| author | mullan |
| Thu, 06 Apr 2017 16:21:05 -0400 | |
| changeset 44479 | 9669aa3c7bcb |
| parent 19820 | 9ee1d7810f50 |
| permissions | -rw-r--r-- |
|
19820
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
1 |
/* |
|
44479
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
19820
diff
changeset
|
2 |
* Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved. |
|
19820
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
4 |
* |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
7 |
* published by the Free Software Foundation. |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
8 |
* |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
9 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
10 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
11 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
12 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
13 |
* accompanied this code). |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
14 |
* |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
15 |
* You should have received a copy of the GNU General Public License version |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
16 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
17 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
18 |
* |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
19 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
20 |
* or visit www.oracle.com if you need additional information or have any |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
21 |
* questions. |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
22 |
*/ |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
23 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
24 |
/** |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
25 |
* @test |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
26 |
* @bug 8023362 |
|
44479
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
19820
diff
changeset
|
27 |
* @run main/othervm OcspUnauthorized |
|
19820
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
28 |
* @summary Make sure Ocsp UNAUTHORIZED response is treated as failure when |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
29 |
* SOFT_FAIL option is set |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
30 |
*/ |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
31 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
32 |
import java.io.ByteArrayInputStream; |
|
44479
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
19820
diff
changeset
|
33 |
import java.security.Security; |
|
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
19820
diff
changeset
|
34 |
import java.security.cert.CertPathValidatorException.BasicReason; |
|
19820
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
35 |
import java.security.cert.*; |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
36 |
import java.security.cert.PKIXRevocationChecker.Option; |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
37 |
import java.util.Base64; |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
38 |
import java.util.Collections; |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
39 |
import java.util.EnumSet; |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
40 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
41 |
public class OcspUnauthorized {
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
42 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
43 |
private final static String OCSP_RESPONSE = "MAMKAQY="; |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
44 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
45 |
private final static String EE_CERT = |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
46 |
"MIICADCCAWmgAwIBAgIEOvxUmjANBgkqhkiG9w0BAQQFADAqMQswCQYDVQQGEwJ1czE" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
47 |
"MMAoGA1UEChMDc3VuMQ0wCwYDVQQLEwRsYWJzMB4XDTAxMDUxNDIwNDQyMVoXDTI4MD" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
48 |
"kyOTIwNDQyMVowOTELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UECxMEb" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
49 |
"GFiczENMAsGA1UECxMEaXNyZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4MmP" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
50 |
"GDriFJ+OhDlTuLpHzPy0nawDKyIYUJPZmU9M/pCAUbZewAOyAXGPYVU1og2ZiO9tWBi" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
51 |
"ZBeJGoFHEkkhfeqSVb2PsRckiXvPZ3AiSVmdX0uD/a963abmhRMYB1gDO2+jBe3F/DU" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
52 |
"pHwpyThchy8tYUMh7Gr7+m/8FwZbdbSpMCAwEAAaMkMCIwDwYDVR0PAQH/BAUDAwekA" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
53 |
"DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAME3fmXvES0FVDXSD1iC" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
54 |
"TJLf86kUy3H+uMG7h5pOQmcfF1o9PVWlNByVf4r2b4GRgftPQ3Ao0SAvq1aSkW7YpkN" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
55 |
"pcartYqNk2E5brPajOC0v+Pkxf/g/pkRTT6Zp+9erGQF4Ta62q0iwOyc3FovSbh0Ph2" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
56 |
"WidZRP4qUG5I6JmGkI"; |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
57 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
58 |
private final static String TRUST_ANCHOR = |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
59 |
"MIICIzCCAYygAwIBAgIEOvxT7DANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJ1czE" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
60 |
"MMAoGA1UEChMDc3VuMB4XDTAxMDUxNDIxMDQyOVoXDTI4MDkyOTIxMDQyOVowKjELMA" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
61 |
"kGA1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UECxMEbGFiczCBnzANBgkqhkiG9" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
62 |
"w0BAQEFAAOBjQAwgYkCgYEA0/16V87rhznCM0y7IqyGcfQBentG+PglA+1hiqCuQY/A" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
63 |
"jFiDKr5N+LpcfU28P41E4M+DSDrMIEe4JchRcXeJY6aIVhpOveVV9mgtBaEKlsScrIJ" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
64 |
"zmVqM07PG9JENg2FibECnB5TNUSfVbFKfvtAqaZ7Pc971oZVoIePBWnfKV9kCAwEAAa" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
65 |
"NlMGMwPwYDVR0eAQH/BDUwM6AxMC+kKjELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA3N1b" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
66 |
"jENMAsGA1UECxMEbGFic4ABAzAPBgNVHQ8BAf8EBQMDB6QAMA8GA1UdEwEB/wQFMAMB" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
67 |
"Af8wDQYJKoZIhvcNAQEEBQADgYEAfJ5HWd7K5PmX0+Vbsux4SYhoaejDwwgS43BRNa+" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
68 |
"AmFq9LIZ+ZcjBMVte8Y3sJF+nz9+1qBaUhNhbaECCqsgmWSwvI+0kUzJXL89k9AdQ8m" + |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
69 |
"AYf6CB6+kaZQBgrdSdqSGz3tCVa2MIK8wmb0ROM40oJ7vt3qSwgFi3UTltxkFfwQ0="; |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
70 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
71 |
private static CertificateFactory cf; |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
72 |
private static Base64.Decoder base64Decoder = Base64.getDecoder(); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
73 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
74 |
public static void main(String[] args) throws Exception {
|
|
44479
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
19820
diff
changeset
|
75 |
// EE_CERT is signed with MD5withRSA |
|
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
19820
diff
changeset
|
76 |
Security.setProperty("jdk.certpath.disabledAlgorithms", "");
|
|
19820
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
77 |
cf = CertificateFactory.getInstance("X.509");
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
78 |
X509Certificate taCert = getX509Cert(TRUST_ANCHOR); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
79 |
X509Certificate eeCert = getX509Cert(EE_CERT); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
80 |
CertPath cp = cf.generateCertPath(Collections.singletonList(eeCert)); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
81 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
82 |
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
83 |
PKIXRevocationChecker prc = |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
84 |
(PKIXRevocationChecker)cpv.getRevocationChecker(); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
85 |
prc.setOptions(EnumSet.of(Option.SOFT_FAIL, Option.NO_FALLBACK)); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
86 |
byte[] response = base64Decoder.decode(OCSP_RESPONSE); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
87 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
88 |
prc.setOcspResponses(Collections.singletonMap(eeCert, response)); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
89 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
90 |
TrustAnchor ta = new TrustAnchor(taCert, null); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
91 |
PKIXParameters params = new PKIXParameters(Collections.singleton(ta)); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
92 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
93 |
params.addCertPathChecker(prc); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
94 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
95 |
try {
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
96 |
cpv.validate(cp, params); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
97 |
throw new Exception("FAILED: expected CertPathValidatorException");
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
98 |
} catch (CertPathValidatorException cpve) {
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
99 |
cpve.printStackTrace(); |
|
44479
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
19820
diff
changeset
|
100 |
if (cpve.getReason() != BasicReason.UNSPECIFIED && |
|
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
19820
diff
changeset
|
101 |
!cpve.getMessage().contains("OCSP response error: UNAUTHORIZED")) {
|
|
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
19820
diff
changeset
|
102 |
throw new Exception("FAILED: unexpected " +
|
|
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
19820
diff
changeset
|
103 |
"CertPathValidatorException reason"); |
|
9669aa3c7bcb
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
mullan
parents:
19820
diff
changeset
|
104 |
} |
|
19820
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
105 |
} |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
106 |
} |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
107 |
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
108 |
private static X509Certificate getX509Cert(String enc) throws Exception {
|
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
109 |
byte[] bytes = base64Decoder.decode(enc); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
110 |
ByteArrayInputStream is = new ByteArrayInputStream(bytes); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
111 |
return (X509Certificate)cf.generateCertificate(is); |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
112 |
} |
|
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
diff
changeset
|
113 |
} |