jdk-sandbox: src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java@c3ee22c3a0f6 (annotated)

32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1	/*
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	2	* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	4	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	10	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	15	* accompanied this code).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	16	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	20	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	23	* questions.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	24	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	25
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	26	package sun.security.ssl;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	27
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	28	import java.io.IOException;
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	29	import java.io.ByteArrayInputStream;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	30	import java.nio.ByteBuffer;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	31	import java.security.cert.Extension;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	32	import java.security.cert.CertificateFactory;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	33	import java.security.cert.CertificateException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	34	import java.security.cert.X509Certificate;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	35	import java.text.MessageFormat;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	36	import java.util.ArrayList;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	37	import java.util.List;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	38	import java.util.Locale;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	39	import javax.net.ssl.SSLProtocolException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	40	import sun.security.provider.certpath.OCSPResponse;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	41	import sun.security.provider.certpath.ResponderId;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	42	import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	43	import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST_V2;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	44	import sun.security.ssl.SSLExtension.ExtensionConsumer;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	45	import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	46	import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST_V2;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	47	import sun.security.ssl.SSLExtension.SSLExtensionSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	48	import sun.security.ssl.SSLHandshake.HandshakeMessage;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	49	import sun.security.util.DerInputStream;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	50	import sun.security.util.DerValue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	51	import sun.security.util.HexDumpEncoder;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	52
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	53	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	54	* Pack of "status_request" and "status_request_v2" extensions.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	55	*/
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	56	final class CertStatusExtension {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	57	static final HandshakeProducer chNetworkProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	58	new CHCertStatusReqProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	59	static final ExtensionConsumer chOnLoadConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	60	new CHCertStatusReqConsumer();
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	61
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	62	static final HandshakeProducer shNetworkProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	63	new SHCertStatusReqProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	64	static final ExtensionConsumer shOnLoadConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	65	new SHCertStatusReqConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	66
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	67	static final HandshakeProducer ctNetworkProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	68	new CTCertStatusResponseProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	69	static final ExtensionConsumer ctOnLoadConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	70	new CTCertStatusResponseConsumer();
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	71
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	72	static final SSLStringize certStatusReqStringize =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	73	new CertStatusRequestStringize();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	74
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	75	static final HandshakeProducer chV2NetworkProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	76	new CHCertStatusReqV2Producer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	77	static final ExtensionConsumer chV2OnLoadConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	78	new CHCertStatusReqV2Consumer();
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	79
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	80	static final HandshakeProducer shV2NetworkProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	81	new SHCertStatusReqV2Producer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	82	static final ExtensionConsumer shV2OnLoadConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	83	new SHCertStatusReqV2Consumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	84
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	85	static final SSLStringize certStatusReqV2Stringize =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	86	new CertStatusRequestsStringize();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	87
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	88	static final SSLStringize certStatusRespStringize =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	89	new CertStatusRespStringize();
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	90
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	91	/**
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	92	* The "status_request" extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	93	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	94	* RFC6066 defines the TLS extension,"status_request" (type 0x5),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	95	* which allows the client to request that the server perform OCSP
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	96	* on the client's behalf.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	97	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	98	* The "extension data" field of this extension contains a
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	99	* "CertificateStatusRequest" structure:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	100	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	101	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	102	* CertificateStatusType status_type;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	103	* select (status_type) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	104	* case ocsp: OCSPStatusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	105	* } request;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	106	* } CertificateStatusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	107	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	108	* enum { ocsp(1), (255) } CertificateStatusType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	109	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	110	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	111	* ResponderID responder_id_list<0..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	112	* Extensions request_extensions;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	113	* } OCSPStatusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	114	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	115	* opaque ResponderID<1..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	116	* opaque Extensions<0..2^16-1>;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	117	*/
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	118	static final class CertStatusRequestSpec implements SSLExtensionSpec {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	119	static final CertStatusRequestSpec DEFAULT =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	120	new CertStatusRequestSpec(OCSPStatusRequest.EMPTY_OCSP);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	121
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	122	final CertStatusRequest statusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	123
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	124	private CertStatusRequestSpec(CertStatusRequest statusRequest) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	125	this.statusRequest = statusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	126	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	127
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	128	private CertStatusRequestSpec(ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	129	// Is it a empty extension_data?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	130	if (buffer.remaining() == 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	131	// server response
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	132	this.statusRequest = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	133	return;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	134	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	135
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	136	if (buffer.remaining() < 1) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	137	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	138	"Invalid status_request extension: insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	139	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	140
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	141	byte statusType = (byte)Record.getInt8(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	142	byte[] encoded = new byte[buffer.remaining()];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	143	if (encoded.length != 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	144	buffer.get(encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	145	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	146	if (statusType == CertStatusRequestType.OCSP.id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	147	this.statusRequest = new OCSPStatusRequest(statusType, encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	148	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	149	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	150	SSLLogger.info(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	151	"Unknown certificate status request " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	152	"(status type: " + statusType + ")");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	153	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	154
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	155	this.statusRequest = new CertStatusRequest(statusType, encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	156	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	157	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	158
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	159	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	160	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	161	return statusRequest == null ?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	162	"<empty>" : statusRequest.toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	163	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	164	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	165
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	166	/**
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	167	* Defines the CertificateStatus response structure as outlined in
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	168	* RFC 6066. This will contain a status response type, plus a single,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	169	* non-empty OCSP response in DER-encoded form.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	170	*
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	171	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	172	* CertificateStatusType status_type;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	173	* select (status_type) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	174	* case ocsp: OCSPResponse;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	175	* } response;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	176	* } CertificateStatus;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	177	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	178	static final class CertStatusResponseSpec implements SSLExtensionSpec {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	179	final CertStatusResponse statusResponse;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	180
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	181	private CertStatusResponseSpec(CertStatusResponse resp) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	182	this.statusResponse = resp;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	183	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	184
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	185	private CertStatusResponseSpec(ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	186	if (buffer.remaining() < 2) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	187	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	188	"Invalid status_request extension: insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	189	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	190
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	191	// Get the status type (1 byte) and response data (vector)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	192	byte type = (byte)Record.getInt8(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	193	byte[] respData = Record.getBytes24(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	194
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	195	// Create the CertStatusResponse based on the type
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	196	if (type == CertStatusRequestType.OCSP.id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	197	this.statusResponse = new OCSPStatusResponse(type, respData);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	198	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	199	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	200	SSLLogger.info(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	201	"Unknown certificate status response " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	202	"(status type: " + type + ")");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	203	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	204
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	205	this.statusResponse = new CertStatusResponse(type, respData);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	206	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	207	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	208
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	209	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	210	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	211	return statusResponse == null ?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	212	"<empty>" : statusResponse.toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	213	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	214	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	215
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	216	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	217	class CertStatusRequestStringize implements SSLStringize {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	218	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	219	public String toString(ByteBuffer buffer) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	220	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	221	return (new CertStatusRequestSpec(buffer)).toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	222	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	223	// For debug logging only, so please swallow exceptions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	224	return ioe.getMessage();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	225	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	226	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	227	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	228
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	229	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	230	class CertStatusRespStringize implements SSLStringize {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	231	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	232	public String toString(ByteBuffer buffer) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	233	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	234	return (new CertStatusResponseSpec(buffer)).toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	235	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	236	// For debug logging only, so please swallow exceptions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	237	return ioe.getMessage();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	238	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	239	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	240	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	241
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	242	static enum CertStatusRequestType {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	243	OCSP ((byte)0x01, "ocsp"), // RFC 6066/6961
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	244	OCSP_MULTI ((byte)0x02, "ocsp_multi"); // RFC 6961
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	245
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	246	final byte id;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	247	final String name;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	248
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	249	private CertStatusRequestType(byte id, String name) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	250	this.id = id;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	251	this.name = name;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	252	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	253
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	254	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	255	* Returns the enum constant of the specified id (see RFC 6066).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	256	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	257	static CertStatusRequestType valueOf(byte id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	258	for (CertStatusRequestType srt : CertStatusRequestType.values()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	259	if (srt.id == id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	260	return srt;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	261	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	262	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	263
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	264	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	265	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	266
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	267	static String nameOf(byte id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	268	for (CertStatusRequestType srt : CertStatusRequestType.values()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	269	if (srt.id == id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	270	return srt.name;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	271	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	272	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	273
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	274	return "UNDEFINED-CERT-STATUS-TYPE(" + id + ")";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	275	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	276	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	277
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	278	static class CertStatusRequest {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	279	final byte statusType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	280	final byte[] encodedRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	281
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	282	protected CertStatusRequest(byte statusType, byte[] encodedRequest) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	283	this.statusType = statusType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	284	this.encodedRequest = encodedRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	285	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	286
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	287	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	288	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	289	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	290	"\"certificate status type\": {0}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	291	"\"encoded certificate status\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	292	"{1}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	293	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	294	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	295
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	296	HexDumpEncoder hexEncoder = new HexDumpEncoder();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	297	String encoded = hexEncoder.encodeBuffer(encodedRequest);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	298
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	299	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	300	CertStatusRequestType.nameOf(statusType),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	301	Utilities.indent(encoded)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	302	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	303
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	304	return messageFormat.format(messageFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	305	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	306	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	307
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	308	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	309	* RFC6066 defines the TLS extension,"status_request" (type 0x5),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	310	* which allows the client to request that the server perform OCSP
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	311	* on the client's behalf.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	312	*
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	313	* The RFC defines an OCSPStatusRequest structure:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	314	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	315	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	316	* ResponderID responder_id_list<0..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	317	* Extensions request_extensions;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	318	* } OCSPStatusRequest;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	319	*/
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	320	static final class OCSPStatusRequest extends CertStatusRequest {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	321	static final OCSPStatusRequest EMPTY_OCSP;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	322	static final OCSPStatusRequest EMPTY_OCSP_MULTI;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	323
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	324	final List<ResponderId> responderIds;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	325	final List<Extension> extensions;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	326	private final int ridListLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	327	private final int extListLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	328
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	329	static {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	330	OCSPStatusRequest ocspReq = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	331	OCSPStatusRequest multiReq = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	332
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	333	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	334	ocspReq = new OCSPStatusRequest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	335	CertStatusRequestType.OCSP.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	336	new byte[] {0x00, 0x00, 0x00, 0x00});
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	337	multiReq = new OCSPStatusRequest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	338	CertStatusRequestType.OCSP_MULTI.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	339	new byte[] {0x00, 0x00, 0x00, 0x00});
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	340	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	341	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	342	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	343
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	344	EMPTY_OCSP = ocspReq;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	345	EMPTY_OCSP_MULTI = multiReq;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	346	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	347
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	348	private OCSPStatusRequest(byte statusType,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	349	byte[] encoded) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	350	super(statusType, encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	351
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	352	if (encoded == null \|\| encoded.length < 4) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	353	// 2: length of responder_id_list
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	354	// +2: length of request_extensions
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	355	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	356	"Invalid OCSP status request: insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	357	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	358
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	359	List<ResponderId> rids = new ArrayList<>();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	360	List<Extension> exts = new ArrayList<>();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	361	ByteBuffer m = ByteBuffer.wrap(encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	362
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	363	this.ridListLen = Record.getInt16(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	364	if (m.remaining() < (ridListLen + 2)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	365	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	366	"Invalid OCSP status request: insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	367	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	368
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	369	int ridListBytesRemaining = ridListLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	370	while (ridListBytesRemaining >= 2) { // 2: length of responder_id
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	371	byte[] ridBytes = Record.getBytes16(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	372	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	373	rids.add(new ResponderId(ridBytes));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	374	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	375	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	376	"Invalid OCSP status request: invalid responder ID");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	377	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	378	ridListBytesRemaining -= ridBytes.length + 2;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	379	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	380
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	381	if (ridListBytesRemaining != 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	382	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	383	"Invalid OCSP status request: incomplete data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	384	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	385
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	386	byte[] extListBytes = Record.getBytes16(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	387	this.extListLen = extListBytes.length;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	388	if (extListLen > 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	389	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	390	DerInputStream dis = new DerInputStream(extListBytes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	391	DerValue[] extSeqContents =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	392	dis.getSequence(extListBytes.length);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	393	for (DerValue extDerVal : extSeqContents) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	394	exts.add(new sun.security.x509.Extension(extDerVal));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	395	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	396	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	397	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	398	"Invalid OCSP status request: invalid extension");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	399	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	400	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	401
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	402	this.responderIds = rids;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	403	this.extensions = exts;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	404	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	405
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	406	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	407	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	408	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	409	"\"certificate status type\": {0}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	410	"\"OCSP status request\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	411	"{1}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	412	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	413	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	414
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	415	MessageFormat requestFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	416	"\"responder_id\": {0}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	417	"\"request extensions\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	418	"{1}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	419	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	420	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	421
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	422	String ridStr = "<empty>";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	423	if (!responderIds.isEmpty()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	424	ridStr = responderIds.toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	425	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	426
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	427	String extsStr = "<empty>";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	428	if (!extensions.isEmpty()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	429	StringBuilder extBuilder = new StringBuilder(512);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	430	boolean isFirst = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	431	for (Extension ext : this.extensions) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	432	if (isFirst) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	433	isFirst = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	434	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	435	extBuilder.append(",\n");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	436	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	437	extBuilder.append(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	438	"{\n" + Utilities.indent(ext.toString()) + "}");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	439	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	440
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	441	extsStr = extBuilder.toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	442	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	443
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	444	Object[] requestFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	445	ridStr,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	446	Utilities.indent(extsStr)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	447	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	448	String ocspStatusRequest = requestFormat.format(requestFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	449
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	450	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	451	CertStatusRequestType.nameOf(statusType),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	452	Utilities.indent(ocspStatusRequest)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	453	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	454
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	455	return messageFormat.format(messageFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	456	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	457	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	458
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	459	static class CertStatusResponse {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	460	final byte statusType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	461	final byte[] encodedResponse;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	462
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	463	protected CertStatusResponse(byte statusType, byte[] respDer) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	464	this.statusType = statusType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	465	this.encodedResponse = respDer;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	466	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	467
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	468	byte[] toByteArray() throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	469	// Create a byte array large enough to handle the status_type
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	470	// field (1) + OCSP length (3) + OCSP data (variable)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	471	byte[] outData = new byte[encodedResponse.length + 4];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	472	ByteBuffer buf = ByteBuffer.wrap(outData);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	473	Record.putInt8(buf, statusType);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	474	Record.putBytes24(buf, encodedResponse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	475	return buf.array();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	476	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	477
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	478	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	479	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	480	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	481	"\"certificate status response type\": {0}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	482	"\"encoded certificate status\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	483	"{1}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	484	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	485	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	486
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	487	HexDumpEncoder hexEncoder = new HexDumpEncoder();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	488	String encoded = hexEncoder.encodeBuffer(encodedResponse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	489
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	490	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	491	CertStatusRequestType.nameOf(statusType),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	492	Utilities.indent(encoded)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	493	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	494
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	495	return messageFormat.format(messageFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	496	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	497	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	498
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	499	static final class OCSPStatusResponse extends CertStatusResponse {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	500	final OCSPResponse ocspResponse;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	501
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	502	private OCSPStatusResponse(byte statusType,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	503	byte[] encoded) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	504	super(statusType, encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	505
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	506	// The DER-encoded OCSP response must not be zero length
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	507	if (encoded == null \|\| encoded.length < 1) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	508	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	509	"Invalid OCSP status response: insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	510	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	511
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	512	// Otherwise, make an OCSPResponse object from the data
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	513	ocspResponse = new OCSPResponse(encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	514	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	515
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	516	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	517	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	518	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	519	"\"certificate status response type\": {0}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	520	"\"OCSP status response\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	521	"{1}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	522	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	523	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	524
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	525	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	526	CertStatusRequestType.nameOf(statusType),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	527	Utilities.indent(ocspResponse.toString())
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	528	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	529
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	530	return messageFormat.format(messageFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	531	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	532	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	533
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	534	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	535	* Network data producer of a "status_request" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	536	* ClientHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	537	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	538	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	539	class CHCertStatusReqProducer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	540	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	541	private CHCertStatusReqProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	542	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	543	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	544
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	545	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	546	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	547	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	548	// The producing happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	549	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	550
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	551	if (!chc.sslContext.isStaplingEnabled(true)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	552	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	553	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	554
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	555	if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	556	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	557	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	558	"Ignore unavailable extension: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	559	CH_STATUS_REQUEST.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	560	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	561	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	562	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	563
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	564	// Produce the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	565	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	566	// We are using empty OCSPStatusRequest at present. May extend to
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	567	// support specific responder or extensions later.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	568	byte[] extData = new byte[] {0x01, 0x00, 0x00, 0x00, 0x00};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	569
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	570	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	571	chc.handshakeExtensions.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	572	CH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	573
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	574	return extData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	575	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	576	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	577
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	578	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	579	* Network data consumer of a "status_request" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	580	* ClientHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	581	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	582	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	583	class CHCertStatusReqConsumer implements ExtensionConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	584	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	585	private CHCertStatusReqConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	586	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	587	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	588
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	589	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	590	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	591	HandshakeMessage message, ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	592
56704 c3ee22c3a0f6 Minor nits and cleanup across SSLExtension classes jnimeh parents: 56702 diff changeset	593	// The consuming happens in server side only.
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	594	ServerHandshakeContext shc = (ServerHandshakeContext)context;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	595
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	596	if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	597	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	598	SSLLogger.fine("Ignore unavailable extension: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	599	CH_STATUS_REQUEST.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	600	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	601	return; // ignore the extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	602	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	603
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	604	// Parse the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	605	CertStatusRequestSpec spec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	606	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	607	spec = new CertStatusRequestSpec(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	608	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	609	shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	610	return; // fatal() always throws, make the compiler happy.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	611	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	612
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	613	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	614	shc.handshakeExtensions.put(CH_STATUS_REQUEST, spec);
56702 75527e40bdfd Updates for session resumption and key update xuelei parents: 56651 diff changeset	615	if (!shc.isResumption &&
75527e40bdfd Updates for session resumption and key update xuelei parents: 56651 diff changeset	616	!shc.negotiatedProtocol.useTLS13PlusSpec()) {
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	617	shc.handshakeProducers.put(SSLHandshake.CERTIFICATE_STATUS.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	618	SSLHandshake.CERTIFICATE_STATUS);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	619	} // Otherwise, the certificate status presents in server cert.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	620
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	621	// No impact on session resumption.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	622	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	623	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	624
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	625	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	626	* Network data producer of a "status_request" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	627	* ServerHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	628	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	629	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	630	class SHCertStatusReqProducer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	631	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	632	private SHCertStatusReqProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	633	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	634	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	635
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	636	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	637	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	638	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	639	// The producing happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	640	ServerHandshakeContext shc = (ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	641
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	642	// The StaplingParameters in the ServerHandshakeContext will
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	643	// contain the info about what kind of stapling (if any) to
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	644	// perform and whether this status_request extension should be
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	645	// produced or the status_request_v2 (found in a different producer)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	646	// No explicit check is required for isStaplingEnabled here. If
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	647	// it is false then stapleParams will be null. If it is true
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	648	// then stapleParams may or may not be false and the check below
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	649	// is sufficient.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	650	if ((shc.stapleParams == null) \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	651	(shc.stapleParams.statusRespExt !=
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	652	SSLExtension.CH_STATUS_REQUEST)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	653	return null; // Do not produce status_request in ServerHello
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	654	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	655
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	656	// In response to "status_request" extension request only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	657	CertStatusRequestSpec spec = (CertStatusRequestSpec)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	658	shc.handshakeExtensions.get(CH_STATUS_REQUEST);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	659	if (spec == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	660	// Ignore, no status_request extension requested.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	661	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	662	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	663	"Ignore unavailable extension: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	664	CH_STATUS_REQUEST.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	665	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	666
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	667	return null; // ignore the extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	668	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	669
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	670	// Is it a session resuming?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	671	if (shc.isResumption) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	672	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	673	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	674	"No status_request response for session resuming");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	675	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	676
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	677	return null; // ignore the extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	678	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	679
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	680	// The "extension_data" in the extended ServerHello handshake
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	681	// message MUST be empty.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	682	byte[] extData = new byte[0];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	683
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	684	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	685	shc.handshakeExtensions.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	686	SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	687
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	688	return extData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	689	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	690	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	691
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	692	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	693	* Network data consumer of a "status_request" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	694	* ServerHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	695	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	696	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	697	class SHCertStatusReqConsumer implements ExtensionConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	698	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	699	private SHCertStatusReqConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	700	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	701	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	702
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	703	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	704	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	705	HandshakeMessage message, ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	706
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	707	// The producing happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	708	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	709
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	710	// In response to "status_request" extension request only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	711	CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	712	chc.handshakeExtensions.get(CH_STATUS_REQUEST);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	713	if (requestedCsr == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	714	chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	715	"Unexpected status_request extension in ServerHello");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	716	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	717
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	718	// Parse the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	719	if (buffer.hasRemaining()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	720	chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	721	"Invalid status_request extension in ServerHello message: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	722	"the extension data must be empty");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	723	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	724
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	725	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	726	chc.handshakeExtensions.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	727	SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	728	chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	729	SSLHandshake.CERTIFICATE_STATUS);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	730
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	731	// Since we've received a legitimate status_request in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	732	// ServerHello, stapling is active if it's been enabled.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	733	chc.staplingActive = chc.sslContext.isStaplingEnabled(true);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	734
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	735	// No impact on session resumption.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	736	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	737	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	738
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	739	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	740	* The "status_request_v2" extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	741	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	742	* RFC6961 defines the TLS extension,"status_request_v2" (type 0x5),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	743	* which allows the client to request that the server perform OCSP
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	744	* on the client's behalf.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	745	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	746	* The RFC defines an CertStatusReqItemV2 structure:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	747	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	748	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	749	* CertificateStatusType status_type;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	750	* uint16 request_length;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	751	* select (status_type) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	752	* case ocsp: OCSPStatusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	753	* case ocsp_multi: OCSPStatusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	754	* } request;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	755	* } CertificateStatusRequestItemV2;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	756	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	757	* enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	758	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	759	* ResponderID responder_id_list<0..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	760	* Extensions request_extensions;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	761	* } OCSPStatusRequest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	762	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	763	* opaque ResponderID<1..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	764	* opaque Extensions<0..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	765	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	766	* struct {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	767	* CertificateStatusRequestItemV2
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	768	* certificate_status_req_list<1..2^16-1>;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	769	* } CertificateStatusRequestListV2;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	770	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	771	static final class CertStatusRequestV2Spec implements SSLExtensionSpec {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	772	static final CertStatusRequestV2Spec DEFAULT =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	773	new CertStatusRequestV2Spec(new CertStatusRequest[] {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	774	OCSPStatusRequest.EMPTY_OCSP_MULTI});
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	775
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	776	final CertStatusRequest[] certStatusRequests;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	777
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	778	private CertStatusRequestV2Spec(CertStatusRequest[] certStatusRequests) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	779	this.certStatusRequests = certStatusRequests;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	780	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	781
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	782	private CertStatusRequestV2Spec(ByteBuffer message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	783	// Is it a empty extension_data?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	784	if (message.remaining() == 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	785	// server response
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	786	this.certStatusRequests = new CertStatusRequest[0];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	787	return;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	788	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	789
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	790	if (message.remaining() < 5) { // 2: certificate_status_req_list
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	791	// +1: status_type
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	792	// +2: request_length
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	793	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	794	"Invalid status_request_v2 extension: insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	795	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	796
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	797	int listLen = Record.getInt16(message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	798	if (listLen <= 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	799	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	800	"certificate_status_req_list length must be positive " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	801	"(received length: " + listLen + ")");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	802	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	803
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	804	int remaining = listLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	805	List<CertStatusRequest> statusRequests = new ArrayList<>();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	806	while (remaining > 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	807	byte statusType = (byte)Record.getInt8(message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	808	int requestLen = Record.getInt16(message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	809
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	810	if (message.remaining() < requestLen) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	811	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	812	"Invalid status_request_v2 extension: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	813	"insufficient data (request_length=" + requestLen +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	814	", remining=" + message.remaining() + ")");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	815	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	816
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	817	byte[] encoded = new byte[requestLen];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	818	if (encoded.length != 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	819	message.get(encoded);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	820	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	821	remaining -= 3; // 1(status type) + 2(request_length) bytes
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	822	remaining -= requestLen;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	823
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	824	if (statusType == CertStatusRequestType.OCSP.id \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	825	statusType == CertStatusRequestType.OCSP_MULTI.id) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	826	if (encoded.length < 4) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	827	// 2: length of responder_id_list
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	828	// +2: length of request_extensions
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	829	throw new SSLProtocolException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	830	"Invalid status_request_v2 extension: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	831	"insufficient data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	832	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	833	statusRequests.add(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	834	new OCSPStatusRequest(statusType, encoded));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	835	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	836	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	837	SSLLogger.info(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	838	"Unknown certificate status request " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	839	"(status type: " + statusType + ")");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	840	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	841	statusRequests.add(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	842	new CertStatusRequest(statusType, encoded));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	843	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	844	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	845
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	846	certStatusRequests =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	847	statusRequests.toArray(new CertStatusRequest[0]);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	848	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	849
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	850	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	851	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	852	if (certStatusRequests == null \|\| certStatusRequests.length == 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	853	return "<empty>";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	854	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	855	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	856	"\"cert status request\": '{'\n{0}\n'}'", Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	857
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	858	StringBuilder builder = new StringBuilder(512);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	859	boolean isFirst = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	860	for (CertStatusRequest csr : certStatusRequests) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	861	if (isFirst) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	862	isFirst = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	863	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	864	builder.append(", ");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	865	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	866	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	867	Utilities.indent(csr.toString())
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	868	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	869	builder.append(messageFormat.format(messageFields));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	870	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	871
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	872	return builder.toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	873	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	874	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	875	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	876
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	877	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	878	class CertStatusRequestsStringize implements SSLStringize {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	879	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	880	public String toString(ByteBuffer buffer) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	881	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	882	return (new CertStatusRequestV2Spec(buffer)).toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	883	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	884	// For debug logging only, so please swallow exceptions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	885	return ioe.getMessage();
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	886	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	887	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	888	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	889
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	890	/**
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	891	* Network data producer of a "status_request_v2" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	892	* ClientHello handshake message.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	893	*/
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	894	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	895	class CHCertStatusReqV2Producer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	896	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	897	private CHCertStatusReqV2Producer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	898	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	899	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	900
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	901	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	902	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	903	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	904	// The producing happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	905	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	906
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	907	if (!chc.sslContext.isStaplingEnabled(true)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	908	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	909	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	910
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	911	if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	912	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	913	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	914	"Ignore unavailable status_request_v2 extension");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	915	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	916
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	917	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	918	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	919
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	920	// Produce the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	921	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	922	// We are using empty OCSPStatusRequest at present. May extend to
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	923	// support specific responder or extensions later.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	924	byte[] extData = new byte[] {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	925	0x00, 0x07, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	926
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	927	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	928	chc.handshakeExtensions.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	929	CH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	930
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	931	return extData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	932	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	933	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	934
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	935	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	936	* Network data consumer of a "status_request_v2" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	937	* ClientHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	938	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	939	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	940	class CHCertStatusReqV2Consumer implements ExtensionConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	941	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	942	private CHCertStatusReqV2Consumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	943	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	944	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	945
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	946	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	947	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	948	HandshakeMessage message, ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	949
56704 c3ee22c3a0f6 Minor nits and cleanup across SSLExtension classes jnimeh parents: 56702 diff changeset	950	// The consuming happens in server side only.
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	951	ServerHandshakeContext shc = (ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	952
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	953	if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	954	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	955	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	956	"Ignore unavailable status_request_v2 extension");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	957	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	958
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	959	return; // ignore the extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	960	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	961
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	962	// Parse the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	963	CertStatusRequestV2Spec spec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	964	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	965	spec = new CertStatusRequestV2Spec(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	966	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	967	shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	968	return; // fatal() always throws, make the compiler happy.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	969	}
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	970
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	971	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	972	shc.handshakeExtensions.put(CH_STATUS_REQUEST_V2, spec);
56702 75527e40bdfd Updates for session resumption and key update xuelei parents: 56651 diff changeset	973	if (!shc.isResumption) {
75527e40bdfd Updates for session resumption and key update xuelei parents: 56651 diff changeset	974	shc.handshakeProducers.putIfAbsent(
75527e40bdfd Updates for session resumption and key update xuelei parents: 56651 diff changeset	975	SSLHandshake.CERTIFICATE_STATUS.id,
75527e40bdfd Updates for session resumption and key update xuelei parents: 56651 diff changeset	976	SSLHandshake.CERTIFICATE_STATUS);
75527e40bdfd Updates for session resumption and key update xuelei parents: 56651 diff changeset	977	}
75527e40bdfd Updates for session resumption and key update xuelei parents: 56651 diff changeset	978
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	979	// No impact on session resumption.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	980	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	981	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	982
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	983	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	984	* Network data producer of a "status_request_v2" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	985	* ServerHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	986	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	987	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	988	class SHCertStatusReqV2Producer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	989	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	990	private SHCertStatusReqV2Producer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	991	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	992	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	993
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	994	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	995	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	996	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	997	// The producing happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	998
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	999	ServerHandshakeContext shc = (ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1000	// The StaplingParameters in the ServerHandshakeContext will
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1001	// contain the info about what kind of stapling (if any) to
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1002	// perform and whether this status_request extension should be
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1003	// produced or the status_request_v2 (found in a different producer)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1004	// No explicit check is required for isStaplingEnabled here. If
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1005	// it is false then stapleParams will be null. If it is true
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1006	// then stapleParams may or may not be false and the check below
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1007	// is sufficient.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1008	if ((shc.stapleParams == null) \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1009	(shc.stapleParams.statusRespExt !=
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1010	SSLExtension.CH_STATUS_REQUEST_V2)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1011	return null; // Do not produce status_request_v2 in SH
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1012	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1013
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1014	// In response to "status_request_v2" extension request only
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1015	CertStatusRequestV2Spec spec = (CertStatusRequestV2Spec)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1016	shc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1017	if (spec == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1018	// Ignore, no status_request_v2 extension requested.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1019	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1020	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1021	"Ignore unavailable status_request_v2 extension");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1022	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1023
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1024	return null; // ignore the extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1025	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1026
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1027	// Is it a session resuming?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1028	if (shc.isResumption) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1029	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1030	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1031	"No status_request_v2 response for session resumption");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1032	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1033	return null; // ignore the extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1034	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1035
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1036	// The "extension_data" in the extended ServerHello handshake
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1037	// message MUST be empty.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1038	byte[] extData = new byte[0];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1039
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1040	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1041	shc.handshakeExtensions.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1042	SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1043
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1044	return extData;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1045	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1046	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1047
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1048	/**
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1049	* Network data consumer of a "status_request_v2" extension in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1050	* ServerHello handshake message.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1051	*/
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1052	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1053	class SHCertStatusReqV2Consumer implements ExtensionConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1054	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1055	private SHCertStatusReqV2Consumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1056	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1057	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1058
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1059	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1060	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1061	HandshakeMessage message, ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1062
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1063	// The consumption happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1064	ClientHandshakeContext chc = (ClientHandshakeContext)context;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1065
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1066	// In response to "status_request" extension request only
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1067	CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1068	chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1069	if (requestedCsr == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1070	chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1071	"Unexpected status_request_v2 extension in ServerHello");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1072	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1073
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1074	// Parse the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1075	if (buffer.hasRemaining()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1076	chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1077	"Invalid status_request_v2 extension in ServerHello: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1078	"the extension data must be empty");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1079	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1080
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1081	// Update the context.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1082	chc.handshakeExtensions.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1083	SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1084	chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1085	SSLHandshake.CERTIFICATE_STATUS);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1086
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1087	// Since we've received a legitimate status_request in the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1088	// ServerHello, stapling is active if it's been enabled.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1089	chc.staplingActive = chc.sslContext.isStaplingEnabled(true);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1090
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1091	// No impact on session resumption.
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1092	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1093	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1094
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1095	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1096	class CTCertStatusResponseProducer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1097	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1098	private CTCertStatusResponseProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1099	// blank
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1100	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1101
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1102	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1103	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1104	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1105	ServerHandshakeContext shc = (ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1106	byte[] producedData = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1107
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1108	// Stapling needs to be active and have valid data to proceed
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1109	if (shc.stapleParams == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1110	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1111	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1112	"Stapling is disabled for this connection");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1113	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1114	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1115	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1116
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1117	// There needs to be a non-null CertificateEntry to proceed
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1118	if (shc.currentCertEntry == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1119	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1120	SSLLogger.finest("Found null CertificateEntry in context");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1121	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1122	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1123	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1124
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1125	// Pull the certificate from the CertificateEntry and find
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1126	// a response from the response map. If one exists we will
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1127	// staple it.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1128	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1129	CertificateFactory cf = CertificateFactory.getInstance("X.509");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1130	X509Certificate x509Cert =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1131	(X509Certificate)cf.generateCertificate(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1132	new ByteArrayInputStream(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1133	shc.currentCertEntry.encoded));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1134	byte[] respBytes = shc.stapleParams.responseMap.get(x509Cert);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1135	if (respBytes == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1136	// We're done with this entry. Clear it from the context
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1137	if (SSLLogger.isOn &&
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1138	SSLLogger.isOn("ssl,handshake,verbose")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1139	SSLLogger.finest("No status response found for " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1140	x509Cert.getSubjectX500Principal());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1141	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1142	shc.currentCertEntry = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1143	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1144	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1145
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1146	// Build a proper response buffer from the stapling information
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1147	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1148	SSLLogger.finest("Found status response for " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1149	x509Cert.getSubjectX500Principal() +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1150	", response length: " + respBytes.length);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1151	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1152	CertStatusResponse certResp = (shc.stapleParams.statReqType ==
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1153	CertStatusRequestType.OCSP) ?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1154	new OCSPStatusResponse(shc.stapleParams.statReqType.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1155	respBytes) :
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1156	new CertStatusResponse(shc.stapleParams.statReqType.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1157	respBytes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1158	producedData = certResp.toByteArray();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1159	} catch (CertificateException ce) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1160	shc.conContext.fatal(Alert.BAD_CERTIFICATE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1161	"Failed to parse server certificates", ce);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1162	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1163	shc.conContext.fatal(Alert.BAD_CERT_STATUS_RESPONSE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1164	"Failed to parse certificate status response", ioe);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1165	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1166
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1167	// Clear the pinned CertificateEntry from the context
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1168	shc.currentCertEntry = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1169	return producedData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1170	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1171	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1172
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1173	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1174	class CTCertStatusResponseConsumer implements ExtensionConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1175	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1176	private CTCertStatusResponseConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1177	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1178	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1179
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1180	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1181	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1182	HandshakeMessage message, ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1183	// The consumption happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1184	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1185
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1186	// Parse the extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1187	CertStatusResponseSpec spec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1188	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1189	spec = new CertStatusResponseSpec(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1190	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1191	chc.conContext.fatal(Alert.DECODE_ERROR, ioe);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1192	return; // fatal() always throws, make the compiler happy.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1193	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1194
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1195	if (chc.sslContext.isStaplingEnabled(true)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1196	// Activate stapling
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1197	chc.staplingActive = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1198	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1199	// Do no further processing of stapled responses
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1200	return;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1201	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1202
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1203	// Get response list from the session. This is unmodifiable
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1204	// so we need to create a new list. Then add this new response
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1205	// to the end and submit it back to the session object.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1206	if ((chc.handshakeSession != null) && (!chc.isResumption)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1207	List<byte[]> respList = new ArrayList<>(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1208	chc.handshakeSession.getStatusResponses());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1209	respList.add(spec.statusResponse.encodedResponse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1210	chc.handshakeSession.setStatusResponses(respList);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1211	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1212	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1213	SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1214	"Ignoring stapled data on resumed session");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1215	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1216	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: 47216 diff changeset	1217	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1218	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1219	}

author	jnimeh
	Thu, 07 Jun 2018 21:55:35 -0700
branch	JDK-8145252-TLS13-branch
changeset 56704	c3ee22c3a0f6
parent 56702	75527e40bdfd
child 56708	25178bb3e8f5
permissions	-rw-r--r--