This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new 3f8ba85 Add OCSP support 3f8ba85 is described below commit 3f8ba85a55e019f6ffc38b5a5bf87edec75338bf Author: remm <r...@apache.org> AuthorDate: Fri Nov 5 11:40:13 2021 +0100 Add OCSP support Avoid code duplication with the context since the verifier there is the same and usually not used. Fix oops in verify logic. Not tested yet with an actual OCSP responder. --- modules/openssl-panama-foreign/openssl-tomcat.conf | 21 ++ modules/openssl-panama-foreign/openssl.h | 1 + .../util/net/openssl/panama/OpenSSLContext.java | 99 +-------- .../util/net/openssl/panama/OpenSSLEngine.java | 233 ++++++++++++++++++++- .../apache/tomcat/util/openssl/constants$26.java | 54 ++++- .../apache/tomcat/util/openssl/constants$27.java | 49 ++++- .../{constants$26.java => constants$28.java} | 21 +- .../{constants$27.java => constants$29.java} | 4 +- .../org/apache/tomcat/util/openssl/openssl_h.java | 184 +++++++++++++++- .../net/openssl/panama/LocalStrings.properties | 3 + 10 files changed, 547 insertions(+), 122 deletions(-) diff --git a/modules/openssl-panama-foreign/openssl-tomcat.conf b/modules/openssl-panama-foreign/openssl-tomcat.conf index 2a172ab..25e121b 100644 --- a/modules/openssl-panama-foreign/openssl-tomcat.conf +++ b/modules/openssl-panama-foreign/openssl-tomcat.conf 
@@ -90,6 +90,27 @@
 --include-macro NID_info_access # header: /usr/include/openssl/obj_mac.h
+#### Extracted from: /usr/include/openssl/ocsp.h
+
+--include-function OCSP_BASICRESP_free # header: /usr/include/openssl/ocsp.h
+--include-function OCSP_CERTID_free # header: /usr/include/openssl/ocsp.h
+--include-function OCSP_REQUEST_free # header: /usr/include/openssl/ocsp.h
+--include-function OCSP_REQUEST_new # header: /usr/include/openssl/ocsp.h
+--include-function OCSP_RESPONSE_free # header: /usr/include/openssl/ocsp.h
+--include-function OCSP_cert_to_id # header: /usr/include/openssl/ocsp.h
+--include-function OCSP_request_add0_id # header: /usr/include/openssl/ocsp.h
+--include-function OCSP_response_get1_basic # header: /usr/include/openssl/ocsp.h
+--include-function OCSP_response_status # header: /usr/include/openssl/ocsp.h
+--include-function OCSP_resp_find # header: /usr/include/openssl/ocsp.h
+--include-function OCSP_resp_get0 # header: /usr/include/openssl/ocsp.h
+--include-function OCSP_single_get0_status # header: /usr/include/openssl/ocsp.h
+--include-function d2i_OCSP_RESPONSE # header: /usr/include/openssl/ocsp.h
+--include-function i2d_OCSP_REQUEST # header: /usr/include/openssl/ocsp.h
+--include-macro OCSP_RESPONSE_STATUS_SUCCESSFUL # header: /usr/include/openssl/ocsp.h
+--include-macro V_OCSP_CERTSTATUS_GOOD # header: /usr/include/openssl/ocsp.h
+--include-macro V_OCSP_CERTSTATUS_REVOKED # header: /usr/include/openssl/ocsp.h
+--include-macro V_OCSP_CERTSTATUS_UNKNOWN # header: /usr/include/openssl/ocsp.h
+
 #### Extracted from: /usr/include/openssl/opensslconf-x86_64.h
 --include-macro OPENSSL_API_COMPAT # header: /usr/include/openssl/opensslconf-x86_64.h
diff --git a/modules/openssl-panama-foreign/openssl.h b/modules/openssl-panama-foreign/openssl.h
index 8d01f90..3f7368b 100644
--- a/modules/openssl-panama-foreign/openssl.h
+++ b/modules/openssl-panama-foreign/openssl.h
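Review bot: The OCSP symbol list binds the request/response accessors but neither `OCSP_basic_verify` nor `OCSP_check_validity`, so the Java caller in OpenSSLEngine has no way to authenticate a responder's signature or to check thisUpdate/nextUpdate before acting on a returned status. Add `--include-function OCSP_basic_verify # header: /usr/include/openssl/ocsp.h` and `--include-function OCSP_check_validity # header: /usr/include/openssl/ocsp.h` (and regenerate the jextract output) so the engine can verify a response rather than trust the body of an HTTP reply.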
@@ -27,4 +27,5 @@ #include <openssl/dh.h> #include <openssl/bn.h> #include <openssl/engine.h> +#include <openssl/ocsp.h> diff --git a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java index 57bc809..ee65359 100644 --- a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java +++ b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java @@ -92,10 +92,6 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2 | SSL_PROTOCOL_TLSV1_3); - public static final int OCSP_STATUS_OK = 0; - public static final int OCSP_STATUS_REVOKED = 1; - public static final int OCSP_STATUS_UNKNOWN = 2; - private static final String BEGIN_KEY = "-----BEGIN PRIVATE KEY-----\n"; private static final Object END_KEY = "\n-----END PRIVATE KEY-----"; @@ -652,6 +648,7 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { NativeSymbol openSSLCallbackVerify = CLinker.systemCLinker().upcallStub(openSSLCallbackVerifyHandle.bindTo(this), openSSLCallbackVerifyFunctionDescriptor, state.scope); + // Leave this just in case but in Tomcat this is always set again by the engine SSL_CTX_set_verify(state.ctx, value, openSSLCallbackVerify); // Trust and certificate verification 
@@ -912,58 +909,17 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { * missing/untrusted. Fail in that case. */ if (verifyErrorIsOptional) { - X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_APPLICATION_VERIFICATION()); - errnum = X509_V_ERR_APPLICATION_VERIFICATION(); - ok = 0; - } else { - int ocspResponse = OCSP_STATUS_UNKNOWN; - // ocspResponse = ssl_verify_OCSP(x509_ctx); - MemoryAddress x509 = X509_STORE_CTX_get_current_cert(x509ctx); - if (!MemoryAddress.NULL.equals(x509)) { - // No need to check cert->valid, because ssl_verify_OCSP() only - // is called if OpenSSL already successfully verified the certificate - // (parameter "ok" in SSL_callback_SSL_verify() must be true). - if (X509_check_issued(x509, x509) == X509_V_OK()) { - // don't do OCSP checking for valid self-issued certs - X509_STORE_CTX_set_error(x509ctx, X509_V_OK()); - } else { - /* if we can't get the issuer, we cannot perform OCSP verification */ - MemoryAddress issuer = X509_STORE_CTX_get0_current_issuer(x509ctx); - if (!MemoryAddress.NULL.equals(issuer)) { - //ssl_ocsp_request(x509, issuer, x509ctx); - int nid = X509_get_ext_by_NID(x509, NID_info_access(), -1); - if (nid >= 0) { - try (var scope = ResourceScope.newConfinedScope()) { - MemoryAddress ext = X509_get_ext(x509, nid); - MemoryAddress os = X509_EXTENSION_get_data(ext); - int len = ASN1_STRING_length(os); - MemoryAddress data = ASN1_STRING_get0_data(os); - // ocsp_urls = decode_OCSP_url(os); - byte[] asn1String = new byte[len + 1]; - for (int i = 0; i < len; i++) { - asn1String[i] = data.get(ValueLayout.JAVA_BYTE, i); - } - asn1String[len] = 0; - Asn1Parser parser = new Asn1Parser(asn1String); - // Parse the byte sequence - ArrayList<String> urls = new ArrayList<>(); - try { - parseOCSPURLs(parser, urls); - } catch (Exception e) { - log.error("OCSP error", e); - } - if (!urls.isEmpty()) { - // FIXME: OCSP requests and response from sslutils.c ssl_ocsp_request - } - } - } - } - } + if 
(certificateVerifyMode != OPTIONAL_NO_CA) { + X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_APPLICATION_VERIFICATION()); + errnum = X509_V_ERR_APPLICATION_VERIFICATION(); + ok = 0; } - if (ocspResponse == OCSP_STATUS_REVOKED) { + } else { + int ocspResponse = OpenSSLEngine.processOCSP(x509ctx); + if (ocspResponse == V_OCSP_CERTSTATUS_REVOKED()) { ok = 0; errnum = X509_STORE_CTX_get_error(x509ctx); - } else if (ocspResponse == OCSP_STATUS_UNKNOWN) { + } else if (ocspResponse == V_OCSP_CERTSTATUS_UNKNOWN()) { errnum = X509_STORE_CTX_get_error(x509ctx); if (errnum <= 0) { ok = 0; @@ -980,40 +936,6 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { } - private static final int ASN1_SEQUENCE = 0x30; - private static final int ASN1_OID = 0x06; - private static final int ASN1_STRING = 0x86; - private static final byte[] OCSP_OID = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01}; - - private boolean parseOCSPURLs(Asn1Parser parser, ArrayList<String> urls) { - while (true) { - int tag = parser.peekTag(); - if (tag == ASN1_SEQUENCE) { - parser.parseTag(ASN1_SEQUENCE); - parser.parseFullLength(); - } else if (tag == ASN1_OID) { - parser.parseTag(ASN1_OID); - int oidLen = parser.parseLength(); - byte[] oid = new byte[oidLen]; - parser.parseBytes(oid); - if (Arrays.compareUnsigned(oid, 0, OCSP_OID.length, OCSP_OID, 0, OCSP_OID.length) == 0) { - Asn1Parser newParser = new Asn1Parser(Arrays.copyOfRange(oid, 8, oid.length)); - newParser.parseTag(ASN1_STRING); - int urlLen = newParser.parseLength(); - byte[] url = new byte[urlLen]; - urls.add(new String(url)); - } - } else if (tag == 0) { - // Reached the end - return true; - } else { - break; - } - } - return false; - } - - public int openSSLCallbackCertVerify(MemoryAddress /*X509_STORE_CTX*/ x509_ctx, MemoryAddress param) { if (log.isDebugEnabled()) { log.debug("Certificate verification"); 
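Review bot: In the new `else` branch the `V_OCSP_CERTSTATUS_UNKNOWN` case sets `ok = 0` only when `X509_STORE_CTX_get_error` returns a value `<= 0`, i.e. X509_V_OK, which looks inverted: OpenSSLEngine.processOCSP reports UNKNOWN with the error reset to X509_V_OK for a self-issued certificate, and with X509_V_ERR_APPLICATION_VERIFICATION when the responder could not be reached, so this rejects the former and accepts the latter. The check presumably wants to be `if (errnum != X509_V_OK()) { ok = 0; }`. The same block is duplicated in OpenSSLEngine.openSSLCallbackVerify, and the commit message says the context's verifier is normally not used, so whichever copy is kept should carry the fix. The enclosing callback method begins before this hunk.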
@@ -1495,7 +1417,8 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { return new OpenSSLEngine(cleaner, state.ctx, defaultProtocol, false, sessionContext, (negotiableProtocols != null && negotiableProtocols.size() > 0), initialized, sslHostConfig.getCertificateVerificationDepth(), - sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL_NO_CA); + sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL_NO_CA, + noOcspCheck); } @Override diff --git a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java index c2a329b..f226bd9 100644 --- a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java +++ b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java @@ -16,16 +16,23 @@ */ package org.apache.tomcat.util.net.openssl.panama; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; import java.lang.invoke.MethodHandle; import java.lang.invoke.MethodHandles; import java.lang.invoke.MethodType; import java.lang.ref.Cleaner; import java.lang.ref.Cleaner.Cleanable; +import java.net.MalformedURLException; +import java.net.URL; import java.nio.ByteBuffer; import java.nio.ReadOnlyBufferException; import java.security.Principal; import java.security.cert.Certificate; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collections; import java.util.HashMap; import java.util.HashSet; @@ -34,6 +41,7 @@ import java.util.List; import java.util.Map; import java.util.Set; +import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLException; 
@@ -56,6 +64,7 @@ import static org.apache.tomcat.util.openssl.openssl_h.*; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; +import org.apache.tomcat.util.buf.Asn1Parser; import org.apache.tomcat.util.buf.ByteBufferUtils; import org.apache.tomcat.util.net.Constants; import org.apache.tomcat.util.net.SSLUtil; @@ -204,6 +213,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn private boolean sendHandshakeError = false; private final boolean clientMode; + private final boolean noOcspCheck; private final String fallbackApplicationProtocol; private final OpenSSLSessionContext sessionContext; private final boolean alpn; @@ -239,7 +249,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn OpenSSLEngine(Cleaner cleaner, MemoryAddress sslCtx, String fallbackApplicationProtocol, boolean clientMode, OpenSSLSessionContext sessionContext, boolean alpn, boolean initialized, int certificateVerificationDepth, - boolean certificateVerificationOptionalNoCA) { + boolean certificateVerificationOptionalNoCA, boolean noOcspCheck) { if (sslCtx == null) { throw new IllegalArgumentException(sm.getString("engine.noSSLContext")); } @@ -272,6 +282,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn this.alpn = alpn; this.initialized = initialized; this.certificateVerificationOptionalNoCA = certificateVerificationOptionalNoCA; + this.noOcspCheck = noOcspCheck; } @Override 
@@ -1280,13 +1291,13 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn } } - public synchronized int openSSLCallbackVerify(int preverify_ok, MemoryAddress /*X509_STORE_CTX*/ x509_ctx) { + public synchronized int openSSLCallbackVerify(int preverify_ok, MemoryAddress /*X509_STORE_CTX*/ x509ctx) { if (logger.isDebugEnabled()) { - logger.debug("Verification in engine with mode [" + certificateVerifyMode + "]"); + logger.debug("Verification in engine with mode [" + certificateVerifyMode + "] for " + state.ssl); } int ok = preverify_ok; - int errnum = X509_STORE_CTX_get_error(x509_ctx); - int errdepth = X509_STORE_CTX_get_error_depth(x509_ctx); + int errnum = X509_STORE_CTX_get_error(x509ctx); + int errdepth = X509_STORE_CTX_get_error_depth(x509ctx); phaState = PHAState.COMPLETE; if (certificateVerifyMode == -1 /*SSL_CVERIFY_UNSET*/ || certificateVerifyMode == SSL_VERIFY_NONE()) { return 1; @@ -1296,12 +1307,12 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \ || (errnum == X509_V_ERR_CERT_UNTRUSTED) \ || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))*/ - if ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT()) + boolean verifyErrorIsOptional = (errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT()) || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN()) || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY()) || (errnum == X509_V_ERR_CERT_UNTRUSTED()) - || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE()) && - (certificateVerifyMode == OPTIONAL_NO_CA)) { + || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE()); + if (verifyErrorIsOptional && (certificateVerifyMode == OPTIONAL_NO_CA)) { ok = 1; SSL_set_verify_result(state.ssl, X509_V_OK()); } 
@@ -1318,10 +1329,35 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
 * the "real" error, as returned by OpenSSL. */
 if (ok == 0 && errnum == X509_V_ERR_CRL_HAS_EXPIRED()) {
- X509_STORE_CTX_set_error(x509_ctx, -1);
+ X509_STORE_CTX_set_error(x509ctx, -1);
 }
- // FIXME: Implement OCSP again
- // FIXME: GLORIOUS PURPOSE !!!!!
+
+ // OCSP
+ if (!noOcspCheck && (ok > 0)) {
+ /* If there was an optional verification error, it's not
+ * possible to perform OCSP validation since the issuer may be
+ * missing/untrusted. Fail in that case.
+ */
+ if (verifyErrorIsOptional) {
+ if (certificateVerifyMode != OPTIONAL_NO_CA) {
+ X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_APPLICATION_VERIFICATION());
+ errnum = X509_V_ERR_APPLICATION_VERIFICATION();
+ ok = 0;
+ }
+ } else {
+ int ocspResponse = processOCSP(x509ctx);
+ if (ocspResponse == V_OCSP_CERTSTATUS_REVOKED()) {
+ ok = 0;
+ errnum = X509_STORE_CTX_get_error(x509ctx);
+ } else if (ocspResponse == V_OCSP_CERTSTATUS_UNKNOWN()) {
+ errnum = X509_STORE_CTX_get_error(x509ctx);
+ if (errnum <= 0) {
+ ok = 0;
+ }
+ }
+ }
+ }
+
 if (ok == 0) {
 // FIXME: debug logging
 }
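Review bot: The `V_OCSP_CERTSTATUS_UNKNOWN` branch fails the handshake when the store error is X509_V_OK and passes it when an error is set, which looks inverted: processOCSP resets the error to X509_V_OK for a self-issued certificate and returns UNKNOWN (so `errnum <= 0` makes `ok = 0`), whereas a failed responder fetch in processOCSPRequest sets X509_V_ERR_APPLICATION_VERIFICATION (> 0) and leaves `ok = 1`, i.e. the check fails open exactly when the responder is unreachable. Presumably the intent is to reject whenever an error was recorded, `if (errnum != X509_V_OK()) { ok = 0; }`. Any status other than GOOD/REVOKED/UNKNOWN (for example the negative value OpenSSL returns when the single response lookup yields NULL) also falls through with ok unchanged; `} else if (ocspResponse != V_OCSP_CERTSTATUS_GOOD()) {` would route it through the same error check. The enclosing openSSLCallbackVerify starts before this hunk.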
@@ -1332,6 +1368,181 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn return ok; } + static int processOCSP(MemoryAddress /*X509_STORE_CTX*/ x509ctx) { + int ocspResponse = V_OCSP_CERTSTATUS_UNKNOWN(); + // ocspResponse = ssl_verify_OCSP(x509_ctx); + MemoryAddress x509 = X509_STORE_CTX_get_current_cert(x509ctx); + if (!MemoryAddress.NULL.equals(x509)) { + // No need to check cert->valid, because ssl_verify_OCSP() only + // is called if OpenSSL already successfully verified the certificate + // (parameter "ok" in SSL_callback_SSL_verify() must be true). + if (X509_check_issued(x509, x509) == X509_V_OK()) { + // don't do OCSP checking for valid self-issued certs + X509_STORE_CTX_set_error(x509ctx, X509_V_OK()); + } else { + // If we can't get the issuer, we cannot perform OCSP verification + MemoryAddress issuer = X509_STORE_CTX_get0_current_issuer(x509ctx); + if (!MemoryAddress.NULL.equals(issuer)) { + // sslutils.c ssl_ocsp_request(x509, issuer, x509ctx); + int nid = X509_get_ext_by_NID(x509, NID_info_access(), -1); + if (nid >= 0) { + try (var scope = ResourceScope.newConfinedScope()) { + MemoryAddress ext = X509_get_ext(x509, nid); + MemoryAddress os = X509_EXTENSION_get_data(ext); + int length = ASN1_STRING_length(os); + MemoryAddress data = ASN1_STRING_get0_data(os); + // ocsp_urls = decode_OCSP_url(os); + byte[] asn1String = MemorySegment.ofAddressNative(data, length, scope).toArray(ValueLayout.JAVA_BYTE); + Asn1Parser parser = new Asn1Parser(asn1String); + // Parse the byte sequence + ArrayList<String> urls = new ArrayList<>(); + try { + parseOCSPURLs(parser, urls); + } catch (Exception e) { + logger.error(sm.getString("engine.ocspParseError"), e); + } + if (!urls.isEmpty()) { + // Use OpenSSL to build OCSP request + for (String urlString : urls) { + if (logger.isDebugEnabled()) { + logger.debug("Processing OCSP URL: " + urlString); + } + try { + URL url = new URL(urlString); + ocspResponse = processOCSPRequest(url, issuer, 
x509, x509ctx, scope); + } catch (MalformedURLException e) { + logger.warn(sm.getString("engine.invalidOCSPURL")); + } + if (ocspResponse != V_OCSP_CERTSTATUS_UNKNOWN()) { + break; + } + } + } + } + } + } + } + } + return ocspResponse; + } + + private static final int ASN1_SEQUENCE = 0x30; + private static final int ASN1_OID = 0x06; + private static final int ASN1_STRING = 0x86; + private static final byte[] OCSP_OID = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01}; + + private static void parseOCSPURLs(Asn1Parser parser, ArrayList<String> urls) { + while (!parser.eof()) { + int tag = parser.peekTag(); + if (tag == ASN1_SEQUENCE) { + parser.parseTag(ASN1_SEQUENCE); + parser.parseFullLength(); + } else if (tag == ASN1_OID) { + parser.parseTag(ASN1_OID); + int oidLen = parser.parseLength(); + byte[] oid = new byte[oidLen]; + parser.parseBytes(oid); + if (Arrays.compareUnsigned(oid, 0, OCSP_OID.length, OCSP_OID, 0, OCSP_OID.length) == 0) { + parser.parseTag(ASN1_STRING); + int urlLen = parser.parseLength(); + byte[] url = new byte[urlLen]; + parser.parseBytes(url); + urls.add(new String(url)); + } + } else { + return; + } + } + } + + private static int processOCSPRequest(URL url, MemoryAddress issuer, MemoryAddress x509, + MemoryAddress /*X509_STORE_CTX*/ x509ctx, ResourceScope scope) { + MemoryAddress ocspRequest = MemoryAddress.NULL; + MemoryAddress ocspResponse = MemoryAddress.NULL; + MemoryAddress id = MemoryAddress.NULL; + MemoryAddress ocspOneReq = MemoryAddress.NULL; + HttpsURLConnection connection = null; + MemoryAddress basicResponse = MemoryAddress.NULL; + MemoryAddress certId = MemoryAddress.NULL; + try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) { + var allocator = SegmentAllocator.nativeAllocator(scope); + ocspRequest = OCSP_REQUEST_new(); + if (MemoryAddress.NULL.equals(ocspRequest)) { + return V_OCSP_CERTSTATUS_UNKNOWN(); + } + id = OCSP_cert_to_id(MemoryAddress.NULL, x509, issuer); + if (MemoryAddress.NULL.equals(id)) { + return 
V_OCSP_CERTSTATUS_UNKNOWN(); + } + ocspOneReq = OCSP_request_add0_id(ocspRequest, id); + if (MemoryAddress.NULL.equals(ocspOneReq)) { + return V_OCSP_CERTSTATUS_UNKNOWN(); + } + MemorySegment bufPointer = allocator.allocate(ValueLayout.ADDRESS, MemoryAddress.NULL); + int requestLength = i2d_OCSP_REQUEST(ocspRequest, bufPointer); + if (requestLength <= 0) { + return V_OCSP_CERTSTATUS_UNKNOWN(); + } + MemoryAddress buf = bufPointer.get(ValueLayout.ADDRESS, 0); + // HTTP request with the following header + // POST urlPath HTTP/1.0 + // Host: urlHost:urlPort + // Content-Type: application/ocsp-request + // Content-Length: ocspRequestData.length + byte[] ocspRequestData = MemorySegment.ofAddressNative(buf, requestLength, scope).toArray(ValueLayout.JAVA_BYTE); + connection = (HttpsURLConnection) url.openConnection(); + connection.setRequestMethod("POST"); + connection.setDoInput(true); + connection.setDoOutput(true); + connection.setFixedLengthStreamingMode(requestLength); + connection.setRequestProperty("Content-Type", "application/ocsp-request"); + connection.connect(); + connection.getOutputStream().write(ocspRequestData); + int responseCode = connection.getResponseCode(); + if (responseCode != HttpsURLConnection.HTTP_OK) { + return V_OCSP_CERTSTATUS_UNKNOWN(); + } + InputStream is = connection.getInputStream(); + int read = 0; + byte[] responseBuf = new byte[1024]; + while ((read = is.read(responseBuf)) > 0) { + baos.write(responseBuf, 0, read); + } + byte[] responseData = baos.toByteArray(); + var nativeResponseData = allocator.allocateArray(ValueLayout.JAVA_BYTE, responseData); + var nativeResponseDataPointer = allocator.allocate(ValueLayout.ADDRESS, nativeResponseData); + ocspResponse = d2i_OCSP_RESPONSE(MemoryAddress.NULL, nativeResponseDataPointer, responseData.length); + if (!MemoryAddress.NULL.equals(ocspResponse)) { + if (OCSP_response_status(ocspResponse) == OCSP_RESPONSE_STATUS_SUCCESSFUL()) { + basicResponse = OCSP_response_get1_basic(ocspResponse); + 
certId = OCSP_cert_to_id(MemoryAddress.NULL, x509, issuer); + if (MemoryAddress.NULL.equals(certId)) { + return V_OCSP_CERTSTATUS_UNKNOWN(); + } + // Find by serial number and get the matching response + MemoryAddress singleResponse = OCSP_resp_get0(basicResponse, OCSP_resp_find(basicResponse, certId, -1)); + return OCSP_single_get0_status(singleResponse, MemoryAddress.NULL, + MemoryAddress.NULL, MemoryAddress.NULL, MemoryAddress.NULL); + } + } + } catch (IOException e) { + logger.warn(sm.getString("engine.ocspRequestError", url.toString()), e); + } finally { + if (MemoryAddress.NULL.equals(ocspResponse)) { + // Failed to get a valid response + X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_APPLICATION_VERIFICATION()); + } + OCSP_CERTID_free(certId); + OCSP_BASICRESP_free(basicResponse); + OCSP_RESPONSE_free(ocspResponse); + OCSP_REQUEST_free(ocspRequest); + if (connection != null) { + connection.disconnect(); + } + } + return V_OCSP_CERTSTATUS_UNKNOWN(); + } + @Override public void setEnableSessionCreation(boolean b) { if (!b) { diff --git a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$26.java b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$26.java index 0ae8a69..d29be08 100644 --- a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$26.java +++ b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$26.java 
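Review bot: The status returned by `OCSP_single_get0_status` in processOCSPRequest is used without ever calling `OCSP_basic_verify` on `basicResponse` (no such binding exists in this commit) and with thisupd/nextupd passed as NULL, so whoever answers the HTTP POST to the URL taken from the peer certificate's AIA extension decides whether the certificate is revoked, and a captured "good" response can be replayed indefinitely. The `(HttpsURLConnection) url.openConnection()` cast throws ClassCastException for an `http://` AIA URL, which is what OCSP responders normally publish; that is not an IOException, so it escapes the catch and propagates out of the native verify upcall, and the connection has no connect/read timeout, so a slow responder blocks the handshake inside the synchronized callback. `OCSP_response_get1_basic` returning NULL and `OCSP_resp_find` returning -1 (certificate not covered by the response) are not checked; in the latter case `OCSP_resp_get0` yields NULL and the resulting status (presumably -1) is neither REVOKED nor UNKNOWN, so the caller treats it as good, and nothing sets X509_V_ERR_CERT_REVOKED although the caller reads the store error in the REVOKED case. Separately, parseOCSPURLs hits `else { return; }` on the GeneralName that follows a non-OCSP accessMethod (e.g. caIssuers listed first), so the OCSP URL after it is never found; skipping that element, e.g. `parser.parseTag(parser.peekTag()); parser.parseBytes(new byte[parser.parseLength()]);` if Asn1Parser has no skip, fixes it, and `new String(url)` should name `StandardCharsets.US_ASCII`. A rewrite of the response-handling part follows; it presumably needs `OCSP_basic_verify`, `OCSP_check_validity`, `X509_STORE_CTX_get0_store` and `X509_V_ERR_CERT_REVOKED` added to openssl-tomcat.conf if they are not already bound.
```java
HttpURLConnection connection = null; // AIA OCSP URLs are normally plain http://
// … unchanged: OCSP_REQUEST_new / OCSP_cert_to_id / OCSP_request_add0_id / i2d_OCSP_REQUEST …
connection = (HttpURLConnection) url.openConnection();
connection.setConnectTimeout(ocspTimeoutMillis); // bound the blocking fetch done inside the verify callback
connection.setReadTimeout(ocspTimeoutMillis);
// … unchanged: POST of ocspRequestData and reading of responseData …
ocspResponse = d2i_OCSP_RESPONSE(MemoryAddress.NULL, nativeResponseDataPointer, responseData.length);
if (MemoryAddress.NULL.equals(ocspResponse)
        || OCSP_response_status(ocspResponse) != OCSP_RESPONSE_STATUS_SUCCESSFUL()) {
    return V_OCSP_CERTSTATUS_UNKNOWN();
}
basicResponse = OCSP_response_get1_basic(ocspResponse);
if (MemoryAddress.NULL.equals(basicResponse)) {
    return V_OCSP_CERTSTATUS_UNKNOWN();
}
// Authenticate the responder against the trust store before acting on anything it says
if (OCSP_basic_verify(basicResponse, MemoryAddress.NULL, X509_STORE_CTX_get0_store(x509ctx), 0) <= 0) {
    X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_APPLICATION_VERIFICATION());
    return V_OCSP_CERTSTATUS_UNKNOWN();
}
certId = OCSP_cert_to_id(MemoryAddress.NULL, x509, issuer);
if (MemoryAddress.NULL.equals(certId)) {
    return V_OCSP_CERTSTATUS_UNKNOWN();
}
int index = OCSP_resp_find(basicResponse, certId, -1);
if (index < 0) {
    // The response does not cover this certificate: unknown, not good
    X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_APPLICATION_VERIFICATION());
    return V_OCSP_CERTSTATUS_UNKNOWN();
}
MemorySegment thisUpdate = allocator.allocate(ValueLayout.ADDRESS, MemoryAddress.NULL);
MemorySegment nextUpdate = allocator.allocate(ValueLayout.ADDRESS, MemoryAddress.NULL);
int status = OCSP_single_get0_status(OCSP_resp_get0(basicResponse, index), MemoryAddress.NULL,
        MemoryAddress.NULL, thisUpdate, nextUpdate);
// Reject stale or replayed responses (allowed clock skew in seconds, no max age)
if (OCSP_check_validity(thisUpdate.get(ValueLayout.ADDRESS, 0), nextUpdate.get(ValueLayout.ADDRESS, 0),
        MAX_SKEW_SECONDS, -1) <= 0) {
    X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_APPLICATION_VERIFICATION());
    return V_OCSP_CERTSTATUS_UNKNOWN();
}
if (status == V_OCSP_CERTSTATUS_REVOKED()) {
    // The caller reads the store error to report why the handshake failed
    X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_CERT_REVOKED());
}
return status;
// … unchanged: catch / finally cleanup …
```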
@@ -26,12 +26,54 @@ import jdk.incubator.foreign.*; import static jdk.incubator.foreign.ValueLayout.*; class constants$26 { - static final MemorySegment OPENSSL_VERSION_TEXT$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("OpenSSL 1.1.1l FIPS 24 Aug 2021"); - static final MemorySegment SHLIB_VERSION_HISTORY$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String(""); - static final MemorySegment SHLIB_VERSION_NUMBER$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("1.1"); - static final MemorySegment OPENSSL_FILE$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("/tmp/jextract$13411719127200839343.h"); - static final MemorySegment SSL_TXT_DSS$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("DSS"); - static final MemorySegment SSL_TXT_DH$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("DH"); + static final FunctionDescriptor OCSP_cert_to_id$FUNC = FunctionDescriptor.of(ADDRESS, + ADDRESS, + ADDRESS, + ADDRESS + ); + static final MethodHandle OCSP_cert_to_id$MH = RuntimeHelper.downcallHandle( + "OCSP_cert_to_id", + constants$26.OCSP_cert_to_id$FUNC, false + ); + static final FunctionDescriptor OCSP_request_add0_id$FUNC = FunctionDescriptor.of(ADDRESS, + ADDRESS, + ADDRESS + ); + static final MethodHandle OCSP_request_add0_id$MH = RuntimeHelper.downcallHandle( + "OCSP_request_add0_id", + constants$26.OCSP_request_add0_id$FUNC, false + ); + static final FunctionDescriptor OCSP_response_status$FUNC = FunctionDescriptor.of(JAVA_INT, + ADDRESS + ); + static final MethodHandle OCSP_response_status$MH = RuntimeHelper.downcallHandle( + "OCSP_response_status", + constants$26.OCSP_response_status$FUNC, false + ); + static final FunctionDescriptor OCSP_response_get1_basic$FUNC = FunctionDescriptor.of(ADDRESS, + ADDRESS + ); + static final MethodHandle OCSP_response_get1_basic$MH = RuntimeHelper.downcallHandle( + "OCSP_response_get1_basic", + constants$26.OCSP_response_get1_basic$FUNC, false + ); + static 
final FunctionDescriptor OCSP_resp_get0$FUNC = FunctionDescriptor.of(ADDRESS, + ADDRESS, + JAVA_INT + ); + static final MethodHandle OCSP_resp_get0$MH = RuntimeHelper.downcallHandle( + "OCSP_resp_get0", + constants$26.OCSP_resp_get0$FUNC, false + ); + static final FunctionDescriptor OCSP_resp_find$FUNC = FunctionDescriptor.of(JAVA_INT, + ADDRESS, + ADDRESS, + JAVA_INT + ); + static final MethodHandle OCSP_resp_find$MH = RuntimeHelper.downcallHandle( + "OCSP_resp_find", + constants$26.OCSP_resp_find$FUNC, false + ); } diff --git a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$27.java b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$27.java index 90d3cf3..9722495 100644 --- a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$27.java +++ b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$27.java 
@@ -26,9 +26,52 @@ import jdk.incubator.foreign.*; import static jdk.incubator.foreign.ValueLayout.*; class constants$27 { - static final MemorySegment SSL_TXT_RSA$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("RSA"); - static final MemorySegment SSL_TXT_ECDH$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("ECDH"); - static final MemorySegment SSL_TXT_ECDSA$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("ECDSA"); + static final FunctionDescriptor OCSP_single_get0_status$FUNC = FunctionDescriptor.of(JAVA_INT, + ADDRESS, + ADDRESS, + ADDRESS, + ADDRESS, + ADDRESS + ); + static final MethodHandle OCSP_single_get0_status$MH = RuntimeHelper.downcallHandle( + "OCSP_single_get0_status", + constants$27.OCSP_single_get0_status$FUNC, false + ); + static final FunctionDescriptor OCSP_BASICRESP_free$FUNC = FunctionDescriptor.ofVoid( + ADDRESS + ); + static final MethodHandle OCSP_BASICRESP_free$MH = RuntimeHelper.downcallHandle( + "OCSP_BASICRESP_free", + constants$27.OCSP_BASICRESP_free$FUNC, false + ); + static final FunctionDescriptor OCSP_RESPONSE_free$FUNC = FunctionDescriptor.ofVoid( + ADDRESS + ); + static final MethodHandle OCSP_RESPONSE_free$MH = RuntimeHelper.downcallHandle( + "OCSP_RESPONSE_free", + constants$27.OCSP_RESPONSE_free$FUNC, false + ); + static final FunctionDescriptor d2i_OCSP_RESPONSE$FUNC = FunctionDescriptor.of(ADDRESS, + ADDRESS, + ADDRESS, + JAVA_LONG + ); + static final MethodHandle d2i_OCSP_RESPONSE$MH = RuntimeHelper.downcallHandle( + "d2i_OCSP_RESPONSE", + constants$27.d2i_OCSP_RESPONSE$FUNC, false + ); + static final FunctionDescriptor OCSP_CERTID_free$FUNC = FunctionDescriptor.ofVoid( + ADDRESS + ); + static final MethodHandle OCSP_CERTID_free$MH = RuntimeHelper.downcallHandle( + "OCSP_CERTID_free", + constants$27.OCSP_CERTID_free$FUNC, false + ); + static final FunctionDescriptor OCSP_REQUEST_new$FUNC = FunctionDescriptor.of(ADDRESS); + static final MethodHandle OCSP_REQUEST_new$MH = 
RuntimeHelper.downcallHandle( + "OCSP_REQUEST_new", + constants$27.OCSP_REQUEST_new$FUNC, false + ); } diff --git a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$26.java b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$28.java similarity index 68% copy from modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$26.java copy to modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$28.java index 0ae8a69..22b3c14 100644 --- a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$26.java +++ b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$28.java 
@@ -24,14 +24,27 @@ import java.lang.invoke.VarHandle; import java.nio.ByteOrder; import jdk.incubator.foreign.*; import static jdk.incubator.foreign.ValueLayout.*; -class constants$26 { +class constants$28 { + static final FunctionDescriptor OCSP_REQUEST_free$FUNC = FunctionDescriptor.ofVoid( + ADDRESS + ); + static final MethodHandle OCSP_REQUEST_free$MH = RuntimeHelper.downcallHandle( + "OCSP_REQUEST_free", + constants$28.OCSP_REQUEST_free$FUNC, false + ); + static final FunctionDescriptor i2d_OCSP_REQUEST$FUNC = FunctionDescriptor.of(JAVA_INT, + ADDRESS, + ADDRESS + ); + static final MethodHandle i2d_OCSP_REQUEST$MH = RuntimeHelper.downcallHandle( + "i2d_OCSP_REQUEST", + constants$28.i2d_OCSP_REQUEST$FUNC, false + ); static final MemorySegment OPENSSL_VERSION_TEXT$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("OpenSSL 1.1.1l FIPS 24 Aug 2021"); static final MemorySegment SHLIB_VERSION_HISTORY$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String(""); static final MemorySegment SHLIB_VERSION_NUMBER$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("1.1"); - static final MemorySegment OPENSSL_FILE$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("/tmp/jextract$13411719127200839343.h"); - static final MemorySegment SSL_TXT_DSS$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("DSS"); - static final MemorySegment SSL_TXT_DH$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("DH"); + static final MemorySegment OPENSSL_FILE$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("/tmp/jextract$14118250997508934609.h"); } 
diff --git a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$27.java b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$29.java similarity index 85% copy from modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$27.java copy to modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$29.java index 90d3cf3..ed011ed 100644 --- a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$27.java +++ b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/constants$29.java @@ -24,8 +24,10 @@ import java.lang.invoke.VarHandle; import java.nio.ByteOrder; import jdk.incubator.foreign.*; import static jdk.incubator.foreign.ValueLayout.*; -class constants$27 { +class constants$29 { + static final MemorySegment SSL_TXT_DSS$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("DSS"); + static final MemorySegment SSL_TXT_DH$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("DH"); static final MemorySegment SSL_TXT_RSA$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("RSA"); static final MemorySegment SSL_TXT_ECDH$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("ECDH"); static final MemorySegment SSL_TXT_ECDSA$SEGMENT = RuntimeHelper.CONSTANT_ALLOCATOR.allocateUtf8String("ECDSA"); diff --git a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/openssl_h.java b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/openssl_h.java index 89ab068..2384bad 100644 --- a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/openssl_h.java +++ b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/openssl/openssl_h.java 
@@ -242,6 +242,18 @@ public class openssl_h { public static int SSL_CTRL_SET_MAX_PROTO_VERSION() { return (int)124L; } + public static int OCSP_RESPONSE_STATUS_SUCCESSFUL() { + return (int)0L; + } + public static int V_OCSP_CERTSTATUS_GOOD() { + return (int)0L; + } + public static int V_OCSP_CERTSTATUS_REVOKED() { + return (int)1L; + } + public static int V_OCSP_CERTSTATUS_UNKNOWN() { + return (int)2L; + } public static MethodHandle OPENSSL_sk_num$MH() { return RuntimeHelper.requireNonNull(constants$0.OPENSSL_sk_num$MH,"OPENSSL_sk_num"); } 
@@ -1892,20 +1904,174 @@ public class openssl_h { throw new AssertionError("should not reach here", ex$); } } + public static MethodHandle OCSP_cert_to_id$MH() { + return RuntimeHelper.requireNonNull(constants$26.OCSP_cert_to_id$MH,"OCSP_cert_to_id"); + } + public static MemoryAddress OCSP_cert_to_id ( Addressable dgst, Addressable subject, Addressable issuer) { + var mh$ = RuntimeHelper.requireNonNull(constants$26.OCSP_cert_to_id$MH, "OCSP_cert_to_id"); + try { + return (jdk.incubator.foreign.MemoryAddress)mh$.invokeExact(dgst, subject, issuer); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } + public static MethodHandle OCSP_request_add0_id$MH() { + return RuntimeHelper.requireNonNull(constants$26.OCSP_request_add0_id$MH,"OCSP_request_add0_id"); + } + public static MemoryAddress OCSP_request_add0_id ( Addressable req, Addressable cid) { + var mh$ = RuntimeHelper.requireNonNull(constants$26.OCSP_request_add0_id$MH, "OCSP_request_add0_id"); + try { + return (jdk.incubator.foreign.MemoryAddress)mh$.invokeExact(req, cid); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } + public static MethodHandle OCSP_response_status$MH() { + return RuntimeHelper.requireNonNull(constants$26.OCSP_response_status$MH,"OCSP_response_status"); + } + public static int OCSP_response_status ( Addressable resp) { + var mh$ = RuntimeHelper.requireNonNull(constants$26.OCSP_response_status$MH, "OCSP_response_status"); + try { + return (int)mh$.invokeExact(resp); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } + public static MethodHandle OCSP_response_get1_basic$MH() { + return RuntimeHelper.requireNonNull(constants$26.OCSP_response_get1_basic$MH,"OCSP_response_get1_basic"); + } + public static MemoryAddress OCSP_response_get1_basic ( Addressable resp) { + var mh$ = RuntimeHelper.requireNonNull(constants$26.OCSP_response_get1_basic$MH, 
"OCSP_response_get1_basic"); + try { + return (jdk.incubator.foreign.MemoryAddress)mh$.invokeExact(resp); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } + public static MethodHandle OCSP_resp_get0$MH() { + return RuntimeHelper.requireNonNull(constants$26.OCSP_resp_get0$MH,"OCSP_resp_get0"); + } + public static MemoryAddress OCSP_resp_get0 ( Addressable bs, int idx) { + var mh$ = RuntimeHelper.requireNonNull(constants$26.OCSP_resp_get0$MH, "OCSP_resp_get0"); + try { + return (jdk.incubator.foreign.MemoryAddress)mh$.invokeExact(bs, idx); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } + public static MethodHandle OCSP_resp_find$MH() { + return RuntimeHelper.requireNonNull(constants$26.OCSP_resp_find$MH,"OCSP_resp_find"); + } + public static int OCSP_resp_find ( Addressable bs, Addressable id, int last) { + var mh$ = RuntimeHelper.requireNonNull(constants$26.OCSP_resp_find$MH, "OCSP_resp_find"); + try { + return (int)mh$.invokeExact(bs, id, last); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } + public static MethodHandle OCSP_single_get0_status$MH() { + return RuntimeHelper.requireNonNull(constants$27.OCSP_single_get0_status$MH,"OCSP_single_get0_status"); + } + public static int OCSP_single_get0_status ( Addressable single, Addressable reason, Addressable revtime, Addressable thisupd, Addressable nextupd) { + var mh$ = RuntimeHelper.requireNonNull(constants$27.OCSP_single_get0_status$MH, "OCSP_single_get0_status"); + try { + return (int)mh$.invokeExact(single, reason, revtime, thisupd, nextupd); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } + public static MethodHandle OCSP_BASICRESP_free$MH() { + return RuntimeHelper.requireNonNull(constants$27.OCSP_BASICRESP_free$MH,"OCSP_BASICRESP_free"); + } + public static void OCSP_BASICRESP_free ( Addressable a) { + var mh$ = 
RuntimeHelper.requireNonNull(constants$27.OCSP_BASICRESP_free$MH, "OCSP_BASICRESP_free"); + try { + mh$.invokeExact(a); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } + public static MethodHandle OCSP_RESPONSE_free$MH() { + return RuntimeHelper.requireNonNull(constants$27.OCSP_RESPONSE_free$MH,"OCSP_RESPONSE_free"); + } + public static void OCSP_RESPONSE_free ( Addressable a) { + var mh$ = RuntimeHelper.requireNonNull(constants$27.OCSP_RESPONSE_free$MH, "OCSP_RESPONSE_free"); + try { + mh$.invokeExact(a); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } + public static MethodHandle d2i_OCSP_RESPONSE$MH() { + return RuntimeHelper.requireNonNull(constants$27.d2i_OCSP_RESPONSE$MH,"d2i_OCSP_RESPONSE"); + } + public static MemoryAddress d2i_OCSP_RESPONSE ( Addressable a, Addressable in, long len) { + var mh$ = RuntimeHelper.requireNonNull(constants$27.d2i_OCSP_RESPONSE$MH, "d2i_OCSP_RESPONSE"); + try { + return (jdk.incubator.foreign.MemoryAddress)mh$.invokeExact(a, in, len); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } + public static MethodHandle OCSP_CERTID_free$MH() { + return RuntimeHelper.requireNonNull(constants$27.OCSP_CERTID_free$MH,"OCSP_CERTID_free"); + } + public static void OCSP_CERTID_free ( Addressable a) { + var mh$ = RuntimeHelper.requireNonNull(constants$27.OCSP_CERTID_free$MH, "OCSP_CERTID_free"); + try { + mh$.invokeExact(a); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } + public static MethodHandle OCSP_REQUEST_new$MH() { + return RuntimeHelper.requireNonNull(constants$27.OCSP_REQUEST_new$MH,"OCSP_REQUEST_new"); + } + public static MemoryAddress OCSP_REQUEST_new () { + var mh$ = RuntimeHelper.requireNonNull(constants$27.OCSP_REQUEST_new$MH, "OCSP_REQUEST_new"); + try { + return (jdk.incubator.foreign.MemoryAddress)mh$.invokeExact(); + } catch (Throwable ex$) { + 
throw new AssertionError("should not reach here", ex$); + } + } + public static MethodHandle OCSP_REQUEST_free$MH() { + return RuntimeHelper.requireNonNull(constants$28.OCSP_REQUEST_free$MH,"OCSP_REQUEST_free"); + } + public static void OCSP_REQUEST_free ( Addressable a) { + var mh$ = RuntimeHelper.requireNonNull(constants$28.OCSP_REQUEST_free$MH, "OCSP_REQUEST_free"); + try { + mh$.invokeExact(a); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } + public static MethodHandle i2d_OCSP_REQUEST$MH() { + return RuntimeHelper.requireNonNull(constants$28.i2d_OCSP_REQUEST$MH,"i2d_OCSP_REQUEST"); + } + public static int i2d_OCSP_REQUEST ( Addressable a, Addressable out) { + var mh$ = RuntimeHelper.requireNonNull(constants$28.i2d_OCSP_REQUEST$MH, "i2d_OCSP_REQUEST"); + try { + return (int)mh$.invokeExact(a, out); + } catch (Throwable ex$) { + throw new AssertionError("should not reach here", ex$); + } + } public static long OPENSSL_VERSION_NUMBER() { return 269488335L; } public static MemorySegment OPENSSL_VERSION_TEXT() { - return constants$26.OPENSSL_VERSION_TEXT$SEGMENT; + return constants$28.OPENSSL_VERSION_TEXT$SEGMENT; } public static MemorySegment SHLIB_VERSION_HISTORY() { - return constants$26.SHLIB_VERSION_HISTORY$SEGMENT; + return constants$28.SHLIB_VERSION_HISTORY$SEGMENT; } public static MemorySegment SHLIB_VERSION_NUMBER() { - return constants$26.SHLIB_VERSION_NUMBER$SEGMENT; + return constants$28.SHLIB_VERSION_NUMBER$SEGMENT; } public static MemorySegment OPENSSL_FILE() { - return constants$26.OPENSSL_FILE$SEGMENT; + return constants$28.OPENSSL_FILE$SEGMENT; } public static int OPENSSL_LINE() { return (int)32L; 
@@ -1926,19 +2092,19 @@ public class openssl_h {
 return (int)116L;
 }
 public static MemorySegment SSL_TXT_DSS() {
- return constants$26.SSL_TXT_DSS$SEGMENT;
+ return constants$29.SSL_TXT_DSS$SEGMENT;
 }
 public static MemorySegment SSL_TXT_DH() {
- return constants$26.SSL_TXT_DH$SEGMENT;
+ return constants$29.SSL_TXT_DH$SEGMENT;
 }
 public static MemorySegment SSL_TXT_RSA() {
- return constants$27.SSL_TXT_RSA$SEGMENT;
+ return constants$29.SSL_TXT_RSA$SEGMENT;
 }
 public static MemorySegment SSL_TXT_ECDH() {
- return constants$27.SSL_TXT_ECDH$SEGMENT;
+ return constants$29.SSL_TXT_ECDH$SEGMENT;
 }
 public static MemorySegment SSL_TXT_ECDSA() {
- return constants$27.SSL_TXT_ECDSA$SEGMENT;
+ return constants$29.SSL_TXT_ECDSA$SEGMENT;
 }
 public static int SSL_OP_NO_TICKET() {
 return (int)16384L;
diff --git a/modules/openssl-panama-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties b/modules/openssl-panama-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
index 462ae0d..336418f 100644
--- a/modules/openssl-panama-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
+++ b/modules/openssl-panama-foreign/src/main/resources/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
@@ -22,6 +22,7 @@ engine.failedToWriteBytes=Failed to write bytes
 engine.inboundClose=Inbound closed before receiving peer's close_notify
 engine.invalidBufferArray=offset: [{0}], length: [{1}] (expected: offset <= offset + length <= srcs.length [{2}])
 engine.invalidDestinationBuffersState=The state of the destination buffers changed concurrently while unwrapping bytes
+engine.invalidOCSPURL=The OCSP URL is invalid: [{0}]
 engine.noRestrictSessionCreation=OpenSslEngine does not permit restricting the engine to only resuming existing sessions
 engine.noSSLContext=No SSL context
 engine.noSession=SSL session ID not available
@@ -30,6 +31,8 @@ engine.nullBufferInArray=Null buffer in array
 engine.nullCipherSuite=Null cipher suite
 engine.nullName=Null value name
 engine.nullValue=Null value
+engine.ocspParseError=Error parsing OCSP URLs
+engine.ocspRequestError=Error processing OCSP request for URL [{0}]
 engine.openSSLError=OpenSSL error: [{0}] message: [{1}]
 engine.oversizedPacket=Encrypted packet is oversized
 engine.unsupportedCipher=Unsupported cipher suite: [{0}] [{1}]
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org