Align behaviour (but not implementation) with Tomcat Native

Author: markt-asf

java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java

@@ -1305,6 +1305,7 @@ private static void parseOCSPURLs(Asn1Parser parser, ArrayList<String> urls) {
     private static int processOCSPRequest(EngineState state, URL url, MemorySegment issuer, MemorySegment x509,
             MemorySegment /* X509_STORE_CTX */ x509ctx, Arena localArena) {
         if (openssl_h_Compatibility.BORINGSSL || openssl_h_Compatibility.isLibreSSLPre35()) {
+            X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_UNABLE_TO_GET_CRL());
             return V_OCSP_CERTSTATUS_UNKNOWN();
         }
         MemorySegment ocspRequest = MemorySegment.NULL;
@@ -1317,20 +1318,24 @@ private static int processOCSPRequest(EngineState state, URL url, MemorySegment
         try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
             ocspRequest = OCSP_REQUEST_new();
             if (MemorySegment.NULL.equals(ocspRequest)) {
+                X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_UNABLE_TO_GET_CRL());
                 return V_OCSP_CERTSTATUS_UNKNOWN();
             }
             id = OCSP_cert_to_id(MemorySegment.NULL, x509, issuer);
             if (MemorySegment.NULL.equals(id)) {
+                X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_UNABLE_TO_GET_CRL());
                 return V_OCSP_CERTSTATUS_UNKNOWN();
             }
             ocspOneReq = OCSP_request_add0_id(ocspRequest, id);
             if (MemorySegment.NULL.equals(ocspOneReq)) {
+                X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_UNABLE_TO_GET_CRL());
                 return V_OCSP_CERTSTATUS_UNKNOWN();
             }
             OCSP_request_add1_nonce(ocspRequest, (char) 0, -1);
             MemorySegment bufPointer = localArena.allocateFrom(ValueLayout.ADDRESS, MemorySegment.NULL);
             int requestLength = i2d_OCSP_REQUEST(ocspRequest, bufPointer);
             if (requestLength <= 0) {
+                X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_UNABLE_TO_GET_CRL());
                 return V_OCSP_CERTSTATUS_UNKNOWN();
             }
             MemorySegment buf = bufPointer.get(ValueLayout.ADDRESS, 0);
@@ -1352,13 +1357,15 @@ private static int processOCSPRequest(EngineState state, URL url, MemorySegment
             connection.getOutputStream().write(ocspRequestData);
             int responseCode = connection.getResponseCode();
             if (responseCode != HttpURLConnection.HTTP_OK) {
+                X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_UNABLE_TO_GET_CRL());
                 return V_OCSP_CERTSTATUS_UNKNOWN();
             }
             InputStream is = connection.getInputStream();
             int read;
             byte[] responseBuf = new byte[1024];
             while ((read = is.read(responseBuf)) > 0) {
                 if (baos.size() > OCSP_MAX_RESPONSE_SIZE) {
+                    X509_STORE_CTX_set_error(x509ctx, X509_V_ERR_UNABLE_TO_GET_CRL());
                     return V_OCSP_CERTSTATUS_UNKNOWN();
                 }
                 baos.write(responseBuf, 0, read);

test/org/apache/tomcat/util/net/ocsp/TestOcspSoftFailInternalError.java

@@ -0,0 +1,110 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net.ocsp;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import javax.net.ssl.SSLHandshakeException;
+
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.Assume;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+import org.junit.runners.Parameterized.Parameters;
+
+import org.apache.tomcat.util.net.ocsp.TesterOcspResponder.OcspResponse;
+
+@RunWith(Parameterized.class)
+public class TestOcspSoftFailInternalError extends OcspBaseTest {
+
+    private static TesterOcspResponder ocspResponder;
+
+    @BeforeClass
+    public static void startOcspResponder() {
+        ocspResponder = new TesterOcspResponder();
+        ocspResponder.setFixedResponse(OcspResponse.INTERNAL_ERROR);
+        try {
+            ocspResponder.start();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+
+    @AfterClass
+    public static void stopOcspResponder() {
+        if (ocspResponder != null) {
+            ocspResponder.stop();
+            ocspResponder = null;
+        }
+    }
+
+
+    @Parameters(name = "{0} with OpenSSL trust {2}: softFail {4}, clientOk {5}")
+    public static Collection<Object[]> parameters() {
+        List<Object[]> parameterSets = new ArrayList<>();
+        Collection<Object[]> baseData = OcspBaseTest.parameters();
+
+        for (Object[] base : baseData) {
+            for (Boolean softFail : booleans) {
+                for (Boolean clientCertValid : booleans) {
+                    Boolean handshakeFailureExpected;
+
+                    if (softFail.booleanValue()) {
+                        handshakeFailureExpected = Boolean.FALSE;
+                    } else {
+                        handshakeFailureExpected = Boolean.TRUE;
+                    }
+
+                    parameterSets.add(new Object[] { base[0], base[1], base[2], base[3], softFail, clientCertValid,
+                            handshakeFailureExpected});
+                }
+            }
+        }
+        return parameterSets;
+    }
+
+    @Parameter(4)
+    public Boolean softFail;
+
+    @Parameter(5)
+    public boolean clientCertValid;
+
+    @Parameter(6)
+    public boolean handshakeFailureExpected;
+
+    @Test
+    public void test() throws Exception {
+        Assume.assumeNotNull(ocspResponder);
+        try {
+            doTest(clientCertValid, true, ClientCertificateVerification.ENABLED, false, softFail);
+            if (handshakeFailureExpected) {
+                Assert.fail("Handshake did not fail when expected to do so.");
+            }
+        } catch (SSLHandshakeException e) {
+            if (!handshakeFailureExpected) {
+                Assert.fail("Handshake failed when not expected to do so.");
+            }
+        }
+    }
+}

test/org/apache/tomcat/util/net/ocsp/TesterOcspResponder.java

@@ -106,6 +106,7 @@ public enum OcspResponse {
         OK,
         REVOKED,
         UNKNOWN,
-        TRY_LATER
+        TRY_LATER,
+        INTERNAL_ERROR
     }
 }

test/org/apache/tomcat/util/net/ocsp/TesterOcspResponderServlet.java

@@ -247,6 +247,8 @@ private OCSPResp processOscpRequest(byte[] derEncodeOCSPRequest) throws ServletE
                     case UNKNOWN:
                         responseBuilder.addResponse(certificateID, new UnknownStatus());
                         break;
+                    case INTERNAL_ERROR:
+                        throw new ServletException("Internal error");
                 }
             }
         }

webapps/docs/changelog.xml

@@ -134,6 +134,10 @@
         non-trailer fields. Control characters (excluding TAB), and characters
         with code points above 255 will be replaced with a space. (markt)
       </add>
+      <fix>
+        Align OpenSSl FFM behaviour with Tomcat Native for various OCSP edge
+        cases. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Cluster">