OCSP Stapling Checks (#756)

Adds the ability for TrustStategy to configure whether or not certificate revocation checking is to be carried out. By default revocation checking is disabled.

If enabled the driver will check the validity of stapled OCSP (Online Certificate Status Protocol) response(s). These responses are returned during the TLS handshake by the server and if not present, the driver will fail to accept the certificate.

See: https://tools.ietf.org/html/rfc6961

Author: gjmwoods

driver/src/main/java/org/neo4j/driver/Config.java

@@ -30,7 +30,7 @@
 import org.neo4j.driver.exceptions.ServiceUnavailableException;
 import org.neo4j.driver.exceptions.SessionExpiredException;
 import org.neo4j.driver.exceptions.TransientException;
-import org.neo4j.driver.internal.ConnectionSettings;
+import org.neo4j.driver.internal.RevocationStrategy;
 import org.neo4j.driver.internal.SecuritySettings;
 import org.neo4j.driver.internal.async.pool.PoolSettings;
 import org.neo4j.driver.internal.cluster.RoutingSettings;
@@ -802,6 +802,7 @@ public enum Strategy
         private final Strategy strategy;
         private final File certFile;
         private boolean hostnameVerificationEnabled = true;
+        private RevocationStrategy revocationStrategy = RevocationStrategy.NO_CHECKS;
 
         private TrustStrategy( Strategy strategy )
         {
@@ -901,5 +902,53 @@ public static TrustStrategy trustAllCertificates()
         {
             return new TrustStrategy( Strategy.TRUST_ALL_CERTIFICATES );
         }
+
+        /**
+         * The revocation strategy used for verifying certificates.
+         * @return this {@link TrustStrategy}'s revocation strategy
+         */
+        public RevocationStrategy revocationStrategy()
+        {
+            return revocationStrategy;
+        }
+
+        /**
+         * Configures the {@link TrustStrategy} to not carry out OCSP revocation checks on certificates. This is the
+         * option that is configured by default.
+         * @return the current trust strategy
+         */
+        public TrustStrategy withoutCertificateRevocationChecks()
+        {
+            this.revocationStrategy = RevocationStrategy.NO_CHECKS;
+            return this;
+        }
+
+        /**
+         * Configures the {@link TrustStrategy} to carry out OCSP revocation checks when the revocation status is
+         * stapled to the certificate. If no stapled response is found, then certificate verification continues
+         * (and does not fail verification). This setting also requires the server to be configured to enable
+         * OCSP stapling.
+         * @return the current trust strategy
+         */
+        public TrustStrategy withVerifyIfPresentRevocationChecks()
+        {
+            this.revocationStrategy = RevocationStrategy.VERIFY_IF_PRESENT;
+            return this;
+        }
+
+        /**
+         * Configures the {@link TrustStrategy} to carry out strict OCSP revocation checks for revocation status that
+         * are stapled to the certificate. If no stapled response is found, then the driver will fail certificate verification
+         * and not connect to the server. This setting also requires the server to be configured to enable OCSP stapling.
+         *
+         * Note: enabling this setting will prevent the driver connecting to the server when the server is unable to reach
+         * the certificate's configured OCSP responder URL.
+         * @return the current trust strategy
+         */
+        public TrustStrategy withStrictRevocationChecks()
+        {
+            this.revocationStrategy = RevocationStrategy.STRICT;
+            return this;
+        }
     }
 }

driver/src/main/java/org/neo4j/driver/internal/RevocationStrategy.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2002-2020 "Neo4j,"
+ * Neo4j Sweden AB [http://neo4j.com]
+ *
+ * This file is part of Neo4j.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.neo4j.driver.internal;
+
+public enum RevocationStrategy
+{
+    /** Don't do any OCSP revocation checks, regardless whether there are stapled revocation statuses or not. */
+    NO_CHECKS,
+    /** Verify OCSP revocation checks when the revocation status is stapled to the certificate, continue if not. */
+    VERIFY_IF_PRESENT,
+    /** Require stapled revocation status and verify OCSP revocation checks, fail if no revocation status is stapled to the certificate. */
+    STRICT;
+
+    public static boolean requiresRevocationChecking( RevocationStrategy revocationStrategy )
+    {
+        return revocationStrategy.equals( STRICT ) || revocationStrategy.equals( VERIFY_IF_PRESENT );
+    }
+}

driver/src/main/java/org/neo4j/driver/internal/SecuritySettings.java

@@ -92,11 +92,11 @@ private SecurityPlan createSecurityPlanFromScheme( String scheme ) throws Genera
     {
         if ( isHighTrustScheme(scheme) )
         {
-            return SecurityPlanImpl.forSystemCASignedCertificates( true );
+            return SecurityPlanImpl.forSystemCASignedCertificates( true, RevocationStrategy.NO_CHECKS );
         }
         else
         {
-            return SecurityPlanImpl.forAllCertificates( false );
+            return SecurityPlanImpl.forAllCertificates( false, RevocationStrategy.NO_CHECKS );
         }
     }
 
@@ -110,14 +110,15 @@ private static SecurityPlan createSecurityPlanImpl( boolean encrypted, Config.Tr
         if ( encrypted )
         {
             boolean hostnameVerificationEnabled = trustStrategy.isHostnameVerificationEnabled();
+            RevocationStrategy revocationStrategy = trustStrategy.revocationStrategy();
             switch ( trustStrategy.strategy() )
             {
             case TRUST_CUSTOM_CA_SIGNED_CERTIFICATES:
-                return SecurityPlanImpl.forCustomCASignedCertificates( trustStrategy.certFile(), hostnameVerificationEnabled );
+                return SecurityPlanImpl.forCustomCASignedCertificates( trustStrategy.certFile(), hostnameVerificationEnabled, revocationStrategy );
             case TRUST_SYSTEM_CA_SIGNED_CERTIFICATES:
-                return SecurityPlanImpl.forSystemCASignedCertificates( hostnameVerificationEnabled );
+                return SecurityPlanImpl.forSystemCASignedCertificates( hostnameVerificationEnabled, revocationStrategy );
             case TRUST_ALL_CERTIFICATES:
-                return SecurityPlanImpl.forAllCertificates( hostnameVerificationEnabled );
+                return SecurityPlanImpl.forAllCertificates( hostnameVerificationEnabled, revocationStrategy );
             default:
                 throw new ClientException(
                         "Unknown TLS authentication strategy: " + trustStrategy.strategy().name() );

driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlan.java

@@ -20,6 +20,8 @@
 
 import javax.net.ssl.SSLContext;
 
+import org.neo4j.driver.internal.RevocationStrategy;
+
 /**
  * A SecurityPlan consists of encryption and trust details.
  */
@@ -30,4 +32,6 @@ public interface SecurityPlan
     SSLContext sslContext();
 
     boolean requiresHostnameVerification();
+
+    RevocationStrategy revocationStrategy();
 }

driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlanImpl.java

@@ -22,70 +22,140 @@
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
-import java.security.NoSuchAlgorithmException;
+import java.security.Security;
 import java.security.cert.CertificateException;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
+import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 
+import org.neo4j.driver.internal.RevocationStrategy;
+
+import static org.neo4j.driver.internal.RevocationStrategy.VERIFY_IF_PRESENT;
+import static org.neo4j.driver.internal.RevocationStrategy.requiresRevocationChecking;
 import static org.neo4j.driver.internal.util.CertificateTool.loadX509Cert;
 
 /**
  * A SecurityPlan consists of encryption and trust details.
  */
 public class SecurityPlanImpl implements SecurityPlan
 {
-    public static SecurityPlan forAllCertificates( boolean requiresHostnameVerification ) throws GeneralSecurityException
+    public static SecurityPlan forAllCertificates( boolean requiresHostnameVerification, RevocationStrategy revocationStrategy ) throws GeneralSecurityException
     {
         SSLContext sslContext = SSLContext.getInstance( "TLS" );
         sslContext.init( new KeyManager[0], new TrustManager[]{new TrustAllTrustManager()}, null );
 
-        return new SecurityPlanImpl( true, sslContext, requiresHostnameVerification );
+        return new SecurityPlanImpl( true, sslContext, requiresHostnameVerification, revocationStrategy );
+    }
+
+    public static SecurityPlan forCustomCASignedCertificates( File certFile, boolean requiresHostnameVerification,
+                                                              RevocationStrategy revocationStrategy )
+            throws GeneralSecurityException, IOException
+    {
+        SSLContext sslContext = configureSSLContext( certFile, revocationStrategy );
+        return new SecurityPlanImpl( true, sslContext, requiresHostnameVerification, revocationStrategy );
+    }
+
+    public static SecurityPlan forSystemCASignedCertificates( boolean requiresHostnameVerification, RevocationStrategy revocationStrategy )
+            throws GeneralSecurityException, IOException
+    {
+        SSLContext sslContext = configureSSLContext( null, revocationStrategy );
+        return new SecurityPlanImpl( true, sslContext, requiresHostnameVerification, revocationStrategy );
     }
 
-    public static SecurityPlan forCustomCASignedCertificates( File certFile, boolean requiresHostnameVerification )
+    private static SSLContext configureSSLContext( File customCertFile, RevocationStrategy revocationStrategy )
             throws GeneralSecurityException, IOException
     {
-        // A certificate file is specified so we will load the certificates in the file
-        // Init a in memory TrustedKeyStore
-        KeyStore trustedKeyStore = KeyStore.getInstance( "JKS" );
+        KeyStore trustedKeyStore = KeyStore.getInstance( KeyStore.getDefaultType() );
         trustedKeyStore.load( null, null );
 
-        // Load the certs from the file
-        loadX509Cert( certFile, trustedKeyStore );
+        if ( customCertFile != null )
+        {
+            // A certificate file is specified so we will load the certificates in the file
+            loadX509Cert( customCertFile, trustedKeyStore );
+        }
+        else
+        {
+            loadSystemCertificates( trustedKeyStore );
+        }
+
+        // Configure certificate revocation checking (X509CertSelector() selects all certificates)
+        PKIXBuilderParameters pkixBuilderParameters = new PKIXBuilderParameters( trustedKeyStore, new X509CertSelector() );
 
-        // Create TrustManager from TrustedKeyStore
-        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( "SunX509" );
-        trustManagerFactory.init( trustedKeyStore );
+        // sets checking of stapled ocsp response
+        pkixBuilderParameters.setRevocationEnabled( requiresRevocationChecking( revocationStrategy ) );
+
+        if ( requiresRevocationChecking( revocationStrategy ) )
+        {
+            // enables status_request extension in client hello
+            System.setProperty( "jdk.tls.client.enableStatusRequestExtension", "true" );
+
+            if ( revocationStrategy.equals( VERIFY_IF_PRESENT ) )
+            {
+                // enables soft-fail behaviour if no stapled response found.
+                Security.setProperty( "ocsp.enable", "true" );
+            }
+        }
 
         SSLContext sslContext = SSLContext.getInstance( "TLS" );
+
+        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
+        trustManagerFactory.init( new CertPathTrustManagerParameters( pkixBuilderParameters ) );
         sslContext.init( new KeyManager[0], trustManagerFactory.getTrustManagers(), null );
 
-        return new SecurityPlanImpl( true, sslContext, requiresHostnameVerification );
+        return sslContext;
     }
 
-    public static SecurityPlan forSystemCASignedCertificates( boolean requiresHostnameVerification ) throws NoSuchAlgorithmException
+    private static void loadSystemCertificates( KeyStore trustedKeyStore ) throws GeneralSecurityException, IOException
     {
-        return new SecurityPlanImpl( true, SSLContext.getDefault(), requiresHostnameVerification );
+        // To customize the PKIXParameters we need to get hold of the default KeyStore, no other elegant way available
+        TrustManagerFactory tempFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
+        tempFactory.init( (KeyStore) null );
+
+        // Get hold of the default trust manager
+        X509TrustManager x509TrustManager = null;
+        for ( TrustManager trustManager : tempFactory.getTrustManagers() )
+        {
+            if ( trustManager instanceof X509TrustManager )
+            {
+                x509TrustManager = (X509TrustManager) trustManager;
+                break;
+            }
+        }
+
+        if ( x509TrustManager == null )
+        {
+            throw new CertificateException( "No system certificates found" );
+        }
+        else
+        {
+            // load system default certificates into KeyStore
+            loadX509Cert( x509TrustManager.getAcceptedIssuers(), trustedKeyStore );
+        }
     }
 
     public static SecurityPlan insecure()
     {
-        return new SecurityPlanImpl( false, null, false );
+        return new SecurityPlanImpl( false, null, false,
+                                     RevocationStrategy.NO_CHECKS );
     }
 
     private final boolean requiresEncryption;
     private final SSLContext sslContext;
     private final boolean requiresHostnameVerification;
+    private final RevocationStrategy revocationStrategy;
 
-    private SecurityPlanImpl( boolean requiresEncryption, SSLContext sslContext, boolean requiresHostnameVerification )
+    private SecurityPlanImpl( boolean requiresEncryption, SSLContext sslContext, boolean requiresHostnameVerification, RevocationStrategy revocationStrategy )
     {
         this.requiresEncryption = requiresEncryption;
         this.sslContext = sslContext;
         this.requiresHostnameVerification = requiresHostnameVerification;
+        this.revocationStrategy = revocationStrategy;
     }
 
     @Override
@@ -106,6 +176,12 @@ public boolean requiresHostnameVerification()
         return requiresHostnameVerification;
     }
 
+    @Override
+    public RevocationStrategy revocationStrategy()
+    {
+        return revocationStrategy;
+    }
+
     private static class TrustAllTrustManager implements X509TrustManager
     {
         public void checkClientTrusted( X509Certificate[] chain, String authType ) throws CertificateException

driver/src/main/java/org/neo4j/driver/internal/util/CertificateTool.java

@@ -30,12 +30,13 @@
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
 import java.util.Base64;
 
 /**
  * A tool used to save, load certs, etc.
  */
-public class CertificateTool
+public final class CertificateTool
 {
     private static final String BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
     private static final String END_CERT = "-----END CERTIFICATE-----";
@@ -139,6 +140,14 @@ public static void loadX509Cert( File certFile, KeyStore keyStore ) throws Gener
         }
     }
 
+    public static void loadX509Cert( X509Certificate[] certificates, KeyStore keyStore ) throws GeneralSecurityException, IOException
+    {
+        for ( int i = 0; i < certificates.length; i++ )
+        {
+            loadX509Cert( certificates[i], "neo4j.javadriver.trustedcert." + i, keyStore );
+        }
+    }
+
     /**
      * Load a certificate to a key store with a name
      *
@@ -161,6 +170,10 @@ public static String X509CertToString( String cert )
         String cert64CharPerLine = cert.replaceAll( "(.{64})", "$1\n" );
         return BEGIN_CERT + "\n" + cert64CharPerLine + "\n"+ END_CERT + "\n";
     }
+
+    private CertificateTool()
+    {
+    }
 }