# HG changeset patch
# User mullan
# Date 1491510065 14400
# Node ID 9669aa3c7bcbd3609295a6ddcada0301127d14e4
# Parent ed8774740d18812899b701a598490d66c2c15c5e
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
Reviewed-by: xuelei

diff -r ed8774740d18 -r 9669aa3c7bcb jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java Thu Apr 06 04:53:01 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java Thu Apr 06 16:21:05 2017 -0400
@@ -986,9 +986,7 @@
             // any way to convey them back to the application.
             // That's the default, so no need to write code.
             builderParams.setDate(params.date());
-            // CertPathCheckers need to be cloned to start from fresh state
-            builderParams.setCertPathCheckers(
-                params.getPKIXParameters().getCertPathCheckers());
+            builderParams.setCertPathCheckers(params.certPathCheckers());
             builderParams.setSigProvider(params.sigProvider());
 
             // Skip revocation during this build to detect circular
@@ -1116,15 +1114,6 @@
         }
     }
 
-    @Override
-    public RevocationChecker clone() {
-        RevocationChecker copy = (RevocationChecker)super.clone();
-        // we don't deep-copy the exceptions, but that is ok because they
-        // are never modified after they are instantiated
-        copy.softFailExceptions = new LinkedList<>(softFailExceptions);
-        return copy;
-    }
-
     /*
      * This inner class extends the X509CertSelector to add an additional
      * check to make sure the subject public key isn't on a particular list.
diff -r ed8774740d18 -r 9669aa3c7bcb jdk/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java
--- a/jdk/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java Thu Apr 06 04:53:01 2017 +0000
+++ b/jdk/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java Thu Apr 06 16:21:05 2017 -0400
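Review bot: The new `builderParams.setCertPathCheckers(params.certPathCheckers());` line removes the comment that justified the old cloning but adds none saying why the builder now receives the same checker instances, so a later maintainer could restore the cloned-copy form and silently reintroduce the defect this commit fixes. Presumably params.certPathCheckers() returns the live checkers rather than clones (its definition is not visible here), which is what lets the soft-fail exceptions recorded during this nested build reach the application through getSoftFailExceptions(). Suggest a comment above that line such as `// Pass the same checker instances, not clones: soft-fail exceptions recorded during this build must stay visible via getSoftFailExceptions()`. The enclosing method begins and ends outside the hunk.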
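Review bot: With the clone() override deleted, a clone of RevocationChecker shares its softFailExceptions list with the original, and nothing in the hunk records that this sharing is now intentional rather than an oversight. That sharing is presumably what makes exceptions collected by a clone visible on the checker instance the application holds, so it belongs as a comment at the field declaration (outside this hunk), e.g. `// Deliberately shared with clones (no deep copy in clone()) so the application sees every soft-fail exception`. The removed line shows the field is a LinkedList, which is not safe for concurrent mutation; if the project assumes a checker and its clones are used from one thread, the same comment should say so. If init() or another method resets the list, the comment should also state which instance's list the application ends up observing.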
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,11 +24,14 @@
 /**
  * @test
  * @bug 8023362
+ * @run main/othervm OcspUnauthorized
  * @summary Make sure Ocsp UNAUTHORIZED response is treated as failure when
  *          SOFT_FAIL option is set
  */
 
 import java.io.ByteArrayInputStream;
+import java.security.Security;
+import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.*;
 import java.security.cert.PKIXRevocationChecker.Option;
 import java.util.Base64;
@@ -69,6 +72,8 @@
     private static Base64.Decoder base64Decoder = Base64.getDecoder();
 
     public static void main(String[] args) throws Exception {
+        // EE_CERT is signed with MD5withRSA
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
         cf = CertificateFactory.getInstance("X.509");
         X509Certificate taCert = getX509Cert(TRUST_ANCHOR);
         X509Certificate eeCert = getX509Cert(EE_CERT);
@@ -92,6 +97,11 @@
             throw new Exception("FAILED: expected CertPathValidatorException");
         } catch (CertPathValidatorException cpve) {
             cpve.printStackTrace();
+            if (cpve.getReason() != BasicReason.UNSPECIFIED &&
+                !cpve.getMessage().contains("OCSP response error: UNAUTHORIZED")) {
+                throw new Exception("FAILED: unexpected " +
+                    "CertPathValidatorException reason");
+            }
         }
     }
diff -r ed8774740d18 -r 9669aa3c7bcb jdk/test/javax/net/ssl/Stapling/SSLSocketWithStapling.java
--- a/jdk/test/javax/net/ssl/Stapling/SSLSocketWithStapling.java Thu Apr 06 04:53:01 2017 +0000
+++ b/jdk/test/javax/net/ssl/Stapling/SSLSocketWithStapling.java Thu Apr 06 16:21:05 2017 -0400
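Review bot: The added `Security.setProperty("jdk.certpath.disabledAlgorithms", "");` at the top of main clears the certificate-path algorithm policy for the whole JVM, not just for this validation, and its comment says only why it is needed, not what keeps the weakened policy from leaking. The `@run main/othervm OcspUnauthorized` added in the earlier hunk is what confines it to a dedicated test process, so the two lines should reference each other so neither is removed on its own. Suggest extending the comment to `// EE_CERT is signed with MD5withRSA; the cleared policy is confined to this test by @run main/othervm`.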
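Review bot: The condition added after cpve.printStackTrace() fails the test only when the reason is not UNSPECIFIED and the message lacks the OCSP text, so any CertPathValidatorException whose reason is UNSPECIFIED passes regardless of its message, and any message containing the text passes regardless of reason; if the intent is to accept only the UNAUTHORIZED failure, the operator should be `||`. getMessage() can also return null, which would turn a wrong exception into a NullPointerException instead of the intended "FAILED" message. Suggested check: `if (cpve.getReason() != BasicReason.UNSPECIFIED || cpve.getMessage() == null || !cpve.getMessage().contains("OCSP response error: UNAUTHORIZED")) {`.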
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -367,9 +367,15 @@
             throw tr.serverExc;
         }
 
+        // make sure getSoftFailExceptions is not empty
+        if (cliParams.revChecker.getSoftFailExceptions().isEmpty()) {
+            throw new Exception("No soft fail exceptions");
+        }
+
         System.out.println(" PASS");
         System.out.println("=======================================\n");
 
+        // Make OCSP responders accept connections
         intOcsp.acceptConnections();
         rootOcsp.acceptConnections();