8132942: ServerHandshaker should not throw SSLHandshakeException when CertificateStatus constructor is called with invalid arguments

Performs argument checking on inputs to the CertificateStatus constructor in order to eliminate the need for exception processing.  Also pulls stapling processing logic out to its own method.

Reviewed-by: xuelei
This commit is contained in:
Jamil Nimeh 2016-03-11 10:54:42 -08:00
parent 2fc3f9915c
commit 59eca614db
2 changed files with 141 additions and 108 deletions

View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -700,7 +700,7 @@ static final class CertificateStatus extends HandshakeMessage
* OCSP response data is provided. * OCSP response data is provided.
*/ */
CertificateStatus(StatusRequestType type, X509Certificate[] chain, CertificateStatus(StatusRequestType type, X509Certificate[] chain,
Map<X509Certificate, byte[]> responses) throws SSLException { Map<X509Certificate, byte[]> responses) {
statusType = type; statusType = type;
encodedResponsesLen = 0; encodedResponsesLen = 0;
encodedResponses = new ArrayList<>(chain.length); encodedResponses = new ArrayList<>(chain.length);
@ -715,7 +715,7 @@ static final class CertificateStatus extends HandshakeMessage
encodedResponses.add(respDER); encodedResponses.add(respDER);
encodedResponsesLen = 3 + respDER.length; encodedResponsesLen = 3 + respDER.length;
} else { } else {
throw new SSLHandshakeException("Zero-length or null " + throw new IllegalArgumentException("Zero-length or null " +
"OCSP Response"); "OCSP Response");
} }
} else if (statusType == StatusRequestType.OCSP_MULTI) { } else if (statusType == StatusRequestType.OCSP_MULTI) {
@ -732,8 +732,8 @@ static final class CertificateStatus extends HandshakeMessage
} }
} }
} else { } else {
throw new SSLHandshakeException("Unsupported StatusResponseType: " + throw new IllegalArgumentException(
statusType); "Unsupported StatusResponseType: " + statusType);
} }
} }

View File

@ -36,7 +36,6 @@ import java.security.spec.ECParameterSpec;
import java.math.BigInteger; import java.math.BigInteger;
import javax.crypto.SecretKey; import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.*; import javax.net.ssl.*;
import sun.security.action.GetLongAction; import sun.security.action.GetLongAction;
@ -67,7 +66,6 @@ final class ServerHandshaker extends Handshaker {
// our authentication info // our authentication info
private X509Certificate[] certs; private X509Certificate[] certs;
private Map<X509Certificate, byte[]> responseMap;
private PrivateKey privateKey; private PrivateKey privateKey;
private Object serviceCreds; private Object serviceCreds;
@ -118,7 +116,6 @@ final class ServerHandshaker extends Handshaker {
LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS, LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS,
new SSLAlgorithmDecomposer()); new SSLAlgorithmDecomposer());
private boolean staplingActive = false;
private long statusRespTimeout; private long statusRespTimeout;
static { static {
@ -578,16 +575,6 @@ final class ServerHandshaker extends Handshaker {
} }
} }
// Check if the client has asserted the status_request[_v2] extension(s)
CertStatusReqExtension statReqExt = (CertStatusReqExtension)
mesg.extensions.get(ExtensionType.EXT_STATUS_REQUEST);
CertStatusReqListV2Extension statReqExtV2 =
(CertStatusReqListV2Extension)mesg.extensions.get(
ExtensionType.EXT_STATUS_REQUEST_V2);
// Keep stapling active if at least one of the extensions has been set
staplingActive = sslContext.isStaplingEnabled(false) &&
(statReqExt != null || statReqExtV2 != null);
/* /*
* FIRST, construct the ServerHello using the options and priorities * FIRST, construct the ServerHello using the options and priorities
* from the ClientHello. Update the (pending) cipher spec as we do * from the ClientHello. Update the (pending) cipher spec as we do
@ -883,79 +870,17 @@ final class ServerHandshaker extends Handshaker {
m1.extensions.add(maxFragLenExt); m1.extensions.add(maxFragLenExt);
} }
StatusRequestType statReqType = null; StaplingParameters staplingParams = processStapling(mesg);
StatusRequest statReqData = null; if (staplingParams != null) {
if (staplingActive && !resumingSession) { // We now can safely assert status_request[_v2] in our
ExtensionType statusRespExt = ExtensionType.EXT_STATUS_REQUEST; // ServerHello, and know for certain that we can provide
// responses back to this client for this connection.
// Determine which type of stapling we are doing and assert the if (staplingParams.statusRespExt ==
// proper extension in the server hello. ExtensionType.EXT_STATUS_REQUEST) {
// Favor status_request_v2 over status_request and ocsp_multi m1.extensions.add(new CertStatusReqExtension());
// over ocsp. } else if (staplingParams.statusRespExt ==
// If multiple ocsp or ocsp_multi types exist, select the first ExtensionType.EXT_STATUS_REQUEST_V2) {
// instance of a given type m1.extensions.add(new CertStatusReqListV2Extension());
if (statReqExtV2 != null) { // RFC 6961 stapling
statusRespExt = ExtensionType.EXT_STATUS_REQUEST_V2;
List<CertStatusReqItemV2> reqItems =
statReqExtV2.getRequestItems();
int ocspIdx = -1;
int ocspMultiIdx = -1;
for (int pos = 0; pos < reqItems.size(); pos++) {
CertStatusReqItemV2 item = reqItems.get(pos);
if (ocspIdx < 0 && item.getType() ==
StatusRequestType.OCSP) {
ocspIdx = pos;
} else if (ocspMultiIdx < 0 && item.getType() ==
StatusRequestType.OCSP_MULTI) {
ocspMultiIdx = pos;
}
}
if (ocspMultiIdx >= 0) {
statReqType = reqItems.get(ocspMultiIdx).getType();
statReqData = reqItems.get(ocspMultiIdx).getRequest();
} else if (ocspIdx >= 0) {
statReqType = reqItems.get(ocspIdx).getType();
statReqData = reqItems.get(ocspIdx).getRequest();
} else {
// Some unknown type. We will not do stapling for
// this connection since we cannot understand the
// requested type.
staplingActive = false;
}
} else { // RFC 6066 stapling
statReqType = StatusRequestType.OCSP;
statReqData = statReqExt.getRequest();
}
if (statReqType != null && statReqData != null) {
StatusResponseManager statRespMgr =
sslContext.getStatusResponseManager();
if (statRespMgr != null) {
responseMap = statRespMgr.get(statReqType, statReqData,
certs, statusRespTimeout, TimeUnit.MILLISECONDS);
if (!responseMap.isEmpty()) {
// We now can safely assert status_request[_v2] in our
// ServerHello, and know for certain that we can provide
// responses back to this client for this connection.
if (statusRespExt == ExtensionType.EXT_STATUS_REQUEST) {
m1.extensions.add(new CertStatusReqExtension());
} else if (statusRespExt ==
ExtensionType.EXT_STATUS_REQUEST_V2) {
m1.extensions.add(
new CertStatusReqListV2Extension());
}
}
} else {
// This should not happen if stapling is active, but
// if lazy initialization of the StatusResponseManager
// doesn't occur we should turn off stapling.
if (debug != null && Debug.isOn("handshake")) {
System.out.println("Warning: lazy initialization " +
"of the StatusResponseManager failed. " +
"Stapling has been disabled.");
staplingActive = false;
}
}
} }
} }
@ -1031,24 +956,15 @@ final class ServerHandshaker extends Handshaker {
* supports status stapling and there is at least one response to * supports status stapling and there is at least one response to
* return to the client. * return to the client.
*/ */
if (staplingActive && !responseMap.isEmpty()) { if (staplingParams != null) {
try { CertificateStatus csMsg = new CertificateStatus(
CertificateStatus csMsg = new CertificateStatus(statReqType, staplingParams.statReqType, certs,
certs, responseMap); staplingParams.responseMap);
if (debug != null && Debug.isOn("handshake")) { if (debug != null && Debug.isOn("handshake")) {
csMsg.print(System.out); csMsg.print(System.out);
}
csMsg.write(output);
handshakeState.update(csMsg, resumingSession);
responseMap = null;
} catch (SSLException ssle) {
// We don't want the exception to be fatal, we just won't
// send the message if we fail on construction.
if (debug != null && Debug.isOn("handshake")) {
System.out.println("Failed during CertificateStatus " +
"construction: " + ssle);
}
} }
csMsg.write(output);
handshakeState.update(csMsg, resumingSession);
} }
/* /*
@ -2078,4 +1994,121 @@ final class ServerHandshaker extends Handshaker {
session.setPeerCertificates(peerCerts); session.setPeerCertificates(peerCerts);
} }
private StaplingParameters processStapling(ClientHello mesg) {
StaplingParameters params = null;
ExtensionType ext;
StatusRequestType type = null;
StatusRequest req = null;
Map<X509Certificate, byte[]> responses;
// If this feature has not been enabled, then no more processing
// is necessary. Also we will only staple if we're doing a full
// handshake.
if (!sslContext.isStaplingEnabled(false) || resumingSession) {
return null;
}
// Check if the client has asserted the status_request[_v2] extension(s)
CertStatusReqExtension statReqExt = (CertStatusReqExtension)
mesg.extensions.get(ExtensionType.EXT_STATUS_REQUEST);
CertStatusReqListV2Extension statReqExtV2 =
(CertStatusReqListV2Extension)mesg.extensions.get(
ExtensionType.EXT_STATUS_REQUEST_V2);
// Keep processing only if either status_request or status_request_v2
// has been sent in the ClientHello.
if (statReqExt == null && statReqExtV2 == null) {
return null;
}
// Determine which type of stapling we are doing and assert the
// proper extension in the server hello.
// Favor status_request_v2 over status_request and ocsp_multi
// over ocsp.
// If multiple ocsp or ocsp_multi types exist, select the first
// instance of a given type
ext = ExtensionType.EXT_STATUS_REQUEST;
if (statReqExtV2 != null) { // RFC 6961 stapling
ext = ExtensionType.EXT_STATUS_REQUEST_V2;
List<CertStatusReqItemV2> reqItems =
statReqExtV2.getRequestItems();
int ocspIdx = -1;
int ocspMultiIdx = -1;
for (int pos = 0; pos < reqItems.size(); pos++) {
CertStatusReqItemV2 item = reqItems.get(pos);
if (ocspIdx < 0 && item.getType() ==
StatusRequestType.OCSP) {
ocspIdx = pos;
} else if (ocspMultiIdx < 0 && item.getType() ==
StatusRequestType.OCSP_MULTI) {
ocspMultiIdx = pos;
}
}
if (ocspMultiIdx >= 0) {
type = reqItems.get(ocspMultiIdx).getType();
req = reqItems.get(ocspMultiIdx).getRequest();
} else if (ocspIdx >= 0) {
type = reqItems.get(ocspIdx).getType();
req = reqItems.get(ocspIdx).getRequest();
}
} else { // RFC 6066 stapling
type = StatusRequestType.OCSP;
req = statReqExt.getRequest();
}
// If, after walking through the extensions we were unable to
// find a suitable StatusRequest, then stapling is disabled.
// Both statReqType and statReqData must have been set to continue.
if (type == null || req == null) {
return null;
}
// Get the OCSP responses from the StatusResponseManager
StatusResponseManager statRespMgr =
sslContext.getStatusResponseManager();
if (statRespMgr != null) {
responses = statRespMgr.get(type, req, certs, statusRespTimeout,
TimeUnit.MILLISECONDS);
if (!responses.isEmpty()) {
// If this RFC 6066-style stapling (SSL cert only) then the
// response cannot be zero length
if (type == StatusRequestType.OCSP) {
byte[] respDER = responses.get(certs[0]);
if (respDER == null || respDER.length <= 0) {
return null;
}
}
params = new StaplingParameters(ext, type, req, responses);
}
} else {
// This should not happen, but if lazy initialization of the
// StatusResponseManager doesn't occur we should turn off stapling.
if (debug != null && Debug.isOn("handshake")) {
System.out.println("Warning: lazy initialization " +
"of the StatusResponseManager failed. " +
"Stapling has been disabled.");
}
}
return params;
}
/**
* Inner class used to hold stapling parameters needed by the handshaker
* when stapling is active.
*/
private class StaplingParameters {
private final ExtensionType statusRespExt;
private final StatusRequestType statReqType;
private final StatusRequest statReqData;
private final Map<X509Certificate, byte[]> responseMap;
StaplingParameters(ExtensionType ext, StatusRequestType type,
StatusRequest req, Map<X509Certificate, byte[]> responses) {
statusRespExt = ext;
statReqType = type;
statReqData = req;
responseMap = responses;
}
}
} }