JDK / JDK-8256409

Setup per-connection proxy for Revocation Checker


    • Type: CSR
    • Resolution: Unresolved
    • Priority: P3
    • Component: security-libs
    • Compatibility Kind: source
    • Compatibility Risk: low
    • Compatibility Risk Description: Low compatibility risk because the default behavior is not changed
    • Interface Kind: Java API

      Summary

      Extend the PKIXRevocationChecker class with a custom proxy configuration for connections to the revocation checker (OCSP/CRL) server.

      Problem

      When connecting to an HTTPS server, the client can specify proxy settings that are used for that particular connection. During the TLS handshake the implementation may verify the peer certificate using a certificate revocation checker (OCSP or CRL). The connection to the OCSP/CRL server is established using the system-wide proxy settings (system default, a custom ProxySelector, or the "http.proxyHost"/"http.proxyPort" properties). It is not possible to set up per-connection proxy settings for the connection to the OCSP/CRL server that is made inside the TLS handshake.
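      Before this CSR the only lever is the JVM-wide ProxySelector mentioned above. The selector below is an added illustration (not code from the CSR or from the JDK sources) of that mechanism: it routes requests to known OCSP/CRL hosts through a dedicated proxy and defers everything else to the selector that was installed before it. The proxy address and the host names are assumptions.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.SocketAddress;
import java.net.URI;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * JVM-wide ProxySelector that sends revocation traffic (OCSP/CRL fetches
 * made by the JDK inside certificate path validation) through one proxy.
 * Added example; host names and ports are placeholders (assumptions).
 */
public final class RevocationProxySelector extends ProxySelector {

    // Assumed address of the proxy that is allowed to reach the PKI endpoints.
    private static final Proxy REVOCATION_PROXY = new Proxy(
            Proxy.Type.HTTP, new InetSocketAddress("revproxy.example.internal", 3128));

    // Assumed OCSP responder / CRL distribution point hosts found in our certificates.
    private static final Set<String> REVOCATION_HOSTS =
            Set.of("ocsp.example.com", "crl.example.com");

    // Selector that was the default before install(); may be null.
    private final ProxySelector previous;

    public RevocationProxySelector(ProxySelector previous) {
        this.previous = previous;
    }

    @Override
    public List<Proxy> select(URI uri) {
        if (uri == null) {
            throw new IllegalArgumentException("URI can't be null");
        }
        String host = uri.getHost();
        if (host != null && REVOCATION_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return List.of(REVOCATION_PROXY);
        }
        // Anything else: whatever applied before (system default,
        // http.proxyHost/http.proxyPort, ...) or a direct connection.
        return previous != null ? previous.select(uri) : List.of(Proxy.NO_PROXY);
    }

    @Override
    public void connectFailed(URI uri, SocketAddress sa, IOException ioe) {
        if (previous != null) {
            previous.connectFailed(uri, sa, ioe);
        }
    }

    /** Installs this selector process-wide, wrapping the current default. */
    public static void install() {
        ProxySelector.setDefault(new RevocationProxySelector(ProxySelector.getDefault()));
    }
}
```

      Because ProxySelector.getDefault() is process-global, two TLS connections whose revocation fetches need different proxies cannot be told apart here, which is exactly the gap this CSR describes. Note also that OCSP responses and CRLs are signed, so a misrouted or hostile proxy can only make the fetch fail; whether that fails the handshake depends on the revocation checker's options (NO_FALLBACK, SOFT_FAIL).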

      Solution

      Extend the PKIXRevocationChecker class with a custom proxy configuration for the OCSP/CRL server. This proxy configuration, if specified, takes priority over the system-wide "http.proxyHost"/"http.proxyPort" properties and over the default or custom ProxySelector implementation. A PKIXRevocationChecker is attached to the PKIXBuilderParameters from which the trust manager, and hence the SSLContext, is built, so one configuration serves server and client connections, SSLEngine, SSLSocket, and HttpClient-based implementations alike; this makes PKIXRevocationChecker the right place to add the proxy configuration for the OCSP/CRL server. There are two possible options for indicating the proxy configuration for the certificate revocation checker server:

      1. Static proxy configuration using an instance of the Proxy class:
        void PKIXRevocationChecker.setProxy(Proxy proxy)
        Proxy PKIXRevocationChecker.getProxy()
      2. Dynamic proxy configuration using a callback function that selects the proxy configuration based on the revocation checker URI and type:
        void PKIXRevocationChecker.setRevCheckerProxySelector(BiFunction<URI, Type, Proxy> proxySelector)
        BiFunction<URI, Type, Proxy> PKIXRevocationChecker.getRevCheckerProxySelector()

      Dynamic proxy configuration is preferable because it allows the proxy settings to be selected based on the revocation checker type and URL. The revocation checker itself can be configured differently for different TLS connections (one checker, and hence one trust manager, per SSLContext). The example and the Specification below adopt the dynamic option under the names setProxySelector/getProxySelector.

      Example of usage:

              import java.net.InetSocketAddress;
              import java.net.Proxy;
              import java.net.URI;
              import java.security.cert.CertPathBuilder;
              import java.security.cert.PKIXBuilderParameters;
              import java.security.cert.PKIXRevocationChecker;
              import java.security.cert.X509CertSelector;
              import java.util.EnumSet;
              import java.util.function.BiFunction;
              import javax.net.ssl.CertPathTrustManagerParameters;
              import javax.net.ssl.SSLContext;
              import javax.net.ssl.SSLSocket;
              import javax.net.ssl.SSLSocketFactory;
              import javax.net.ssl.TrustManagerFactory;

              CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
              PKIXRevocationChecker revChecker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
              // Proxy takes a SocketAddress, not a String; the addresses and ports are placeholders.
              BiFunction<URI, PKIXRevocationChecker.Type, Proxy> proxySelector =
                  (uri, type) -> switch (type) {
                      case OCSP -> new Proxy(Proxy.Type.HTTP, new InetSocketAddress("ocsp_proxy_address", 8080));
                      case CRL  -> new Proxy(Proxy.Type.HTTP, new InetSocketAddress("crl_proxy_address", 8080));
                  };
              revChecker.setProxySelector(proxySelector);
              // NO_FALLBACK: do not fall back to the other mechanism if the preferred one fails
              revChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
              ...
              // ts: KeyStore holding the trust anchors, initialised in the elided code
              PKIXBuilderParameters pkixBuilderParameters = new PKIXBuilderParameters(ts, new X509CertSelector());
              pkixBuilderParameters.addCertPathChecker(revChecker);
              ...
              TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
              trustManagerFactory.init(new CertPathTrustManagerParameters(pkixBuilderParameters));
              ...
              // keyManagerFactory: initialised in the elided code
              SSLContext sslCtx = SSLContext.getInstance("TLSv1.3");
              sslCtx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
              ...
              SSLSocketFactory sslSocketFactory = sslCtx.getSocketFactory();
              SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(host, port);
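      The callback can also key on the URI, not only on the type. The policy below is an added example (not part of this CSR or of any shipped JDK) that assumes the setProxySelector and Type API from the Specification below, and assumes that a returned Proxy.NO_PROXY is honoured as a direct connection, as URL.openConnection(Proxy) does. It uses all three possible results: NO_PROXY for an internal PKI, a concrete proxy for external HTTP(S) endpoints, and null to fall back to the JVM-wide ProxySelector for URIs an HTTP proxy cannot carry (an ldap: CRL distribution point, for instance). Host names and ports are placeholders.

```java
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URI;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXRevocationChecker;
import java.util.EnumSet;
import java.util.Locale;
import java.util.function.BiFunction;

/** Added example policy for the proposed PKIXRevocationChecker.setProxySelector API. */
public final class RevocationProxyPolicy {

    // Assumed egress proxy that may reach public OCSP responders / CRL servers.
    static final Proxy EGRESS_PROXY = new Proxy(
            Proxy.Type.HTTP, new InetSocketAddress("egress.example.internal", 3128));

    // Assumed DNS suffix of the internal PKI whose endpoints are reached directly.
    static final String INTERNAL_SUFFIX = ".corp.example";

    static final BiFunction<URI, PKIXRevocationChecker.Type, Proxy> POLICY = (uri, type) -> {
        String host = uri.getHost() == null ? "" : uri.getHost().toLowerCase(Locale.ROOT);
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);

        if (host.endsWith(INTERNAL_SUFFIX)) {
            // Internal PKI: bypass whatever default proxy is configured.
            return Proxy.NO_PROXY;
        }
        if (type == PKIXRevocationChecker.Type.OCSP) {
            // OCSP is always HTTP-based, so the egress proxy can carry it.
            return EGRESS_PROXY;
        }
        if (scheme.equals("http") || scheme.equals("https")) {
            // CRL distribution point over HTTP(S): also via the egress proxy.
            return EGRESS_PROXY;
        }
        // e.g. ldap: CRL URIs, which an HTTP proxy cannot carry: defer to the
        // JVM-wide ProxySelector (null means "use the default configuration").
        return null;
    };

    /** Builds a revocation checker that applies POLICY and fails closed. */
    public static PKIXRevocationChecker configure() throws Exception {
        PKIXRevocationChecker rc =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        rc.setProxySelector(POLICY);
        // Do not fall back to the other mechanism if the preferred one cannot be reached.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        return rc;
    }
}
```

      The checker returned by configure() is added to a PKIXBuilderParameters exactly as in the usage example above; a separate SSLContext with a differently configured checker gives a different proxy policy for its connections.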

      Specification

       /*
      - * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
      + * Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
        * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
        *
        * This code is free software; you can redistribute it and/or modify it
      @@ -24,6 +24,7 @@
        */
       package java.security.cert;
      
      +import java.net.Proxy;
       import java.net.URI;
       import java.util.ArrayList;
       import java.util.Collections;
      @@ -33,6 +34,7 @@ import java.util.List;
       import java.util.Map;
       import java.util.Map.Entry;
       import java.util.Set;
      +import java.util.function.BiFunction;
      
       /**
        * A {@code PKIXCertPathChecker} for checking the revocation status of
      @@ -98,6 +100,7 @@ import java.util.Set;
        */
       public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
           private URI ocspResponder;
      +    private BiFunction<URI, Type, Proxy> proxySelector;
           private X509Certificate ocspResponderCert;
           private List<Extension> ocspExtensions = Collections.<Extension>emptyList();
           private Map<X509Certificate, byte[]> ocspResponses = Collections.emptyMap();
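Review bot: the new field `private BiFunction<URI, Type, Proxy> proxySelector;` is copied by reference by `super.clone()` in clone() below, so a clone and its original share the caller's function object; that is harmless for a stateless lambda but should be stated in the setProxySelector javadoc, since this class otherwise promises independent copies. Also, the nested `Type` introduced here has to be used in the same expression as java.net.Proxy.Type (e.g. `BiFunction<URI, PKIXRevocationChecker.Type, Proxy>` returning `new Proxy(Proxy.Type.HTTP, ...)`); a more specific name such as RevocationType would avoid the confusion.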
      @@ -261,6 +264,51 @@ public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
            */
           public abstract List<CertPathValidatorException> getSoftFailExceptions();
      
      +    /**
      +     * Registers a callback function that selects
      +     * proxy configuration for connection to remote Revocation Checker server
      +     * on the base of Revocation Checker type (OCSP, CRL) and URI.
      +     * The function overrides default proxy selector and supports
      +     * the following type parameters:
      +     * <blockquote>
      +     * <dl>
      +     * <dt> {@code URI}
      +     * <dd> Non-null URI of the OCSP Revocation Checker or CRL Certificate
      +     *      Store.
      +     * <dt> {@code Type}
      +     * <dd> Type of Certificate Revocation Status mechanism.
      +     * <dt> {@code Proxy}
      +     * <dd> The function's result is an instance of {@code Proxy} class that
      +     *      represents proxy configuration for connection to the Revocation
      +     *      Checker or {@code null} if default proxy configuration should be
      +     *      used.
      +     * </dl>
      +     * </blockquote>
      +     *
      +     * @param proxySelector the callback function or null to de-register.
      +     *
      +     * @see #getProxySelector
      +     * @since 17
      +     */
      +    public void setProxySelector(BiFunction<URI, Type, Proxy> proxySelector) {
      +        this.proxySelector = proxySelector;
      +    }
      +
      +    /**
      +     * Returns a callback function to be used to select proxy configuration
      +     * for connection to Revocation Checker server on the base of Revocation
      +     * Checker type (OCSP, CRL) and URI.
      +     *
      +     * @return the function to be applied to select proxy configuration
      +     *         or {@code null} if default proxy configuration should be used
      +     *
      +     * @see #setProxySelector
      +     * @since 17
      +     */
      +    public BiFunction<URI, Type, Proxy> getProxySelector() {
      +        return proxySelector;
      +    }
      +
           @Override
           public PKIXRevocationChecker clone() {
               PKIXRevocationChecker copy = (PKIXRevocationChecker)super.clone();
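Review bot: the setProxySelector javadoc does not define the callback's contract at handshake time: it says a `null` result means the default configuration, but not whether `Proxy.NO_PROXY` forces a direct connection, and not what happens if the function throws; an unchecked exception from the callback during certificate path validation surfaces as a validation (and hence handshake) failure, and the specification should say so, or state that exceptions are treated as "no proxy selected". The `<dl>` is introduced as "the following type parameters" but actually lists the function's two arguments and its result; reword as "The function receives the URI ... and the Type ... and returns a Proxy ...". Minor: "or null to de-register" in `@param` should be `{@code null}`, as in the rest of the class, and "Revocation Checker server" should be lower case.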
      @@ -277,6 +325,20 @@ public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
               return copy;
           }
      
      +    /**
      +     * Various types of Certificate Revocation Status mechanisms.
      +     */
      +    public enum Type {
      +        /**
      +         * Online Certificate Status Protocol (OCSP) as defined in RFC 2560
      +         */
      +        OCSP,
      +        /**
      +         * Certificate Revocation Lists (CRLs) as defined in RFC 5280
      +         */
      +        CRL
      +    }
      +
           /**
            * Various revocation options that can be specified for the revocation
            * checking mechanism.
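Review bot: the OCSP constant's javadoc cites RFC 2560, which was obsoleted by RFC 6960 in 2013; the class-level reference should point at RFC 6960 (the CRL entry's RFC 5280 is fine). The new `public enum Type` also lacks the `@since 17` tag that setProxySelector and getProxySelector carry; add it so the enum's introduction is documented consistently.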

             Assignee / Reporter: abakhtin Alexey Bakhtin