server-side OCSP stapling support for TLSv1.2 and TLSv1.3

ant/jdk13.xml

@@ -111,8 +111,8 @@
                 <exclude name="**/PKIXCertPathBuilderSpi_8.java"/>
                 <exclude name="**/WrappedRevocationChecker.java"/>
                 <exclude name="**/ProvRevocationChecker.java"/>
-                <exclude name="**/provider/OcspCache.java"/>
                 <exclude name="**/provider/ProvOcspRevocationChecker.java"/>
+                <exclude name="**/provider/OcspResponseManager.java"/>
                 <exclude name="**/jcajce/BCFKSLoadStoreParameter.java" />
                 <exclude name="**/jcajce/BCLoadStoreParameter.java" />
 		<exclude name="**/keystore/util/ParameterUtil.java" />
@@ -246,6 +246,7 @@
                 <exclude name="**/jce/provider/test/AEADTest.java" />
                 <exclude name="**/jce/provider/test/ECEncodingTest.java" />
                 <exclude name="**/jce/provider/test/CertLocaleTest.java" />
+                <exclude name="**/jce/provider/test/OcspResponseManagerTest.java" />
             </fileset>
             <fileset dir="pkix/src/test/java">
                 <exclude name="**/pkix/test/RevocationTest.java"/>

ant/jdk14.xml

@@ -70,7 +70,7 @@
                 <exclude name="**/BCEC*.java"/>
                 <exclude name="**/JCEEC5*.java"/>
                 <exclude name="**/provider/JCEEC*.java"/>
-                <exclude name="**/provider/OcspCache.java"/>
+                <exclude name="**/provider/OcspResponseManager.java"/>
                 <exclude name="**/provider/ProvOcspRevocationChecker.java"/>
                 <exclude name="**/EC5*.java"/>
                 <exclude name="**/PKCS12StoreParameter.java"/>
@@ -175,6 +175,7 @@
                 <exclude name="**/jce/provider/test/JceTestUtil.java"/>
                 <exclude name="**/SIKE*.java"/>
 		<exclude name="**/CertLocaleTest.java"/>
+		        <exclude name="**/jce/provider/test/OcspResponseManagerTest.java"/>
             </fileset>
 
             <fileset dir="tls/src/main/java" includes="**/*.java">

build1-1

@@ -102,8 +102,9 @@ find $jdk11src -name "*.java" -exec scripts/useseccert.sh \{\} \;
     rm -f org/bouncycastle/jce/provider/PKIXCertPathBuilderSpi_8.java
     rm -f org/bouncycastle/jce/provider/WrappedRevocationChecker.java
     rm -f org/bouncycastle/jce/provider/ProvRevocationChecker.java
-    rm -f org/bouncycastle/jce/provider/OcspCache.java
     rm -f org/bouncycastle/jce/provider/ProvOcspRevocationChecker.java
+    rm -f org/bouncycastle/jce/provider/OcspResponseManager.java
+    rm -f org/bouncycastle/jce/provider/test/OcspResponseManagerTest.java
     rm -rf org/bouncycastle/i18n/filter/test
     rm -rf org/bouncycastle/math/ec/test
     rm -rf org/bouncycastle/jce/provider/test/ECEncodingTest.java

build1-2

@@ -182,8 +182,9 @@ find $jdk12src -name "*.java" -exec scripts/usejcecert.sh \{\} \;
     rm -f org/bouncycastle/jce/provider/PKIXCertPathBuilderSpi_8.java
     rm -f org/bouncycastle/jce/provider/WrappedRevocationChecker.java
     rm -f org/bouncycastle/jce/provider/ProvRevocationChecker.java
-    rm -f org/bouncycastle/jce/provider/OcspCache.java
     rm -f org/bouncycastle/jce/provider/ProvOcspRevocationChecker.java
+    rm -f org/bouncycastle/jce/provider/OcspResponseManager.java
+    rm -f org/bouncycastle/jce/provider/test/OcspResponseManagerTest.java
     rm -rf org/bouncycastle/x509/PKIXAttrCert*.java
     rm -rf org/bouncycastle/jce/provider/RFC3281*.java
     rm -rf org/bouncycastle/jcajce/PKCS12StoreParameter.java

docs/releasenotes.html

@@ -24,10 +24,13 @@ <h2>2.0 Release History</h2>
 <h3>2.1.2 Defects Fixed</h3>
 <ul>
 <li>Leading zeroes were sometimes dropped from Ed25519 signatures leading to verification errors in the PGP API. This has been fixed.</li>
+<li>Issue when getting BC ProvRevocationChecker (engineGetRevocationChecker), then adding it to the PKIXBuilderParams from the client, causing the ProvOcspRevocationChecker to have an old "parent" reference without ocspResponses added.</li>
 </ul>
 <h3>2.1.3 Additional Features and Functionality</h3>
 <ul>
 <li>BCJSSE: Added support for security property "jdk.tls.server.defaultDHEParameters" (disabled in FIPS mode).</li>
+<li>BCJSSE: Support has been added for server-side OCSP stapling (status_request and status_request_v2) for TLSv1.2 and TLSv1.3 during TLS handshake.</li>
+<li>New property has been added (org.bouncycastle.prov.revocation.checker.no-fallback) to complement RevocationChecker's NO_FALLBACK option.</li>
 </ul>
 
 <a id="r1rv78d1"><h3>2.2.1 Version</h3></a>
@@ -100,6 +103,9 @@ <h3>2.3.5 Security Advisories.</h3>
 <li>CVE-2024-30171 - Possible timing based leakage in RSA based handshakes due to exception processing eliminated.</li>
 <li>CVE-2024-30172 - Crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.</li>
 <li>CVE-2024-34447 - When endpoint identification is enabled in the BCJSSE and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address. This has been fixed.</li>
+<li>BCJSSE: For OCSP server stapling to be enabled, the property jdk.tls.server.enableStatusRequestExtension must be
+set to true. Other properties that control stapling are also available: jdk.tls.server.[cacheSize | cacheLifetime
+| responseTimeout | responderURI | responderOverride | ignoreExtensions]</li>
 </ul>
 
 <a id="r1rv77"><h3>2.4.1 Version</h3></a>