Back to index...
/*
 * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
package sun.security.ssl;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessController;
import java.security.cert.Extension;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import sun.security.action.GetBooleanAction;
import sun.security.action.GetIntegerAction;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.CertId;
import sun.security.provider.certpath.OCSP;
import sun.security.provider.certpath.OCSPResponse;
import sun.security.provider.certpath.ResponderId;
import sun.security.util.Cache;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.SerialNumber;
import sun.security.ssl.X509Authentication.X509Possession;
import static sun.security.ssl.CertStatusExtension.*;
final class StatusResponseManager {
    private static final int DEFAULT_CORE_THREADS = 8;
    private static final int DEFAULT_CACHE_SIZE = 256;
    private static final int DEFAULT_CACHE_LIFETIME = 3600;     // seconds
    private final ScheduledThreadPoolExecutor threadMgr;
    private final Cache<CertId, ResponseCacheEntry> responseCache;
    private final URI defaultResponder;
    private final boolean respOverride;
    private final int cacheCapacity;
    private final int cacheLifetime;
    private final boolean ignoreExtensions;
    /**
     * Create a StatusResponseManager with default parameters.
     */
    StatusResponseManager() {
        int cap = AccessController.doPrivileged(
                new GetIntegerAction("jdk.tls.stapling.cacheSize",
                    DEFAULT_CACHE_SIZE));
        cacheCapacity = cap > 0 ? cap : 0;
        int life = AccessController.doPrivileged(
                new GetIntegerAction("jdk.tls.stapling.cacheLifetime",
                    DEFAULT_CACHE_LIFETIME));
        cacheLifetime = life > 0 ? life : 0;
        String uriStr = GetPropertyAction
                .privilegedGetProperty("jdk.tls.stapling.responderURI");
        URI tmpURI;
        try {
            tmpURI = ((uriStr != null && !uriStr.isEmpty()) ?
                    new URI(uriStr) : null);
        } catch (URISyntaxException urise) {
            tmpURI = null;
        }
        defaultResponder = tmpURI;
        respOverride = AccessController.doPrivileged(
                new GetBooleanAction("jdk.tls.stapling.responderOverride"));
        ignoreExtensions = AccessController.doPrivileged(
                new GetBooleanAction("jdk.tls.stapling.ignoreExtensions"));
        threadMgr = new ScheduledThreadPoolExecutor(DEFAULT_CORE_THREADS,
                new ThreadFactory() {
            @Override
            public Thread newThread(Runnable r) {
                Thread t = Executors.defaultThreadFactory().newThread(r);
                t.setDaemon(true);
                return t;
            }
        }, new ThreadPoolExecutor.DiscardPolicy());
        threadMgr.setExecuteExistingDelayedTasksAfterShutdownPolicy(false);
        threadMgr.setContinueExistingPeriodicTasksAfterShutdownPolicy(
                false);
        threadMgr.setKeepAliveTime(5000, TimeUnit.MILLISECONDS);
        threadMgr.allowCoreThreadTimeOut(true);
        responseCache = Cache.newSoftMemoryCache(
                cacheCapacity, cacheLifetime);
    }
    /**
     * Get the current cache lifetime setting
     *
     * @return the current cache lifetime value
     */
    int getCacheLifetime() {
        return cacheLifetime;
    }
    /**
     * Get the current maximum cache size.
     *
     * @return the current maximum cache size
     */
    int getCacheCapacity() {
        return cacheCapacity;
    }
    /**
     * Get the default OCSP responder URI, if previously set.
     *
     * @return the current default OCSP responder URI, or {@code null} if
     *      it has not been set.
     */
    URI getDefaultResponder() {
        return defaultResponder;
    }
    /**
     * Get the URI override setting
     *
     * @return {@code true} if URI override has been set, {@code false}
     * otherwise.
     */
    boolean getURIOverride() {
        return respOverride;
    }
    /**
     * Get the ignore extensions setting.
     *
     * @return {@code true} if the {@code StatusResponseManager} will not
     * pass OCSP Extensions in the TLS {@code status_request[_v2]}
     * extensions, {@code false} if extensions will be passed (the default).
     */
    boolean getIgnoreExtensions() {
        return ignoreExtensions;
    }
    /**
     * Clear the status response cache
     */
    void clear() {
        if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
            SSLLogger.fine("Clearing response cache");
        }
        responseCache.clear();
    }
    /**
     * Returns the number of currently valid objects in the response cache.
     *
     * @return the number of valid objects in the response cache.
     */
    int size() {
        return responseCache.size();
    }
    /**
     * Obtain the URI use by the {@code StatusResponseManager} during
     * lookups.
     *
     * This method takes into account not only the AIA extension from a
     * certificate to be checked, but also any default URI and possible
     * override settings for the response manager.
     *
     * @param cert the subject to get the responder URI from
     *
     * @return a {@code URI} containing the address to the OCSP responder,
     *      or {@code null} if no AIA extension exists in the certificate
     *      and no default responder has been configured.
     *
     * @throws NullPointerException if {@code cert} is {@code null}.
     */
    URI getURI(X509Certificate cert) {
        Objects.requireNonNull(cert);
        if (cert.getExtensionValue(
                PKIXExtensions.OCSPNoCheck_Id.toString()) != null) {
            if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                SSLLogger.fine(
                    "OCSP NoCheck extension found.  OCSP will be skipped");
            }
            return null;
        } else if (defaultResponder != null && respOverride) {
            if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
              SSLLogger.fine(
                    "Responder override: URI is " + defaultResponder);
            }
            return defaultResponder;
        } else {
            URI certURI = OCSP.getResponderURI(cert);
            return (certURI != null ? certURI : defaultResponder);
        }
    }
    /**
     * Shutdown the thread pool
     */
    void shutdown() {
        if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
            SSLLogger.fine("Shutting down " + threadMgr.getActiveCount() +
                    " active threads");
        }
        threadMgr.shutdown();
    }
    /**
     * Get a list of responses for a chain of certificates.
     *
     * This will find OCSP responses from the cache, or failing that,
     * directly contact the OCSP responder.  It is assumed that the
     * certificates in the provided chain are in their proper order
     * (from end-entity to trust anchor).
     *
     * @param type the type of request being made of the
     *      {@code StatusResponseManager}
     * @param request the {@code CertStatusRequest} from the
     *      status_request or status_request_v2 ClientHello extension.
     *      A value of {@code null} is interpreted as providing no
     *      responder IDs or extensions.
     * @param chain an array of 2 or more certificates.  Each certificate
     *      must be issued by the next certificate in the chain.
     * @param delay the number of time units to delay before returning
     *      responses.
     * @param unit the unit of time applied to the {@code delay} parameter
     *
     * @return an unmodifiable {@code Map} containing the certificate and
     *      its usually
     *
     * @throws SSLHandshakeException if an unsupported
     *      {@code CertStatusRequest} is provided.
     */
    Map<X509Certificate, byte[]> get(CertStatusRequestType type,
            CertStatusRequest request, X509Certificate[] chain, long delay,
            TimeUnit unit) {
        Map<X509Certificate, byte[]> responseMap = new HashMap<>();
        List<OCSPFetchCall> requestList = new ArrayList<>();
        if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
            SSLLogger.fine(
                "Beginning check: Type = " + type + ", Chain length = " +
                chain.length);
        }
        // It is assumed that the caller has ordered the certs in the chain
        // in the proper order (each certificate is issued by the next entry
        // in the provided chain).
        if (chain.length < 2) {
            return Collections.emptyMap();
        }
        if (type == CertStatusRequestType.OCSP) {
            try {
                // For type OCSP, we only check the end-entity certificate
                OCSPStatusRequest ocspReq = (OCSPStatusRequest)request;
                CertId cid = new CertId(chain[1],
                        new SerialNumber(chain[0].getSerialNumber()));
                ResponseCacheEntry cacheEntry = getFromCache(cid, ocspReq);
                if (cacheEntry != null) {
                    responseMap.put(chain[0], cacheEntry.ocspBytes);
                } else {
                    StatusInfo sInfo = new StatusInfo(chain[0], cid);
                    requestList.add(new OCSPFetchCall(sInfo, ocspReq));
                }
            } catch (IOException exc) {
                if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                    SSLLogger.fine(
                        "Exception during CertId creation: ", exc);
                }
            }
        } else if (type == CertStatusRequestType.OCSP_MULTI) {
            // For type OCSP_MULTI, we check every cert in the chain that
            // has a direct issuer at the next index.  We won't have an
            // issuer certificate for the last certificate in the chain
            // and will not be able to create a CertId because of that.
            OCSPStatusRequest ocspReq = (OCSPStatusRequest)request;
            int ctr;
            for (ctr = 0; ctr < chain.length - 1; ctr++) {
                try {
                    // The cert at "ctr" is the subject cert, "ctr + 1"
                    // is the issuer certificate.
                    CertId cid = new CertId(chain[ctr + 1],
                        new SerialNumber(chain[ctr].getSerialNumber()));
                    ResponseCacheEntry cacheEntry =
                        getFromCache(cid, ocspReq);
                    if (cacheEntry != null) {
                        responseMap.put(chain[ctr], cacheEntry.ocspBytes);
                    } else {
                        StatusInfo sInfo = new StatusInfo(chain[ctr], cid);
                        requestList.add(new OCSPFetchCall(sInfo, ocspReq));
                    }
                } catch (IOException exc) {
                    if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                        SSLLogger.fine(
                            "Exception during CertId creation: ", exc);
                    }
                }
            }
        } else {
            if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                SSLLogger.fine("Unsupported status request type: " + type);
            }
        }
        // If we were able to create one or more Fetches, go and run all
        // of them in separate threads.  For all the threads that completed
        // in the allotted time, put those status responses into the
        // returned Map.
        if (!requestList.isEmpty()) {
            try {
                // Set a bunch of threads to go do the fetching
                List<Future<StatusInfo>> resultList =
                        threadMgr.invokeAll(requestList, delay, unit);
                // Go through the Futures and from any non-cancelled task,
                // get the bytes and attach them to the responseMap.
                for (Future<StatusInfo> task : resultList) {
                    if (!task.isDone()) {
                        continue;
                    }
                    if (!task.isCancelled()) {
                        StatusInfo info = task.get();
                        if (info != null && info.responseData != null) {
                            responseMap.put(info.cert,
                                    info.responseData.ocspBytes);
                        } else if (SSLLogger.isOn &&
                                SSLLogger.isOn("respmgr")) {
                            SSLLogger.fine(
                                "Completed task had no response data");
                        }
                    } else {
                        if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                            SSLLogger.fine("Found cancelled task");
                        }
                    }
                }
            } catch (InterruptedException | ExecutionException exc) {
                // Not sure what else to do here
                if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                    SSLLogger.fine("Exception when getting data: ", exc);
                }
            }
        }
        return Collections.unmodifiableMap(responseMap);
    }
    /**
     * Check the cache for a given {@code CertId}.
     *
     * @param cid the CertId of the response to look up
     * @param ocspRequest the OCSP request structure sent by the client
     *      in the TLS status_request[_v2] hello extension.
     *
     * @return the {@code ResponseCacheEntry} for a specific CertId, or
     *      {@code null} if it is not found or a nonce extension has been
     *      requested by the caller.
     */
    private ResponseCacheEntry getFromCache(CertId cid,
            OCSPStatusRequest ocspRequest) {
        // Determine if the nonce extension is present in the request.  If
        // so, then do not attempt to retrieve the response from the cache.
        for (Extension ext : ocspRequest.extensions) {
            if (ext.getId().equals(
                    PKIXExtensions.OCSPNonce_Id.toString())) {
                if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                    SSLLogger.fine(
                            "Nonce extension found, skipping cache check");
                }
                return null;
            }
        }
        ResponseCacheEntry respEntry = responseCache.get(cid);
        // If the response entry has a nextUpdate and it has expired
        // before the cache expiration, purge it from the cache
        // and do not return it as a cache hit.
        if (respEntry != null && respEntry.nextUpdate != null &&
                respEntry.nextUpdate.before(new Date())) {
            if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                SSLLogger.fine(
                    "nextUpdate threshold exceeded, purging from cache");
            }
            respEntry = null;
        }
        if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
            SSLLogger.fine(
                    "Check cache for SN" + cid.getSerialNumber() + ": " +
                    (respEntry != null ? "HIT" : "MISS"));
        }
        return respEntry;
    }
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder("StatusResponseManager: ");
        sb.append("Core threads: ").append(threadMgr.getCorePoolSize());
        sb.append(", Cache timeout: ");
        if (cacheLifetime > 0) {
            sb.append(cacheLifetime).append(" seconds");
        } else {
            sb.append(" indefinite");
        }
        sb.append(", Cache MaxSize: ");
        if (cacheCapacity > 0) {
            sb.append(cacheCapacity).append(" items");
        } else {
            sb.append(" unbounded");
        }
        sb.append(", Default URI: ");
        if (defaultResponder != null) {
            sb.append(defaultResponder);
        } else {
            sb.append("NONE");
        }
        return sb.toString();
    }
    /**
     * Inner class used to group request and response data.
     */
    class StatusInfo {
        final X509Certificate cert;
        final CertId cid;
        final URI responder;
        ResponseCacheEntry responseData;
        /**
         * Create a StatusInfo object from certificate data.
         *
         * @param subjectCert the certificate to be checked for revocation
         * @param issuerCert the issuer of the {@code subjectCert}
         *
         * @throws IOException if CertId creation from the certificate fails
         */
        StatusInfo(X509Certificate subjectCert, X509Certificate issuerCert)
                throws IOException {
            this(subjectCert, new CertId(issuerCert,
                    new SerialNumber(subjectCert.getSerialNumber())));
        }
        /**
         * Create a StatusInfo object from an existing subject certificate
         * and its corresponding CertId.
         *
         * @param subjectCert the certificate to be checked for revocation
         * @param cid the CertId for {@code subjectCert}
         */
        StatusInfo(X509Certificate subjectCert, CertId certId) {
            cert = subjectCert;
            cid = certId;
            responder = getURI(cert);
            responseData = null;
        }
        /**
         * Copy constructor (used primarily for rescheduling).
         * This will do a member-wise copy with the exception of the
         * responseData and extensions fields, which should not persist
         * in a rescheduled fetch.
         *
         * @param orig the original {@code StatusInfo}
         */
        StatusInfo(StatusInfo orig) {
            this.cert = orig.cert;
            this.cid = orig.cid;
            this.responder = orig.responder;
            this.responseData = null;
        }
        /**
         * Return a String representation of the {@code StatusInfo}
         *
         * @return a {@code String} representation of this object
         */
        @Override
        public String toString() {
            StringBuilder sb = new StringBuilder("StatusInfo:");
            sb.append("\n\tCert: ").append(
                    this.cert.getSubjectX500Principal());
            sb.append("\n\tSerial: ").append(this.cert.getSerialNumber());
            sb.append("\n\tResponder: ").append(this.responder);
            sb.append("\n\tResponse data: ").append(
                    this.responseData != null ?
                        (this.responseData.ocspBytes.length + " bytes") :
                        "<NULL>");
            return sb.toString();
        }
    }
    /**
     * Static nested class used as the data kept in the response cache.
     */
    class ResponseCacheEntry {
        final OCSPResponse.ResponseStatus status;
        final byte[] ocspBytes;
        final Date nextUpdate;
        final OCSPResponse.SingleResponse singleResp;
        final ResponderId respId;
        /**
         * Create a new cache entry from the raw bytes of the response
         *
         * @param responseBytes the DER encoding for the OCSP response
         *
         * @throws IOException if an {@code OCSPResponse} cannot be
         *         created from the encoded bytes.
         */
        ResponseCacheEntry(byte[] responseBytes, CertId cid)
                throws IOException {
            Objects.requireNonNull(responseBytes,
                    "Non-null responseBytes required");
            Objects.requireNonNull(cid, "Non-null Cert ID required");
            ocspBytes = responseBytes.clone();
            OCSPResponse oResp = new OCSPResponse(ocspBytes);
            status = oResp.getResponseStatus();
            respId = oResp.getResponderId();
            singleResp = oResp.getSingleResponse(cid);
            if (status == OCSPResponse.ResponseStatus.SUCCESSFUL) {
                if (singleResp != null) {
                    // Pull out the nextUpdate field in advance because the
                    // Date is cloned.
                    nextUpdate = singleResp.getNextUpdate();
                } else {
                    throw new IOException(
                            "Unable to find SingleResponse for SN " +
                            cid.getSerialNumber());
                }
            } else {
                nextUpdate = null;
            }
        }
    }
    /**
     * Inner Callable class that does the actual work of looking up OCSP
     * responses, first looking at the cache and doing OCSP requests if
     * a cache miss occurs.
     */
    class OCSPFetchCall implements Callable<StatusInfo> {
        StatusInfo statInfo;
        OCSPStatusRequest ocspRequest;
        List<Extension> extensions;
        List<ResponderId> responderIds;
        /**
         * A constructor that builds the OCSPFetchCall from the provided
         * StatusInfo and information from the status_request[_v2]
         * extension.
         *
         * @param info the {@code StatusInfo} containing the subject
         * certificate, CertId, and other supplemental info.
         * @param request the {@code OCSPStatusRequest} containing any
         * responder IDs and extensions.
         */
        public OCSPFetchCall(StatusInfo info, OCSPStatusRequest request) {
            statInfo = Objects.requireNonNull(info,
                    "Null StatusInfo not allowed");
            ocspRequest = Objects.requireNonNull(request,
                    "Null OCSPStatusRequest not allowed");
            extensions = ocspRequest.extensions;
            responderIds = ocspRequest.responderIds;
        }
        /**
         * Get an OCSP response, either from the cache or from a responder.
         *
         * @return The StatusInfo object passed into the
         *         {@code OCSPFetchCall} constructor, with the
         *         {@code responseData} field filled in with the response
         *         or {@code null} if no response can be obtained.
         */
        @Override
        public StatusInfo call() {
            if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                SSLLogger.fine(
                    "Starting fetch for SN " +
                    statInfo.cid.getSerialNumber());
            }
            try {
                ResponseCacheEntry cacheEntry;
                List<Extension> extsToSend;
                if (statInfo.responder == null) {
                    // If we have no URI then there's nothing to do
                    // but return.
                    if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                        SSLLogger.fine(
                            "Null URI detected, OCSP fetch aborted");
                    }
                    return statInfo;
                } else {
                    if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                        SSLLogger.fine(
                            "Attempting fetch from " + statInfo.responder);
                    }
                }
                // If the StatusResponseManager has been configured to not
                // forward extensions, then set extensions to an empty
                // list.
                //
                // We will forward the extensions unless one of two
                // conditions occur:
                // (1) The jdk.tls.stapling.ignoreExtensions property is
                //     true, or
                // (2) There is a non-empty ResponderId list.
                //
                // ResponderId selection is a feature that will be
                // supported in the future.
                extsToSend = (ignoreExtensions || !responderIds.isEmpty()) ?
                        Collections.emptyList() : extensions;
                byte[] respBytes = OCSP.getOCSPBytes(
                        Collections.singletonList(statInfo.cid),
                        statInfo.responder, extsToSend);
                if (respBytes != null) {
                    // Place the data into the response cache
                    cacheEntry = new ResponseCacheEntry(respBytes,
                            statInfo.cid);
                    // Get the response status and act on it appropriately
                    if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                        SSLLogger.fine("OCSP Status: " + cacheEntry.status +
                            " (" + respBytes.length + " bytes)");
                    }
                    if (cacheEntry.status ==
                            OCSPResponse.ResponseStatus.SUCCESSFUL) {
                        // Set the response in the returned StatusInfo
                        statInfo.responseData = cacheEntry;
                        // Add the response to the cache (if applicable)
                        addToCache(statInfo.cid, cacheEntry);
                    }
                } else {
                    if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                        SSLLogger.fine(
                            "No data returned from OCSP Responder");
                    }
                }
            } catch (IOException ioe) {
                if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                    SSLLogger.fine("Caught exception: ", ioe);
                }
            }
            return statInfo;
        }
        /**
         * Add a response to the cache.
         *
         * @param certId The {@code CertId} for the OCSP response
         * @param entry A cache entry containing the response bytes and
         *      the {@code OCSPResponse} built from those bytes.
         */
        private void addToCache(CertId certId, ResponseCacheEntry entry) {
            // If no cache lifetime has been set on entries then
            // don't cache this response if there is no nextUpdate field
            if (entry.nextUpdate == null && cacheLifetime == 0) {
                if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                    SSLLogger.fine("Not caching this OCSP response");
                }
            } else {
                responseCache.put(certId, entry);
                if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
                    SSLLogger.fine(
                        "Added response for SN " +
                        certId.getSerialNumber() +
                        " to cache");
                }
            }
        }
        /**
         * Determine the delay to use when scheduling the task that will
         * update the OCSP response.  This is the shorter time between the
         * cache lifetime and the nextUpdate.  If no nextUpdate is present
         * in the response, then only the cache lifetime is used.
         * If cache timeouts are disabled (a zero value) and there's no
         * nextUpdate, then the entry is not cached and no rescheduling
         * will take place.
         *
         * @param nextUpdate a {@code Date} object corresponding to the
         *      next update time from a SingleResponse.
         *
         * @return the number of seconds of delay before the next fetch
         *      should be executed.  A zero value means that the fetch
         *      should happen immediately, while a value less than zero
         *      indicates no rescheduling should be done.
         */
        private long getNextTaskDelay(Date nextUpdate) {
            long delaySec;
            int lifetime = getCacheLifetime();
            if (nextUpdate != null) {
                long nuDiffSec = (nextUpdate.getTime() -
                        System.currentTimeMillis()) / 1000;
                delaySec = lifetime > 0 ? Long.min(nuDiffSec, lifetime) :
                        nuDiffSec;
            } else {
                delaySec = lifetime > 0 ? lifetime : -1;
            }
            return delaySec;
        }
    }
    static final StaplingParameters processStapling(
            ServerHandshakeContext shc) {
        StaplingParameters params = null;
        SSLExtension ext = null;
        CertStatusRequestType type = null;
        CertStatusRequest req = null;
        Map<X509Certificate, byte[]> responses;
        // If this feature has not been enabled, then no more processing
        // is necessary.  Also we will only staple if we're doing a full
        // handshake.
        if (!shc.sslContext.isStaplingEnabled(false) || shc.isResumption) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Staping disabled or is a resumed session");
            }
            return null;
        }
        // Check if the client has asserted the status_request[_v2] extension(s)
        Map<SSLExtension, SSLExtension.SSLExtensionSpec> exts =
                shc.handshakeExtensions;
        CertStatusRequestSpec statReq = (CertStatusRequestSpec)exts.get(
                SSLExtension.CH_STATUS_REQUEST);
        CertStatusRequestV2Spec statReqV2 = (CertStatusRequestV2Spec)
                exts.get(SSLExtension.CH_STATUS_REQUEST_V2);
        // Determine which type of stapling we are doing and assert the
        // proper extension in the server hello.
        // Favor status_request_v2 over status_request and ocsp_multi
        // over ocsp.
        // If multiple ocsp or ocsp_multi types exist, select the first
        // instance of a given type.  Also since we don't support ResponderId
        // selection yet, only accept a request if the ResponderId field
        // is empty.  Finally, we'll only do this in (D)TLS 1.2 or earlier.
        if (statReqV2 != null && !shc.negotiatedProtocol.useTLS13PlusSpec()) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
                SSLLogger.fine("SH Processing status_request_v2 extension");
            }
            // RFC 6961 stapling
            ext = SSLExtension.CH_STATUS_REQUEST_V2;
            int ocspIdx = -1;
            int ocspMultiIdx = -1;
            CertStatusRequest[] reqItems = statReqV2.certStatusRequests;
            for (int pos = 0; (pos < reqItems.length &&
                    (ocspIdx == -1 || ocspMultiIdx == -1)); pos++) {
                CertStatusRequest item = reqItems[pos];
                CertStatusRequestType curType =
                        CertStatusRequestType.valueOf(item.statusType);
                if (ocspIdx < 0 && curType == CertStatusRequestType.OCSP) {
                    OCSPStatusRequest ocspReq = (OCSPStatusRequest)item;
                    // We currently only accept empty responder ID lists
                    // but may support them in the future
                    if (ocspReq.responderIds.isEmpty()) {
                        ocspIdx = pos;
                    }
                } else if (ocspMultiIdx < 0 &&
                        curType == CertStatusRequestType.OCSP_MULTI) {
                    OCSPStatusRequest ocspReq = (OCSPStatusRequest)item;
                    // We currently only accept empty responder ID lists
                    // but may support them in the future
                    if (ocspReq.responderIds.isEmpty()) {
                        ocspMultiIdx = pos;
                    }
                }
            }
            if (ocspMultiIdx >= 0) {
                req = reqItems[ocspMultiIdx];
                type = CertStatusRequestType.valueOf(req.statusType);
            } else if (ocspIdx >= 0) {
                req = reqItems[ocspIdx];
                type = CertStatusRequestType.valueOf(req.statusType);
            } else {
                if (SSLLogger.isOn &&
                        SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.finest("Warning: No suitable request " +
                            "found in the status_request_v2 extension.");
                }
            }
        }
        // Only attempt to process a status_request extension if:
        // * The status_request extension is set AND
        // * either the status_request_v2 extension is not present OR
        // * none of the underlying OCSPStatusRequest structures is
        // suitable for stapling.
        // If either of the latter two bullet items is true the ext,
        // type and req variables should all be null.  If any are null
        // we will try processing an asserted status_request.
        if ((statReq != null) &&
                (ext == null || type == null || req == null)) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
                SSLLogger.fine("SH Processing status_request extension");
            }
            ext = SSLExtension.CH_STATUS_REQUEST;
            type = CertStatusRequestType.valueOf(
                    statReq.statusRequest.statusType);
            if (type == CertStatusRequestType.OCSP) {
                // If the type is OCSP, then the request is guaranteed
                // to be OCSPStatusRequest
                OCSPStatusRequest ocspReq =
                        (OCSPStatusRequest)statReq.statusRequest;
                if (ocspReq.responderIds.isEmpty()) {
                    req = ocspReq;
                } else {
                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                        SSLLogger.finest("Warning: No suitable request " +
                            "found in the status_request extension.");
                    }
                }
            }
        }
        // If, after walking through the extensions we were unable to
        // find a suitable StatusRequest, then stapling is disabled.
        // The ext, type and req variables must have been set to continue.
        if (type == null || req == null || ext == null) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("No suitable status_request or " +
                        "status_request_v2, stapling is disabled");
            }
            return null;
        }
        // Get the cert chain since we'll need it for OCSP checking
        X509Possession x509Possession = null;
        for (SSLPossession possession : shc.handshakePossessions) {
            if (possession instanceof X509Possession) {
                x509Possession = (X509Possession)possession;
                break;
            }
        }
        if (x509Possession == null) {       // unlikely
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.finest("Warning: no X.509 certificates found.  " +
                        "Stapling is disabled.");
            }
            return null;
        }
        // Get the OCSP responses from the StatusResponseManager
        X509Certificate[] certs = x509Possession.popCerts;
        StatusResponseManager statRespMgr =
                shc.sslContext.getStatusResponseManager();
        if (statRespMgr != null) {
            // For the purposes of the fetch from the SRM, override the
            // type when it is TLS 1.3 so it always gets responses for
            // all certs it can.  This should not change the type field
            // in the StaplingParameters though.
            CertStatusRequestType fetchType =
                    shc.negotiatedProtocol.useTLS13PlusSpec() ?
                    CertStatusRequestType.OCSP_MULTI : type;
            responses = statRespMgr.get(fetchType, req, certs,
                    shc.statusRespTimeout, TimeUnit.MILLISECONDS);
            if (!responses.isEmpty()) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.finest("Response manager returned " +
                            responses.size() + " entries.");
                }
                // If this RFC 6066-style stapling (SSL cert only) then the
                // response cannot be zero length
                if (type == CertStatusRequestType.OCSP) {
                    byte[] respDER = responses.get(certs[0]);
                    if (respDER == null || respDER.length <= 0) {
                        if (SSLLogger.isOn &&
                                SSLLogger.isOn("ssl,handshake")) {
                            SSLLogger.finest("Warning: Null or zero-length " +
                                    "response found for leaf certificate. " +
                                    "Stapling is disabled.");
                        }
                        return null;
                    }
                }
                params = new StaplingParameters(ext, type, req, responses);
            } else {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.finest("Warning: no OCSP responses obtained.  " +
                            "Stapling is disabled.");
                }
            }
        } else {
            // This should not happen, but if lazy initialization of the
            // StatusResponseManager doesn't occur we should turn off stapling.
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.finest("Warning: lazy initialization " +
                        "of the StatusResponseManager failed.  " +
                        "Stapling is disabled.");
            }
            params = null;
        }
        return params;
    }
    /**
     * Inner class used to hold stapling parameters needed by the handshaker
     * when stapling is active.
     */
    static final class StaplingParameters {
        final SSLExtension statusRespExt;
        final CertStatusRequestType statReqType;
        final CertStatusRequest statReqData;
        final Map<X509Certificate, byte[]> responseMap;
        StaplingParameters(SSLExtension ext, CertStatusRequestType type,
                CertStatusRequest req, Map<X509Certificate, byte[]> responses) {
            statusRespExt = ext;
            statReqType = type;
            statReqData = req;
            responseMap = responses;
        }
    }
}
Back to index...