mirror of
https://github.com/openjdk/jdk.git
synced 2025-08-28 07:14:30 +02:00
8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension
Reviewed-by: jnimeh, mullan
This commit is contained in:
Hai-May Chao
Sean Mullan
parent
4f11ff325f
commit
8b95d9549e
5 changed files with 77 additions and 24 deletions
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
|
|
@ -76,14 +76,16 @@ public final class OCSPNonceExtension extends Extension {
|
|||
*
|
||||
* @throws IOException if any errors happen during encoding of the
|
||||
* extension.
|
||||
* @throws IllegalArgumentException if length is not a positive integer.
|
||||
* @throws IllegalArgumentException if length is not in the range of 1 to 32.
|
||||
*/
|
||||
public OCSPNonceExtension(boolean isCritical, int length)
|
||||
throws IOException {
|
||||
this.extensionId = PKIXExtensions.OCSPNonce_Id;
|
||||
this.critical = isCritical;
|
||||
|
||||
if (length > 0) {
|
||||
// RFC 8954, section 2.1: the length of the nonce MUST be at least 1 octet
|
||||
// and can be up to 32 octets.
|
||||
if (length > 0 && length <= 32) {
|
||||
SecureRandom rng = new SecureRandom();
|
||||
this.nonceData = new byte[length];
|
||||
rng.nextBytes(nonceData);
|
||||
|
|
@ -91,7 +93,7 @@ public final class OCSPNonceExtension extends Extension {
|
|||
nonceData).toByteArray();
|
||||
} else {
|
||||
throw new IllegalArgumentException(
|
||||
"Length must be a positive integer");
|
||||
"Length of nonce must be at least 1 byte and can be up to 32 bytes");
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -121,12 +123,13 @@ public final class OCSPNonceExtension extends Extension {
|
|||
* @param isCritical a boolean flag indicating whether the criticality bit
|
||||
* is set for this extension
|
||||
* @param incomingNonce The nonce data to be set for the extension. This
|
||||
* must be a non-null array of at least one byte long.
|
||||
* must be a non-null array of at least one byte long and can be up to
|
||||
* 32 bytes.
|
||||
*
|
||||
* @throws IOException if any errors happen during encoding of the
|
||||
* extension.
|
||||
* @throws IllegalArgumentException if the incomingNonce length is not a
|
||||
* positive integer.
|
||||
* @throws IllegalArgumentException if the incomingNonce length is not
|
||||
* in the range of 1 to 32.
|
||||
* @throws NullPointerException if the incomingNonce is null.
|
||||
*/
|
||||
public OCSPNonceExtension(boolean isCritical, byte[] incomingNonce)
|
||||
|
|
@ -135,13 +138,15 @@ public final class OCSPNonceExtension extends Extension {
|
|||
this.critical = isCritical;
|
||||
|
||||
Objects.requireNonNull(incomingNonce, "Nonce data must be non-null");
|
||||
if (incomingNonce.length > 0) {
|
||||
// RFC 8954, section 2.1: the length of the nonce MUST be at least 1 octet
|
||||
// and can be up to 32 octets.
|
||||
if (incomingNonce.length > 0 && incomingNonce.length <= 32) {
|
||||
this.nonceData = incomingNonce.clone();
|
||||
this.extensionValue = new DerValue(DerValue.tag_OctetString,
|
||||
nonceData).toByteArray();
|
||||
} else {
|
||||
throw new IllegalArgumentException(
|
||||
"Nonce data must be at least 1 byte in length");
|
||||
"Nonce data must be at least 1 byte and can be up to 32 bytes in length");
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2012, 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
|
|
@ -83,7 +83,10 @@ class RevocationChecker extends PKIXRevocationChecker {
|
|||
String ocspSubject;
|
||||
String ocspIssuer;
|
||||
String ocspSerial;
|
||||
boolean ocspNonce;
|
||||
}
|
||||
private RevocationProperties rp;
|
||||
private static final int DEFAULT_NONCE_BYTES = 16;
|
||||
|
||||
RevocationChecker() {
|
||||
legacy = false;
|
||||
|
|
@ -99,7 +102,7 @@ class RevocationChecker extends PKIXRevocationChecker {
|
|||
void init(TrustAnchor anchor, ValidatorParams params)
|
||||
throws CertPathValidatorException
|
||||
{
|
||||
RevocationProperties rp = getRevocationProperties();
|
||||
rp = getRevocationProperties();
|
||||
URI uri = getOcspResponder();
|
||||
responderURI = (uri == null) ? toURI(rp.ocspUrl) : uri;
|
||||
X509Certificate cert = getOcspResponderCert();
|
||||
|
|
@ -198,6 +201,8 @@ class RevocationChecker extends PKIXRevocationChecker {
|
|||
= Security.getProperty("ocsp.responderCertSerialNumber");
|
||||
rp.crlDPEnabled
|
||||
= Boolean.getBoolean("com.sun.security.enableCRLDP");
|
||||
rp.ocspNonce
|
||||
= Boolean.getBoolean("jdk.security.certpath.ocspNonce");
|
||||
return rp;
|
||||
}
|
||||
}
|
||||
|
|
@ -712,6 +717,13 @@ class RevocationChecker extends PKIXRevocationChecker {
|
|||
certId = new CertId(issuerInfo.getName(), issuerInfo.getPublicKey(),
|
||||
currCert.getSerialNumberObject());
|
||||
|
||||
byte[] nonce = null;
|
||||
for (Extension ext : ocspExtensions) {
|
||||
if (ext.getId().equals(KnownOIDs.OCSPNonceExt.value())) {
|
||||
nonce = ext.getValue();
|
||||
}
|
||||
}
|
||||
|
||||
// check if there is a cached OCSP response available
|
||||
byte[] responseBytes = ocspResponses.get(cert);
|
||||
if (responseBytes != null) {
|
||||
|
|
@ -721,12 +733,6 @@ class RevocationChecker extends PKIXRevocationChecker {
|
|||
response = new OCSPResponse(responseBytes);
|
||||
|
||||
// verify the response
|
||||
byte[] nonce = null;
|
||||
for (Extension ext : ocspExtensions) {
|
||||
if (ext.getId().equals(KnownOIDs.OCSPNonceExt.value())) {
|
||||
nonce = ext.getValue();
|
||||
}
|
||||
}
|
||||
response.verify(Collections.singletonList(certId), issuerInfo,
|
||||
responderCert, params.date(), nonce, params.variant());
|
||||
|
||||
|
|
@ -740,9 +746,43 @@ class RevocationChecker extends PKIXRevocationChecker {
|
|||
null, -1);
|
||||
}
|
||||
|
||||
List<Extension> tmpExtensions = null;
|
||||
if (rp.ocspNonce) {
|
||||
if (nonce == null) {
|
||||
try {
|
||||
// create the 16-byte nonce by default
|
||||
Extension nonceExt = new OCSPNonceExtension(DEFAULT_NONCE_BYTES);
|
||||
|
||||
if (ocspExtensions.size() > 0) {
|
||||
tmpExtensions = new ArrayList<Extension>(ocspExtensions);
|
||||
tmpExtensions.add(nonceExt);
|
||||
} else {
|
||||
tmpExtensions = List.of(nonceExt);
|
||||
}
|
||||
|
||||
if (debug != null) {
|
||||
debug.println("Default nonce has been created in the OCSP extensions");
|
||||
}
|
||||
} catch (IOException e) {
|
||||
throw new CertPathValidatorException("Failed to create the default nonce " +
|
||||
"in OCSP extensions", e);
|
||||
}
|
||||
} else {
|
||||
throw new CertPathValidatorException("Application provided nonce cannot be " +
|
||||
"used if the value of the jdk.security.certpath.ocspNonce system " +
|
||||
"property is true");
|
||||
}
|
||||
} else {
|
||||
if (nonce != null) {
|
||||
if (debug != null) {
|
||||
debug.println("Using application provided nonce");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
response = OCSP.check(Collections.singletonList(certId),
|
||||
responderURI, issuerInfo, responderCert, null,
|
||||
ocspExtensions, params.variant());
|
||||
rp.ocspNonce ? tmpExtensions : ocspExtensions, params.variant());
|
||||
}
|
||||
} catch (IOException e) {
|
||||
throw new CertPathValidatorException(
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue