1 /*
2 * Copyright 2022 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * https://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16 package io.netty.handler.ssl.ocsp;
17
18 import io.netty.channel.ChannelHandlerContext;
19 import io.netty.channel.ChannelInboundHandlerAdapter;
20 import io.netty.handler.ssl.SslHandler;
21 import io.netty.handler.ssl.SslHandshakeCompletionEvent;
22 import io.netty.resolver.dns.DnsNameResolver;
23 import io.netty.resolver.dns.DnsNameResolverBuilder;
24 import io.netty.util.AttributeKey;
25 import io.netty.util.concurrent.Future;
26 import io.netty.util.concurrent.GenericFutureListener;
27 import io.netty.util.concurrent.Promise;
28 import org.bouncycastle.cert.ocsp.BasicOCSPResp;
29 import org.bouncycastle.cert.ocsp.OCSPException;
30 import org.bouncycastle.cert.ocsp.RevokedStatus;
31 import org.bouncycastle.cert.ocsp.SingleResp;
32
33 import java.security.cert.Certificate;
34 import java.security.cert.X509Certificate;
35 import java.util.Date;
36
37 import static io.netty.util.internal.ObjectUtil.checkNotNull;
38
39 /**
40 * {@link OcspServerCertificateValidator} validates incoming server's certificate
41 * using OCSP. Once TLS handshake is completed, {@link SslHandshakeCompletionEvent#SUCCESS} is fired, validator
42 * will perform certificate validation using OCSP over HTTP/1.1 with the server's certificate issuer OCSP responder.
43 */
44 public class OcspServerCertificateValidator extends ChannelInboundHandlerAdapter {
45 /**
46 * An attribute used to mark all channels created by the {@link OcspServerCertificateValidator}.
47 */
48 public static final AttributeKey<Boolean> OCSP_PIPELINE_ATTRIBUTE =
49 AttributeKey.newInstance("io.netty.handler.ssl.ocsp.pipeline");
50
51 private final boolean closeAndThrowIfNotValid;
52 private final boolean validateNonce;
53 private final IoTransport ioTransport;
54 private final DnsNameResolver dnsNameResolver;
55
56 /**
57 * Create a new {@link OcspServerCertificateValidator} instance without nonce validation
58 * on OCSP response, using default {@link IoTransport#DEFAULT} instance,
59 * default {@link DnsNameResolver} implementation and with {@link #closeAndThrowIfNotValid}
60 * set to {@code true}
61 */
62 public OcspServerCertificateValidator() {
63 this(false);
64 }
65
66 /**
67 * Create a new {@link OcspServerCertificateValidator} instance with
68 * default {@link IoTransport#DEFAULT} instance and default {@link DnsNameResolver} implementation
69 * and {@link #closeAndThrowIfNotValid} set to {@code true}.
70 *
71 * @param validateNonce Set to {@code true} if we should force nonce validation on
72 * OCSP response else set to {@code false}
73 */
74 public OcspServerCertificateValidator(boolean validateNonce) {
75 this(validateNonce, IoTransport.DEFAULT);
76 }
77
78 /**
79 * Create a new {@link OcspServerCertificateValidator} instance
80 *
81 * @param validateNonce Set to {@code true} if we should force nonce validation on
82 * OCSP response else set to {@code false}
83 * @param ioTransport {@link IoTransport} to use
84 */
85 public OcspServerCertificateValidator(boolean validateNonce, IoTransport ioTransport) {
86 this(validateNonce, ioTransport, createDefaultResolver(ioTransport));
87 }
88
89 /**
90 * Create a new {@link IoTransport} instance with {@link #closeAndThrowIfNotValid} set to {@code true}
91 *
92 * @param validateNonce Set to {@code true} if we should force nonce validation on
93 * OCSP response else set to {@code false}
94 * @param ioTransport {@link IoTransport} to use
95 * @param dnsNameResolver {@link DnsNameResolver} implementation to use
96 */
97 public OcspServerCertificateValidator(boolean validateNonce, IoTransport ioTransport,
98 DnsNameResolver dnsNameResolver) {
99 this(true, validateNonce, ioTransport, dnsNameResolver);
100 }
101
102 /**
103 * Create a new {@link IoTransport} instance
104 *
105 * @param closeAndThrowIfNotValid If set to {@code true} then we will close the channel and throw an exception
106 * when certificate is not {@link OcspResponse.Status#VALID}.
107 * If set to {@code false} then we will simply pass the {@link OcspValidationEvent}
108 * to the next handler in pipeline and let it decide what to do.
109 * @param validateNonce Set to {@code true} if we should force nonce validation on
110 * OCSP response else set to {@code false}
111 * @param ioTransport {@link IoTransport} to use
112 * @param dnsNameResolver {@link DnsNameResolver} implementation to use
113 */
114 public OcspServerCertificateValidator(boolean closeAndThrowIfNotValid, boolean validateNonce,
115 IoTransport ioTransport, DnsNameResolver dnsNameResolver) {
116 this.closeAndThrowIfNotValid = closeAndThrowIfNotValid;
117 this.validateNonce = validateNonce;
118 this.ioTransport = checkNotNull(ioTransport, "IoTransport");
119 this.dnsNameResolver = checkNotNull(dnsNameResolver, "DnsNameResolver");
120 }
121
122 protected static DnsNameResolver createDefaultResolver(final IoTransport ioTransport) {
123 return new DnsNameResolverBuilder()
124 .eventLoop(ioTransport.eventLoop())
125 .channelFactory(ioTransport.datagramChannel())
126 .socketChannelFactory(ioTransport.socketChannel())
127 .build();
128 }
129
130 @Override
131 public void userEventTriggered(final ChannelHandlerContext ctx, final Object evt) throws Exception {
132 ctx.fireUserEventTriggered(evt);
133
134 if (evt instanceof SslHandshakeCompletionEvent) {
135 SslHandshakeCompletionEvent sslHandshakeCompletionEvent = (SslHandshakeCompletionEvent) evt;
136
137 // If TLS handshake was successful then only we will perform OCSP certificate validation.
138 // If not, then just forward the event to next handler in pipeline and remove ourselves from pipeline.
139 if (sslHandshakeCompletionEvent.isSuccess()) {
140 Certificate[] certificates = ctx.pipeline().get(SslHandler.class)
141 .engine()
142 .getSession()
143 .getPeerCertificates();
144
145 assert certificates.length >= 2 : "There must an end-entity certificate and issuer certificate";
146
147 Promise<BasicOCSPResp> ocspRespPromise = OcspClient.query((X509Certificate) certificates[0],
148 (X509Certificate) certificates[1], validateNonce, ioTransport, dnsNameResolver);
149
150 ocspRespPromise.addListener(new GenericFutureListener<Future<BasicOCSPResp>>() {
151 @Override
152 public void operationComplete(Future<BasicOCSPResp> future) throws Exception {
153 // If Future is success then we have successfully received OCSP response
154 // from OCSP responder. We will validate it now and process.
155 if (future.isSuccess()) {
156 SingleResp response = future.get().getResponses()[0];
157
158 Date current = new Date();
159 if (!(current.after(response.getThisUpdate()) &&
160 current.before(response.getNextUpdate()))) {
161 ctx.fireExceptionCaught(new IllegalStateException("OCSP Response is out-of-date"));
162 }
163
164 OcspResponse.Status status;
165 if (response.getCertStatus() == null) {
166 // 'null' means certificate is valid
167 status = OcspResponse.Status.VALID;
168 } else if (response.getCertStatus() instanceof RevokedStatus) {
169 status = OcspResponse.Status.REVOKED;
170 } else {
171 status = OcspResponse.Status.UNKNOWN;
172 }
173
174 ctx.fireUserEventTriggered(new OcspValidationEvent(
175 new OcspResponse(status, response.getThisUpdate(), response.getNextUpdate())));
176
177 // If Certificate is not VALID and 'closeAndThrowIfNotValid' is set
178 // to 'true' then close the channel and throw an exception.
179 if (status != OcspResponse.Status.VALID && closeAndThrowIfNotValid) {
180 ctx.channel().close();
181 // Certificate is not valid. Throw
182 ctx.fireExceptionCaught(new OCSPException(
183 "Certificate not valid. Status: " + status));
184 }
185 } else {
186 ctx.fireExceptionCaught(future.cause());
187 }
188 }
189 });
190 }
191 // Lets remove ourselves from the pipeline because we are done processing validation.
192 ctx.pipeline().remove(this);
193 }
194 }
195
196 @Override
197 public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
198 ctx.channel().close();
199 }
200 }