8212261: Add SSLSession accessors to HttpsURLConnection and SecureCacheResponse

Reviewed-by: mullan, chegar

src/java.base/share/classes/java/net/SecureCacheResponse.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,9 +26,11 @@
 package java.net;
 
 import java.security.cert.Certificate;
+import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import java.security.Principal;
 import java.util.List;
+import java.util.Optional;
 
 /**
  * Represents a cache response originally retrieved through secure
@@ -105,4 +107,27 @@ public abstract class SecureCacheResponse extends CacheResponse {
       * @see #getPeerPrincipal()
       */
      public abstract Principal getLocalPrincipal();
+
+    /**
+     * Returns an {@link Optional} containing the {@code SSLSession} in
+     * use on the original connection that retrieved the network resource.
+     * Returns an empty {@code Optional} if the underlying implementation
+     * does not support this method.
+     *
+     * @implSpec For compatibility, the default implementation of this
+     *           method returns an empty {@code Optional}.  Subclasses
+     *           should override this method with an appropriate
+     *           implementation since an application may need to access
+     *           additional parameters associated with the SSL session.
+     *
+     * @return   an {@link Optional} containing the {@code SSLSession} in
+     *           use on the original connection
+     *
+     * @see SSLSession
+     *
+     * @since 12
+     */
+    public Optional<SSLSession> getSSLSession() {
+        return Optional.empty();
+    }
 }

src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java

@@ -29,6 +29,7 @@ import java.net.URL;
 import java.net.HttpURLConnection;
 import java.security.Principal;
 import java.security.cert.X509Certificate;
+import java.util.Optional;
 
 /**
  * <code>HttpsURLConnection</code> extends <code>HttpURLConnection</code>
@@ -52,9 +53,7 @@ import java.security.cert.X509Certificate;
  *
  * @since 1.4
  */
-public abstract
+public abstract class HttpsURLConnection extends HttpURLConnection {
-class HttpsURLConnection extends HttpURLConnection
-{
     /**
      * Creates an <code>HttpsURLConnection</code> using the
      * URL specified.
@@ -378,4 +377,29 @@ class HttpsURLConnection extends HttpURLConnection
     public SSLSocketFactory getSSLSocketFactory() {
         return sslSocketFactory;
     }
+
+    /**
+     * Returns an {@link Optional} containing the {@code SSLSession} in
+     * use on this connection.  Returns an empty {@code Optional} if the
+     * underlying implementation does not support this method.
+     *
+     * @implSpec For compatibility, the default implementation of this
+     *           method returns an empty {@code Optional}.  Subclasses
+     *           should override this method with an appropriate
+     *           implementation since an application may need to access
+     *           additional parameters associated with the SSL session.
+     *
+     * @return   an {@link Optional} containing the {@code SSLSession} in
+     *           use on this connection.
+     *
+     * @throws   IllegalStateException if this method is called before
+     *           the connection has been established
+     *
+     * @see SSLSession
+     *
+     * @since 12
+     */
+    public Optional<SSLSession> getSSLSession() {
+        return Optional.empty();
+    }
 }

src/java.base/share/classes/sun/net/www/protocol/https/AbstractDelegateHttpsURLConnection.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,6 +31,8 @@ import java.net.SecureCacheResponse;
 import java.security.Principal;
 import java.io.IOException;
 import java.util.List;
+import java.util.Optional;
+import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import sun.net.www.http.*;
 import sun.net.www.protocol.http.HttpURLConnection;
@@ -296,4 +298,19 @@ public abstract class AbstractDelegateHttpsURLConnection extends
         }
     }
 
+    SSLSession getSSLSession() {
+        if (cachedResponse != null) {
+            Optional<SSLSession> option =
+                    ((SecureCacheResponse)cachedResponse).getSSLSession();
+            if (option.isPresent()) {
+                return option.orElseThrow();
+            }
+        }
+
+        if (http == null) {
+            throw new IllegalStateException("connection not yet open");
+        }
+
+        return ((HttpsClient)http).getSSLSession();
+    }
 }

src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -738,6 +738,13 @@ final class HttpsClient extends HttpClient
         return principal;
     }
 
+    /**
+     * Returns the {@code SSLSession} in use on this connection.
+     */
+    SSLSession getSSLSession() {
+        return session;
+    }
+
     /**
      * This method implements the SSL HandshakeCompleted callback,
      * remembering the resulting session so that it may be queried

src/java.base/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -46,6 +46,7 @@ import java.security.Permission;
 import java.security.Principal;
 import java.util.Map;
 import java.util.List;
+import java.util.Optional;
 import sun.net.www.http.HttpClient;
 
 /**
@@ -533,4 +534,9 @@ public class HttpsURLConnectionImpl
     public void setAuthenticator(Authenticator auth) {
         delegate.setAuthenticator(auth);
     }
+
+    @Override
+    public Optional<SSLSession> getSSLSession() {
+        return Optional.ofNullable(delegate.getSSLSession());
+    }
 }

test/jdk/javax/net/ssl/HttpsURLConnection/DefaultCacheResponse.java

@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8212261
+ * @summary Add SSLSession accessors to HttpsURLConnection and
+ *          SecureCacheResponse
+ */
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.SecureCacheResponse;
+import java.security.Principal;
+import java.security.cert.Certificate;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSession;
+
+public class DefaultCacheResponse extends SecureCacheResponse {
+
+    public static void main(String[] args) throws Exception {
+        DefaultCacheResponse defaultImpl = new DefaultCacheResponse();
+
+        Optional<SSLSession> sslSession = defaultImpl.getSSLSession();
+        if (sslSession.isPresent()) {
+            throw new Exception(
+                "The default SecureCacheResponse.getSSLSession " +
+                "implementation should return an empty Optional");
+        }
+    }
+
+    @Override
+    public String getCipherSuite() {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
+
+    @Override
+    public List<Certificate> getLocalCertificateChain() {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
+
+    @Override
+    public List<Certificate> getServerCertificateChain()
+            throws SSLPeerUnverifiedException {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
+
+    @Override
+    public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
+
+    @Override
+    public Principal getLocalPrincipal() {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
+
+    @Override
+    public Map<String, List<String>> getHeaders() throws IOException {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
+
+    @Override
+    public InputStream getBody() throws IOException {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
+}

test/jdk/javax/net/ssl/HttpsURLConnection/DummyCacheResponse.java

@@ -0,0 +1,218 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8212261
+ * @summary Add SSLSession accessors to HttpsURLConnection and
+ *          SecureCacheResponse
+ * @library /test/lib
+ * @modules jdk.httpserver
+ * @build jdk.test.lib.net.SimpleSSLContext
+ * @run main/othervm DummyCacheResponse
+ */
+
+import java.io.*;
+import java.net.*;
+import javax.net.ssl.*;
+import java.util.*;
+import java.util.concurrent.*;
+import java.security.Principal;
+import java.security.cert.Certificate;
+import jdk.test.lib.net.SimpleSSLContext;
+import com.sun.net.httpserver.*;
+
+public class DummyCacheResponse extends SecureCacheResponse {
+    static SSLContext sslContext;
+    private final SSLSession cachedSession;
+    private final Map<String, List<String>> rqstHeaders;
+
+    public static void main(String[] args) throws Exception {
+        ResponseCache reservedResponseCache = ResponseCache.getDefault();
+        HttpsServer httpsServer = null;
+        ExecutorService executor = null;
+        try {
+            ResponseCache.setDefault(new DummyResponseCache());
+
+            httpsServer = HttpsServer.create(new InetSocketAddress(0), 0);
+            HttpContext c2 =
+                    httpsServer.createContext("/test", new HttpsHandler());
+
+            executor = Executors.newCachedThreadPool();
+            httpsServer.setExecutor(executor);
+
+            sslContext = new SimpleSSLContext().get();
+            httpsServer.setHttpsConfigurator(new HttpsConfigurator(sslContext));
+            httpsServer.start();
+
+            int httpsPort = httpsServer.getAddress().getPort();
+            System.out.println(
+                    "Server address: " + httpsServer.getAddress());
+
+            // the 1st connection
+            runTest(httpsPort, false);
+
+            // the 2nd connection that use the cache
+            runTest(httpsPort, true);
+        } finally {
+            if (httpsServer != null) {
+                httpsServer.stop(2);
+            }
+            if (executor != null) {
+                executor.shutdown();
+            }
+
+            ResponseCache.setDefault(reservedResponseCache);
+        }
+    }
+
+    private static class HttpsHandler implements HttpHandler {
+        public void handle(HttpExchange httpExchange) throws IOException {
+            InputStream is = httpExchange.getRequestBody();
+
+            while (is.read() != -1) {
+                // read to EOF
+            }
+            is.close();
+
+            httpExchange.sendResponseHeaders(200, 0);
+            httpExchange.close();
+        }
+    }
+
+    static void runTest(int port, boolean useCache) throws Exception {
+        URL url = new URL(
+                String.format("https://localhost:%s/test/", port));
+        HttpsURLConnection urlc =
+                (HttpsURLConnection)url.openConnection();
+
+        urlc.setSSLSocketFactory(sslContext.getSocketFactory());
+        urlc.setHostnameVerifier(new HostnameVerifier() {
+            public boolean verify(String s, SSLSession s1) {
+                return true;
+            }
+        });
+
+        try (InputStream is = urlc.getInputStream()) {
+            while (is.read() != -1) {
+                // read to EOF
+            }
+
+            SSLSession session = urlc.getSSLSession().orElseThrow();
+            if (!Objects.equals(urlc.getCipherSuite(),
+                    session.getCipherSuite())) {
+                throw new Exception(
+                    "Incorrect SSLSession for HTTPsURLConnection: " +
+                    urlc.getCipherSuite() + "/" + session.getCipherSuite());
+            }
+
+            // Make sure the cache implementation is used.
+            try {
+                urlc.getServerCertificates();
+                if (useCache) {
+                    throw new Exception(
+                        "The SecureCacheResponse impl should be used");
+                }
+            } catch (UnsupportedOperationException uoe) {
+                if (!useCache) {
+                    throw new Exception(
+                        "The SecureCacheResponse impl should not be used");
+                }
+            }
+        }
+    }
+
+    DummyCacheResponse(SSLSession sslSession,
+            Map<String, List<String>> rqstHeaders) {
+        this.rqstHeaders = rqstHeaders;
+        this.cachedSession = sslSession;
+    }
+
+    @Override
+    public String getCipherSuite() {
+        return cachedSession.getCipherSuite();
+    }
+
+    @Override
+    public List<Certificate> getLocalCertificateChain() {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
+
+    @Override
+    public List<Certificate> getServerCertificateChain()
+            throws SSLPeerUnverifiedException {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
+
+    @Override
+    public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
+
+    @Override
+    public Principal getLocalPrincipal() {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
+
+    @Override
+    public Map<String, List<String>> getHeaders() throws IOException {
+        return rqstHeaders;
+    }
+
+    @Override
+    public InputStream getBody() throws IOException {
+        return new ByteArrayInputStream(new byte[0]);
+    }
+
+    @Override
+    public Optional<SSLSession> getSSLSession() {
+        return Optional.of(cachedSession);
+    }
+
+    private static class DummyResponseCache extends ResponseCache {
+        Map<URI, SSLSession> httpsConnections = new HashMap<>();
+
+        @Override
+        public CacheResponse get(URI uri, String rqstMethod,
+                Map<String, List<String>> rqstHeaders) throws IOException {
+            if (httpsConnections.containsKey(uri)) {
+                return new DummyCacheResponse(
+                        httpsConnections.get(uri), rqstHeaders);
+            }
+
+            return null;
+        }
+
+        @Override
+        public CacheRequest put(URI uri,
+                URLConnection conn) throws IOException {
+            if (conn instanceof HttpsURLConnection) {
+                HttpsURLConnection httpsConn = (HttpsURLConnection)conn;
+                httpsConnections.putIfAbsent(
+                        uri, httpsConn.getSSLSession().orElseThrow());
+            }
+
+            return null;
+        }
+    }
+}

test/jdk/javax/net/ssl/HttpsURLConnection/HttpsSession.java

@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8212261
+ * @summary Add SSLSession accessors to HttpsURLConnection and
+ *          SecureCacheResponse
+ * @library /test/lib
+ * @modules jdk.httpserver
+ * @build jdk.test.lib.net.SimpleSSLContext
+ * @run main/othervm HttpsSession
+ */
+import com.sun.net.httpserver.*;
+import java.net.*;
+import java.io.*;
+import javax.net.ssl.*;
+import java.util.concurrent.*;
+import java.util.Objects;
+import jdk.test.lib.net.SimpleSSLContext;
+
+public class HttpsSession {
+
+    static SSLContext sslContext;
+
+    public static void main(String[] args) throws Exception {
+        HttpsServer httpsServer = null;
+        ExecutorService executor = null;
+        try {
+            httpsServer = HttpsServer.create(new InetSocketAddress(0), 0);
+            HttpContext c2 =
+                    httpsServer.createContext("/test", new HttpsHandler());
+
+            executor = Executors.newCachedThreadPool();
+            httpsServer.setExecutor(executor);
+
+            sslContext = new SimpleSSLContext().get();
+            httpsServer.setHttpsConfigurator(new HttpsConfigurator(sslContext));
+            httpsServer.start();
+
+            int httpsPort = httpsServer.getAddress().getPort();
+            System.out.println(
+                    "Server address: " + httpsServer.getAddress());
+
+            runTest(httpsPort);
+        } finally {
+            if (httpsServer != null) {
+                httpsServer.stop(2);
+            }
+            if (executor != null) {
+                executor.shutdown();
+            }
+        }
+    }
+
+    private static class HttpsHandler implements HttpHandler {
+        public void handle(HttpExchange httpExchange) throws IOException {
+            InputStream is = httpExchange.getRequestBody();
+
+            while (is.read() != -1) {
+                // read to EOF
+            }
+            is.close();
+
+            httpExchange.sendResponseHeaders(200, 0);
+            httpExchange.close();
+        }
+    }
+
+    static void runTest(int port) throws Exception {
+        URL url = new URL(
+                String.format("https://localhost:%s/test/", port));
+        HttpsURLConnection urlc =
+                (HttpsURLConnection)url.openConnection();
+
+        urlc.setSSLSocketFactory(sslContext.getSocketFactory());
+        urlc.setHostnameVerifier(new HostnameVerifier() {
+            public boolean verify(String s, SSLSession s1) {
+                return true;
+            }
+        });
+
+        try {
+            urlc.getSSLSession();
+            throw new Exception(
+                "HttpsURLConnection.getSSLSession() should throw " +
+                "IllegalStateException before the connection established");
+        } catch (IllegalStateException ise) {
+            // That's the expected behavior, continue.
+        }
+
+        try (InputStream is = urlc.getInputStream()) {
+            while (is.read() != -1) {
+                // read to EOF
+            }
+
+            SSLSession session = urlc.getSSLSession().orElseThrow();
+            if (!Objects.equals(urlc.getCipherSuite(),
+                    session.getCipherSuite())) {
+                throw new Exception(
+                    "Incorrect SSLSession for HTTPsURLConnection: " +
+                    urlc.getCipherSuite() + "/" + session.getCipherSuite());
+            }
+        }
+    }
+}