAnchors(),

                                           params.certStores())

                        : cert;

        Set<Option> options = getOptions();

        for (Option option : options) {

            switch (option) {

            case ONLY_END_ENTITY:

            case PREFER_CRLS:

            case SOFT_FAIL:

            case NO_FALLBACK:

                break;

            default:

                throw new CertPathValidatorException(

                    "Unrecognized revocation parameter option: " + option);

            }

        }

        softFail = options.contains(Option.SOFT_FAIL);

        // set mode, only end entity flag

        if (legacy) {

            mode = (rp.ocspEnabled) ? Mode.PREFER_OCSP : Mode.ONLY_CRLS;

            onlyEE = rp.onlyEE;

        } else {

            if (options.contains(Option.NO_FALLBACK)) {

                if (options.contains(Option.PREFER_CRLS)) {

                    mode = Mode.ONLY_CRLS;

                } else {

                    mode = Mode.ONLY_OCSP;

                }

            } else if (options.contains(Option.PREFER_CRLS)) {

                mode = Mode.PREFER_CRLS;

            }

            onlyEE = options.contains(Option.ONLY_END_ENTITY);

        }

        if (legacy) {

            crlDP = rp.crlDPEnabled;

        } else {

            crlDP = true;

        }

        ocspResponses = getOcspResponses();

        ocspExtensions = getOcspExtensions();

        this.anchor = anchor;

        this.params = params;

        this.certStores = new ArrayList<>(params.certStores());

        try {

            this.certStores.add(CertStore.getInstance("Collection",

                new CollectionCertStoreParameters(params.certificates())));

        } catch (InvalidAlgorithmParameterException |

                 NoSuchAlgorithmException e) {

            // should never occur but not necessarily fatal, so log it,

            // ignore and continue

            if (debug != null) {

                debug.println("RevocationChecker: " +

                              "error creating Collection CertStore: " + e);

            }

        }

    }

    private static URI toURI(String uriString)

        throws CertPathValidatorException

    {

        try {

            if (uriString != null) {

                return new URI(uriString);

            }

            return null;

        } catch (URISyntaxException e) {

            throw new CertPathValidatorException(

                "cannot parse ocsp.responderURL property", e);

        }

    }

    private static RevocationProperties getRevocationProperties() {

        return AccessController.doPrivileged(

            new PrivilegedAction<RevocationProperties>() {

                public RevocationProperties run() {

                    RevocationProperties rp = new RevocationProperties();

                    String onlyEE = Security.getProperty(

                        "com.sun.security.onlyCheckRevocationOfEECert");

                    rp.onlyEE = onlyEE != null

                                && onlyEE.equalsIgnoreCase("true");

                    String ocspEnabled = Security.getProperty("ocsp.enable");

                    rp.ocspEnabled = ocspEnabled != null

                                     && ocspEnabled.equalsIgnoreCase("true");

                    rp.ocspUrl = Security.getProperty("ocsp.responderURL");

                    rp.ocspSubject

                        = Security.getProperty("ocsp.responderCertSubjectName");

                    rp.ocspIssuer

                        = Security.getProperty("ocsp.responderCertIssuerName");

                    rp.ocspSerial

                        = Security.getProperty("ocsp.responderCertSerialNumber");

                    rp.crlDPEnabled

                        = Boolean.getBoolean("com.sun.security.enableCRLDP");

                    return rp;

                }

            }

        );

    }

    private static X509Certificate getResponderCert(RevocationProperties rp,

                                                    Set<TrustAnchor> anchors,

                                                    List<CertStore> stores)

        throws CertPathValidatorException

    {

        if (rp.ocspSubject != null) {

            return getResponderCert(rp.ocspSubject, anchors, stores);

        } else if (rp.ocspIssuer != null && rp.ocspSerial != null) {

            return getResponderCert(rp.ocspIssuer, rp.ocspSerial,

                                    anchors, stores);

        } else if (rp.ocspIssuer != null || rp.ocspSerial != null) {

            throw new CertPathValidatorException(

                "Must specify both ocsp.responderCertIssuerName and " +

                "ocsp.responderCertSerialNumber properties");

        }

        return null;

    }

    private static X509Certificate getResponderCert(String subject,

                                                    Set<TrustAnchor> anchors,

                                                    List<CertStore> stores)

        throws CertPathValidatorException

    {

        X509CertSelector sel = new X509CertSelector();

        try {

            sel.setSubject(new X500Principal(subject));

        } catch (IllegalArgumentException e) {

            throw new CertPathValidatorException(

                "cannot parse ocsp.responderCertSubjectName property", e);

        }

        return getResponderCert(sel, anchors, stores);

    }

    private static X509Certificate getResponderCert(String issuer,

                                                    String serial,

                                                    Set<TrustAnchor> anchors,

                                                    List<CertStore> stores)

        throws CertPathValidatorException

    {

        X509CertSelector sel = new X509CertSelector();

        try {

            sel.setIssuer(new X500Principal(issuer));

        } catch (IllegalArgumentException e) {

            throw new CertPathValidatorException(

                "cannot parse ocsp.responderCertIssuerName property", e);

        }

        try {

            sel.setSerialNumber(new BigInteger(stripOutSeparators(serial), 16));

        } catch (NumberFormatException e) {

            throw new CertPathValidatorException(

                "cannot parse ocsp.responderCertSerialNumber property", e);

        }

        return getResponderCert(sel, anchors, stores);

    }

    private static X509Certificate getResponderCert(X509CertSelector sel,

                                                    Set<TrustAnchor> anchors,

                                                    List<CertStore> stores)

        throws CertPathValidatorException

    {

        // first check TrustAnchors

        for (TrustAnchor anchor : anchors) {

            X509Certificate cert = anchor.getTrustedCert();

            if (cert == null) {

                continue;

            }

            if (sel.match(cert)) {

                return cert;

            }

        }

        // now check CertStores

        for (CertStore store : stores) {

            try {

                Collection<? extends Certificate> certs =

                    store.getCertificates(sel);

                if (!certs.isEmpty()) {

                    return (X509Certificate)certs.iterator().next();

                }

            } catch (CertStoreException e) {

                // ignore and try next CertStore

                if (debug != null) {

                    debug.println("CertStore exception:" + e);

                }

                continue;

            }

        }

        throw new CertPathValidatorException(

            "Cannot find the responder's certificate " +

            "(set using the OCSP security properties).");

    }

    @Override

    public void init(boolean forward) throws CertPathValidatorException {

        if (forward) {

            throw new

                CertPathValidatorException("forward checking not supported");

        }

        if (anchor != null) {

            issuerInfo = new OCSPResponse.IssuerInfo(anchor);

            prevPubKey = issuerInfo.getPublicKey();

        }

        crlSignFlag = true;

        if (params != null && params.certPath() != null) {

            certIndex = params.certPath().getCertificates().size() - 1;

        } else {

            certIndex = -1;

        }

        softFailExceptions.clear();

    }

    @Override

    public boolean isForwardCheckingSupported() {

        return false;

    }

    @Override

    public Set<String> getSupportedExtensions() {

        return null;

    }

    @Override

    public List<CertPathValidatorException> getSoftFailExceptions() {

        return Collections.unmodifiableList(softFailExceptions);

    }

    @Override

    public void check(Certificate cert, Collection<String> unresolvedCritExts)

        throws CertPathValidatorException

    {

        check((X509Certificate)cert, unresolvedCritExts,

              prevPubKey, crlSignFlag);

    }

    private void check(X509Certificate xcert,

                       Collection<String> unresolvedCritExts,

                       PublicKey pubKey, boolean crlSignFlag)

        throws CertPathValidatorException

    {

        if (debug != null) {

            debug.println("RevocationChecker.check: checking cert" +

                "\n  SN: " + Debug.toHexString(xcert.getSerialNumber()) +

                "\n  Subject: " + xcert.getSubjectX500Principal() +

                "\n  Issuer: " + xcert.getIssuerX500Principal());

        }

        try {

            if (onlyEE && xcert.getBasicConstraints() != -1) {

                if (debug != null) {

                    debug.println("Skipping revocation check; cert is not " +

                                  "an end entity cert");

                }

                return;

            }

            switch (mode) {

                case PREFER_OCSP:

                case ONLY_OCSP:

                    checkOCSP(xcert, unresolvedCritExts);

                    break;

                case PREFER_CRLS:

                case ONLY_CRLS:

                    checkCRLs(xcert, unresolvedCritExts, null,

                              pubKey, crlSignFlag);

                    break;

            }

        } catch (CertPathValidatorException e) {

            if (e.getReason() == BasicReason.REVOKED) {

                throw e;

            }

            boolean eSoftFail = isSoftFailException(e);

            if (eSoftFail) {

                if (mode == Mode.ONLY_OCSP || mode == Mode.ONLY_CRLS) {

                    return;

                }

            } else {

                if (mode == Mode.ONLY_OCSP || mode == Mode.ONLY_CRLS) {

                    throw e;

                }

            }

            CertPathValidatorException cause = e;

            // Otherwise, failover

            if (debug != null) {

                debug.println("RevocationChecker.check() " + e.getMessage());

                debug.println("RevocationChecker.check() preparing to failover");

            }

            try {

                switch (mode) {

                    case PREFER_OCSP:

                        checkCRLs(xcert, unresolvedCritExts, null,

                                  pubKey, crlSignFlag);

                        break;

                    case PREFER_CRLS:

                        checkOCSP(xcert, unresolvedCritExts);

                        break;

                }

            } catch (CertPathValidatorException x) {

                if (debug != null) {

                    debug.println("RevocationChecker.check() failover failed");

                    debug.println("RevocationChecker.check() " + x.getMessage());

                }

                if (x.getReason() == BasicReason.REVOKED) {

                    throw x;

                }

                if (!isSoftFailException(x)) {

                    cause.addSuppressed(x);

                    throw cause;

                } else {

                    // only pass if both exceptions were soft failures

                    if (!eSoftFail) {

                        throw cause;

                    }

                }

            }

        } finally {

            updateState(xcert);

        }

    }

    private boolean isSoftFailException(CertPathValidatorException e) {

        if (softFail &&

            e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)

        {

            // recreate exception with correct index

            CertPathValidatorException e2 = new CertPathValidatorException(

                e.getMessage(), e.getCause(), params.certPath(), certIndex,

                e.getReason());

            softFailExceptions.addFirst(e2);

            return true;

        }

        return false;

    }

    private void updateState(X509Certificate cert)

        throws CertPathValidatorException

    {

        issuerInfo = new OCSPResponse.IssuerInfo(anchor, cert);

        // Make new public key if parameters are missing

        PublicKey pubKey = cert.getPublicKey();

        if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) {

            // pubKey needs to inherit DSA parameters from prev key

            pubKey = BasicChecker.makeInheritedParamsKey(pubKey, prevPubKey);

        }

        prevPubKey = pubKey;

        crlSignFlag = certCanSignCrl(cert);

        if (certIndex > 0) {

            certIndex--;

        }

    }

    // Maximum clock skew in milliseconds (15 minutes) allowed when checking

    // validity of CRLs

    private static final long MAX_CLOCK_SKEW = 900000;

    private void checkCRLs(X509Certificate cert,

                           Collection<String> unresolvedCritExts,

                           Set<X509Certificate> stackedCerts,

                           PublicKey pubKey, boolean signFlag)

        throws CertPathValidatorException

    {

        checkCRLs(cert, pubKey, null, signFlag, true,

                  stackedCerts, params.trustAnchors());

    }

    static boolean isCausedByNetworkIssue(String type, CertStoreException cse) {

        boolean result;

        Throwable t = cse.getCause();

        switch (type) {

            case "LDAP":

                if (t != null) {

                    // These two exception classes are inside java.naming module

                    String cn = t.getClass().getName();

                    result = (cn.equals("javax.naming.ServiceUnavailableException") ||

                        cn.equals("javax.naming.CommunicationException"));

                } else {

                    result = false;

                }

                break;

            case "SSLServer":

                result = (t != null && t instanceof IOException);

                break;

            case "URI":

                result = (t != null && t instanceof IOException);

                break;

            default:

                // we don't know about any other remote CertStore types

                return false;

        }

        return result;

    }

    private void checkCRLs(X509Certificate cert, PublicKey prevKey,

                           X509Certificate prevCert, boolean signFlag,

                           boolean allowSeparateKey,

                           Set<X509Certificate> stackedCerts,

                           Set<TrustAnchor> anchors)

        throws CertPathValidatorException

    {

        if (debug != null) {

            debug.println("RevocationChecker.checkCRLs()" +

                          " ---checking revocation status ...");

        }

        // Reject circular dependencies - RFC 5280 is not explicit on how

        // to handle this, but does suggest that they can be a security

        // risk and can create unresolvable dependencies

        if (stackedCerts != null && stackedCerts.contains(cert)) {

            if (debug != null) {

                debug.println("RevocationChecker.checkCRLs()" +

                              " circular dependency");

            }