stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8268193: Improve requests of certificates

Browse Source 
Reviewed-by: xuelei, rhalade, ahgross
This commit is contained in:
Jamil Nimeh 2021-07-08 16:14:37 +00:00 committed by Henry Jen
parent c714707eac
commit 9c4988daeb
3 changed files with 47 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
View File

@ -333,6 +333,16 @@ final class CertificateRequest {
// clean up this consumer // clean up this consumer
chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id); chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id);
chc.receivedCertReq = true;
// If we're processing this message and the server's certificate
// message consumer has not already run then this is a state
// machine violation.
if (chc.handshakeConsumers.containsKey(
SSLHandshake.CERTIFICATE.id)) {
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected CertificateRequest handshake message");
}
SSLConsumer certStatCons = chc.handshakeConsumers.remove( SSLConsumer certStatCons = chc.handshakeConsumers.remove(
SSLHandshake.CERTIFICATE_STATUS.id); SSLHandshake.CERTIFICATE_STATUS.id);
@ -659,6 +669,16 @@ final class CertificateRequest {
// clean up this consumer // clean up this consumer
chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id); chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id);
chc.receivedCertReq = true;
// If we're processing this message and the server's certificate
// message consumer has not already run then this is a state
// machine violation.
if (chc.handshakeConsumers.containsKey(
SSLHandshake.CERTIFICATE.id)) {
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected CertificateRequest handshake message");
}
SSLConsumer certStatCons = chc.handshakeConsumers.remove( SSLConsumer certStatCons = chc.handshakeConsumers.remove(
SSLHandshake.CERTIFICATE_STATUS.id); SSLHandshake.CERTIFICATE_STATUS.id);
@ -920,6 +940,15 @@ final class CertificateRequest {
// clean up this consumer // clean up this consumer
chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id); chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id);
chc.receivedCertReq = true;
// Ensure that the CertificateRequest has not been sent prior
// to EncryptedExtensions
if (chc.handshakeConsumers.containsKey(
SSLHandshake.ENCRYPTED_EXTENSIONS.id)) {
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected CertificateRequest handshake message");
}
T13CertificateRequestMessage crm = T13CertificateRequestMessage crm =
new T13CertificateRequestMessage(chc, message); new T13CertificateRequestMessage(chc, message);

7
src/java.base/share/classes/sun/security/ssl/ClientHandshakeContext.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -90,6 +90,11 @@ class ClientHandshakeContext extends HandshakeContext {
ClientHelloMessage initialClientHelloMsg = null; ClientHelloMessage initialClientHelloMsg = null;
// Flag to indicate receipt of a CertificateRequest message from
// the server. Because this is optional, we cannot guarantee
// the handshakeConsumers Map will always have it present there.
boolean receivedCertReq = false;
// PSK identity is selected in first Hello and used again after HRR // PSK identity is selected in first Hello and used again after HRR
byte[] pskIdentity; byte[] pskIdentity;

13
src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2018, 20121, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -92,6 +92,17 @@ final class ServerKeyExchange {
// clean up this consumer // clean up this consumer
chc.handshakeConsumers.remove(SSLHandshake.SERVER_KEY_EXCHANGE.id); chc.handshakeConsumers.remove(SSLHandshake.SERVER_KEY_EXCHANGE.id);
// Any receipt/consumption of the CertificateRequest before
// ServerKeyExchange is a state machine violation. We may not
// know for sure if an early CR message is a violation though until
// we have reached this point, due to other TLS features and
// optional messages.
if (chc.receivedCertReq) {
chc.receivedCertReq = false; // Reset flag
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ServerKeyExchange handshake message");
}
SSLConsumer certStatCons = chc.handshakeConsumers.remove( SSLConsumer certStatCons = chc.handshakeConsumers.remove(
SSLHandshake.CERTIFICATE_STATUS.id); SSLHandshake.CERTIFICATE_STATUS.id);
if (certStatCons != null) { if (certStatCons != null) {