BCJSSE: Only update session lastAccessedTime at resumption

peterdettman · peterdettman · commit a2b8f764040c · 2025-08-26T01:13:47.000+07:00
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSession.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSession.java
@@ -2,6 +2,7 @@
 
 import java.util.List;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.atomic.AtomicLong;
 
 import org.bouncycastle.jsse.BCSNIServerName;
 import org.bouncycastle.tls.CipherSuite;
@@ -15,6 +16,7 @@ class ProvSSLSession
     protected final TlsSession tlsSession;
     protected final SessionParameters sessionParameters;
     protected final JsseSessionParameters jsseSessionParameters;
+    protected final AtomicLong lastAccessedTime;
 
     ProvSSLSession(ProvSSLSessionContext sslSessionContext, ConcurrentHashMap<String, Object> valueMap, String peerHost,
         int peerPort, long creationTime, TlsSession tlsSession, JsseSessionParameters jsseSessionParameters)
@@ -24,6 +26,18 @@ class ProvSSLSession
         this.tlsSession = tlsSession;
         this.sessionParameters = tlsSession == null ? null : tlsSession.exportSessionParameters();
         this.jsseSessionParameters = jsseSessionParameters;
+        this.lastAccessedTime = new AtomicLong(creationTime);
+    }
+
+    long access()
+    {
+        long accessTime = getCurrentTime(), previous;
+        do
+        {
+            previous = lastAccessedTime.get();
+        }
+        while (accessTime > previous && !lastAccessedTime.compareAndSet(previous, accessTime));
+        return accessTime;
     }
 
     @Override
@@ -50,6 +64,11 @@ protected JsseSessionParameters getJsseSessionParameters()
         return jsseSessionParameters;
     }
 
+    public long getLastAccessedTime()
+    {
+        return lastAccessedTime.get();
+    }
+
     @Override
     protected org.bouncycastle.tls.Certificate getLocalCertificateTLS()
     {
@@ -110,7 +129,7 @@ public boolean isValid()
     static final ProvSSLSession createDummySession()
     {
         // NB: Allow session value binding on failed connections for SunJSSE compatibility 
-        return new ProvSSLSession(null, createValueMap(), null, -1, createCreationTime(), null,
+        return new ProvSSLSession(null, createValueMap(), null, -1, getCurrentTime(), null,
             new JsseSessionParameters(null, null));
     }
 }
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionBase.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionBase.java
@@ -4,7 +4,6 @@
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.atomic.AtomicLong;
 import java.util.concurrent.atomic.AtomicReference;
 
 import javax.net.ssl.SSLPeerUnverifiedException;
@@ -33,7 +32,6 @@ abstract class ProvSSLSessionBase
     protected final int peerPort;
     protected final long creationTime;
     protected final SSLSession exportSSLSession;
-    protected final AtomicLong lastAccessedTime;
 
     ProvSSLSessionBase(ProvSSLSessionContext sslSessionContext, ConcurrentHashMap<String, Object> valueMap,
         String peerHost, int peerPort, long creationTime)
@@ -46,7 +44,6 @@ abstract class ProvSSLSessionBase
         this.peerPort = peerPort;
         this.creationTime = creationTime;
         this.exportSSLSession = SSLSessionUtil.exportSSLSession(this);
-        this.lastAccessedTime = new AtomicLong(creationTime);
     }
 
     protected abstract int getCipherSuiteTLS();
@@ -70,15 +67,6 @@ SSLSession getExportSSLSession()
         return exportSSLSession;
     }
 
-    void accessedAt(long accessTime)
-    {
-        long current = lastAccessedTime.get();
-        if (accessTime > current)
-        {
-            lastAccessedTime.compareAndSet(current, accessTime);
-        }
-    }
-
     @Override
     public boolean equals(Object obj)
     {
@@ -117,11 +105,6 @@ public byte[] getId()
         return TlsUtils.isNullOrEmpty(id) ? TlsUtils.EMPTY_BYTES : id.clone();
     }
 
-    public long getLastAccessedTime()
-    {
-        return lastAccessedTime.get();
-    }
-
     public Certificate[] getLocalCertificates()
     {
         if (null != crypto)
@@ -358,13 +341,13 @@ private void implInvalidate(boolean removeFromSessionContext)
         invalidateTLS();
     }
 
-    protected static long createCreationTime()
+    protected static ConcurrentHashMap<String, Object> createValueMap()
     {
-        return System.currentTimeMillis();
+        return new ConcurrentHashMap<String, Object>();
     }
 
-    protected static ConcurrentHashMap<String, Object> createValueMap()
+    protected static long getCurrentTime()
     {
-        return new ConcurrentHashMap<String, Object>();
+        return System.currentTimeMillis();
     }
 }
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionContext.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionContext.java
@@ -63,15 +63,15 @@ synchronized ProvSSLSession getSessionImpl(byte[] sessionID)
     {
         processQueue();
 
-        return accessSession(mapGet(sessionsByID, makeSessionID(sessionID)));
+        return getSessionImpl(mapGet(sessionsByID, makeSessionID(sessionID)));
     }
 
     synchronized ProvSSLSession getSessionImpl(String hostName, int port)
     {
         processQueue();
 
         SessionEntry sessionEntry = mapGet(sessionsByPeer, makePeerKey(hostName, port));
-        ProvSSLSession session = accessSession(sessionEntry);
+        ProvSSLSession session = getSessionImpl(sessionEntry);
         if (session != null)
         {
             // NOTE: For the current simple cache implementation, need to 'access' the sessionByIDs entry
@@ -207,17 +207,15 @@ public synchronized void setSessionTimeout(int seconds) throws IllegalArgumentEx
         removeAllExpiredSessions();
     }
 
-    private ProvSSLSession accessSession(SessionEntry sessionEntry)
+    private ProvSSLSession getSessionImpl(SessionEntry sessionEntry)
     {
         if (sessionEntry != null)
         {
             ProvSSLSession session = sessionEntry.get();
             if (session != null)
             {
-                long currentTimeMillis = System.currentTimeMillis();
-                if (!invalidateIfCreatedBefore(sessionEntry, getCreationTimeLimit(currentTimeMillis)))
+                if (!invalidateIfCreatedBefore(sessionEntry, getCreationTimeLimit()))
                 {
-                    session.accessedAt(currentTimeMillis);
                     return session;
                 }
             }
@@ -227,9 +225,9 @@ private ProvSSLSession accessSession(SessionEntry sessionEntry)
         return null;
     }
 
-    private long getCreationTimeLimit(long expiryTimeMillis)
+    private long getCreationTimeLimit()
     {
-        return sessionTimeoutSeconds < 1 ? Long.MIN_VALUE : (expiryTimeMillis - 1000L * sessionTimeoutSeconds);
+        return sessionTimeoutSeconds < 1 ? Long.MIN_VALUE : (System.currentTimeMillis() - 1000L * sessionTimeoutSeconds);
     }
 
     private boolean invalidateIfCreatedBefore(SessionEntry sessionEntry, long creationTimeLimit)
@@ -267,7 +265,7 @@ private void removeAllExpiredSessions()
     {
         processQueue();
 
-        long creationTimeLimit = getCreationTimeLimit(System.currentTimeMillis());
+        long creationTimeLimit = getCreationTimeLimit();
 
         Iterator<SessionEntry> iter = sessionsByID.values().iterator();
         while (iter.hasNext())
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionHandshake.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionHandshake.java
@@ -20,7 +20,7 @@ class ProvSSLSessionHandshake
     ProvSSLSessionHandshake(ProvSSLSessionContext sslSessionContext, String peerHost, int peerPort,
         SecurityParameters securityParameters, JsseSecurityParameters jsseSecurityParameters)
     {
-        this(sslSessionContext, createValueMap(), peerHost, peerPort, createCreationTime(), securityParameters,
+        this(sslSessionContext, createValueMap(), peerHost, peerPort, getCurrentTime(), securityParameters,
             jsseSecurityParameters);
     }
 
@@ -63,6 +63,11 @@ protected JsseSessionParameters getJsseSessionParameters()
         return null;
     }
 
+    public long getLastAccessedTime()
+    {
+        return getCreationTime();
+    }
+
     @Override
     protected org.bouncycastle.tls.Certificate getLocalCertificateTLS()
     {
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionResumed.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionResumed.java
@@ -11,6 +11,7 @@ class ProvSSLSessionResumed
     protected final TlsSession tlsSession;
     protected final SessionParameters sessionParameters;
     protected final JsseSessionParameters jsseSessionParameters;
+    protected final long lastAccessedTime;
 
     ProvSSLSessionResumed(ProvSSLSessionContext sslSessionContext, String peerHost, int peerPort,
         SecurityParameters securityParameters, JsseSecurityParameters jsseSecurityParameters,
@@ -22,6 +23,7 @@ class ProvSSLSessionResumed
         this.tlsSession = resumedSession.getTlsSession();
         this.sessionParameters = tlsSession.exportSessionParameters();
         this.jsseSessionParameters = resumedSession.getJsseSessionParameters();
+        this.lastAccessedTime = resumedSession.access();
     }
 
     @Override
@@ -36,6 +38,11 @@ protected byte[] getIDArray()
         return tlsSession.getSessionID();
     }
 
+    public long getLastAccessedTime()
+    {
+        return lastAccessedTime;
+    }
+
     @Override
     protected JsseSessionParameters getJsseSessionParameters()
     {

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,6 @@`
`4`	`4`	`import java.security.cert.Certificate;`
`5`	`5`	`import java.security.cert.X509Certificate;`
`6`	`6`	`import java.util.concurrent.ConcurrentHashMap;`
`7`		`-import java.util.concurrent.atomic.AtomicLong;`
`8`	`7`	`import java.util.concurrent.atomic.AtomicReference;`
`9`	`8`
`10`	`9`	`import javax.net.ssl.SSLPeerUnverifiedException;`
`@@ -33,7 +32,6 @@ abstract class ProvSSLSessionBase`
`33`	`32`	`protected final int peerPort;`
`34`	`33`	`protected final long creationTime;`
`35`	`34`	`protected final SSLSession exportSSLSession;`
`36`		`- protected final AtomicLong lastAccessedTime;`
`37`	`35`
`38`	`36`	`ProvSSLSessionBase(ProvSSLSessionContext sslSessionContext, ConcurrentHashMap<String, Object> valueMap,`
`39`	`37`	`String peerHost, int peerPort, long creationTime)`
`@@ -46,7 +44,6 @@ abstract class ProvSSLSessionBase`
`46`	`44`	`this.peerPort = peerPort;`
`47`	`45`	`this.creationTime = creationTime;`
`48`	`46`	`this.exportSSLSession = SSLSessionUtil.exportSSLSession(this);`
`49`		`- this.lastAccessedTime = new AtomicLong(creationTime);`
`50`	`47`	`}`
`51`	`48`
`52`	`49`	`protected abstract int getCipherSuiteTLS();`
`@@ -70,15 +67,6 @@ SSLSession getExportSSLSession()`
`70`	`67`	`return exportSSLSession;`
`71`	`68`	`}`
`72`	`69`
`73`		`- void accessedAt(long accessTime)`
`74`		`- {`
`75`		`- long current = lastAccessedTime.get();`
`76`		`- if (accessTime > current)`
`77`		`- {`
`78`		`- lastAccessedTime.compareAndSet(current, accessTime);`
`79`		`- }`
`80`		`- }`
`81`		`-`
`82`	`70`	`@Override`
`83`	`71`	`public boolean equals(Object obj)`
`84`	`72`	`{`
`@@ -117,11 +105,6 @@ public byte[] getId()`
`117`	`105`	`return TlsUtils.isNullOrEmpty(id) ? TlsUtils.EMPTY_BYTES : id.clone();`
`118`	`106`	`}`
`119`	`107`
`120`		`- public long getLastAccessedTime()`
`121`		`- {`
`122`		`- return lastAccessedTime.get();`
`123`		`- }`
`124`		`-`
`125`	`108`	`public Certificate[] getLocalCertificates()`
`126`	`109`	`{`
`127`	`110`	`if (null != crypto)`
`@@ -358,13 +341,13 @@ private void implInvalidate(boolean removeFromSessionContext)`
`358`	`341`	`invalidateTLS();`
`359`	`342`	`}`
`360`	`343`
`361`		`- protected static long createCreationTime()`
	`344`	`+ protected static ConcurrentHashMap<String, Object> createValueMap()`
`362`	`345`	`{`
`363`		`- return System.currentTimeMillis();`
	`346`	`+ return new ConcurrentHashMap<String, Object>();`
`364`	`347`	`}`
`365`	`348`
`366`		`- protected static ConcurrentHashMap<String, Object> createValueMap()`
	`349`	`+ protected static long getCurrentTime()`
`367`	`350`	`{`
`368`		`- return new ConcurrentHashMap<String, Object>();`
	`351`	`+ return System.currentTimeMillis();`
`369`	`352`	`}`
`370`	`353`	`}`
Original file line number	Diff line number	Diff line change
`@@ -63,15 +63,15 @@ synchronized ProvSSLSession getSessionImpl(byte[] sessionID)`
`63`	`63`	`{`
`64`	`64`	`processQueue();`
`65`	`65`
`66`		`- return accessSession(mapGet(sessionsByID, makeSessionID(sessionID)));`
	`66`	`+ return getSessionImpl(mapGet(sessionsByID, makeSessionID(sessionID)));`
`67`	`67`	`}`
`68`	`68`
`69`	`69`	`synchronized ProvSSLSession getSessionImpl(String hostName, int port)`
`70`	`70`	`{`
`71`	`71`	`processQueue();`
`72`	`72`
`73`	`73`	`SessionEntry sessionEntry = mapGet(sessionsByPeer, makePeerKey(hostName, port));`
`74`		`- ProvSSLSession session = accessSession(sessionEntry);`
	`74`	`+ ProvSSLSession session = getSessionImpl(sessionEntry);`
`75`	`75`	`if (session != null)`
`76`	`76`	`{`
`77`	`77`	`// NOTE: For the current simple cache implementation, need to 'access' the sessionByIDs entry`
`@@ -207,17 +207,15 @@ public synchronized void setSessionTimeout(int seconds) throws IllegalArgumentEx`
`207`	`207`	`removeAllExpiredSessions();`
`208`	`208`	`}`
`209`	`209`
`210`		`- private ProvSSLSession accessSession(SessionEntry sessionEntry)`
	`210`	`+ private ProvSSLSession getSessionImpl(SessionEntry sessionEntry)`
`211`	`211`	`{`
`212`	`212`	`if (sessionEntry != null)`
`213`	`213`	`{`
`214`	`214`	`ProvSSLSession session = sessionEntry.get();`
`215`	`215`	`if (session != null)`
`216`	`216`	`{`
`217`		`- long currentTimeMillis = System.currentTimeMillis();`
`218`		`- if (!invalidateIfCreatedBefore(sessionEntry, getCreationTimeLimit(currentTimeMillis)))`
	`217`	`+ if (!invalidateIfCreatedBefore(sessionEntry, getCreationTimeLimit()))`
`219`	`218`	`{`
`220`		`- session.accessedAt(currentTimeMillis);`
`221`	`219`	`return session;`
`222`	`220`	`}`
`223`	`221`	`}`
`@@ -227,9 +225,9 @@ private ProvSSLSession accessSession(SessionEntry sessionEntry)`
`227`	`225`	`return null;`
`228`	`226`	`}`
`229`	`227`
`230`		`- private long getCreationTimeLimit(long expiryTimeMillis)`
	`228`	`+ private long getCreationTimeLimit()`
`231`	`229`	`{`
`232`		`- return sessionTimeoutSeconds < 1 ? Long.MIN_VALUE : (expiryTimeMillis - 1000L * sessionTimeoutSeconds);`
	`230`	`+ return sessionTimeoutSeconds < 1 ? Long.MIN_VALUE : (System.currentTimeMillis() - 1000L * sessionTimeoutSeconds);`
`233`	`231`	`}`
`234`	`232`
`235`	`233`	`private boolean invalidateIfCreatedBefore(SessionEntry sessionEntry, long creationTimeLimit)`
`@@ -267,7 +265,7 @@ private void removeAllExpiredSessions()`
`267`	`265`	`{`
`268`	`266`	`processQueue();`
`269`	`267`
`270`		`- long creationTimeLimit = getCreationTimeLimit(System.currentTimeMillis());`
	`268`	`+ long creationTimeLimit = getCreationTimeLimit();`
`271`	`269`
`272`	`270`	`Iterator<SessionEntry> iter = sessionsByID.values().iterator();`
`273`	`271`	`while (iter.hasNext())`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ class ProvSSLSessionHandshake`
`20`	`20`	`ProvSSLSessionHandshake(ProvSSLSessionContext sslSessionContext, String peerHost, int peerPort,`
`21`	`21`	`SecurityParameters securityParameters, JsseSecurityParameters jsseSecurityParameters)`
`22`	`22`	`{`
`23`		`- this(sslSessionContext, createValueMap(), peerHost, peerPort, createCreationTime(), securityParameters,`
	`23`	`+ this(sslSessionContext, createValueMap(), peerHost, peerPort, getCurrentTime(), securityParameters,`
`24`	`24`	`jsseSecurityParameters);`
`25`	`25`	`}`
`26`	`26`
`@@ -63,6 +63,11 @@ protected JsseSessionParameters getJsseSessionParameters()`
`63`	`63`	`return null;`
`64`	`64`	`}`
`65`	`65`
	`66`	`+ public long getLastAccessedTime()`
	`67`	`+ {`
	`68`	`+ return getCreationTime();`
	`69`	`+ }`
	`70`	`+`
`66`	`71`	`@Override`
`67`	`72`	`protected org.bouncycastle.tls.Certificate getLocalCertificateTLS()`
`68`	`73`	`{`