ELY-434 [Preview] OCSP Stapling Support

wildfly-security · May 10, 2024 · 51f8b99 · 51f8b99
1 parent bab0267
commit 51f8b99
Show file tree

Hide file tree

Showing 9 changed files with 2,232 additions and 57 deletions.
diff --git a/auth/client/src/main/java/org/wildfly/security/auth/client/ElytronXmlParser.java b/auth/client/src/main/java/org/wildfly/security/auth/client/ElytronXmlParser.java
@@ -154,7 +154,8 @@ private enum Version {
         VERSION_1_4("urn:elytron:client:1.4", VERSION_1_3),
         VERSION_1_5("urn:elytron:client:1.5", VERSION_1_4),
         VERSION_1_6("urn:elytron:client:1.6", VERSION_1_5),
-        VERSION_1_7("urn:elytron:client:1.7", VERSION_1_6);
+        VERSION_1_7("urn:elytron:client:1.7", VERSION_1_6),
+        VERSION_1_8("urn:elytron:client:1.8", VERSION_1_7);
 
         final String namespace;
 
@@ -465,6 +466,7 @@ private static void parseSslContextType(final ConfigurationXMLStreamReader reade
         ExceptionSupplier<KeyStore, ConfigXMLParseException> trustStoreSupplier = null;
         DeferredSupplier<Provider[]> providersSupplier = new DeferredSupplier<>(providers);
         TrustManagerBuilder trustManagerBuilder = new TrustManagerBuilder(providersSupplier, location);
+        boolean acceptOcspStapling = false;
 
         while (reader.hasNext()) {
             final int tag = reader.nextTag();
@@ -536,6 +538,13 @@ private static void parseSslContextType(final ConfigurationXMLStreamReader reade
                         parseCertificateRevocationLists(reader, trustManagerBuilder, xmlVersion);
                         break;
                     }
+                    case "accept-ocsp-stapling": {
+                        if (isSet(foundBits, 10)) throw reader.unexpectedElement();
+                        foundBits = setBit(foundBits, 10);
+                        if (!xmlVersion.isAtLeast(Version.VERSION_1_8)) throw reader.unexpectedElement();
+                        acceptOcspStapling = parseOcspStaplingType(reader, trustManagerBuilder, xmlVersion);
+                        break;
+                    }
                     default: throw reader.unexpectedElement();
                 }
             } else if (tag != END_ELEMENT) {
@@ -549,6 +558,8 @@ private static void parseSslContextType(final ConfigurationXMLStreamReader reade
                 final ExceptionSupplier<X509ExtendedKeyManager, ConfigXMLParseException> finalKeyManagerSupplier = keyManagerSupplier;
                 final ExceptionSupplier<KeyStore, ConfigXMLParseException> finalTrustStoreSupplier = trustStoreSupplier;
                 final boolean initTrustManager = finalTrustStoreSupplier != null || isSet(foundBits, 7);
+                final boolean finalAcceptOcspStapling = acceptOcspStapling;
+
                 sslContextsMap.putIfAbsent(name, () -> {
                     final SSLContextBuilder sslContextBuilder = new SSLContextBuilder();
                     sslContextBuilder.setClientMode(true);
@@ -574,6 +585,7 @@ private static void parseSslContextType(final ConfigurationXMLStreamReader reade
                     sslContextBuilder.setProviderName(finalProviderName);
                     sslContextBuilder.setProviderSupplier(finalProvidersSupplier);
                     sslContextBuilder.setUseCipherSuitesOrder(true);
+                    sslContextBuilder.setAcceptOCSPStapling(finalAcceptOcspStapling);
                     return sslContextBuilder.build();
                 });
                 return;
@@ -582,6 +594,42 @@ private static void parseSslContextType(final ConfigurationXMLStreamReader reade
         throw reader.unexpectedDocumentEnd();
     }
 
+    private static boolean parseOcspStaplingType(ConfigurationXMLStreamReader reader, TrustManagerBuilder builder, Version xmlVersion) throws ConfigXMLParseException {
+        final int attributeCount = reader.getAttributeCount();
+        boolean acceptOcspStapling = false;
+        boolean softFail = false;
+
+        for (int i = 0; i < attributeCount; i ++) {
+            checkAttributeNamespace(reader, i);
+            switch (reader.getAttributeLocalName(i)) {
+                case "accept-ocsp": {
+                    if (acceptOcspStapling) throw reader.unexpectedAttribute(i);
+                    if (!xmlVersion.isAtLeast(Version.VERSION_1_8)) throw reader.unexpectedAttribute(i);
+                    acceptOcspStapling = reader.getBooleanAttributeValueResolved(i);
+                    builder.setOcspStapling(acceptOcspStapling);
+                    break;
+                }
+                case "soft-fail": {
+                    if (softFail) throw reader.unexpectedAttribute(i);
+                    if (!xmlVersion.isAtLeast(Version.VERSION_1_8)) throw reader.unexpectedAttribute(i);
+                    softFail = reader.getBooleanAttributeValueResolved(i);
+                    builder.setSoftFail(softFail);
+                    break;
+                }
+                default: throw reader.unexpectedAttribute(i);
+            }
+        }
+        while (reader.hasNext()) {
+            final int tag = reader.nextTag();
+            if (tag == END_ELEMENT) {
+                return acceptOcspStapling;
+            } else {
+                throw reader.unexpectedContent();
+            }
+        }
+        throw reader.unexpectedDocumentEnd();
+    }
+
     private static class TrustManagerBuilder {
         final Supplier<Provider[]> providers;
         final Location xmlLocation;
@@ -592,6 +640,7 @@ private static class TrustManagerBuilder {
         List<InputStream> crlStreams = new ArrayList<>();
         int maxCertPath = 5;
         boolean ocsp = false;
+        boolean ocspStapling = false;
         boolean preferCrls = false;
         boolean onlyLeafCert = false;
         boolean softFail = false;
@@ -638,6 +687,9 @@ boolean isMaxCertPathSet() {
         public void setOcsp() {
             this.ocsp = true;
         }
+        public void setOcspStapling(boolean ocspStapling) {
+            this.ocspStapling = ocspStapling;
+        }
 
         public void setPreferCrls(boolean preferCrls) {
             this.preferCrls = preferCrls;
@@ -697,6 +749,13 @@ X509TrustManager build() throws NoSuchAlgorithmException, KeyStoreException, Con
                     revocationBuilder.setOcspResponderCert((X509Certificate) responderStore.getCertificate(responderCertAlias));
                 }
 
+                return revocationBuilder.build();
+            } else if (ocspStapling) {
+                X509RevocationTrustManager.Builder revocationBuilder = X509RevocationTrustManager.builder();
+                revocationBuilder.setTrustManagerFactory(trustManagerFactory);
+                revocationBuilder.setTrustStore(trustStore);
+                revocationBuilder.setCheckRevocation(true);
+                revocationBuilder.setSoftFail(softFail);
                 return revocationBuilder.build();
             } else {
                 trustManagerFactory.init(trustStore);