OCSP support

JAVA-3598

Update Evergreen config to run the new OCSP responder

JAVA-3689

Author: jstewart148

.evergreen/.evg.yml

@@ -442,6 +442,56 @@ functions:
           mongo --nodb setup.js aws_e2e_ecs.js
           cd -
 
+  "run-ocsp-test":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          CA_FILE="$DRIVERS_TOOLS/.evergreen/ocsp/rsa/ca.pem" \
+          OCSP_TLS_SHOULD_SUCCEED="${OCSP_TLS_SHOULD_SUCCEED}" \
+          OCSP_MUST_STAPLE="${OCSP_MUST_STAPLE}" \
+          sh ${PROJECT_DIRECTORY}/.evergreen/run-ocsp-test.sh
+
+  "run-valid-ocsp-server":
+    - command: shell.exec
+      params:
+        script: |
+          cd ${DRIVERS_TOOLS}/.evergreen/ocsp
+          /opt/mongodbtoolchain/v3/bin/python3 -m venv ./venv
+          ./venv/bin/pip3 install -r ${DRIVERS_TOOLS}/.evergreen/ocsp/mock-ocsp-responder-requirements.txt
+    - command: shell.exec
+      params:
+        background: true
+        script: |
+          cd ${DRIVERS_TOOLS}/.evergreen/ocsp
+          nohup ./venv/bin/python3 ocsp_mock.py \
+          --ca_file rsa/ca.pem \
+          --ocsp_responder_cert rsa/ca.crt \
+          --ocsp_responder_key rsa/ca.key \
+          -p 8100 -v
+
+  "run-revoked-ocsp-server":
+    - command: shell.exec
+      params:
+        script: |
+          cd ${DRIVERS_TOOLS}/.evergreen/ocsp
+          /opt/mongodbtoolchain/v3/bin/python3 -m venv ./venv
+          ./venv/bin/pip3 install -r ${DRIVERS_TOOLS}/.evergreen/ocsp/mock-ocsp-responder-requirements.txt
+    - command: shell.exec
+      params:
+        background: true
+        script: |
+          cd ${DRIVERS_TOOLS}/.evergreen/ocsp
+          nohup ./venv/bin/python3 ocsp_mock.py \
+          --ca_file rsa/ca.pem \
+          --ocsp_responder_cert rsa/ca.crt \
+          --ocsp_responder_key rsa/ca.key \
+          -p 8100 \
+          -v \
+          --fault revoked
+
   "run gssapi auth test":
     - command: shell.exec
       type: test
@@ -613,6 +663,102 @@ tasks:
         - func: "run aws auth test with aws EC2 credentials"
         - func: "run aws ECS auth test"
 
+    - name: "test-ocsp-valid-cert-server-staples"
+      tags: ["ocsp"]
+      commands:
+        - func: "run-valid-ocsp-server"
+        - func: "bootstrap mongo-orchestration"
+          vars:
+            ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-mustStaple-singleEndpoint.json"
+            VERSION: "latest"
+            TOPOLOGY: "server"
+        - func: "run-ocsp-test"
+          vars:
+            OCSP_MUST_STAPLE: "true"
+            OCSP_TLS_SHOULD_SUCCEED: "1"
+
+    - name: "test-ocsp-invalid-cert-server-staples"
+      tags: ["ocsp"]
+      commands:
+        - func: "run-revoked-ocsp-server"
+        - func: "bootstrap mongo-orchestration"
+          vars:
+            ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-mustStaple-singleEndpoint.json"
+            VERSION: "latest"
+            TOPOLOGY: "server"
+        - func: "run-ocsp-test"
+          vars:
+            OCSP_MUST_STAPLE: "true"
+            OCSP_TLS_SHOULD_SUCCEED: "0"
+
+    - name: "test-ocsp-valid-cert-server-does-not-staple"
+      tags: ["ocsp"]
+      commands:
+        - func: "run-valid-ocsp-server"
+        - func: "bootstrap mongo-orchestration"
+          vars:
+            ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-disableStapling-singleEndpoint.json"
+            VERSION: "latest"
+            TOPOLOGY: "server"
+        - func: "run-ocsp-test"
+          vars:
+            OCSP_MUST_STAPLE: "false"
+            OCSP_TLS_SHOULD_SUCCEED: "1"
+
+    - name: "test-ocsp-invalid-cert-server-does-not-staple"
+      tags: ["ocsp"]
+      commands:
+        - func: "run-revoked-ocsp-server"
+        - func: "bootstrap mongo-orchestration"
+          vars:
+            ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-disableStapling-singleEndpoint.json"
+            VERSION: "latest"
+            TOPOLOGY: "server"
+        - func: "run-ocsp-test"
+          vars:
+            OCSP_MUST_STAPLE: "false"
+            OCSP_TLS_SHOULD_SUCCEED: "0"
+
+    - name: "test-ocsp-soft-fail"
+      tags: ["ocsp"]
+      commands:
+        - func: "bootstrap mongo-orchestration"
+          vars:
+            ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-disableStapling-singleEndpoint.json"
+            VERSION: "latest"
+            TOPOLOGY: "server"
+        - func: "run-ocsp-test"
+          vars:
+            OCSP_MUST_STAPLE: "false"
+            OCSP_TLS_SHOULD_SUCCEED: "0"
+
+    - name: "test-ocsp-malicious-invalid-cert-mustStaple-server-does-not-staple"
+      tags: ["ocsp"]
+      commands:
+        - func: "run-revoked-ocsp-server"
+        - func: "bootstrap mongo-orchestration"
+          vars:
+            ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-mustStaple-disableStapling-singleEndpoint.json"
+            VERSION: "latest"
+            TOPOLOGY: "server"
+        - func: "run-ocsp-test"
+          vars:
+            OCSP_MUST_STAPLE: "false"
+            OCSP_TLS_SHOULD_SUCCEED: "0"
+
+    - name: "test-ocsp-malicious-no-responder-mustStaple-server-does-not-staple"
+      tags: ["ocsp"]
+      commands:
+        - func: "bootstrap mongo-orchestration"
+          vars:
+            ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-mustStaple-disableStapling-singleEndpoint.json"
+            VERSION: "latest"
+            TOPOLOGY: "server"
+        - func: "run-ocsp-test"
+          vars:
+            OCSP_MUST_STAPLE: "false"
+            OCSP_TLS_SHOULD_SUCCEED: "0"
+
     - name: "gssapi-auth-test"
       commands:
         - func: "run gssapi auth test"
@@ -929,6 +1075,12 @@ buildvariants:
   tasks:
     - name: "aws-auth-test"
 
+- matrix_name: "ocsp-test"
+  matrix_spec: { auth: "noauth", ssl: "ssl", jdk: "jdk11", version: ["4.4", "latest"], os: "ubuntu" }
+  display_name: "OCSP test ${version} ${os}"
+  tasks:
+    - name: ".ocsp"
+
 - name: atlas-test
   display_name: "Atlas test"
   run_on: rhel70-small

.evergreen/run-ocsp-test.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+set -o xtrace
+set -o errexit  # Exit the script with error if any of the commands fail
+
+# Supported/used environment variables:
+#       JDK                     Set the version of java to be used.  Java versions can be set from the java toolchain /opt/java
+#                               "jdk5", "jdk6", "jdk7", "jdk8", "jdk9", "jdk11"
+
+JDK=${JDK:-jdk11}
+OCSP_MUST_STAPLE=${OCSP_MUST_STAPLE:-}
+OCSP_TLS_SHOULD_SUCCEED=${OCSP_TLS_SHOULD_SUCCEED:-}
+
+############################################
+#            Functions                     #
+############################################
+
+provision_ssl () {
+  echo "SSL !"
+
+  cp ${JAVA_HOME}/lib/security/cacerts mongo-truststore
+  ${JAVA_HOME}/bin/keytool -import -trustcacerts -file ${CA_FILE} -keystore mongo-truststore -alias ca_ocsp -storepass changeit -noprompt
+
+  # We add extra gradle arguments for SSL
+  export GRADLE_EXTRA_VARS="-Pssl.enabled=true -Pocsp.property=`pwd`/java-security-ocsp-property -Pssl.trustStoreType=jks -Pssl.trustStore=`pwd`/mongo-truststore -Pssl.trustStorePassword=changeit -Pssl.checkRevocation=true -Pclient.enableStatusRequestExtension=${OCSP_MUST_STAPLE} -Pclient.protocols=TLSv1.2 -Pocsp.tls.should.succeed=${OCSP_TLS_SHOULD_SUCCEED}"
+}
+
+############################################
+#            Main Program                  #
+############################################
+
+echo "Running OCSP tests"
+
+export JAVA_HOME="/opt/java/${JDK}"
+
+# show test output
+set -x
+
+provision_ssl
+
+echo "Running OCSP tests with ${JDK}"
+./gradlew -version
+./gradlew -PjdkHome=${JAVA_HOME} ${GRADLE_EXTRA_VARS} --stacktrace --debug --info driver-sync:test --tests OcspTest
+

build.gradle

@@ -201,7 +201,7 @@ configure(javaCodeCheckedProjects) {
                 systemProperties(
                         'javax.net.ssl.keyStoreType': project.property('ssl.keyStoreType'),
                         'javax.net.ssl.keyStore': project.property('ssl.keyStore'),
-                        'javax.net.ssl.keyStorePassword': project.property('ssl.keyStorePassword'),
+                        'javax.net.ssl.keyStorePassword': project.property('ssl.keyStorePassword')
                 )
             }
             if (project.hasProperty('ssl.trustStoreType')) {
@@ -211,6 +211,15 @@ configure(javaCodeCheckedProjects) {
                         'javax.net.ssl.trustStorePassword': project.property('ssl.trustStorePassword')
                 )
             }
+            if (project.hasProperty('ocsp.property')) {
+                systemProperties(
+                    'org.mongodb.test.ocsp.tls.should.succeed': project.property('ocsp.tls.should.succeed'),
+                    'java.security.properties': file(project.property('ocsp.property')),
+                    'com.sun.net.ssl.checkRevocation': project.property('ssl.checkRevocation'),
+                    'jdk.tls.client.enableStatusRequestExtension': project.property('client.enableStatusRequestExtension'),
+                    'jdk.tls.client.protocols': project.property('client.protocols')
+                )
+            }
         }
 
         if (project.buildingWith('gssapi.enabled')) {

docs/reference/content/driver/tutorials/ssl.md

@@ -201,3 +201,49 @@ ERefGuide.html).
 Some applications may want to force only the TLS 1.2 protocol. To do this, set the `jdk.tls.client.protocols` system property to "TLSv1.2".
 
 Java runtime environments prior to Java 8 started to enable the TLS 1.2 protocol only in later updates, as shown in the previous section. For the driver to force the use of the TLS 1.2 protocol with a Java runtime environment prior to Java 8, ensure that the update has TLS 1.2 enabled.
+
+
+## OCSP
+
+{{% note %}}
+The Java driver cannot enable OCSP by default on a per MongoClient basis.
+{{% /note %}}
+
+### Client-driven OCSP
+
+An application will need to set JVM system and security properties to ensure that client-driven OCSP is enabled:
+
+-  `com.sun.net.ssl.checkRevocation`:
+      When set to `true`, this system property enables revocation checking.
+
+-  `ocsp.enable`:
+      When set to `true`, this security property enables client-driven OCSP.
+      
+To configure an application to use client-driven OCSP, the application must already be set up to connect to a server using TLS. Setting these system properties is required to enable client-driven OCSP.
+
+{{% note %}}
+The support for TLS provided by the JDK utilizes “hard fail” behavior in the case of an unavailable OCSP responder in contrast to the mongo shell and drivers that utilize “soft fail” behavior.
+{{% /note %}}
+
+### OCSP Stapling
+
+{{% note class=important %}}
+The following exception may occur when using OCSP stapling with Java runtime environments that use the TLS 1.3 protocol (Java 11 and higher use TLS 1.3 by default):
+
+`javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request`
+
+The exception is due to a known issue with TLS 1.3 in Java 11 and higher. To avoid this exception when using a Java runtime environments using the TLS 1.3 protocol, you can force the application to use the TLS 1.2 protocol. To do this, set the `jdk.tls.client.protocols` system property to "TLSv1.2".
+{{% /note %}}
+
+An application will need to set several JVM system properties to set up OCSP stapling:
+
+-  `jdk.tls.client.enableStatusRequestExtension`:
+      When set to `true` (its default value), this enables OCSP stapling.
+
+-  `com.sun.net.ssl.checkRevocation`:
+      When set to `true`, this enables revocation checking. If this property is not set to `true`, then the connection will be allowed to proceed regardless of the presence or status of the revocation information.
+
+To configure an application to use OCSP stapling, the application must already be set up to connect to a server using TLS, and the server must be set up to staple an OCSP response to the certificate it returns as part of the the TLS handshake.
+
+For more information on configuring a Java application to use OCSP, please
+refer to the "Client-driven OCSP and OCSP Stapling" section in the [`JSSE Reference Guide`](https://docs.oracle.com/javase/9/security/java-secure-socket-extension-jsse-reference-guide.htm).

driver-core/src/test/functional/com/mongodb/ClusterFixture.java

@@ -93,6 +93,7 @@ public final class ClusterFixture {
     public static final String DEFAULT_URI = "mongodb://localhost:27017";
     public static final String MONGODB_URI_SYSTEM_PROPERTY_NAME = "org.mongodb.test.uri";
     public static final String MONGODB_TRANSACTION_URI_SYSTEM_PROPERTY_NAME = "org.mongodb.test.transaction.uri";
+    private static final String MONGODB_OCSP_SHOULD_SUCCEED = "org.mongodb.test.ocsp.tls.should.succeed";
     private static final String DEFAULT_DATABASE_NAME = "JavaDriverTest";
     private static final int COMMAND_NOT_FOUND_ERROR_CODE = 59;
     public static final long TIMEOUT = 60L;
@@ -194,6 +195,10 @@ public void run() {
         }
     }
 
+    public static boolean getOcspShouldSucceed() {
+        return Integer.parseInt(System.getProperty(MONGODB_OCSP_SHOULD_SUCCEED)) == 1;
+    }
+
     public static synchronized ConnectionString getMultiMongosConnectionString() {
         return getConnectionStringFromSystemProperty(MONGODB_TRANSACTION_URI_SYSTEM_PROPERTY_NAME);
     }

driver-sync/src/test/functional/com/mongodb/client/OcspTest.java

@@ -0,0 +1,25 @@
+package com.mongodb.client;
+
+import com.mongodb.MongoException;
+import com.mongodb.MongoTimeoutException;
+import org.bson.BsonDocument;
+import org.bson.BsonInt32;
+import org.junit.Test;
+
+import static com.mongodb.ClusterFixture.getOcspShouldSucceed;
+
+import static org.junit.Assert.fail;
+
+public class OcspTest {
+    @Test
+    public void testTLS() {
+        String uri = "mongodb://localhost/?serverSelectionTimeoutMS=2000&tls=true";
+        try (MongoClient client = MongoClients.create(uri)) {
+            client.getDatabase("admin").runCommand(new BsonDocument("ping", new BsonInt32(1)));
+        } catch (MongoTimeoutException e) {
+            if (getOcspShouldSucceed()) {
+                fail("Unexpected exception when using OCSP with tls=true: " + e);
+            }
+        }
+    }
+}

java-security-ocsp-property

@@ -0,0 +1 @@
+ocsp.enable=true