

ELY-434 [Preview] OCSP Stapling Support
Prarthona Paul committed Aug 1, 2024
1 parent 0c24b3f commit 22f4828
Showing 10 changed files with 2,037 additions and 62 deletions.
Expand Up @@ -154,7 +154,8 @@ private enum Version {
VERSION_1_4("urn:elytron:client:1.4", VERSION_1_3),
VERSION_1_5("urn:elytron:client:1.5", VERSION_1_4),
VERSION_1_6("urn:elytron:client:1.6", VERSION_1_5),
VERSION_1_7("urn:elytron:client:1.7", VERSION_1_6);
VERSION_1_7("urn:elytron:client:1.7", VERSION_1_6),
VERSION_1_8("urn:elytron:client:1.8", VERSION_1_7);

final String namespace;

Expand Down Expand Up @@ -465,6 +466,7 @@ private static void parseSslContextType(final ConfigurationXMLStreamReader reade
ExceptionSupplier<KeyStore, ConfigXMLParseException> trustStoreSupplier = null;
DeferredSupplier<Provider[]> providersSupplier = new DeferredSupplier<>(providers);
TrustManagerBuilder trustManagerBuilder = new TrustManagerBuilder(providersSupplier, location);
boolean acceptOcspStapling = false;

while (reader.hasNext()) {
final int tag = reader.nextTag();
Expand Down Expand Up @@ -536,6 +538,13 @@ private static void parseSslContextType(final ConfigurationXMLStreamReader reade
parseCertificateRevocationLists(reader, trustManagerBuilder, xmlVersion);
break;
}
case "accept-ocsp-stapling": {
if (isSet(foundBits, 10)) throw reader.unexpectedElement();
foundBits = setBit(foundBits, 10);
if (!xmlVersion.isAtLeast(Version.VERSION_1_8)) throw reader.unexpectedElement();
acceptOcspStapling = parseOcspStaplingType(reader, trustManagerBuilder, xmlVersion, keyStoresMap);
break;
}
default: throw reader.unexpectedElement();
}
} else if (tag != END_ELEMENT) {
Expand All @@ -549,6 +558,8 @@ private static void parseSslContextType(final ConfigurationXMLStreamReader reade
final ExceptionSupplier<X509ExtendedKeyManager, ConfigXMLParseException> finalKeyManagerSupplier = keyManagerSupplier;
final ExceptionSupplier<KeyStore, ConfigXMLParseException> finalTrustStoreSupplier = trustStoreSupplier;
final boolean initTrustManager = finalTrustStoreSupplier != null || isSet(foundBits, 7);
final boolean finalAcceptOcspStapling = acceptOcspStapling;

sslContextsMap.putIfAbsent(name, () -> {
final SSLContextBuilder sslContextBuilder = new SSLContextBuilder();
sslContextBuilder.setClientMode(true);
Expand All @@ -574,6 +585,7 @@ private static void parseSslContextType(final ConfigurationXMLStreamReader reade
sslContextBuilder.setProviderName(finalProviderName);
sslContextBuilder.setProviderSupplier(finalProvidersSupplier);
sslContextBuilder.setUseCipherSuitesOrder(true);
sslContextBuilder.setAcceptOCSPStapling(finalAcceptOcspStapling);
return sslContextBuilder.build();
});
return;
Expand All @@ -582,6 +594,56 @@ private static void parseSslContextType(final ConfigurationXMLStreamReader reade
throw reader.unexpectedDocumentEnd();
}

private static boolean parseOcspStaplingType(ConfigurationXMLStreamReader reader, TrustManagerBuilder builder, Version xmlVersion, Map<String, ExceptionSupplier<KeyStore, ConfigXMLParseException>> keyStoresMap) throws ConfigXMLParseException {
final int attributeCount = reader.getAttributeCount();
boolean acceptOcspStapling = false;
boolean softFail = false;
boolean gotResponderCertAlias = false;
boolean gotResponderKeystore = false;

for (int i = 0; i < attributeCount; i ++) {
checkAttributeNamespace(reader, i);
switch (reader.getAttributeLocalName(i)) {
case "accept-ocsp": {
if (acceptOcspStapling) throw reader.unexpectedAttribute(i);
if (!xmlVersion.isAtLeast(Version.VERSION_1_8)) throw reader.unexpectedAttribute(i);
acceptOcspStapling = reader.getBooleanAttributeValueResolved(i);
builder.setOcspStapling(acceptOcspStapling);
break;
}
case "soft-fail": {
if (softFail) throw reader.unexpectedAttribute(i);
if (!xmlVersion.isAtLeast(Version.VERSION_1_8)) throw reader.unexpectedAttribute(i);
softFail = reader.getBooleanAttributeValueResolved(i);
builder.setSoftFail(softFail);
break;
}
case "responder-certificate": {
if (gotResponderCertAlias) throw reader.unexpectedAttribute(i);
builder.setOcspRescponderCertAlias(reader.getAttributeValueResolved(i));
gotResponderCertAlias = true;
break;
}
case "responder-keystore": {
if (gotResponderKeystore) throw reader.unexpectedAttribute(i);
builder.setOcspResponderCertKeystoreSupplier(keyStoresMap.get(reader.getAttributeValueResolved(i)));
gotResponderKeystore = true;
break;
}
default: throw reader.unexpectedAttribute(i);
}
}
while (reader.hasNext()) {
final int tag = reader.nextTag();
if (tag == END_ELEMENT) {
return acceptOcspStapling;
} else {
throw reader.unexpectedContent();
}
}
throw reader.unexpectedDocumentEnd();
}

private static class TrustManagerBuilder {
final Supplier<Provider[]> providers;
final Location xmlLocation;
Expand All @@ -592,6 +654,7 @@ private static class TrustManagerBuilder {
List<InputStream> crlStreams = new ArrayList<>();
int maxCertPath = 5;
boolean ocsp = false;
boolean ocspStapling = false;
boolean preferCrls = false;
boolean onlyLeafCert = false;
boolean softFail = false;
Expand Down Expand Up @@ -638,6 +701,9 @@ boolean isMaxCertPathSet() {
public void setOcsp() {
this.ocsp = true;
}
public void setOcspStapling(boolean ocspStapling) {
this.ocspStapling = ocspStapling;
}

public void setPreferCrls(boolean preferCrls) {
this.preferCrls = preferCrls;
Expand Down Expand Up @@ -697,6 +763,15 @@ X509TrustManager build() throws NoSuchAlgorithmException, KeyStoreException, Con
revocationBuilder.setOcspResponderCert((X509Certificate) responderStore.getCertificate(responderCertAlias));
}

return revocationBuilder.build();
} else if (ocspStapling) {
X509RevocationTrustManager.Builder revocationBuilder = X509RevocationTrustManager.builder();
revocationBuilder.setTrustManagerFactory(trustManagerFactory);
revocationBuilder.setTrustStore(trustStore);
revocationBuilder.setCheckRevocation(true);
revocationBuilder.setSoftFail(softFail);
KeyStore responderStore = responderStoreSupplier != null ? responderStoreSupplier.get() : trustStore;
revocationBuilder.setOcspResponderCert((X509Certificate) responderStore.getCertificate(responderCertAlias));
return revocationBuilder.build();
} else {
trustManagerFactory.init(trustStore);
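Review bot: In the new `else if (ocspStapling)` branch of build(), `responderStore.getCertificate(responderCertAlias)` on the line before `return revocationBuilder.build();` runs unconditionally, whereas the preceding OCSP branch appears to wrap the same call in a guard (the closing brace just above its `return`); when the optional `responder-certificate` attribute was not given the alias is null and the lookup is likely to throw (the standard key-store implementations normalise the alias before lookup), so a stapling-only configuration cannot build its trust manager. Mirror the guard: `if (responderCertAlias != null) { KeyStore responderStore = responderStoreSupplier != null ? responderStoreSupplier.get() : trustStore; revocationBuilder.setOcspResponderCert((X509Certificate) responderStore.getCertificate(responderCertAlias)); }`. Relatedly, in parseOcspStaplingType the `responder-keystore` attribute hands `keyStoresMap.get(...)` straight to the builder, so a reference to an undefined key store is not rejected at parse time and silently falls back to the trust store at build time; check `keyStoresMap.containsKey(name)` first and raise the parser's error for an unknown key-store reference (presumably the same handling the other key-store references use). Note also that `responder-certificate` and `responder-keystore` are not gated on `Version.VERSION_1_8` while the two boolean attributes in the same switch are. build()'s body begins before this hunk.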