8161973: PKIXRevocationChecker.getSoftFailExceptions() not working
Reviewed-by: xuelei
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java Thu Apr 06 04:53:01 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java Thu Apr 06 16:21:05 2017 -0400
@@ -986,9 +986,7 @@
// any way to convey them back to the application.
// That's the default, so no need to write code.
builderParams.setDate(params.date());
- // CertPathCheckers need to be cloned to start from fresh state
- builderParams.setCertPathCheckers(
- params.getPKIXParameters().getCertPathCheckers());
+ builderParams.setCertPathCheckers(params.certPathCheckers());
builderParams.setSigProvider(params.sigProvider());
// Skip revocation during this build to detect circular
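Review bot: The comment that explained the cloning was deleted along with it, so the new call on L12 hands the caller's checker instances to the builder with no word on why sharing them is now intended; the aliasing this fix depends on is invisible to the next reader. Presumably any state a checker records while the builder runs (for this checker the soft-fail list, which the clone() override removed in the next hunk used to copy) now lands in the instances the application holds, which is what makes getSoftFailExceptions() work. I'd keep a one-line comment on the new call: `// Pass the application's checkers as-is (not cloned) so state they record during this build, e.g. soft-fail exceptions, stays visible to the caller`. The enclosing method starts and ends outside this hunk.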
@@ -1116,15 +1114,6 @@
}
}
- @Override
- public RevocationChecker clone() {
- RevocationChecker copy = (RevocationChecker)super.clone();
- // we don't deep-copy the exceptions, but that is ok because they
- // are never modified after they are instantiated
- copy.softFailExceptions = new LinkedList<>(softFailExceptions);
- return copy;
- }
-
/*
* This inner class extends the X509CertSelector to add an additional
* check to make sure the subject public key isn't on a particular list.
--- a/jdk/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java Thu Apr 06 04:53:01 2017 +0000
+++ b/jdk/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java Thu Apr 06 16:21:05 2017 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -24,11 +24,14 @@
/**
* @test
* @bug 8023362
+ * @run main/othervm OcspUnauthorized
* @summary Make sure Ocsp UNAUTHORIZED response is treated as failure when
* SOFT_FAIL option is set
*/
import java.io.ByteArrayInputStream;
+import java.security.Security;
+import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.*;
import java.security.cert.PKIXRevocationChecker.Option;
import java.util.Base64;
@@ -69,6 +72,8 @@
private static Base64.Decoder base64Decoder = Base64.getDecoder();
public static void main(String[] args) throws Exception {
+ // EE_CERT is signed with MD5withRSA
+ Security.setProperty("jdk.certpath.disabledAlgorithms", "");
cf = CertificateFactory.getInstance("X.509");
X509Certificate taCert = getX509Cert(TRUST_ANCHOR);
X509Certificate eeCert = getX509Cert(EE_CERT);
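Review bot: `Security.setProperty("jdk.certpath.disabledAlgorithms", "")` on L57 clears every certpath algorithm restriction, while the comment on L56 only justifies lifting the MD5 one, so the test no longer exercises any of the default constraints; and since the property is JVM-global, the change depends on the `@run main/othervm` added in the earlier hunk. I'd make the comment say both: `// EE_CERT is signed with MD5withRSA, so lift the disabled-algorithm constraints; run in othervm because this changes global state`. A narrower option is to keep the default value and drop only the MD5 entry, if nothing else in the test's certificates needs relaxing — I can't tell that from here. main() continues past the hunk.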
@@ -92,6 +97,11 @@
throw new Exception("FAILED: expected CertPathValidatorException");
} catch (CertPathValidatorException cpve) {
cpve.printStackTrace();
+ if (cpve.getReason() != BasicReason.UNSPECIFIED &&
+ !cpve.getMessage().contains("OCSP response error: UNAUTHORIZED")) {
+ throw new Exception("FAILED: unexpected " +
+ "CertPathValidatorException reason");
+ }
}
}
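Review bot: The guard added on L65-L66 joins the two mismatch conditions with `&&`, so the test only fails when both the reason differs from UNSPECIFIED and the message lacks the OCSP UNAUTHORIZED text; an exception with the expected reason but an unrelated message, or the wrong reason with the expected message, still passes. If the intent is that both must hold, the condition should be `if (cpve.getReason() != BasicReason.UNSPECIFIED || cpve.getMessage() == null || !cpve.getMessage().contains("OCSP response error: UNAUTHORIZED")) {`, which also avoids a NullPointerException when the exception carries no message. If accepting either is deliberate, a comment saying so would stop a later reader from "fixing" it. The try block this catch belongs to starts outside the hunk.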
--- a/jdk/test/javax/net/ssl/Stapling/SSLSocketWithStapling.java Thu Apr 06 04:53:01 2017 +0000
+++ b/jdk/test/javax/net/ssl/Stapling/SSLSocketWithStapling.java Thu Apr 06 16:21:05 2017 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -367,9 +367,15 @@
throw tr.serverExc;
}
+ // make sure getSoftFailExceptions is not empty
+ if (cliParams.revChecker.getSoftFailExceptions().isEmpty()) {
+ throw new Exception("No soft fail exceptions");
+ }
+
System.out.println(" PASS");
System.out.println("=======================================\n");
+
// Make OCSP responders accept connections
intOcsp.acceptConnections();
rootOcsp.acceptConnections();
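Review bot: The comment on L84 restates the code on L85 rather than why a soft-fail is expected at this point; from L92-L94 the OCSP responders are only told to accept connections after this check, so the preceding phase presumably ran with the responders unreachable, and that is what the comment should say. I'd write `// The responders were not yet accepting connections, so the client's checker must have recorded at least one soft-fail exception` and consider asserting the recorded exceptions' reasons as well, since a non-empty list alone would also pass on an unrelated failure. If `cliParams.revChecker` is reused in the phases that follow, the entries recorded here will still be present, so any later check on this list should account for that. The enclosing method starts and ends outside this hunk.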