JSSE: add Android non-standard checkServerTrusted() in X509TrustManager

Author: cconlon

native/com_wolfssl_WolfSSLCertManager.c

@@ -145,3 +145,48 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertManager_CertManagerVerifyBuff
     return (jint)ret;
 }
 
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCertManager_CertManagerCheckOCSPResponse
+  (JNIEnv* jenv, jclass jcl, jlong cmPtr, jbyteArray response)
+{
+#ifdef HAVE_OCSP
+    int ret = 0;
+    jint responseSz = 0;
+    byte* responseBuffer = NULL;
+    WOLFSSL_CERT_MANAGER* cm = (WOLFSSL_CERT_MANAGER*)(uintptr_t)cmPtr;
+    (void)jcl;
+
+    if (jenv == NULL || response == NULL || cm == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        responseSz = (*jenv)->GetArrayLength(jenv, response);
+        responseBuffer = (byte*)(*jenv)->GetByteArrayElements(jenv,
+            response, NULL);
+        if (responseBuffer == NULL) {
+            ret = MEMORY_E;
+        }
+    }
+
+    /* Call native wolfSSL OCSP response validation. Pass NULL for unused
+     * parameters as we only need basic response validation. */
+    if (ret == 0) {
+        ret = wolfSSL_CertManagerCheckOCSPResponse(cm, responseBuffer,
+            responseSz, NULL, NULL, NULL, NULL);
+    }
+
+    if (responseBuffer != NULL) {
+        (*jenv)->ReleaseByteArrayElements(jenv, response,
+            (jbyte*)responseBuffer, JNI_ABORT);
+    }
+
+    return (jint)ret;
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)cmPtr;
+    (void)response;
+    return (jint)NOT_COMPILED_IN;
+#endif
+}
+

native/com_wolfssl_WolfSSLCertManager.h

@@ -49,10 +49,11 @@ public class WolfSSLCertManager {
     static native void CertManagerFree(long cm);
     static native int CertManagerLoadCA(long cm, String f, String d);
     static native int CertManagerLoadCABuffer(long cm, byte[] in, long sz,
-                                              int format);
+        int format);
     static native int CertManagerUnloadCAs(long cm);
     static native int CertManagerVerifyBuffer(long cm, byte[] in, long sz,
-                                              int format);
+        int format);
+    static native int CertManagerCheckOCSPResponse(long cm, byte[] response);
 
     /**
      * Create new WolfSSLCertManager object
@@ -246,6 +247,41 @@ public synchronized int CertManagerVerifyBuffer(
         }
     }
 
+    /**
+     * Check OCSP response for certificate revocation status
+     *
+     * @param response DER-encoded OCSP response data
+     *
+     * @return WolfSSL.SSL_SUCCESS on success, negative on error
+     *
+     * @throws IllegalStateException if WolfSSLCertManager has been freed
+     * @throws WolfSSLException if OCSP is not compiled in
+     */
+    public synchronized int CertManagerCheckOCSPResponse(byte[] response)
+        throws IllegalStateException, WolfSSLException {
+
+        confirmObjectIsActive();
+
+        if (response == null || response.length == 0) {
+            throw new IllegalArgumentException(
+                "OCSP response data is null or invalid size");
+        }
+
+        synchronized (cmLock) {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                WolfSSLDebug.INFO, this.cmPtr,
+                () -> "entered CertManagerCheckOCSPResponse(responseSz: " +
+                response.length + ")");
+
+            int ret = CertManagerCheckOCSPResponse(this.cmPtr, response);
+            if (ret == WolfSSL.NOT_COMPILED_IN) {
+                throw new WolfSSLException(
+                    "OCSP support not compiled into wolfSSL");
+            }
+            return ret;
+        }
+    }
+
     /**
      * Frees CertManager object
      * @see WolfSSLSession#freeSSL()

src/java/com/wolfssl/WolfSSLCertManager.java

@@ -953,6 +953,104 @@ public List<X509Certificate> checkServerTrusted(X509Certificate[] certs,
         return certList;
     }
 
+    /**
+     * Verifies a specified certificate chain.
+     * Non standard API, this is called/needed by Android.
+     *
+     * Android expects this method signature for OCSP stapling support.
+     * Native wolfSSL supports OCSP response processing via
+     * wolfSSL_CertManagerCheckOCSPResponse(). The ocspData parameter
+     * contains DER-encoded OCSP response data that is processed for
+     * certificate revocation checking.
+     *
+     * @param chain      Certificate chain to validate
+     * @param ocspData   OCSP response data (DER-encoded), may be null
+     * @param tlsSctData TLS SCT data (unused, wolfSSL does not support SCT)
+     * @param authType   Authentication type
+     * @param host       Hostname of the server
+     *
+     * @return Certificate chain used for verification, ordered with leaf/peer
+     *         cert first, root CA cert last
+     *
+     * @throws CertificateException if chain does not verify properly
+     */
+    public List<X509Certificate> checkServerTrusted(X509Certificate[] chain,
+        byte[] ocspData, byte[] tlsSctData, String authType, String host)
+        throws CertificateException {
+
+        int ret;
+        WolfSSLCertManager cm = null;
+
+        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+            () -> "entered checkServerTrusted(chain, ocspData, tlsSctData, " +
+            "authType, host)");
+
+        /* First verify the certificate chain normally, throws exception
+         * if chain is invalid */
+        List<X509Certificate> certList =
+            checkServerTrusted(chain, authType, host);
+
+        /* Verify OCSP response data if provided */
+        if (ocspData != null && ocspData.length > 0) {
+
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                () -> "Verifying OCSP response data (" + ocspData.length +
+                " bytes)");
+
+            try {
+                cm = new WolfSSLCertManager();
+
+                /* Load the trusted CAs that were used for cert verification */
+                ret = cm.CertManagerLoadCAKeyStore(this.store);
+                if (ret != WolfSSL.SSL_SUCCESS) {
+                    throw new CertificateException(
+                        "Failed to load trusted CAs for OCSP verification");
+                }
+
+                /* Check OCSP response */
+                ret = cm.CertManagerCheckOCSPResponse(ocspData);
+                if (ret != WolfSSL.SSL_SUCCESS) {
+                    throw new CertificateException(
+                        "OCSP response validation failed: " + ret);
+                }
+
+                WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                    () -> "OCSP response validation successful");
+
+            } catch (WolfSSLException e) {
+                if (e.getMessage().contains("not compiled")) {
+                    /* OCSP not available, log and continue */
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                        () -> "OCSP support not available, skipping " +
+                        "OCSP validation");
+                } else {
+                    throw new CertificateException("OCSP validation error", e);
+                }
+            } finally {
+                if (cm != null) {
+                    cm.free();
+                }
+            }
+
+        } else {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                () -> "No OCSP data provided");
+        }
+
+        /* Ignore TLS SCT data as wolfSSL doesn't support it */
+        if (tlsSctData != null && tlsSctData.length > 0) {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                () -> "TLS SCT data provided (" + tlsSctData.length +
+                " bytes), currently not processed");
+        }
+
+        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+            () -> "leaving checkServerTrusted(chain, ocspData, tlsSctData, " +
+            "authType, host), success");
+
+        return certList;
+    }
+
     /**
      * Returns an array of certificate authorities which are trusted for
      * authenticating peers.