Exemplo n.º 1
0
/**
 * Handshaker ... processes handshake records from an SSL V3.0 data stream, handling all the details
 * of the handshake protocol.
 *
 * <p>Note that the real protocol work is done in two subclasses, the base class just provides the
 * control flow and key generation framework.
 *
 * @author David Brownell
 */
abstract class Handshaker {

  // protocol version being established using this Handshaker
  ProtocolVersion protocolVersion;

  // the currently active protocol version during a renegotiation
  ProtocolVersion activeProtocolVersion;

  // security parameters for secure renegotiation.
  boolean secureRenegotiation;
  byte[] clientVerifyData;
  byte[] serverVerifyData;

  // Is it an initial negotiation  or a renegotiation?
  boolean isInitialHandshake;

  // List of enabled protocols
  private ProtocolList enabledProtocols;

  // List of enabled CipherSuites
  private CipherSuiteList enabledCipherSuites;

  // The endpoint identification protocol
  String identificationProtocol;

  // The cryptographic algorithm constraints
  private AlgorithmConstraints algorithmConstraints = null;

  // Local supported signature and algorithms
  Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;

  // Peer supported signature and algorithms
  Collection<SignatureAndHashAlgorithm> peerSupportedSignAlgs;

  /*

  /*
   * List of active protocols
   *
   * Active protocols is a subset of enabled protocols, and will
   * contain only those protocols that have vaild cipher suites
   * enabled.
   */
  private ProtocolList activeProtocols;

  /*
   * List of active cipher suites
   *
   * Active cipher suites is a subset of enabled cipher suites, and will
   * contain only those cipher suites available for the active protocols.
   */
  private CipherSuiteList activeCipherSuites;

  private boolean isClient;
  private boolean needCertVerify;

  SSLSocketImpl conn = null;
  SSLEngineImpl engine = null;

  HandshakeHash handshakeHash;
  HandshakeInStream input;
  HandshakeOutStream output;
  int state;
  SSLContextImpl sslContext;
  RandomCookie clnt_random, svr_random;
  SSLSessionImpl session;

  // current CipherSuite. Never null, initially SSL_NULL_WITH_NULL_NULL
  CipherSuite cipherSuite;

  // current key exchange. Never null, initially K_NULL
  KeyExchange keyExchange;

  /* True if this session is being resumed (fast handshake) */
  boolean resumingSession;

  /* True if it's OK to start a new SSL session */
  boolean enableNewSession;

  // Temporary storage for the individual keys. Set by
  // calculateConnectionKeys() and cleared once the ciphers are
  // activated.
  private SecretKey clntWriteKey, svrWriteKey;
  private IvParameterSpec clntWriteIV, svrWriteIV;
  private SecretKey clntMacSecret, svrMacSecret;

  /*
   * Delegated task subsystem data structures.
   *
   * If thrown is set, we need to propagate this back immediately
   * on entry into processMessage().
   *
   * Data is protected by the SSLEngine.this lock.
   */
  private volatile boolean taskDelegated = false;
  private volatile DelegatedTask delegatedTask = null;
  private volatile Exception thrown = null;

  // Could probably use a java.util.concurrent.atomic.AtomicReference
  // here instead of using this lock.  Consider changing.
  private Object thrownLock = new Object();

  /* Class and subclass dynamic debugging support */
  static final Debug debug = Debug.getInstance("ssl");

  // By default, disable the unsafe legacy session renegotiation
  static final boolean allowUnsafeRenegotiation =
      Debug.getBooleanProperty("sun.security.ssl.allowUnsafeRenegotiation", false);

  // For maximum interoperability and backward compatibility, RFC 5746
  // allows server (or client) to accept ClientHello (or ServerHello)
  // message without the secure renegotiation_info extension or SCSV.
  //
  // For maximum security, RFC 5746 also allows server (or client) to
  // reject such message with a fatal "handshake_failure" alert.
  //
  // By default, allow such legacy hello messages.
  static final boolean allowLegacyHelloMessages =
      Debug.getBooleanProperty("sun.security.ssl.allowLegacyHelloMessages", true);

  // need to dispose the object when it is invalidated
  boolean invalidated;

  Handshaker(
      SSLSocketImpl c,
      SSLContextImpl context,
      ProtocolList enabledProtocols,
      boolean needCertVerify,
      boolean isClient,
      ProtocolVersion activeProtocolVersion,
      boolean isInitialHandshake,
      boolean secureRenegotiation,
      byte[] clientVerifyData,
      byte[] serverVerifyData) {
    this.conn = c;
    init(
        context,
        enabledProtocols,
        needCertVerify,
        isClient,
        activeProtocolVersion,
        isInitialHandshake,
        secureRenegotiation,
        clientVerifyData,
        serverVerifyData);
  }

  Handshaker(
      SSLEngineImpl engine,
      SSLContextImpl context,
      ProtocolList enabledProtocols,
      boolean needCertVerify,
      boolean isClient,
      ProtocolVersion activeProtocolVersion,
      boolean isInitialHandshake,
      boolean secureRenegotiation,
      byte[] clientVerifyData,
      byte[] serverVerifyData) {
    this.engine = engine;
    init(
        context,
        enabledProtocols,
        needCertVerify,
        isClient,
        activeProtocolVersion,
        isInitialHandshake,
        secureRenegotiation,
        clientVerifyData,
        serverVerifyData);
  }

  private void init(
      SSLContextImpl context,
      ProtocolList enabledProtocols,
      boolean needCertVerify,
      boolean isClient,
      ProtocolVersion activeProtocolVersion,
      boolean isInitialHandshake,
      boolean secureRenegotiation,
      byte[] clientVerifyData,
      byte[] serverVerifyData) {

    if (debug != null && Debug.isOn("handshake")) {
      System.out.println(
          "Allow unsafe renegotiation: "
              + allowUnsafeRenegotiation
              + "\nAllow legacy hello messages: "
              + allowLegacyHelloMessages
              + "\nIs initial handshake: "
              + isInitialHandshake
              + "\nIs secure renegotiation: "
              + secureRenegotiation);
    }

    this.sslContext = context;
    this.isClient = isClient;
    this.needCertVerify = needCertVerify;
    this.activeProtocolVersion = activeProtocolVersion;
    this.isInitialHandshake = isInitialHandshake;
    this.secureRenegotiation = secureRenegotiation;
    this.clientVerifyData = clientVerifyData;
    this.serverVerifyData = serverVerifyData;
    enableNewSession = true;
    invalidated = false;

    setCipherSuite(CipherSuite.C_NULL);
    setEnabledProtocols(enabledProtocols);

    if (conn != null) {
      algorithmConstraints = new SSLAlgorithmConstraints(conn, true);
    } else { // engine != null
      algorithmConstraints = new SSLAlgorithmConstraints(engine, true);
    }

    //
    // In addition to the connection state machine, controlling
    // how the connection deals with the different sorts of records
    // that get sent (notably handshake transitions!), there's
    // also a handshaking state machine that controls message
    // sequencing.
    //
    // It's a convenient artifact of the protocol that this can,
    // with only a couple of minor exceptions, be driven by the
    // type constant for the last message seen:  except for the
    // client's cert verify, those constants are in a convenient
    // order to drastically simplify state machine checking.
    //
    state = -2; // initialized but not activated
  }

  /*
   * Reroutes calls to the SSLSocket or SSLEngine (*SE).
   *
   * We could have also done it by extra classes
   * and letting them override, but this seemed much
   * less involved.
   */
  void fatalSE(byte b, String diagnostic) throws IOException {
    fatalSE(b, diagnostic, null);
  }

  void fatalSE(byte b, Throwable cause) throws IOException {
    fatalSE(b, null, cause);
  }

  void fatalSE(byte b, String diagnostic, Throwable cause) throws IOException {
    if (conn != null) {
      conn.fatal(b, diagnostic, cause);
    } else {
      engine.fatal(b, diagnostic, cause);
    }
  }

  void warningSE(byte b) {
    if (conn != null) {
      conn.warning(b);
    } else {
      engine.warning(b);
    }
  }

  String getRawHostnameSE() {
    if (conn != null) {
      return conn.getRawHostname();
    } else {
      return engine.getPeerHost();
    }
  }

  String getHostSE() {
    if (conn != null) {
      return conn.getHost();
    } else {
      return engine.getPeerHost();
    }
  }

  String getHostAddressSE() {
    if (conn != null) {
      return conn.getInetAddress().getHostAddress();
    } else {
      /*
       * This is for caching only, doesn't matter that's is really
       * a hostname.  The main thing is that it doesn't do
       * a reverse DNS lookup, potentially slowing things down.
       */
      return engine.getPeerHost();
    }
  }

  boolean isLoopbackSE() {
    if (conn != null) {
      return conn.getInetAddress().isLoopbackAddress();
    } else {
      return false;
    }
  }

  int getPortSE() {
    if (conn != null) {
      return conn.getPort();
    } else {
      return engine.getPeerPort();
    }
  }

  int getLocalPortSE() {
    if (conn != null) {
      return conn.getLocalPort();
    } else {
      return -1;
    }
  }

  AccessControlContext getAccSE() {
    if (conn != null) {
      return conn.getAcc();
    } else {
      return engine.getAcc();
    }
  }

  private void setVersionSE(ProtocolVersion protocolVersion) {
    if (conn != null) {
      conn.setVersion(protocolVersion);
    } else {
      engine.setVersion(protocolVersion);
    }
  }

  /**
   * Set the active protocol version and propagate it to the SSLSocket and our handshake streams.
   * Called from ClientHandshaker and ServerHandshaker with the negotiated protocol version.
   */
  void setVersion(ProtocolVersion protocolVersion) {
    this.protocolVersion = protocolVersion;
    setVersionSE(protocolVersion);

    output.r.setVersion(protocolVersion);
  }

  /**
   * Set the enabled protocols. Called from the constructor or
   * SSLSocketImpl/SSLEngineImpl.setEnabledProtocols() (if the handshake is not yet in progress).
   */
  void setEnabledProtocols(ProtocolList enabledProtocols) {
    activeCipherSuites = null;
    activeProtocols = null;

    this.enabledProtocols = enabledProtocols;
  }

  /**
   * Set the enabled cipher suites. Called from SSLSocketImpl/SSLEngineImpl.setEnabledCipherSuites()
   * (if the handshake is not yet in progress).
   */
  void setEnabledCipherSuites(CipherSuiteList enabledCipherSuites) {
    activeCipherSuites = null;
    activeProtocols = null;
    this.enabledCipherSuites = enabledCipherSuites;
  }

  /**
   * Set the algorithm constraints. Called from the constructor or
   * SSLSocketImpl/SSLEngineImpl.setAlgorithmConstraints() (if the handshake is not yet in
   * progress).
   */
  void setAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) {
    activeCipherSuites = null;
    activeProtocols = null;

    this.algorithmConstraints = new SSLAlgorithmConstraints(algorithmConstraints);
    this.localSupportedSignAlgs = null;
  }

  Collection<SignatureAndHashAlgorithm> getLocalSupportedSignAlgs() {
    if (localSupportedSignAlgs == null) {
      localSupportedSignAlgs =
          SignatureAndHashAlgorithm.getSupportedAlgorithms(algorithmConstraints);
    }

    return localSupportedSignAlgs;
  }

  void setPeerSupportedSignAlgs(Collection<SignatureAndHashAlgorithm> algorithms) {
    peerSupportedSignAlgs = new ArrayList<SignatureAndHashAlgorithm>(algorithms);
  }

  Collection<SignatureAndHashAlgorithm> getPeerSupportedSignAlgs() {
    return peerSupportedSignAlgs;
  }

  /**
   * Set the identification protocol. Called from the constructor or
   * SSLSocketImpl/SSLEngineImpl.setIdentificationProtocol() (if the handshake is not yet in
   * progress).
   */
  void setIdentificationProtocol(String protocol) {
    this.identificationProtocol = protocol;
  }

  /**
   * Prior to handshaking, activate the handshake and initialize the version, input stream and
   * output stream.
   */
  void activate(ProtocolVersion helloVersion) throws IOException {
    if (activeProtocols == null) {
      activeProtocols = getActiveProtocols();
    }

    if (activeProtocols.collection().isEmpty() || activeProtocols.max.v == ProtocolVersion.NONE.v) {
      throw new SSLHandshakeException("No appropriate protocol");
    }

    if (activeCipherSuites == null) {
      activeCipherSuites = getActiveCipherSuites();
    }

    if (activeCipherSuites.collection().isEmpty()) {
      throw new SSLHandshakeException("No appropriate cipher suite");
    }

    // temporary protocol version until the actual protocol version
    // is negotiated in the Hello exchange. This affects the record
    // version we sent with the ClientHello.
    if (!isInitialHandshake) {
      protocolVersion = activeProtocolVersion;
    } else {
      protocolVersion = activeProtocols.max;
    }

    if (helloVersion == null || helloVersion.v == ProtocolVersion.NONE.v) {
      helloVersion = activeProtocols.helloVersion;
    }

    // We accumulate digests of the handshake messages so that
    // we can read/write CertificateVerify and Finished messages,
    // getting assurance against some particular active attacks.
    Set<String> localSupportedHashAlgorithms =
        SignatureAndHashAlgorithm.getHashAlgorithmNames(getLocalSupportedSignAlgs());
    handshakeHash = new HandshakeHash(!isClient, needCertVerify, localSupportedHashAlgorithms);

    // Generate handshake input/output stream.
    input = new HandshakeInStream(handshakeHash);
    if (conn != null) {
      output = new HandshakeOutStream(protocolVersion, helloVersion, handshakeHash, conn);
      conn.getAppInputStream().r.setHandshakeHash(handshakeHash);
      conn.getAppInputStream().r.setHelloVersion(helloVersion);
      conn.getAppOutputStream().r.setHelloVersion(helloVersion);
    } else {
      output = new HandshakeOutStream(protocolVersion, helloVersion, handshakeHash, engine);
      engine.inputRecord.setHandshakeHash(handshakeHash);
      engine.inputRecord.setHelloVersion(helloVersion);
      engine.outputRecord.setHelloVersion(helloVersion);
    }

    // move state to activated
    state = -1;
  }

  /**
   * Set cipherSuite and keyExchange to the given CipherSuite. Does not perform any verification
   * that this is a valid selection, this must be done before calling this method.
   */
  void setCipherSuite(CipherSuite s) {
    this.cipherSuite = s;
    this.keyExchange = s.keyExchange;
  }

  /**
   * Check if the given ciphersuite is enabled and available. Does not check if the required server
   * certificates are available.
   */
  boolean isNegotiable(CipherSuite s) {
    if (activeCipherSuites == null) {
      activeCipherSuites = getActiveCipherSuites();
    }

    return activeCipherSuites.contains(s) && s.isNegotiable();
  }

  /** Check if the given protocol version is enabled and available. */
  boolean isNegotiable(ProtocolVersion protocolVersion) {
    if (activeProtocols == null) {
      activeProtocols = getActiveProtocols();
    }

    return activeProtocols.contains(protocolVersion);
  }

  /**
   * Select a protocol version from the list. Called from ServerHandshaker to negotiate protocol
   * version.
   *
   * <p>Return the lower of the protocol version suggested in the clien hello and the highest
   * supported by the server.
   */
  ProtocolVersion selectProtocolVersion(ProtocolVersion protocolVersion) {
    if (activeProtocols == null) {
      activeProtocols = getActiveProtocols();
    }

    return activeProtocols.selectProtocolVersion(protocolVersion);
  }

  /**
   * Get the active cipher suites.
   *
   * <p>In TLS 1.1, many weak or vulnerable cipher suites were obsoleted, such as
   * TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT negotiate these cipher suites in
   * TLS 1.1 or later mode.
   *
   * <p>Therefore, when the active protocols only include TLS 1.1 or later, the client cannot
   * request to negotiate those obsoleted cipher suites. That is, the obsoleted suites should not be
   * included in the client hello. So we need to create a subset of the enabled cipher suites, the
   * active cipher suites, which does not contain obsoleted cipher suites of the minimum active
   * protocol.
   *
   * <p>Return empty list instead of null if no active cipher suites.
   */
  CipherSuiteList getActiveCipherSuites() {
    if (activeCipherSuites == null) {
      if (activeProtocols == null) {
        activeProtocols = getActiveProtocols();
      }

      ArrayList<CipherSuite> suites = new ArrayList<>();
      if (!(activeProtocols.collection().isEmpty())
          && activeProtocols.min.v != ProtocolVersion.NONE.v) {
        for (CipherSuite suite : enabledCipherSuites.collection()) {
          if (suite.obsoleted > activeProtocols.min.v && suite.supported <= activeProtocols.max.v) {
            if (algorithmConstraints.permits(
                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) {
              suites.add(suite);
            }
          } else if (debug != null && Debug.isOn("verbose")) {
            if (suite.obsoleted <= activeProtocols.min.v) {
              System.out.println("Ignoring obsoleted cipher suite: " + suite);
            } else {
              System.out.println("Ignoring unsupported cipher suite: " + suite);
            }
          }
        }
      }
      activeCipherSuites = new CipherSuiteList(suites);
    }

    return activeCipherSuites;
  }

  /*
   * Get the active protocol versions.
   *
   * In TLS 1.1, many weak or vulnerable cipher suites were obsoleted,
   * such as TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT
   * negotiate these cipher suites in TLS 1.1 or later mode.
   *
   * For example, if "TLS_RSA_EXPORT_WITH_RC4_40_MD5" is the
   * only enabled cipher suite, the client cannot request TLS 1.1 or
   * later, even though TLS 1.1 or later is enabled.  We need to create a
   * subset of the enabled protocols, called the active protocols, which
   * contains protocols appropriate to the list of enabled Ciphersuites.
   *
   * Return empty list instead of null if no active protocol versions.
   */
  ProtocolList getActiveProtocols() {
    if (activeProtocols == null) {
      ArrayList<ProtocolVersion> protocols = new ArrayList<>(4);
      for (ProtocolVersion protocol : enabledProtocols.collection()) {
        boolean found = false;
        for (CipherSuite suite : enabledCipherSuites.collection()) {
          if (suite.isAvailable()
              && suite.obsoleted > protocol.v
              && suite.supported <= protocol.v) {
            if (algorithmConstraints.permits(
                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) {
              protocols.add(protocol);
              found = true;
              break;
            } else if (debug != null && Debug.isOn("verbose")) {
              System.out.println("Ignoring disabled cipher suite: " + suite + " for " + protocol);
            }
          } else if (debug != null && Debug.isOn("verbose")) {
            System.out.println("Ignoring unsupported cipher suite: " + suite + " for " + protocol);
          }
        }
        if (!found && (debug != null) && Debug.isOn("handshake")) {
          System.out.println("No available cipher suite for " + protocol);
        }
      }
      activeProtocols = new ProtocolList(protocols);
    }

    return activeProtocols;
  }

  /**
   * As long as handshaking has not activated, we can change whether session creations are allowed.
   *
   * <p>Callers should do their own checking if handshaking has activated.
   */
  void setEnableSessionCreation(boolean newSessions) {
    enableNewSession = newSessions;
  }

  /** Create a new read cipher and return it to caller. */
  CipherBox newReadCipher() throws NoSuchAlgorithmException {
    BulkCipher cipher = cipherSuite.cipher;
    CipherBox box;
    if (isClient) {
      box =
          cipher.newCipher(
              protocolVersion, svrWriteKey, svrWriteIV, sslContext.getSecureRandom(), false);
      svrWriteKey = null;
      svrWriteIV = null;
    } else {
      box =
          cipher.newCipher(
              protocolVersion, clntWriteKey, clntWriteIV, sslContext.getSecureRandom(), false);
      clntWriteKey = null;
      clntWriteIV = null;
    }
    return box;
  }

  /** Create a new write cipher and return it to caller. */
  CipherBox newWriteCipher() throws NoSuchAlgorithmException {
    BulkCipher cipher = cipherSuite.cipher;
    CipherBox box;
    if (isClient) {
      box =
          cipher.newCipher(
              protocolVersion, clntWriteKey, clntWriteIV, sslContext.getSecureRandom(), true);
      clntWriteKey = null;
      clntWriteIV = null;
    } else {
      box =
          cipher.newCipher(
              protocolVersion, svrWriteKey, svrWriteIV, sslContext.getSecureRandom(), true);
      svrWriteKey = null;
      svrWriteIV = null;
    }
    return box;
  }

  /** Create a new read MAC and return it to caller. */
  MAC newReadMAC() throws NoSuchAlgorithmException, InvalidKeyException {
    MacAlg macAlg = cipherSuite.macAlg;
    MAC mac;
    if (isClient) {
      mac = macAlg.newMac(protocolVersion, svrMacSecret);
      svrMacSecret = null;
    } else {
      mac = macAlg.newMac(protocolVersion, clntMacSecret);
      clntMacSecret = null;
    }
    return mac;
  }

  /** Create a new write MAC and return it to caller. */
  MAC newWriteMAC() throws NoSuchAlgorithmException, InvalidKeyException {
    MacAlg macAlg = cipherSuite.macAlg;
    MAC mac;
    if (isClient) {
      mac = macAlg.newMac(protocolVersion, clntMacSecret);
      clntMacSecret = null;
    } else {
      mac = macAlg.newMac(protocolVersion, svrMacSecret);
      svrMacSecret = null;
    }
    return mac;
  }

  /*
   * Returns true iff the handshake sequence is done, so that
   * this freshly created session can become the current one.
   */
  boolean isDone() {
    return state == HandshakeMessage.ht_finished;
  }

  /*
   * Returns the session which was created through this
   * handshake sequence ... should be called after isDone()
   * returns true.
   */
  SSLSessionImpl getSession() {
    return session;
  }

  /*
   * Set the handshake session
   */
  void setHandshakeSessionSE(SSLSessionImpl handshakeSession) {
    if (conn != null) {
      conn.setHandshakeSession(handshakeSession);
    } else {
      engine.setHandshakeSession(handshakeSession);
    }
  }

  /*
   * Returns true if renegotiation is in use for this connection.
   */
  boolean isSecureRenegotiation() {
    return secureRenegotiation;
  }

  /*
   * Returns the verify_data from the Finished message sent by the client.
   */
  byte[] getClientVerifyData() {
    return clientVerifyData;
  }

  /*
   * Returns the verify_data from the Finished message sent by the server.
   */
  byte[] getServerVerifyData() {
    return serverVerifyData;
  }

  /*
   * This routine is fed SSL handshake records when they become available,
   * and processes messages found therein.
   */
  void process_record(InputRecord r, boolean expectingFinished) throws IOException {

    checkThrown();

    /*
     * Store the incoming handshake data, then see if we can
     * now process any completed handshake messages
     */
    input.incomingRecord(r);

    /*
     * We don't need to create a separate delegatable task
     * for finished messages.
     */
    if ((conn != null) || expectingFinished) {
      processLoop();
    } else {
      delegateTask(
          new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
              processLoop();
              return null;
            }
          });
    }
  }

  /*
   * On input, we hash messages one at a time since servers may need
   * to access an intermediate hash to validate a CertificateVerify
   * message.
   *
   * Note that many handshake messages can come in one record (and often
   * do, to reduce network resource utilization), and one message can also
   * require multiple records (e.g. very large Certificate messages).
   */
  void processLoop() throws IOException {

    // need to read off 4 bytes at least to get the handshake
    // message type and length.
    while (input.available() >= 4) {
      byte messageType;
      int messageLen;

      /*
       * See if we can read the handshake message header, and
       * then the entire handshake message.  If not, wait till
       * we can read and process an entire message.
       */
      input.mark(4);

      messageType = (byte) input.getInt8();
      messageLen = input.getInt24();

      if (input.available() < messageLen) {
        input.reset();
        return;
      }

      /*
       * Process the messsage.  We require
       * that processMessage() consumes the entire message.  In
       * lieu of explicit error checks (how?!) we assume that the
       * data will look like garbage on encoding/processing errors,
       * and that other protocol code will detect such errors.
       *
       * Note that digesting is normally deferred till after the
       * message has been processed, though to process at least the
       * client's Finished message (i.e. send the server's) we need
       * to acccelerate that digesting.
       *
       * Also, note that hello request messages are never hashed;
       * that includes the hello request header, too.
       */
      if (messageType == HandshakeMessage.ht_hello_request) {
        input.reset();
        processMessage(messageType, messageLen);
        input.ignore(4 + messageLen);
      } else {
        input.mark(messageLen);
        processMessage(messageType, messageLen);
        input.digestNow();
      }
    }
  }

  /**
   * Returns true iff the handshaker has been activated.
   *
   * <p>In activated state, the handshaker may not send any messages out.
   */
  boolean activated() {
    return state >= -1;
  }

  /** Returns true iff the handshaker has sent any messages. */
  boolean started() {
    return state >= 0; // 0: HandshakeMessage.ht_hello_request
    // 1: HandshakeMessage.ht_client_hello
  }

  /*
   * Used to kickstart the negotiation ... either writing a
   * ClientHello or a HelloRequest as appropriate, whichever
   * the subclass returns.  NOP if handshaking's already started.
   */
  void kickstart() throws IOException {
    if (state >= 0) {
      return;
    }

    HandshakeMessage m = getKickstartMessage();

    if (debug != null && Debug.isOn("handshake")) {
      m.print(System.out);
    }
    m.write(output);
    output.flush();

    state = m.messageType();
  }

  /**
   * Both client and server modes can start handshaking; but the message they send to do so is
   * different.
   */
  abstract HandshakeMessage getKickstartMessage() throws SSLException;

  /*
   * Client and Server side protocols are each driven though this
   * call, which processes a single message and drives the appropriate
   * side of the protocol state machine (depending on the subclass).
   */
  abstract void processMessage(byte messageType, int messageLen) throws IOException;

  /*
   * Most alerts in the protocol relate to handshaking problems.
   * Alerts are detected as the connection reads data.
   */
  abstract void handshakeAlert(byte description) throws SSLProtocolException;

  /*
   * Sends a change cipher spec message and updates the write side
   * cipher state so that future messages use the just-negotiated spec.
   */
  void sendChangeCipherSpec(Finished mesg, boolean lastMessage) throws IOException {

    output.flush(); // i.e. handshake data

    /*
     * The write cipher state is protected by the connection write lock
     * so we must grab it while making the change. We also
     * make sure no writes occur between sending the ChangeCipherSpec
     * message, installing the new cipher state, and sending the
     * Finished message.
     *
     * We already hold SSLEngine/SSLSocket "this" by virtue
     * of this being called from the readRecord code.
     */
    OutputRecord r;
    if (conn != null) {
      r = new OutputRecord(Record.ct_change_cipher_spec);
    } else {
      r = new EngineOutputRecord(Record.ct_change_cipher_spec, engine);
    }

    r.setVersion(protocolVersion);
    r.write(1); // single byte of data

    if (conn != null) {
      conn.writeLock.lock();
      try {
        conn.writeRecord(r);
        conn.changeWriteCiphers();
        if (debug != null && Debug.isOn("handshake")) {
          mesg.print(System.out);
        }
        mesg.write(output);
        output.flush();
      } finally {
        conn.writeLock.unlock();
      }
    } else {
      synchronized (engine.writeLock) {
        engine.writeRecord((EngineOutputRecord) r);
        engine.changeWriteCiphers();
        if (debug != null && Debug.isOn("handshake")) {
          mesg.print(System.out);
        }
        mesg.write(output);

        if (lastMessage) {
          output.setFinishedMsg();
        }
        output.flush();
      }
    }
  }

  /*
   * Single access point to key calculation logic.  Given the
   * pre-master secret and the nonces from client and server,
   * produce all the keying material to be used.
   */
  void calculateKeys(SecretKey preMasterSecret, ProtocolVersion version) {
    SecretKey master = calculateMasterSecret(preMasterSecret, version);
    session.setMasterSecret(master);
    calculateConnectionKeys(master);
  }

  /*
   * Calculate the master secret from its various components.  This is
   * used for key exchange by all cipher suites.
   *
   * The master secret is the catenation of three MD5 hashes, each
   * consisting of the pre-master secret and a SHA1 hash.  Those three
   * SHA1 hashes are of (different) constant strings, the pre-master
   * secret, and the nonces provided by the client and the server.
   */
  private SecretKey calculateMasterSecret(
      SecretKey preMasterSecret, ProtocolVersion requestedVersion) {

    if (debug != null && Debug.isOn("keygen")) {
      HexDumpEncoder dump = new HexDumpEncoder();

      System.out.println("SESSION KEYGEN:");

      System.out.println("PreMaster Secret:");
      printHex(dump, preMasterSecret.getEncoded());

      // Nonces are dumped with connection keygen, no
      // benefit to doing it twice
    }

    // What algs/params do we need to use?
    String masterAlg;
    PRF prf;

    if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
      masterAlg = "SunTls12MasterSecret";
      prf = cipherSuite.prfAlg;
    } else {
      masterAlg = "SunTlsMasterSecret";
      prf = P_NONE;
    }

    String prfHashAlg = prf.getPRFHashAlg();
    int prfHashLength = prf.getPRFHashLength();
    int prfBlockSize = prf.getPRFBlockSize();

    TlsMasterSecretParameterSpec spec =
        new TlsMasterSecretParameterSpec(
            preMasterSecret,
            protocolVersion.major,
            protocolVersion.minor,
            clnt_random.random_bytes,
            svr_random.random_bytes,
            prfHashAlg,
            prfHashLength,
            prfBlockSize);

    SecretKey masterSecret;
    try {
      KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
      kg.init(spec);
      masterSecret = kg.generateKey();
    } catch (GeneralSecurityException e) {
      // For RSA premaster secrets, do not signal a protocol error
      // due to the Bleichenbacher attack. See comments further down.
      if (!preMasterSecret.getAlgorithm().equals("TlsRsaPremasterSecret")) {
        throw new ProviderException(e);
      }

      if (debug != null && Debug.isOn("handshake")) {
        System.out.println("RSA master secret generation error:");
        e.printStackTrace(System.out);
        System.out.println("Generating new random premaster secret");
      }

      if (requestedVersion != null) {
        preMasterSecret = RSAClientKeyExchange.generateDummySecret(requestedVersion);
      } else {
        preMasterSecret = RSAClientKeyExchange.generateDummySecret(protocolVersion);
      }

      // recursive call with new premaster secret
      return calculateMasterSecret(preMasterSecret, null);
    }

    // if no version check requested (client side handshake), or version
    // information is not available (not an RSA premaster secret),
    // return master secret immediately.
    if ((requestedVersion == null) || !(masterSecret instanceof TlsMasterSecret)) {
      return masterSecret;
    }

    // we have checked the ClientKeyExchange message when reading TLS
    // record, the following check is necessary to ensure that
    // JCE provider does not ignore the checking, or the previous
    // checking process bypassed the premaster secret version checking.
    TlsMasterSecret tlsKey = (TlsMasterSecret) masterSecret;
    int major = tlsKey.getMajorVersion();
    int minor = tlsKey.getMinorVersion();
    if ((major < 0) || (minor < 0)) {
      return masterSecret;
    }

    // check if the premaster secret version is ok
    // the specification says that it must be the maximum version supported
    // by the client from its ClientHello message. However, many
    // implementations send the negotiated version, so accept both
    // for SSL v3.0 and TLS v1.0.
    // NOTE that we may be comparing two unsupported version numbers, which
    // is why we cannot use object reference equality in this special case.
    ProtocolVersion premasterVersion = ProtocolVersion.valueOf(major, minor);
    boolean versionMismatch = (premasterVersion.v != requestedVersion.v);

    /*
     * we never checked the client_version in server side
     * for TLS v1.0 and SSL v3.0. For compatibility, we
     * maintain this behavior.
     */
    if (versionMismatch && requestedVersion.v <= ProtocolVersion.TLS10.v) {
      versionMismatch = (premasterVersion.v != protocolVersion.v);
    }

    if (versionMismatch == false) {
      // check passed, return key
      return masterSecret;
    }

    // Due to the Bleichenbacher attack, do not signal a protocol error.
    // Generate a random premaster secret and continue with the handshake,
    // which will fail when verifying the finished messages.
    // For more information, see comments in PreMasterSecret.
    if (debug != null && Debug.isOn("handshake")) {
      System.out.println(
          "RSA PreMasterSecret version error: expected"
              + protocolVersion
              + " or "
              + requestedVersion
              + ", decrypted: "
              + premasterVersion);
      System.out.println("Generating new random premaster secret");
    }
    preMasterSecret = RSAClientKeyExchange.generateDummySecret(requestedVersion);

    // recursive call with new premaster secret
    return calculateMasterSecret(preMasterSecret, null);
  }

  /*
   * Calculate the keys needed for this connection, once the session's
   * master secret has been calculated.  Uses the master key and nonces;
   * the amount of keying material generated is a function of the cipher
   * suite that's been negotiated.
   *
   * This gets called both on the "full handshake" (where we exchanged
   * a premaster secret and started a new session) as well as on the
   * "fast handshake" (where we just resumed a pre-existing session).
   */
  void calculateConnectionKeys(SecretKey masterKey) {
    /*
     * For both the read and write sides of the protocol, we use the
     * master to generate MAC secrets and cipher keying material.  Block
     * ciphers need initialization vectors, which we also generate.
     *
     * First we figure out how much keying material is needed.
     */
    int hashSize = cipherSuite.macAlg.size;
    boolean is_exportable = cipherSuite.exportable;
    BulkCipher cipher = cipherSuite.cipher;
    int expandedKeySize = is_exportable ? cipher.expandedKeySize : 0;

    // Which algs/params do we need to use?
    String keyMaterialAlg;
    PRF prf;

    if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
      keyMaterialAlg = "SunTls12KeyMaterial";
      prf = cipherSuite.prfAlg;
    } else {
      keyMaterialAlg = "SunTlsKeyMaterial";
      prf = P_NONE;
    }

    String prfHashAlg = prf.getPRFHashAlg();
    int prfHashLength = prf.getPRFHashLength();
    int prfBlockSize = prf.getPRFBlockSize();

    TlsKeyMaterialParameterSpec spec =
        new TlsKeyMaterialParameterSpec(
            masterKey,
            protocolVersion.major,
            protocolVersion.minor,
            clnt_random.random_bytes,
            svr_random.random_bytes,
            cipher.algorithm,
            cipher.keySize,
            expandedKeySize,
            cipher.ivSize,
            hashSize,
            prfHashAlg,
            prfHashLength,
            prfBlockSize);

    try {
      KeyGenerator kg = JsseJce.getKeyGenerator(keyMaterialAlg);
      kg.init(spec);
      TlsKeyMaterialSpec keySpec = (TlsKeyMaterialSpec) kg.generateKey();

      clntWriteKey = keySpec.getClientCipherKey();
      svrWriteKey = keySpec.getServerCipherKey();

      // Return null if IVs are not supposed to be generated.
      // e.g. TLS 1.1+.
      clntWriteIV = keySpec.getClientIv();
      svrWriteIV = keySpec.getServerIv();

      clntMacSecret = keySpec.getClientMacKey();
      svrMacSecret = keySpec.getServerMacKey();
    } catch (GeneralSecurityException e) {
      throw new ProviderException(e);
    }

    //
    // Dump the connection keys as they're generated.
    //
    if (debug != null && Debug.isOn("keygen")) {
      synchronized (System.out) {
        HexDumpEncoder dump = new HexDumpEncoder();

        System.out.println("CONNECTION KEYGEN:");

        // Inputs:
        System.out.println("Client Nonce:");
        printHex(dump, clnt_random.random_bytes);
        System.out.println("Server Nonce:");
        printHex(dump, svr_random.random_bytes);
        System.out.println("Master Secret:");
        printHex(dump, masterKey.getEncoded());

        // Outputs:
        System.out.println("Client MAC write Secret:");
        printHex(dump, clntMacSecret.getEncoded());
        System.out.println("Server MAC write Secret:");
        printHex(dump, svrMacSecret.getEncoded());

        if (clntWriteKey != null) {
          System.out.println("Client write key:");
          printHex(dump, clntWriteKey.getEncoded());
          System.out.println("Server write key:");
          printHex(dump, svrWriteKey.getEncoded());
        } else {
          System.out.println("... no encryption keys used");
        }

        if (clntWriteIV != null) {
          System.out.println("Client write IV:");
          printHex(dump, clntWriteIV.getIV());
          System.out.println("Server write IV:");
          printHex(dump, svrWriteIV.getIV());
        } else {
          if (protocolVersion.v >= ProtocolVersion.TLS11.v) {
            System.out.println("... no IV derived for this protocol");
          } else {
            System.out.println("... no IV used for this cipher");
          }
        }
        System.out.flush();
      }
    }
  }

  private static void printHex(HexDumpEncoder dump, byte[] bytes) {
    if (bytes == null) {
      System.out.println("(key bytes not available)");
    } else {
      try {
        dump.encodeBuffer(bytes, System.out);
      } catch (IOException e) {
        // just for debugging, ignore this
      }
    }
  }

  /**
   * Throw an SSLException with the specified message and cause. Shorthand until a new SSLException
   * constructor is added. This method never returns.
   */
  static void throwSSLException(String msg, Throwable cause) throws SSLException {
    SSLException e = new SSLException(msg);
    e.initCause(cause);
    throw e;
  }

  /*
   * Implement a simple task delegator.
   *
   * We are currently implementing this as a single delegator, may
   * try for parallel tasks later.  Client Authentication could
   * benefit from this, where ClientKeyExchange/CertificateVerify
   * could be carried out in parallel.
   */
  class DelegatedTask<E> implements Runnable {

    private PrivilegedExceptionAction<E> pea;

    DelegatedTask(PrivilegedExceptionAction<E> pea) {
      this.pea = pea;
    }

    public void run() {
      synchronized (engine) {
        try {
          AccessController.doPrivileged(pea, engine.getAcc());
        } catch (PrivilegedActionException pae) {
          thrown = pae.getException();
        } catch (RuntimeException rte) {
          thrown = rte;
        }
        delegatedTask = null;
        taskDelegated = false;
      }
    }
  }

  private <T> void delegateTask(PrivilegedExceptionAction<T> pea) {
    delegatedTask = new DelegatedTask<T>(pea);
    taskDelegated = false;
    thrown = null;
  }

  DelegatedTask getTask() {
    if (!taskDelegated) {
      taskDelegated = true;
      return delegatedTask;
    } else {
      return null;
    }
  }

  /*
   * See if there are any tasks which need to be delegated
   *
   * Locked by SSLEngine.this.
   */
  boolean taskOutstanding() {
    return (delegatedTask != null);
  }

  /*
   * The previous caller failed for some reason, report back the
   * Exception.  We won't worry about Error's.
   *
   * Locked by SSLEngine.this.
   */
  void checkThrown() throws SSLException {
    synchronized (thrownLock) {
      if (thrown != null) {

        String msg = thrown.getMessage();

        if (msg == null) {
          msg = "Delegated task threw Exception/Error";
        }

        /*
         * See what the underlying type of exception is.  We should
         * throw the same thing.  Chain thrown to the new exception.
         */
        Exception e = thrown;
        thrown = null;

        if (e instanceof RuntimeException) {
          throw (RuntimeException) new RuntimeException(msg).initCause(e);
        } else if (e instanceof SSLHandshakeException) {
          throw (SSLHandshakeException) new SSLHandshakeException(msg).initCause(e);
        } else if (e instanceof SSLKeyException) {
          throw (SSLKeyException) new SSLKeyException(msg).initCause(e);
        } else if (e instanceof SSLPeerUnverifiedException) {
          throw (SSLPeerUnverifiedException) new SSLPeerUnverifiedException(msg).initCause(e);
        } else if (e instanceof SSLProtocolException) {
          throw (SSLProtocolException) new SSLProtocolException(msg).initCause(e);
        } else {
          /*
           * If it's SSLException or any other Exception,
           * we'll wrap it in an SSLException.
           */
          throw (SSLException) new SSLException(msg).initCause(e);
        }
      }
    }
  }
}
Exemplo n.º 2
0
/**
 * This class is used to process an OCSP response. The OCSP Response is defined in RFC 2560 and the
 * ASN.1 encoding is as follows:
 *
 * <pre>
 *
 *  OCSPResponse ::= SEQUENCE {
 *      responseStatus         OCSPResponseStatus,
 *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
 *
 *   OCSPResponseStatus ::= ENUMERATED {
 *       successful            (0),  --Response has valid confirmations
 *       malformedRequest      (1),  --Illegal confirmation request
 *       internalError         (2),  --Internal error in issuer
 *       tryLater              (3),  --Try again later
 *                                   --(4) is not used
 *       sigRequired           (5),  --Must sign the request
 *       unauthorized          (6)   --Request unauthorized
 *   }
 *
 *   ResponseBytes ::=       SEQUENCE {
 *       responseType   OBJECT IDENTIFIER,
 *       response       OCTET STRING }
 *
 *   BasicOCSPResponse       ::= SEQUENCE {
 *      tbsResponseData      ResponseData,
 *      signatureAlgorithm   AlgorithmIdentifier,
 *      signature            BIT STRING,
 *      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 *
 *   The value for signature SHALL be computed on the hash of the DER
 *   encoding ResponseData.
 *
 *   ResponseData ::= SEQUENCE {
 *      version              [0] EXPLICIT Version DEFAULT v1,
 *      responderID              ResponderID,
 *      producedAt               GeneralizedTime,
 *      responses                SEQUENCE OF SingleResponse,
 *      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
 *
 *   ResponderID ::= CHOICE {
 *      byName               [1] Name,
 *      byKey                [2] KeyHash }
 *
 *   KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
 *   (excluding the tag and length fields)
 *
 *   SingleResponse ::= SEQUENCE {
 *      certID                       CertID,
 *      certStatus                   CertStatus,
 *      thisUpdate                   GeneralizedTime,
 *      nextUpdate         [0]       EXPLICIT GeneralizedTime OPTIONAL,
 *      singleExtensions   [1]       EXPLICIT Extensions OPTIONAL }
 *
 *   CertStatus ::= CHOICE {
 *       good        [0]     IMPLICIT NULL,
 *       revoked     [1]     IMPLICIT RevokedInfo,
 *       unknown     [2]     IMPLICIT UnknownInfo }
 *
 *   RevokedInfo ::= SEQUENCE {
 *       revocationTime              GeneralizedTime,
 *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
 *
 *   UnknownInfo ::= NULL -- this can be replaced with an enumeration
 *
 * </pre>
 *
 * @author Ram Marti
 */
public final class OCSPResponse {

  public enum ResponseStatus {
    SUCCESSFUL, // Response has valid confirmations
    MALFORMED_REQUEST, // Illegal request
    INTERNAL_ERROR, // Internal error in responder
    TRY_LATER, // Try again later
    UNUSED, // is not used
    SIG_REQUIRED, // Must sign the request
    UNAUTHORIZED // Request unauthorized
  };

  private static ResponseStatus[] rsvalues = ResponseStatus.values();

  private static final Debug debug = Debug.getInstance("certpath");
  private static final boolean dump = false;
  private static final ObjectIdentifier OCSP_BASIC_RESPONSE_OID =
      ObjectIdentifier.newInternal(new int[] {1, 3, 6, 1, 5, 5, 7, 48, 1, 1});
  private static final int CERT_STATUS_GOOD = 0;
  private static final int CERT_STATUS_REVOKED = 1;
  private static final int CERT_STATUS_UNKNOWN = 2;

  // ResponderID CHOICE tags
  private static final int NAME_TAG = 1;
  private static final int KEY_TAG = 2;

  // Object identifier for the OCSPSigning key purpose
  private static final String KP_OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9";

  // Default maximum clock skew in milliseconds (15 minutes)
  // allowed when checking validity of OCSP responses
  private static final int DEFAULT_MAX_CLOCK_SKEW = 900000;

  /**
   * Integer value indicating the maximum allowable clock skew, in seconds, to be used for the OCSP
   * check.
   */
  private static final int MAX_CLOCK_SKEW = initializeClockSkew();

  /**
   * Initialize the maximum allowable clock skew by getting the OCSP clock skew system property. If
   * the property has not been set, or if its value is negative, set the skew to the default.
   */
  private static int initializeClockSkew() {
    Integer tmp =
        java.security.AccessController.doPrivileged(
            new GetIntegerAction("com.sun.security.ocsp.clockSkew"));
    if (tmp == null || tmp < 0) {
      return DEFAULT_MAX_CLOCK_SKEW;
    }
    // Convert to milliseconds, as the system property will be
    // specified in seconds
    return tmp * 1000;
  }

  // an array of all of the CRLReasons (used in SingleResponse)
  private static CRLReason[] values = CRLReason.values();

  private final ResponseStatus responseStatus;
  private final Map<CertId, SingleResponse> singleResponseMap;
  private final List<X509CertImpl> certs;
  private final AlgorithmId sigAlgId;
  private final byte[] signature;
  private final byte[] tbsResponseData;
  private final byte[] responseNonce;

  /*
   * Create an OCSP response from its ASN.1 DER encoding.
   */
  OCSPResponse(byte[] bytes) throws IOException {
    if (dump) {
      HexDumpEncoder hexEnc = new HexDumpEncoder();
      System.out.println("OCSPResponse bytes are...");
      System.out.println(hexEnc.encode(bytes));
    }
    DerValue der = new DerValue(bytes);
    if (der.tag != DerValue.tag_Sequence) {
      throw new IOException("Bad encoding in OCSP response: " + "expected ASN.1 SEQUENCE tag.");
    }
    DerInputStream derIn = der.getData();

    // responseStatus
    int status = derIn.getEnumerated();
    if (status >= 0 && status < rsvalues.length) {
      responseStatus = rsvalues[status];
    } else {
      // unspecified responseStatus
      throw new IOException("Unknown OCSPResponse status: " + status);
    }
    if (debug != null) {
      debug.println("OCSP response status: " + responseStatus);
    }
    if (responseStatus != ResponseStatus.SUCCESSFUL) {
      // no need to continue, responseBytes are not set.
      singleResponseMap = Collections.emptyMap();
      certs = Collections.<X509CertImpl>emptyList();
      sigAlgId = null;
      signature = null;
      tbsResponseData = null;
      responseNonce = null;
      return;
    }

    // responseBytes
    der = derIn.getDerValue();
    if (!der.isContextSpecific((byte) 0)) {
      throw new IOException(
          "Bad encoding in responseBytes element "
              + "of OCSP response: expected ASN.1 context specific tag 0.");
    }
    DerValue tmp = der.data.getDerValue();
    if (tmp.tag != DerValue.tag_Sequence) {
      throw new IOException(
          "Bad encoding in responseBytes element "
              + "of OCSP response: expected ASN.1 SEQUENCE tag.");
    }

    // responseType
    derIn = tmp.data;
    ObjectIdentifier responseType = derIn.getOID();
    if (responseType.equals((Object) OCSP_BASIC_RESPONSE_OID)) {
      if (debug != null) {
        debug.println("OCSP response type: basic");
      }
    } else {
      if (debug != null) {
        debug.println("OCSP response type: " + responseType);
      }
      throw new IOException("Unsupported OCSP response type: " + responseType);
    }

    // BasicOCSPResponse
    DerInputStream basicOCSPResponse = new DerInputStream(derIn.getOctetString());

    DerValue[] seqTmp = basicOCSPResponse.getSequence(2);
    if (seqTmp.length < 3) {
      throw new IOException("Unexpected BasicOCSPResponse value");
    }

    DerValue responseData = seqTmp[0];

    // Need the DER encoded ResponseData to verify the signature later
    tbsResponseData = seqTmp[0].toByteArray();

    // tbsResponseData
    if (responseData.tag != DerValue.tag_Sequence) {
      throw new IOException(
          "Bad encoding in tbsResponseData "
              + "element of OCSP response: expected ASN.1 SEQUENCE tag.");
    }
    DerInputStream seqDerIn = responseData.data;
    DerValue seq = seqDerIn.getDerValue();

    // version
    if (seq.isContextSpecific((byte) 0)) {
      // seq[0] is version
      if (seq.isConstructed() && seq.isContextSpecific()) {
        // System.out.println ("version is available");
        seq = seq.data.getDerValue();
        int version = seq.getInteger();
        if (seq.data.available() != 0) {
          throw new IOException(
              "Bad encoding in version " + " element of OCSP response: bad format");
        }
        seq = seqDerIn.getDerValue();
      }
    }

    // responderID
    short tag = (byte) (seq.tag & 0x1f);
    if (tag == NAME_TAG) {
      if (debug != null) {
        X500Principal responderName = new X500Principal(seq.getData().toByteArray());
        debug.println("OCSP Responder name: " + responderName);
      }
    } else if (tag == KEY_TAG) {
      if (debug != null) {
        byte[] responderKey = seq.getData().getOctetString();
        debug.println("OCSP Responder key: " + Debug.toString(responderKey));
      }
    } else {
      throw new IOException(
          "Bad encoding in responderID element of "
              + "OCSP response: expected ASN.1 context specific tag 0 or 1");
    }

    // producedAt
    seq = seqDerIn.getDerValue();
    if (debug != null) {
      Date producedAtDate = seq.getGeneralizedTime();
      debug.println("OCSP response produced at: " + producedAtDate);
    }

    // responses
    DerValue[] singleResponseDer = seqDerIn.getSequence(1);
    singleResponseMap = new HashMap<>(singleResponseDer.length);
    if (debug != null) {
      debug.println("OCSP number of SingleResponses: " + singleResponseDer.length);
    }
    for (int i = 0; i < singleResponseDer.length; i++) {
      SingleResponse singleResponse = new SingleResponse(singleResponseDer[i]);
      singleResponseMap.put(singleResponse.getCertId(), singleResponse);
    }

    // responseExtensions
    byte[] nonce = null;
    if (seqDerIn.available() > 0) {
      seq = seqDerIn.getDerValue();
      if (seq.isContextSpecific((byte) 1)) {
        DerValue[] responseExtDer = seq.data.getSequence(3);
        for (int i = 0; i < responseExtDer.length; i++) {
          Extension ext = new Extension(responseExtDer[i]);
          if (debug != null) {
            debug.println("OCSP extension: " + ext);
          }
          // Only the NONCE extension is recognized
          if (ext.getExtensionId().equals((Object) OCSP.NONCE_EXTENSION_OID)) {
            nonce = ext.getExtensionValue();
          } else if (ext.isCritical()) {
            throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId());
          }
        }
      }
    }
    responseNonce = nonce;

    // signatureAlgorithmId
    sigAlgId = AlgorithmId.parse(seqTmp[1]);

    // signature
    signature = seqTmp[2].getBitString();

    // if seq[3] is available , then it is a sequence of certificates
    if (seqTmp.length > 3) {
      // certs are available
      DerValue seqCert = seqTmp[3];
      if (!seqCert.isContextSpecific((byte) 0)) {
        throw new IOException(
            "Bad encoding in certs element of "
                + "OCSP response: expected ASN.1 context specific tag 0.");
      }
      DerValue[] derCerts = seqCert.getData().getSequence(3);
      certs = new ArrayList<X509CertImpl>(derCerts.length);
      try {
        for (int i = 0; i < derCerts.length; i++) {
          certs.add(new X509CertImpl(derCerts[i].toByteArray()));
        }
      } catch (CertificateException ce) {
        throw new IOException("Bad encoding in X509 Certificate", ce);
      }
    } else {
      certs = Collections.<X509CertImpl>emptyList();
    }
  }

  void verify(List<CertId> certIds, X509Certificate responderCert, Date date, byte[] nonce)
      throws CertPathValidatorException {
    switch (responseStatus) {
      case SUCCESSFUL:
        break;
      case TRY_LATER:
      case INTERNAL_ERROR:
        throw new CertPathValidatorException(
            "OCSP response error: " + responseStatus,
            null,
            null,
            -1,
            BasicReason.UNDETERMINED_REVOCATION_STATUS);
      case UNAUTHORIZED:
      default:
        throw new CertPathValidatorException("OCSP response error: " + responseStatus);
    }

    // Check that the response includes a response for all of the
    // certs that were supplied in the request
    for (CertId certId : certIds) {
      SingleResponse sr = getSingleResponse(certId);
      if (sr == null) {
        if (debug != null) {
          debug.println("No response found for CertId: " + certId);
        }
        throw new CertPathValidatorException(
            "OCSP response does not include a response for a "
                + "certificate supplied in the OCSP request");
      }
      if (debug != null) {
        debug.println(
            "Status of certificate (with serial number "
                + certId.getSerialNumber()
                + ") is: "
                + sr.getCertStatus());
      }
    }

    // Check whether the cert returned by the responder is trusted
    if (!certs.isEmpty()) {
      X509CertImpl cert = certs.get(0);
      // First check if the cert matches the expected responder cert
      if (cert.equals(responderCert)) {
        // cert is trusted, now verify the signed response

        // Next check if the cert was issued by the responder cert
        // which was set locally.
      } else if (cert.getIssuerX500Principal().equals(responderCert.getSubjectX500Principal())) {

        // Check for the OCSPSigning key purpose
        try {
          List<String> keyPurposes = cert.getExtendedKeyUsage();
          if (keyPurposes == null || !keyPurposes.contains(KP_OCSP_SIGNING_OID)) {
            throw new CertPathValidatorException(
                "Responder's certificate not valid for signing " + "OCSP responses");
          }
        } catch (CertificateParsingException cpe) {
          // assume cert is not valid for signing
          throw new CertPathValidatorException(
              "Responder's certificate not valid for signing " + "OCSP responses", cpe);
        }

        // Check algorithm constraints specified in security property
        // "jdk.certpath.disabledAlgorithms".
        AlgorithmChecker algChecker = new AlgorithmChecker(new TrustAnchor(responderCert, null));
        algChecker.init(false);
        algChecker.check(cert, Collections.<String>emptySet());

        // check the validity
        try {
          if (date == null) {
            cert.checkValidity();
          } else {
            cert.checkValidity(date);
          }
        } catch (CertificateException e) {
          throw new CertPathValidatorException(
              "Responder's certificate not within the " + "validity period", e);
        }

        // check for revocation
        //
        // A CA may specify that an OCSP client can trust a
        // responder for the lifetime of the responder's
        // certificate. The CA does so by including the
        // extension id-pkix-ocsp-nocheck.
        //
        Extension noCheck = cert.getExtension(PKIXExtensions.OCSPNoCheck_Id);
        if (noCheck != null) {
          if (debug != null) {
            debug.println(
                "Responder's certificate includes " + "the extension id-pkix-ocsp-nocheck.");
          }
        } else {
          // we should do the revocation checking of the
          // authorized responder in a future update.
        }

        // verify the signature
        try {
          cert.verify(responderCert.getPublicKey());
          responderCert = cert;
          // cert is trusted, now verify the signed response

        } catch (GeneralSecurityException e) {
          responderCert = null;
        }
      } else {
        throw new CertPathValidatorException(
            "Responder's certificate is not authorized to sign " + "OCSP responses");
      }
    }

    // Confirm that the signed response was generated using the public
    // key from the trusted responder cert
    if (responderCert != null) {
      // Check algorithm constraints specified in security property
      // "jdk.certpath.disabledAlgorithms".
      AlgorithmChecker.check(responderCert.getPublicKey(), sigAlgId);

      if (!verifySignature(responderCert)) {
        throw new CertPathValidatorException("Error verifying OCSP Response's signature");
      }
    } else {
      // Need responder's cert in order to verify the signature
      throw new CertPathValidatorException("Unable to verify OCSP Response's signature");
    }

    // Check freshness of OCSPResponse
    if (nonce != null) {
      if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) {
        throw new CertPathValidatorException("Nonces don't match");
      }
    }

    long now = (date == null) ? System.currentTimeMillis() : date.getTime();
    Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
    Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
    for (SingleResponse sr : singleResponseMap.values()) {
      if (debug != null) {
        String until = "";
        if (sr.nextUpdate != null) {
          until = " until " + sr.nextUpdate;
        }
        debug.println("Response's validity interval is from " + sr.thisUpdate + until);
      }

      // Check that the test date is within the validity interval
      if ((sr.thisUpdate != null && nowPlusSkew.before(sr.thisUpdate))
          || (sr.nextUpdate != null && nowMinusSkew.after(sr.nextUpdate))) {
        throw new CertPathValidatorException(
            "Response is unreliable: its validity " + "interval is out-of-date");
      }
    }
  }

  /** Returns the OCSP ResponseStatus. */
  ResponseStatus getResponseStatus() {
    return responseStatus;
  }

  /*
   * Verify the signature of the OCSP response.
   * The responder's cert is implicitly trusted.
   */
  private boolean verifySignature(X509Certificate cert) throws CertPathValidatorException {

    try {
      Signature respSignature = Signature.getInstance(sigAlgId.getName());
      respSignature.initVerify(cert.getPublicKey());
      respSignature.update(tbsResponseData);

      if (respSignature.verify(signature)) {
        if (debug != null) {
          debug.println("Verified signature of OCSP Response");
        }
        return true;

      } else {
        if (debug != null) {
          debug.println("Error verifying signature of OCSP Response");
        }
        return false;
      }
    } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
      throw new CertPathValidatorException(e);
    }
  }

  /**
   * Returns the SingleResponse of the specified CertId, or null if there is no response for that
   * CertId.
   */
  SingleResponse getSingleResponse(CertId certId) {
    return singleResponseMap.get(certId);
  }

  /*
   * A class representing a single OCSP response.
   */
  static final class SingleResponse implements OCSP.RevocationStatus {
    private final CertId certId;
    private final CertStatus certStatus;
    private final Date thisUpdate;
    private final Date nextUpdate;
    private final Date revocationTime;
    private final CRLReason revocationReason;
    private final Map<String, java.security.cert.Extension> singleExtensions;

    private SingleResponse(DerValue der) throws IOException {
      if (der.tag != DerValue.tag_Sequence) {
        throw new IOException("Bad ASN.1 encoding in SingleResponse");
      }
      DerInputStream tmp = der.data;

      certId = new CertId(tmp.getDerValue().data);
      DerValue derVal = tmp.getDerValue();
      short tag = (byte) (derVal.tag & 0x1f);
      if (tag == CERT_STATUS_REVOKED) {
        certStatus = CertStatus.REVOKED;
        revocationTime = derVal.data.getGeneralizedTime();
        if (derVal.data.available() != 0) {
          DerValue dv = derVal.data.getDerValue();
          tag = (byte) (dv.tag & 0x1f);
          if (tag == 0) {
            int reason = dv.data.getEnumerated();
            // if reason out-of-range just leave as UNSPECIFIED
            if (reason >= 0 && reason < values.length) {
              revocationReason = values[reason];
            } else {
              revocationReason = CRLReason.UNSPECIFIED;
            }
          } else {
            revocationReason = CRLReason.UNSPECIFIED;
          }
        } else {
          revocationReason = CRLReason.UNSPECIFIED;
        }
        // RevokedInfo
        if (debug != null) {
          debug.println("Revocation time: " + revocationTime);
          debug.println("Revocation reason: " + revocationReason);
        }
      } else {
        revocationTime = null;
        revocationReason = CRLReason.UNSPECIFIED;
        if (tag == CERT_STATUS_GOOD) {
          certStatus = CertStatus.GOOD;
        } else if (tag == CERT_STATUS_UNKNOWN) {
          certStatus = CertStatus.UNKNOWN;
        } else {
          throw new IOException("Invalid certificate status");
        }
      }

      thisUpdate = tmp.getGeneralizedTime();

      if (tmp.available() == 0) {
        // we are done
        nextUpdate = null;
      } else {
        derVal = tmp.getDerValue();
        tag = (byte) (derVal.tag & 0x1f);
        if (tag == 0) {
          // next update
          nextUpdate = derVal.data.getGeneralizedTime();

          if (tmp.available() == 0) {
            // we are done
          } else {
            derVal = tmp.getDerValue();
            tag = (byte) (derVal.tag & 0x1f);
          }
        } else {
          nextUpdate = null;
        }
      }
      // singleExtensions
      if (tmp.available() > 0) {
        derVal = tmp.getDerValue();
        if (derVal.isContextSpecific((byte) 1)) {
          DerValue[] singleExtDer = derVal.data.getSequence(3);
          singleExtensions = new HashMap<String, java.security.cert.Extension>(singleExtDer.length);
          for (int i = 0; i < singleExtDer.length; i++) {
            Extension ext = new Extension(singleExtDer[i]);
            if (debug != null) {
              debug.println("OCSP single extension: " + ext);
            }
            // We don't support any extensions yet. Therefore, if it
            // is critical we must throw an exception because we
            // don't know how to process it.
            if (ext.isCritical()) {
              throw new IOException("Unsupported OCSP critical extension: " + ext.getExtensionId());
            }
            singleExtensions.put(ext.getId(), ext);
          }
        } else {
          singleExtensions = Collections.emptyMap();
        }
      } else {
        singleExtensions = Collections.emptyMap();
      }
    }

    /*
     * Return the certificate's revocation status code
     */
    @Override
    public CertStatus getCertStatus() {
      return certStatus;
    }

    private CertId getCertId() {
      return certId;
    }

    @Override
    public Date getRevocationTime() {
      return (Date) revocationTime.clone();
    }

    @Override
    public CRLReason getRevocationReason() {
      return revocationReason;
    }

    @Override
    public Map<String, java.security.cert.Extension> getSingleExtensions() {
      return Collections.unmodifiableMap(singleExtensions);
    }

    /** Construct a string representation of a single OCSP response. */
    @Override
    public String toString() {
      StringBuilder sb = new StringBuilder();
      sb.append("SingleResponse:  \n");
      sb.append(certId);
      sb.append("\nCertStatus: " + certStatus + "\n");
      if (certStatus == CertStatus.REVOKED) {
        sb.append("revocationTime is " + revocationTime + "\n");
        sb.append("revocationReason is " + revocationReason + "\n");
      }
      sb.append("thisUpdate is " + thisUpdate + "\n");
      if (nextUpdate != null) {
        sb.append("nextUpdate is " + nextUpdate + "\n");
      }
      return sb.toString();
    }
  }
}