|
 |
aa59cc |
# HG changeset patch
|
|
|
aa59cc |
# User jnimeh
|
|
|
aa59cc |
# Date 1578287079 28800
|
|
|
aa59cc |
# Sun Jan 05 21:04:39 2020 -0800
|
|
|
aa59cc |
# Node ID b9d1ce20dd4b2ce34e74c8fa2d784335231abcd1
|
|
|
aa59cc |
# Parent 3782f295811625b65d57f1aef15daa10d82a58a7
|
|
|
aa59cc |
8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
|
|
|
aa59cc |
Reviewed-by: xuelei
|
|
|
aa59cc |
|
|
|
aa59cc |
diff --git a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
|
|
|
aa59cc |
--- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
|
|
|
aa59cc |
+++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
|
|
|
aa59cc |
@@ -1,5 +1,5 @@
|
|
|
aa59cc |
/*
|
|
|
aa59cc |
- * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
|
|
|
aa59cc |
+ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
|
aa59cc |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
aa59cc |
*
|
|
|
aa59cc |
* This code is free software; you can redistribute it and/or modify it
|
|
|
aa59cc |
@@ -39,11 +39,7 @@
|
|
|
aa59cc |
import javax.net.ssl.SSLProtocolException;
|
|
|
aa59cc |
import sun.security.provider.certpath.OCSPResponse;
|
|
|
aa59cc |
import sun.security.provider.certpath.ResponderId;
|
|
|
aa59cc |
-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST;
|
|
|
aa59cc |
-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST_V2;
|
|
|
aa59cc |
import sun.security.ssl.SSLExtension.ExtensionConsumer;
|
|
|
aa59cc |
-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST;
|
|
|
aa59cc |
-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST_V2;
|
|
|
aa59cc |
import sun.security.ssl.SSLExtension.SSLExtensionSpec;
|
|
|
aa59cc |
import sun.security.ssl.SSLHandshake.HandshakeMessage;
|
|
|
aa59cc |
import sun.security.util.DerInputStream;
|
|
|
aa59cc |
@@ -434,8 +430,9 @@
|
|
|
aa59cc |
} else {
|
|
|
aa59cc |
extBuilder.append(",\n");
|
|
|
aa59cc |
}
|
|
|
aa59cc |
- extBuilder.append(
|
|
|
aa59cc |
- "{\n" + Utilities.indent(ext.toString()) + "}");
|
|
|
aa59cc |
+ extBuilder.append("{\n").
|
|
|
aa59cc |
+ append(Utilities.indent(ext.toString())).
|
|
|
aa59cc |
+ append("}");
|
|
|
aa59cc |
}
|
|
|
aa59cc |
|
|
|
aa59cc |
extsStr = extBuilder.toString();
|
|
|
aa59cc |
@@ -552,11 +549,11 @@
|
|
|
aa59cc |
return null;
|
|
|
aa59cc |
}
|
|
|
aa59cc |
|
|
|
aa59cc |
- if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
|
|
|
aa59cc |
+ if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) {
|
|
|
aa59cc |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
|
|
aa59cc |
SSLLogger.fine(
|
|
|
aa59cc |
"Ignore unavailable extension: " +
|
|
|
aa59cc |
- CH_STATUS_REQUEST.name);
|
|
|
aa59cc |
+ SSLExtension.CH_STATUS_REQUEST.name);
|
|
|
aa59cc |
}
|
|
|
aa59cc |
return null;
|
|
|
aa59cc |
}
|
|
|
aa59cc |
@@ -568,8 +565,8 @@
|
|
|
aa59cc |
byte[] extData = new byte[] {0x01, 0x00, 0x00, 0x00, 0x00};
|
|
|
aa59cc |
|
|
|
aa59cc |
// Update the context.
|
|
|
aa59cc |
- chc.handshakeExtensions.put(
|
|
|
aa59cc |
- CH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
|
|
|
aa59cc |
+ chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST,
|
|
|
aa59cc |
+ CertStatusRequestSpec.DEFAULT);
|
|
|
aa59cc |
|
|
|
aa59cc |
return extData;
|
|
|
aa59cc |
}
|
|
|
aa59cc |
@@ -593,10 +590,10 @@
|
|
|
aa59cc |
// The consuming happens in server side only.
|
|
|
aa59cc |
ServerHandshakeContext shc = (ServerHandshakeContext)context;
|
|
|
aa59cc |
|
|
|
aa59cc |
- if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
|
|
|
aa59cc |
+ if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) {
|
|
|
aa59cc |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
|
|
aa59cc |
SSLLogger.fine("Ignore unavailable extension: " +
|
|
|
aa59cc |
- CH_STATUS_REQUEST.name);
|
|
|
aa59cc |
+ SSLExtension.CH_STATUS_REQUEST.name);
|
|
|
aa59cc |
}
|
|
|
aa59cc |
return; // ignore the extension
|
|
|
aa59cc |
}
|
|
|
aa59cc |
@@ -610,7 +607,7 @@
|
|
|
aa59cc |
}
|
|
|
aa59cc |
|
|
|
aa59cc |
// Update the context.
|
|
|
aa59cc |
- shc.handshakeExtensions.put(CH_STATUS_REQUEST, spec);
|
|
|
aa59cc |
+ shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST, spec);
|
|
|
aa59cc |
if (!shc.isResumption &&
|
|
|
aa59cc |
!shc.negotiatedProtocol.useTLS13PlusSpec()) {
|
|
|
aa59cc |
shc.handshakeProducers.put(SSLHandshake.CERTIFICATE_STATUS.id,
|
|
|
aa59cc |
@@ -654,13 +651,12 @@
|
|
|
aa59cc |
|
|
|
aa59cc |
// In response to "status_request" extension request only.
|
|
|
aa59cc |
CertStatusRequestSpec spec = (CertStatusRequestSpec)
|
|
|
aa59cc |
- shc.handshakeExtensions.get(CH_STATUS_REQUEST);
|
|
|
aa59cc |
+ shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST);
|
|
|
aa59cc |
if (spec == null) {
|
|
|
aa59cc |
// Ignore, no status_request extension requested.
|
|
|
aa59cc |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
|
|
aa59cc |
- SSLLogger.finest(
|
|
|
aa59cc |
- "Ignore unavailable extension: " +
|
|
|
aa59cc |
- CH_STATUS_REQUEST.name);
|
|
|
aa59cc |
+ SSLLogger.finest("Ignore unavailable extension: " +
|
|
|
aa59cc |
+ SSLExtension.CH_STATUS_REQUEST.name);
|
|
|
aa59cc |
}
|
|
|
aa59cc |
|
|
|
aa59cc |
return null; // ignore the extension
|
|
|
aa59cc |
@@ -681,8 +677,8 @@
|
|
|
aa59cc |
byte[] extData = new byte[0];
|
|
|
aa59cc |
|
|
|
aa59cc |
// Update the context.
|
|
|
aa59cc |
- shc.handshakeExtensions.put(
|
|
|
aa59cc |
- SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
|
|
|
aa59cc |
+ shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST,
|
|
|
aa59cc |
+ CertStatusRequestSpec.DEFAULT);
|
|
|
aa59cc |
|
|
|
aa59cc |
return extData;
|
|
|
aa59cc |
}
|
|
|
aa59cc |
@@ -708,7 +704,7 @@
|
|
|
aa59cc |
|
|
|
aa59cc |
// In response to "status_request" extension request only.
|
|
|
aa59cc |
CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec)
|
|
|
aa59cc |
- chc.handshakeExtensions.get(CH_STATUS_REQUEST);
|
|
|
aa59cc |
+ chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST);
|
|
|
aa59cc |
if (requestedCsr == null) {
|
|
|
aa59cc |
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
|
|
|
aa59cc |
"Unexpected status_request extension in ServerHello");
|
|
|
aa59cc |
@@ -722,8 +718,8 @@
|
|
|
aa59cc |
}
|
|
|
aa59cc |
|
|
|
aa59cc |
// Update the context.
|
|
|
aa59cc |
- chc.handshakeExtensions.put(
|
|
|
aa59cc |
- SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
|
|
|
aa59cc |
+ chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST,
|
|
|
aa59cc |
+ CertStatusRequestSpec.DEFAULT);
|
|
|
aa59cc |
|
|
|
aa59cc |
// Since we've received a legitimate status_request in the
|
|
|
aa59cc |
// ServerHello, stapling is active if it's been enabled.
|
|
|
aa59cc |
@@ -909,7 +905,7 @@
|
|
|
aa59cc |
return null;
|
|
|
aa59cc |
}
|
|
|
aa59cc |
|
|
|
aa59cc |
- if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
|
|
|
aa59cc |
+ if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) {
|
|
|
aa59cc |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
|
|
aa59cc |
SSLLogger.finest(
|
|
|
aa59cc |
"Ignore unavailable status_request_v2 extension");
|
|
|
aa59cc |
@@ -926,8 +922,8 @@
|
|
|
aa59cc |
0x00, 0x07, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00};
|
|
|
aa59cc |
|
|
|
aa59cc |
// Update the context.
|
|
|
aa59cc |
- chc.handshakeExtensions.put(
|
|
|
aa59cc |
- CH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
|
|
|
aa59cc |
+ chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2,
|
|
|
aa59cc |
+ CertStatusRequestV2Spec.DEFAULT);
|
|
|
aa59cc |
|
|
|
aa59cc |
return extData;
|
|
|
aa59cc |
}
|
|
|
aa59cc |
@@ -951,7 +947,7 @@
|
|
|
aa59cc |
// The consuming happens in server side only.
|
|
|
aa59cc |
ServerHandshakeContext shc = (ServerHandshakeContext)context;
|
|
|
aa59cc |
|
|
|
aa59cc |
- if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
|
|
|
aa59cc |
+ if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) {
|
|
|
aa59cc |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
|
|
aa59cc |
SSLLogger.finest(
|
|
|
aa59cc |
"Ignore unavailable status_request_v2 extension");
|
|
|
aa59cc |
@@ -969,7 +965,8 @@
|
|
|
aa59cc |
}
|
|
|
aa59cc |
|
|
|
aa59cc |
// Update the context.
|
|
|
aa59cc |
- shc.handshakeExtensions.put(CH_STATUS_REQUEST_V2, spec);
|
|
|
aa59cc |
+ shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2,
|
|
|
aa59cc |
+ spec);
|
|
|
aa59cc |
if (!shc.isResumption) {
|
|
|
aa59cc |
shc.handshakeProducers.putIfAbsent(
|
|
|
aa59cc |
SSLHandshake.CERTIFICATE_STATUS.id,
|
|
|
aa59cc |
@@ -1013,7 +1010,7 @@
|
|
|
aa59cc |
|
|
|
aa59cc |
// In response to "status_request_v2" extension request only
|
|
|
aa59cc |
CertStatusRequestV2Spec spec = (CertStatusRequestV2Spec)
|
|
|
aa59cc |
- shc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
|
|
|
aa59cc |
+ shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2);
|
|
|
aa59cc |
if (spec == null) {
|
|
|
aa59cc |
// Ignore, no status_request_v2 extension requested.
|
|
|
aa59cc |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
|
|
aa59cc |
@@ -1038,8 +1035,8 @@
|
|
|
aa59cc |
byte[] extData = new byte[0];
|
|
|
aa59cc |
|
|
|
aa59cc |
// Update the context.
|
|
|
aa59cc |
- shc.handshakeExtensions.put(
|
|
|
aa59cc |
- SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
|
|
|
aa59cc |
+ shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2,
|
|
|
aa59cc |
+ CertStatusRequestV2Spec.DEFAULT);
|
|
|
aa59cc |
|
|
|
aa59cc |
return extData;
|
|
|
aa59cc |
}
|
|
|
aa59cc |
@@ -1065,7 +1062,7 @@
|
|
|
aa59cc |
|
|
|
aa59cc |
// In response to "status_request" extension request only
|
|
|
aa59cc |
CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec)
|
|
|
aa59cc |
- chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
|
|
|
aa59cc |
+ chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2);
|
|
|
aa59cc |
if (requestedCsr == null) {
|
|
|
aa59cc |
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
|
|
|
aa59cc |
"Unexpected status_request_v2 extension in ServerHello");
|
|
|
aa59cc |
@@ -1079,8 +1076,8 @@
|
|
|
aa59cc |
}
|
|
|
aa59cc |
|
|
|
aa59cc |
// Update the context.
|
|
|
aa59cc |
- chc.handshakeExtensions.put(
|
|
|
aa59cc |
- SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
|
|
|
aa59cc |
+ chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2,
|
|
|
aa59cc |
+ CertStatusRequestV2Spec.DEFAULT);
|
|
|
aa59cc |
|
|
|
aa59cc |
// Since we've received a legitimate status_request in the
|
|
|
aa59cc |
// ServerHello, stapling is active if it's been enabled. If it
|
|
|
aa59cc |
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
|
|
|
aa59cc |
--- a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
|
|
|
aa59cc |
+++ b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
|
|
|
aa59cc |
@@ -1,5 +1,5 @@
|
|
|
aa59cc |
/*
|
|
|
aa59cc |
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
|
|
|
aa59cc |
+ * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
|
aa59cc |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
aa59cc |
*
|
|
|
aa59cc |
* This code is free software; you can redistribute it and/or modify it
|
|
|
aa59cc |
@@ -113,7 +113,6 @@
|
|
|
aa59cc |
null,
|
|
|
aa59cc |
null,
|
|
|
aa59cc |
CertStatusExtension.certStatusReqStringizer),
|
|
|
aa59cc |
-
|
|
|
aa59cc |
CR_STATUS_REQUEST (0x0005, "status_request"),
|
|
|
aa59cc |
CT_STATUS_REQUEST (0x0005, "status_request",
|
|
|
aa59cc |
SSLHandshake.CERTIFICATE,
|
|
|
aa59cc |
@@ -124,6 +123,7 @@
|
|
|
aa59cc |
null,
|
|
|
aa59cc |
null,
|
|
|
aa59cc |
CertStatusExtension.certStatusRespStringizer),
|
|
|
aa59cc |
+
|
|
|
aa59cc |
// extensions defined in RFC 4681
|
|
|
aa59cc |
USER_MAPPING (0x0006, "user_mapping"),
|
|
|
aa59cc |
|
|
|
aa59cc |
@@ -515,6 +515,16 @@
|
|
|
aa59cc |
return null;
|
|
|
aa59cc |
}
|
|
|
aa59cc |
|
|
|
aa59cc |
+ static String nameOf(int extensionType) {
|
|
|
aa59cc |
+ for (SSLExtension ext : SSLExtension.values()) {
|
|
|
aa59cc |
+ if (ext.id == extensionType) {
|
|
|
aa59cc |
+ return ext.name;
|
|
|
aa59cc |
+ }
|
|
|
aa59cc |
+ }
|
|
|
aa59cc |
+
|
|
|
aa59cc |
+ return "unknown extension";
|
|
|
aa59cc |
+ }
|
|
|
aa59cc |
+
|
|
|
aa59cc |
static boolean isConsumable(int extensionType) {
|
|
|
aa59cc |
for (SSLExtension ext : SSLExtension.values()) {
|
|
|
aa59cc |
if (ext.id == extensionType &&
|
|
|
aa59cc |
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
|
|
|
aa59cc |
--- a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
|
|
|
aa59cc |
+++ b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
|
|
|
aa59cc |
@@ -1,5 +1,5 @@
|
|
|
aa59cc |
/*
|
|
|
aa59cc |
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
|
|
|
aa59cc |
+ * Copyright (c) 2018, 2020 Oracle and/or its affiliates. All rights reserved.
|
|
|
aa59cc |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
aa59cc |
*
|
|
|
aa59cc |
* This code is free software; you can redistribute it and/or modify it
|
|
|
aa59cc |
@@ -86,11 +86,14 @@
|
|
|
aa59cc |
"Received buggy supported_groups extension " +
|
|
|
aa59cc |
"in the ServerHello handshake message");
|
|
|
aa59cc |
}
|
|
|
aa59cc |
- } else {
|
|
|
aa59cc |
+ } else if (handshakeType == SSLHandshake.SERVER_HELLO) {
|
|
|
aa59cc |
throw hm.handshakeContext.conContext.fatal(
|
|
|
aa59cc |
- Alert.UNSUPPORTED_EXTENSION,
|
|
|
aa59cc |
- "extension (" + extId +
|
|
|
aa59cc |
- ") should not be presented in " + handshakeType.name);
|
|
|
aa59cc |
+ Alert.UNSUPPORTED_EXTENSION, "extension (" +
|
|
|
aa59cc |
+ extId + ") should not be presented in " +
|
|
|
aa59cc |
+ handshakeType.name);
|
|
|
aa59cc |
+ } else {
|
|
|
aa59cc |
+ isSupported = false;
|
|
|
aa59cc |
+ // debug log to ignore unknown extension for handshakeType
|
|
|
aa59cc |
}
|
|
|
aa59cc |
}
|
|
|
aa59cc |
|
|
|
aa59cc |
@@ -365,9 +368,10 @@
|
|
|
aa59cc |
}
|
|
|
aa59cc |
|
|
|
aa59cc |
private static String toString(int extId, byte[] extData) {
|
|
|
aa59cc |
+ String extName = SSLExtension.nameOf(extId);
|
|
|
aa59cc |
MessageFormat messageFormat = new MessageFormat(
|
|
|
aa59cc |
- "\"unknown extension ({0})\": '{'\n" +
|
|
|
aa59cc |
- "{1}\n" +
|
|
|
aa59cc |
+ "\"{0} ({1})\": '{'\n" +
|
|
|
aa59cc |
+ "{2}\n" +
|
|
|
aa59cc |
"'}'",
|
|
|
aa59cc |
Locale.ENGLISH);
|
|
|
aa59cc |
|
|
|
aa59cc |
@@ -375,6 +379,7 @@
|
|
|
aa59cc |
String encoded = hexEncoder.encodeBuffer(extData);
|
|
|
aa59cc |
|
|
|
aa59cc |
Object[] messageFields = {
|
|
|
aa59cc |
+ extName,
|
|
|
aa59cc |
extId,
|
|
|
aa59cc |
Utilities.indent(encoded)
|
|
|
aa59cc |
};
|