WFCORE-6802 [Preview] OCSP stapling support

elytron/pom.xml

@@ -414,6 +414,7 @@
                                 <exclude>jacc-with-providers.xml</exclude>
                                 <exclude>legacy*.xml</exclude>
                                 <exclude>elytron-subsystem-community*.xml</exclude>
+                                <exclude>elytron-subsystem-preview*.xml</exclude>
                             </excludes>
                             <systemId>src/main/resources/schema/wildfly-elytron_18_0.xsd</systemId>
                         </validationSet>

elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java

@@ -12,6 +12,7 @@
  */
 interface ElytronDescriptionConstants {
 
+    String ACCEPT_OCSP_STAPLING = "accept-ocsp-stapling";
     String ACCOUNT_KEY = "account-key";
     String ACTION = "action";
     String ACTIVE_SESSION_COUNT = "active-session-count";
@@ -73,6 +74,8 @@ interface ElytronDescriptionConstants {
     String BCRYPT_MAPPER = "bcrypt-mapper";
 
     String CAA_IDENTITIES = "caa-identities";
+    String CACHE_SIZE = "cache-size";
+    String CACHE_LIFETIME = "cache-lifetime";
     String CACHING_REALM = "caching-realm";
     String CASE_PRINCIPAL_TRANSFORMER = "case-principal-transformer";
     String CALLBACK_HANDLER = "callback-handler";
@@ -246,6 +249,7 @@ interface ElytronDescriptionConstants {
     String IDENTITY_MAPPING = "identity-mapping";
     String IDENTITY_REALM = "identity-realm";
     String IGNORE_UNAVAILABLE_REALMS = "ignore-unavailable-realms";
+    String IGNORE_EXTENSIONS = "ignore-extensions";
     String IMPLEMENTATION = "implementation";
     String IMPLEMENTATION_PROPERTIES = "implementation-properties";
     String IMPORT_CERTIFICATE = "import-certificate";
@@ -366,6 +370,8 @@ interface ElytronDescriptionConstants {
     String OBTAIN_CERTIFICATE = "obtain-certificate";
     String OBTAIN_KERBEROS_TICKET = "obtain-kerberos-ticket";
     String OCSP = "ocsp";
+    String OCSP_STAPLING = "ocsp-stapling";
+    String OCSP_STAPLING_SOFT_FAIL = "ocsp-stapling-soft-fail";
     String OID = "oid";
     String ONLY_LEAF_CERT = "only-leaf-cert";
     String OPERATIONS = "operations";
@@ -467,6 +473,9 @@ interface ElytronDescriptionConstants {
     String RESPONDER = "responder";
     String RESPONDER_CERTIFICATE = "responder-certificate";
     String RESPONDER_KEYSTORE = "responder-keystore";
+    String RESPONDER_OVERRIDE = "responder-override";
+    String RESPONDER_URI = "responder-uri";
+    String RESPONSE_TIMEOUT = "response-timeout";
     String REVERSE = "reverse";
     String REVOKE_CERTIFICATE = "revoke-certificate";
     String RIGHT = "right";

elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java

@@ -193,7 +193,9 @@ private void addCredentialStoreParser(PersistentResourceXMLDescription.Persisten
 
     private void addTlsParser(PersistentResourceXMLDescription.PersistentResourceXMLBuilder builder) {
         TlsParser tlsParser = new TlsParser();
-        if (this.since(ElytronSubsystemSchema.VERSION_18_0_COMMUNITY) && this.enables(getDynamicClientSSLContextDefinition())) {
+        if (this.since(ElytronSubsystemSchema.VERSION_18_0_PREVIEW) && this.enables(SSLDefinitions.OCSP_STAPLING)) {
+            builder.addChild(tlsParser.tlsParserPreview_18_0);
+        } else if (this.since(ElytronSubsystemSchema.VERSION_18_0_COMMUNITY) && this.enables(getDynamicClientSSLContextDefinition())) {
             builder.addChild(tlsParser.tlsParserCommunity_18_0);
         } else if (this.since(ElytronSubsystemSchema.VERSION_14_0)) {
             builder.addChild(tlsParser.tlsParser_14_0);

elytron/src/main/java/org/wildfly/extension/elytron/TlsParser.java

@@ -180,6 +180,30 @@ class TlsParser {
             .addAttribute(SSLDefinitions.FINAL_PRINCIPAL_TRANSFORMER)
             .addAttribute(SSLDefinitions.REALM_MAPPER);
 
+    private PersistentResourceXMLBuilder serverSslContextPreviewParser_18_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(SERVER_SSL_CONTEXT))
+            .setXmlWrapperElement(SERVER_SSL_CONTEXTS)
+            .setMarshallDefaultValues(true)
+            .addAttribute(SSLDefinitions.SECURITY_DOMAIN)
+            .addAttribute(SSLDefinitions.CIPHER_SUITE_FILTER)
+            .addAttribute(SSLDefinitions.CIPHER_SUITE_NAMES)
+            .addAttribute(SSLDefinitions.PROTOCOLS)
+            .addAttribute(SSLDefinitions.WANT_CLIENT_AUTH)
+            .addAttribute(SSLDefinitions.NEED_CLIENT_AUTH)
+            .addAttribute(SSLDefinitions.AUTHENTICATION_OPTIONAL)
+            .addAttribute(SSLDefinitions.USE_CIPHER_SUITES_ORDER)
+            .addAttribute(SSLDefinitions.MAXIMUM_SESSION_CACHE_SIZE)
+            .addAttribute(SSLDefinitions.SESSION_TIMEOUT)
+            .addAttribute(SSLDefinitions.WRAP)
+            .addAttribute(SSLDefinitions.KEY_MANAGER)
+            .addAttribute(SSLDefinitions.TRUST_MANAGER)
+            .addAttribute(SSLDefinitions.PROVIDERS)
+            .addAttribute(SSLDefinitions.PROVIDER_NAME)
+            .addAttribute(SSLDefinitions.PRE_REALM_PRINCIPAL_TRANSFORMER)
+            .addAttribute(SSLDefinitions.POST_REALM_PRINCIPAL_TRANSFORMER)
+            .addAttribute(SSLDefinitions.FINAL_PRINCIPAL_TRANSFORMER)
+            .addAttribute(SSLDefinitions.REALM_MAPPER)
+            .addAttribute(SSLDefinitions.OCSP_STAPLING);    // new OCSP_STAPLING element
+
     private PersistentResourceXMLBuilder clientSslContextParser = PersistentResourceXMLDescription.builder(PathElement.pathElement(CLIENT_SSL_CONTEXT))
             .setXmlWrapperElement(CLIENT_SSL_CONTEXTS)
             .addAttribute(SSLDefinitions.SECURITY_DOMAIN)
@@ -224,6 +248,28 @@ class TlsParser {
             .addAttribute(SSLDefinitions.PROVIDERS)
             .addAttribute(SSLDefinitions.PROVIDER_NAME);
 
+    private PersistentResourceXMLBuilder clientSslContextParserPreview_18_0 = PersistentResourceXMLDescription.builder(PathElement.pathElement(CLIENT_SSL_CONTEXT))
+            .setXmlWrapperElement(CLIENT_SSL_CONTEXTS)
+            .addAttribute(SSLDefinitions.SECURITY_DOMAIN)
+            .addAttribute(SSLDefinitions.CIPHER_SUITE_FILTER)
+            .addAttribute(SSLDefinitions.CIPHER_SUITE_NAMES)
+            .addAttribute(SSLDefinitions.PROTOCOLS)
+            .addAttribute(SSLDefinitions.WANT_CLIENT_AUTH)
+            .addAttribute(SSLDefinitions.NEED_CLIENT_AUTH)
+            .addAttribute(SSLDefinitions.AUTHENTICATION_OPTIONAL)
+            .addAttribute(SSLDefinitions.USE_CIPHER_SUITES_ORDER)
+            .addAttribute(SSLDefinitions.MAXIMUM_SESSION_CACHE_SIZE)
+            .addAttribute(SSLDefinitions.SESSION_TIMEOUT)
+            .addAttribute(SSLDefinitions.WRAP)
+            .addAttribute(SSLDefinitions.KEY_MANAGER)
+            .addAttribute(SSLDefinitions.TRUST_MANAGER)
+            .addAttribute(SSLDefinitions.PROVIDERS)
+            .addAttribute(SSLDefinitions.PROVIDER_NAME)
+            .addAttribute(SSLDefinitions.ACCEPT_OCSP_STAPLING)      //new
+            .addAttribute(SSLDefinitions.OCSP_STAPLING_SOFT_FAIL)   // new
+            .addAttribute(SSLDefinitions.ACCEPT_OCSP_RESPONDER_KEYSTORE)    // new
+            .addAttribute(SSLDefinitions.ACCEPT_OCSP_RESPONDER_CERTIFICATE); //new
+
     private PersistentResourceXMLBuilder certificateAuthorityAccountParser = PersistentResourceXMLDescription.builder(PathElement.pathElement(CERTIFICATE_AUTHORITY_ACCOUNT))
             .setXmlWrapperElement(CERTIFICATE_AUTHORITY_ACCOUNTS)
             .addAttribute(CertificateAuthorityAccountDefinition.CERTIFICATE_AUTHORITY)
@@ -371,4 +417,20 @@ public void marshallSingleElement(AttributeDefinition attribute, ModelNode mappi
             .addChild(serverSslSniContextParser)
             .addChild(dynamicClientSslContextParser) // new
             .build();
+
+    final PersistentResourceXMLDescription tlsParserPreview_18_0 = decorator(TLS)
+            .addChild(decorator(KEY_STORES)
+                    .addChild(keyStoreParser)
+                    .addChild(ldapKeyStoreParser)
+                    .addChild(filteringKeyStoreParser)
+            )
+            .addChild(keyManagerParser_12_0)
+            .addChild(trustManagerParser_14_0)
+            .addChild(serverSslContextPreviewParser_18_0)   // new parser with ocsp_stapling
+            .addChild(clientSslContextParserPreview_18_0) // new parser with ocsp_stapling
+            .addChild(certificateAuthorityParser)
+            .addChild(certificateAuthorityAccountParser)
+            .addChild(serverSslSniContextParser)
+            .addChild(dynamicClientSslContextParser)
+            .build();
 }

elytron/src/main/java/org/wildfly/extension/elytron/TrivialService.java

@@ -45,7 +45,11 @@ void setValueSupplier(ValueSupplier<T> valueSupplier) {
 
     @Override
     public void start(StartContext context) throws StartException {
-        value = checkNotNullParam("valueSupplier", valueSupplier).get();
+        try {
+            value = checkNotNullParam("valueSupplier", valueSupplier).get();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
         if (valueConsumer != null) {
             valueConsumer.accept(value);
         }
@@ -69,7 +73,7 @@ public T getValue() throws IllegalStateException, IllegalArgumentException {
     @FunctionalInterface
     interface ValueSupplier<T> {
 
-        T get() throws StartException;
+        T get() throws Exception;
 
         default void dispose() {}
 

elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java

@@ -732,5 +732,7 @@ public interface ElytronSubsystemMessages extends BasicLogger {
      *
      * If no suitable section is available add a new section.
      */
+    @Message(id = 1221, value = "Unable to load keystore capability service from trustManager")
+    OperationFailedException unableToLoadKeystoreCapabilityService();
 
 }

elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties

@@ -1386,6 +1386,10 @@ elytron.client-ssl-context.key-refresh=Refresh KeyManager used by SSLContext.
 elytron.client-ssl-context.trust-manager=Reference to the trust manager to use within the SSLContext.
 elytron.client-ssl-context.provider-name=The name of the provider to use. If not specified, all providers from providers will be passed to the SSLContext.
 elytron.client-ssl-context.providers=The name of the providers to obtain the Provider[] to use to load the SSLContext.
+elytron.client-ssl-context.accept-ocsp-stapling=Indicates whether the client would accept OCSP stapled responses fom the model or not.
+elytron.client-ssl-context.ocsp-stapling-soft-fail=Determines client behaviour upon receiving an unknown OCSP-stapled response from the server.
+elytron.client-ssl-context.responder-certificate=The alias for OCSP Responder certificate. Keep undefined to use the issuer of certificate in validation.
+elytron.client-ssl-context.responder-keystore=The keystore for responder-certificate. Keep undefined to use trust-manager keystore. Requires responder-certificate to be defined.
 # Runtime Attributes
 elytron.client-ssl-context.active-session-count=The count of current active sessions.
 
@@ -1521,6 +1525,13 @@ elytron.server-ssl-context.ssl-session.peer-certificates.signature-algorithm=The
 elytron.server-ssl-context.ssl-session.peer-certificates.signature=The signature of the certificate.
 elytron.server-ssl-context.ssl-session.peer-certificates.version=The certificate version.
 
+elytron.server-ssl-context.ocsp-stapling=Support for OCSP Stapling for server ssl context.
+elytron.server-ssl-context.ocsp-stapling.response-timeout=Enables online certificate status protocol Stapling for the server SSL context.
+elytron.server-ssl-context.ocsp-stapling.cache-size=Controls the maximum cache size in entries.
+elytron.server-ssl-context.ocsp-stapling.cache-lifetime=Controls the maximum life of a cached response in seconds.
+elytron.server-ssl-context.ocsp-stapling.responder-uri=The responder to contact in case the certificate used by the server does not have the Authority Info Access (AIA) extension. This does not override the AIA extension value unless "responder-override" is set to true.
+elytron.server-ssl-context.ocsp-stapling.responder-override=Determines whether the Authority information from the AIA extension value would be overridden by the value of the `responderURI`.
+elytron.server-ssl-context.ocsp-stapling.ignore-extensions=determines whether the forwarding of OCSP extensions specified in the "status_request" or "status_request_v2" TLS extensions is disabled or not.
 # Operations
 elytron.server-ssl-context.ssl-session.invalidate=Invalidate the SSLSession (Note: This does not terminate current connections, only prevents future connections from joining or resuming this session).
 

elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd

@@ -5145,6 +5145,9 @@
                 Definitions of a single server side SSLContext.
             </xs:documentation>
         </xs:annotation>
+        <xs:all>
+            <xs:element name="ocsp-stapling" type="ocspStaplingType" minOccurs="0" maxOccurs="1"/>
+        </xs:all>
         <xs:attribute name="name" type="xs:string" use="required">
             <xs:annotation>
                 <xs:documentation>
@@ -5298,6 +5301,61 @@
         </xs:attribute>
     </xs:complexType>
 
+    <xs:complexType name="ocspStaplingType">
+        <xs:annotation>
+            <xs:documentation>
+                Enables online certificate status protocol Stapling for the server SSL context.
+            </xs:documentation>
+        </xs:annotation>
+        <xs:attribute name="response-timeout" type="xs:int" use="optional" default="5000">
+            <xs:annotation>
+                <xs:documentation>
+                    Controls the maximum amount of time in millisecond the server will use to obtain OCSP responses,
+                    whether from the cache or by contacting an OCSP responder.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="cache-size" type="xs:int" use="optional" default="256">
+            <xs:annotation>
+                <xs:documentation>
+                    Controls the maximum cache size in entries.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="cache-lifetime" type="xs:int" use="optional" default="3600">
+            <xs:annotation>
+                <xs:documentation>
+                    Controls the maximum life of a cached response in seconds.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="responder-uri" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    The responder to contact in case the certificate used by the server does
+                    not have the Authority Info Access (AIA) extension. This does not override
+                    the AIA extension value unless "responder-override" is set to true.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="responder-override" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    Determines whether the Authority information from the AIA extension
+                    value would be overridden by the value of the `responderURI`.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="ignore-extentions" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    determines whether the forwarding of OCSP extensions specified in the
+                    "status_request" or "status_request_v2" TLS extensions is disabled or not.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+
     <xs:complexType name="clientSSLContextsType">
         <xs:annotation>
             <xs:documentation>
@@ -5372,6 +5430,34 @@
                 </xs:documentation>
             </xs:annotation>
         </xs:attribute>
+        <xs:attribute name="accept-ocsp-stapling" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    Indicates whether the client would accept OCSP stapled responses fom the model or not.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="ocsp-stapling-soft-fail" type="xs:boolean" use="optional" default="true">
+            <xs:annotation>
+                <xs:documentation>
+                    Indicates the behaviour of the client when the stapled status of the server's certificate is unknown.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="responder-certificate" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    The alias for OCSP Responder certificate. Keep undefined to use the issuer of certificate being validated.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="responder-keystore" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    The keystore for responder-certificate. Keep undefined to use trust-manager keystore. Requires responder-certificate to be defined.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
     </xs:complexType>
 
     <xs:complexType name="keyStoresType">
@@ -6438,4 +6524,4 @@
         </xs:attribute>
     </xs:complexType>
 
-</xs:schema>
+</xs:schema>