jdk-sandbox: comparison jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java

equal deleted inserted replaced

-:5fe35861f07e
+:9ffbd4e43413
 /*
-* Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 import java.security.cert.CertificateParsingException;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.CRLReason;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import javax.security.auth.x500.X500Principal;
 import sun.misc.HexDumpEncoder;
 import sun.security.x509.*;
 import sun.security.util.*;
 /**
 SIG_REQUIRED,          // Must sign the request
 UNAUTHORIZED           // Request unauthorized
 };
 private static ResponseStatus[] rsvalues = ResponseStatus.values();
-private static final Debug DEBUG = Debug.getInstance("certpath");
+private static final Debug debug = Debug.getInstance("certpath");
 private static final boolean dump = false;
 private static final ObjectIdentifier OCSP_BASIC_RESPONSE_OID =
 ObjectIdentifier.newInternal(new int[] { 1, 3, 6, 1, 5, 5, 7, 48, 1, 1});
-private static final ObjectIdentifier OCSP_NONCE_EXTENSION_OID =
-ObjectIdentifier.newInternal(new int[] { 1, 3, 6, 1, 5, 5, 7, 48, 1, 2});
 private static final int CERT_STATUS_GOOD = 0;
 private static final int CERT_STATUS_REVOKED = 1;
 private static final int CERT_STATUS_UNKNOWN = 2;
 // ResponderID CHOICE tags
 private static final int KEY_TAG = 2;
 // Object identifier for the OCSPSigning key purpose
 private static final String KP_OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9";
-private final ResponseStatus responseStatus;
-private final Map<CertId, SingleResponse> singleResponseMap;
 // Maximum clock skew in milliseconds (15 minutes) allowed when checking
 // validity of OCSP responses
 private static final long MAX_CLOCK_SKEW = 900000;
 // an array of all of the CRLReasons (used in SingleResponse)
 private static CRLReason[] values = CRLReason.values();
+private final ResponseStatus responseStatus;
+private final Map<CertId, SingleResponse> singleResponseMap;
+private final List<X509CertImpl> certs;
+private final AlgorithmId sigAlgId;
+private final byte[] signature;
+private final byte[] tbsResponseData;
+private final X500Principal responderName;
+private final byte[] responderKey;
+private final byte[] responseNonce;
 /*
 * Create an OCSP response from its ASN.1 DER encoding.
 */
-OCSPResponse(byte[] bytes, Date dateCheckedAgainst,
+OCSPResponse(byte[] bytes) throws IOException {
-X509Certificate responderCert)
-throws IOException, CertPathValidatorException {
-// OCSPResponse
 if (dump) {
 HexDumpEncoder hexEnc = new HexDumpEncoder();
 System.out.println("OCSPResponse bytes are...");
 System.out.println(hexEnc.encode(bytes));
 }
 responseStatus = rsvalues[status];
 } else {
 // unspecified responseStatus
 throw new IOException("Unknown OCSPResponse status: " + status);
 }
-if (DEBUG != null) {
+if (debug != null) {
-DEBUG.println("OCSP response status: " + responseStatus);
+debug.println("OCSP response status: " + responseStatus);
 }
 if (responseStatus != ResponseStatus.SUCCESSFUL) {
 // no need to continue, responseBytes are not set.
 singleResponseMap = Collections.emptyMap();
+certs = Collections.<X509CertImpl>emptyList();
+sigAlgId = null;
+signature = null;
+tbsResponseData = null;
+responderName = null;
+responderKey = null;
+responseNonce = null;
 return;
 }
 // responseBytes
 der = derIn.getDerValue();
 // responseType
 derIn = tmp.data;
 ObjectIdentifier responseType = derIn.getOID();
 if (responseType.equals((Object)OCSP_BASIC_RESPONSE_OID)) {
-if (DEBUG != null) {
+if (debug != null) {
-DEBUG.println("OCSP response type: basic");
+debug.println("OCSP response type: basic");
 }
 } else {
-if (DEBUG != null) {
+if (debug != null) {
-DEBUG.println("OCSP response type: " + responseType);
+debug.println("OCSP response type: " + responseType);
 }
 throw new IOException("Unsupported OCSP response type: " +
 responseType);
 }
 // BasicOCSPResponse
 DerInputStream basicOCSPResponse =
 new DerInputStream(derIn.getOctetString());
 }
 DerValue responseData = seqTmp[0];
 // Need the DER encoded ResponseData to verify the signature later
-byte[] responseDataDer = seqTmp[0].toByteArray();
+tbsResponseData = seqTmp[0].toByteArray();
 // tbsResponseData
 if (responseData.tag != DerValue.tag_Sequence) {
 throw new IOException("Bad encoding in tbsResponseData " +
 "element of OCSP response: expected ASN.1 SEQUENCE tag.");
 }
 // responderID
 short tag = (byte)(seq.tag & 0x1f);
 if (tag == NAME_TAG) {
-if (DEBUG != null) {
+responderName =
-X500Name responderName = new X500Name(seq.getData());
+new X500Principal(new ByteArrayInputStream(seq.toByteArray()));
-DEBUG.println("OCSP Responder name: " + responderName);
+if (debug != null) {
-}
+debug.println("OCSP Responder name: " + responderName);
+}
+responderKey = null;
 } else if (tag == KEY_TAG) {
-// Ignore, for now
+responderKey = seq.getOctetString();
+responderName = null;
 } else {
 throw new IOException("Bad encoding in responderID element of " +
 "OCSP response: expected ASN.1 context specific tag 0 or 1");
 }
 // producedAt
 seq = seqDerIn.getDerValue();
-if (DEBUG != null) {
+if (debug != null) {
 Date producedAtDate = seq.getGeneralizedTime();
-DEBUG.println("OCSP response produced at: " + producedAtDate);
+debug.println("OCSP response produced at: " + producedAtDate);
 }
 // responses
 DerValue[] singleResponseDer = seqDerIn.getSequence(1);
-singleResponseMap
+singleResponseMap = new HashMap<>(singleResponseDer.length);
-= new HashMap<CertId, SingleResponse>(singleResponseDer.length);
+if (debug != null) {
-if (DEBUG != null) {
+debug.println("OCSP number of SingleResponses: "
-DEBUG.println("OCSP number of SingleResponses: "
++ singleResponseDer.length);
-+ singleResponseDer.length);
 }
 for (int i = 0; i < singleResponseDer.length; i++) {
-SingleResponse singleResponse
+SingleResponse singleResponse =
-= new SingleResponse(singleResponseDer[i]);
+new SingleResponse(singleResponseDer[i]);
 singleResponseMap.put(singleResponse.getCertId(), singleResponse);
 }
 // responseExtensions
+byte[] nonce = null;
 if (seqDerIn.available() > 0) {
 seq = seqDerIn.getDerValue();
 if (seq.isContextSpecific((byte)1)) {
 DerValue[] responseExtDer = seq.data.getSequence(3);
 for (int i = 0; i < responseExtDer.length; i++) {
-Extension responseExtension
+Extension ext = new Extension(responseExtDer[i]);
-= new Extension(responseExtDer[i]);
+if (debug != null) {
-if (DEBUG != null) {
+debug.println("OCSP extension: " + ext);
-DEBUG.println("OCSP extension: " + responseExtension);
 }
-if (responseExtension.getExtensionId().equals((Object)
+// Only the NONCE extension is recognized
-OCSP_NONCE_EXTENSION_OID)) {
+if (ext.getExtensionId().equals((Object)
-/*
+OCSP.NONCE_EXTENSION_OID))
-ocspNonce =
+{
-responseExtension[i].getExtensionValue();
+nonce = ext.getExtensionValue();
-*/
+} else if (ext.isCritical())  {
-} else if (responseExtension.isCritical())  {
 throw new IOException(
 "Unsupported OCSP critical extension: " +
-responseExtension.getExtensionId());
+ext.getExtensionId());
 }
 }
 }
 }
+responseNonce = nonce;
 // signatureAlgorithmId
-AlgorithmId sigAlgId = AlgorithmId.parse(seqTmp[1]);
+sigAlgId = AlgorithmId.parse(seqTmp[1]);
 // signature
-byte[] signature = seqTmp[2].getBitString();
+signature = seqTmp[2].getBitString();
-X509CertImpl[] x509Certs = null;
 // if seq[3] is available , then it is a sequence of certificates
 if (seqTmp.length > 3) {
 // certs are available
 DerValue seqCert = seqTmp[3];
 if (!seqCert.isContextSpecific((byte)0)) {
 throw new IOException("Bad encoding in certs element of " +
 "OCSP response: expected ASN.1 context specific tag 0.");
 }
-DerValue[] certs = seqCert.getData().getSequence(3);
+DerValue[] derCerts = seqCert.getData().getSequence(3);
-x509Certs = new X509CertImpl[certs.length];
+certs = new ArrayList<X509CertImpl>(derCerts.length);
 try {
-for (int i = 0; i < certs.length; i++) {
+for (int i = 0; i < derCerts.length; i++) {
-x509Certs[i] = new X509CertImpl(certs[i].toByteArray());
+certs.add(new X509CertImpl(derCerts[i].toByteArray()));
 }
 } catch (CertificateException ce) {
 throw new IOException("Bad encoding in X509 Certificate", ce);
 }
-}
+} else {
+certs = Collections.<X509CertImpl>emptyList();
+}
+}
+void verify(List<CertId> certIds, X509Certificate responderCert,
+Date date, byte[] nonce)
+throws CertPathValidatorException
+{
+if (responseStatus != ResponseStatus.SUCCESSFUL) {
+throw new CertPathValidatorException
+("OCSP response error: " + responseStatus);
+}
+// Check that the response includes a response for all of the
+// certs that were supplied in the request
+for (CertId certId : certIds) {
+SingleResponse sr = getSingleResponse(certId);
+if (sr == null) {
+if (debug != null) {
+debug.println("No response found for CertId: " + certId);
+}
+throw new CertPathValidatorException(
+"OCSP response does not include a response for a " +
+"certificate supplied in the OCSP request");
+}
+if (debug != null) {
+debug.println("Status of certificate (with serial number " +
+certId.getSerialNumber() + ") is: " + sr.getCertStatus());
+}
+}
 // Check whether the cert returned by the responder is trusted
-if (x509Certs != null && x509Certs[0] != null) {
+if (!certs.isEmpty()) {
-X509CertImpl cert = x509Certs[0];
+X509CertImpl cert = certs.get(0);
+// First check if the cert matches the expected responder cert
-// First check if the cert matches the responder cert which
-// was set locally.
 if (cert.equals(responderCert)) {
 // cert is trusted, now verify the signed response
 // Next check if the cert was issued by the responder cert
 // which was set locally.
 } else if (cert.getIssuerX500Principal().equals(
 responderCert.getSubjectX500Principal())) {
 // Check for the OCSPSigning key purpose
 try {
 List<String> keyPurposes = cert.getExtendedKeyUsage();
 if (keyPurposes == null ||
 algChecker.init(false);
 algChecker.check(cert, Collections.<String>emptySet());
 // check the validity
 try {
-if (dateCheckedAgainst == null) {
+if (date == null) {
 cert.checkValidity();
 } else {
-cert.checkValidity(dateCheckedAgainst);
+cert.checkValidity(date);
 }
-} catch (GeneralSecurityException e) {
+} catch (CertificateException e) {
 throw new CertPathValidatorException(
 "Responder's certificate not within the " +
 "validity period", e);
 }
 // extension id-pkix-ocsp-nocheck.
 //
 Extension noCheck =
 cert.getExtension(PKIXExtensions.OCSPNoCheck_Id);
 if (noCheck != null) {
-if (DEBUG != null) {
+if (debug != null) {
-DEBUG.println("Responder's certificate includes " +
+debug.println("Responder's certificate includes " +
 "the extension id-pkix-ocsp-nocheck.");
 }
 } else {
 // we should do the revocation checking of the
 // authorized responder in a future update.
 if (responderCert != null) {
 // Check algorithm constraints specified in security property
 // "jdk.certpath.disabledAlgorithms".
 AlgorithmChecker.check(responderCert.getPublicKey(), sigAlgId);
-if (!verifyResponse(responseDataDer, responderCert,
+if (!verifySignature(responderCert)) {
-sigAlgId, signature)) {
 throw new CertPathValidatorException(
-"Error verifying OCSP Responder's signature");
+"Error verifying OCSP Response's signature");
 }
 } else {
 // Need responder's cert in order to verify the signature
 throw new CertPathValidatorException(
-"Unable to verify OCSP Responder's signature");
+"Unable to verify OCSP Response's signature");
+}
+// Check freshness of OCSPResponse
+if (nonce != null) {
+if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) {
+throw new CertPathValidatorException("Nonces don't match");
+}
+}
+long now = (date == null) ? System.currentTimeMillis() : date.getTime();
+Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
+Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
+for (SingleResponse sr : singleResponseMap.values()) {
+if (debug != null) {
+String until = "";
+if (sr.nextUpdate != null) {
+until = " until " + sr.nextUpdate;
+}
+debug.println("Response's validity interval is from " +
+sr.thisUpdate + until);
+}
+// Check that the test date is within the validity interval
+if ((sr.thisUpdate != null && nowPlusSkew.before(sr.thisUpdate)) ||
+(sr.nextUpdate != null && nowMinusSkew.after(sr.nextUpdate)))
+{
+throw new CertPathValidatorException(
+"Response is unreliable: its validity " +
+"interval is out-of-date");
+}
 }
 }
 /**
 * Returns the OCSP ResponseStatus.
 /*
 * Verify the signature of the OCSP response.
 * The responder's cert is implicitly trusted.
 */
-private boolean verifyResponse(byte[] responseData, X509Certificate cert,
+private boolean verifySignature(X509Certificate cert)
-AlgorithmId sigAlgId, byte[] signBytes)
 throws CertPathValidatorException {
 try {
 Signature respSignature = Signature.getInstance(sigAlgId.getName());
 respSignature.initVerify(cert);
-respSignature.update(responseData);
+respSignature.update(tbsResponseData);
-if (respSignature.verify(signBytes)) {
+if (respSignature.verify(signature)) {
-if (DEBUG != null) {
+if (debug != null) {
-DEBUG.println("Verified signature of OCSP Responder");
+debug.println("Verified signature of OCSP Response");
 }
 return true;
 } else {
-if (DEBUG != null) {
+if (debug != null) {
-DEBUG.println(
+debug.println(
-"Error verifying signature of OCSP Responder");
+"Error verifying signature of OCSP Response");
 }
 return false;
 }
-} catch (InvalidKeyException ike) {
+} catch (InvalidKeyException | NoSuchAlgorithmException |
-throw new CertPathValidatorException(ike);
+SignatureException e)
-} catch (NoSuchAlgorithmException nsae) {
+{
-throw new CertPathValidatorException(nsae);
+throw new CertPathValidatorException(e);
-} catch (SignatureException se) {
-throw new CertPathValidatorException(se);
 }
 }
 /**
 * Returns the SingleResponse of the specified CertId, or null if
 }
 } else {
 revocationReason = CRLReason.UNSPECIFIED;
 }
 // RevokedInfo
-if (DEBUG != null) {
+if (debug != null) {
-DEBUG.println("Revocation time: " + revocationTime);
+debug.println("Revocation time: " + revocationTime);
-DEBUG.println("Revocation reason: " + revocationReason);
+debug.println("Revocation reason: " + revocationReason);
 }
 } else {
 revocationTime = null;
 revocationReason = CRLReason.UNSPECIFIED;
 if (tag == CERT_STATUS_GOOD) {
 singleExtensions =
 new HashMap<String, java.security.cert.Extension>
 (singleExtDer.length);
 for (int i = 0; i < singleExtDer.length; i++) {
 Extension ext = new Extension(singleExtDer[i]);
-if (DEBUG != null) {
+if (debug != null) {
-DEBUG.println("OCSP single extension: " + ext);
+debug.println("OCSP single extension: " + ext);
 }
 // We don't support any extensions yet. Therefore, if it
 // is critical we must throw an exception because we
 // don't know how to process it.
 if (ext.isCritical()) {
 singleExtensions = Collections.emptyMap();
 }
 } else {
 singleExtensions = Collections.emptyMap();
 }
-long now = System.currentTimeMillis();
-Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
-Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
-if (DEBUG != null) {
-String until = "";
-if (nextUpdate != null) {
-until = " until " + nextUpdate;
-}
-DEBUG.println("Response's validity interval is from " +
-thisUpdate + until);
-}
-// Check that the test date is within the validity interval
-if ((thisUpdate != null && nowPlusSkew.before(thisUpdate)) ||
-(nextUpdate != null && nowMinusSkew.after(nextUpdate))) {
-if (DEBUG != null) {
-DEBUG.println("Response is unreliable: its validity " +
-"interval is out-of-date");
-}
-throw new IOException("Response is unreliable: its validity " +
-"interval is out-of-date");
-}
 }
 /*
 * Return the certificate's revocation status code
 */

changeset 12860	9ffbd4e43413
parent 10336	0bb1999251f8
child 13402	794d9fb379d2