8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
authormullan
Fri, 06 Sep 2013 12:04:18 -0400
changeset 19820 9ee1d7810f50
parent 19606 6c846d61ba2f
child 19821 d715c5032a03
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized" Reviewed-by: vinnie, xuelei
jdk/src/share/classes/java/security/cert/PKIXRevocationChecker.java
jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
jdk/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java
--- a/jdk/src/share/classes/java/security/cert/PKIXRevocationChecker.java	Wed Aug 28 14:07:30 2013 +0100
+++ b/jdk/src/share/classes/java/security/cert/PKIXRevocationChecker.java	Fri Sep 06 12:04:18 2013 -0400
@@ -300,8 +300,7 @@
          *  <li>The CRL or OCSP response cannot be obtained because of a
          *      network error.
          *  <li>The OCSP responder returns one of the following errors
-         *      specified in section 2.3 of RFC 2560: internalError, tryLater,
-         *      or unauthorized.
+         *      specified in section 2.3 of RFC 2560: internalError or tryLater.
          * </ul><br>
          * Note that these conditions apply to both OCSP and CRLs, and unless
          * the {@code NO_FALLBACK} option is set, the revocation check is
--- a/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Wed Aug 28 14:07:30 2013 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Fri Sep 06 12:04:18 2013 -0400
@@ -385,12 +385,12 @@
         switch (responseStatus) {
             case SUCCESSFUL:
                 break;
-            case UNAUTHORIZED:
             case TRY_LATER:
             case INTERNAL_ERROR:
                 throw new CertPathValidatorException(
                     "OCSP response error: " + responseStatus, null, null, -1,
                     BasicReason.UNDETERMINED_REVOCATION_STATUS);
+            case UNAUTHORIZED:
             default:
                 throw new CertPathValidatorException("OCSP response error: " +
                                                      responseStatus);
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java	Fri Sep 06 12:04:18 2013 -0400
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8023362
+ * @summary Make sure Ocsp UNAUTHORIZED response is treated as failure when
+ *          SOFT_FAIL option is set
+ */
+
+import java.io.ByteArrayInputStream;
+import java.security.cert.*;
+import java.security.cert.PKIXRevocationChecker.Option;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.EnumSet;
+
+public class OcspUnauthorized {
+
+    private final static String OCSP_RESPONSE = "MAMKAQY=";
+
+    private final static String EE_CERT =
+        "MIICADCCAWmgAwIBAgIEOvxUmjANBgkqhkiG9w0BAQQFADAqMQswCQYDVQQGEwJ1czE" +
+        "MMAoGA1UEChMDc3VuMQ0wCwYDVQQLEwRsYWJzMB4XDTAxMDUxNDIwNDQyMVoXDTI4MD" +
+        "kyOTIwNDQyMVowOTELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UECxMEb" +
+        "GFiczENMAsGA1UECxMEaXNyZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4MmP" +
+        "GDriFJ+OhDlTuLpHzPy0nawDKyIYUJPZmU9M/pCAUbZewAOyAXGPYVU1og2ZiO9tWBi" +
+        "ZBeJGoFHEkkhfeqSVb2PsRckiXvPZ3AiSVmdX0uD/a963abmhRMYB1gDO2+jBe3F/DU" +
+        "pHwpyThchy8tYUMh7Gr7+m/8FwZbdbSpMCAwEAAaMkMCIwDwYDVR0PAQH/BAUDAwekA" +
+        "DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAME3fmXvES0FVDXSD1iC" +
+        "TJLf86kUy3H+uMG7h5pOQmcfF1o9PVWlNByVf4r2b4GRgftPQ3Ao0SAvq1aSkW7YpkN" +
+        "pcartYqNk2E5brPajOC0v+Pkxf/g/pkRTT6Zp+9erGQF4Ta62q0iwOyc3FovSbh0Ph2" +
+        "WidZRP4qUG5I6JmGkI";
+
+    private final static String TRUST_ANCHOR =
+        "MIICIzCCAYygAwIBAgIEOvxT7DANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJ1czE" +
+        "MMAoGA1UEChMDc3VuMB4XDTAxMDUxNDIxMDQyOVoXDTI4MDkyOTIxMDQyOVowKjELMA" +
+        "kGA1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UECxMEbGFiczCBnzANBgkqhkiG9" +
+        "w0BAQEFAAOBjQAwgYkCgYEA0/16V87rhznCM0y7IqyGcfQBentG+PglA+1hiqCuQY/A" +
+        "jFiDKr5N+LpcfU28P41E4M+DSDrMIEe4JchRcXeJY6aIVhpOveVV9mgtBaEKlsScrIJ" +
+        "zmVqM07PG9JENg2FibECnB5TNUSfVbFKfvtAqaZ7Pc971oZVoIePBWnfKV9kCAwEAAa" +
+        "NlMGMwPwYDVR0eAQH/BDUwM6AxMC+kKjELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA3N1b" +
+        "jENMAsGA1UECxMEbGFic4ABAzAPBgNVHQ8BAf8EBQMDB6QAMA8GA1UdEwEB/wQFMAMB" +
+        "Af8wDQYJKoZIhvcNAQEEBQADgYEAfJ5HWd7K5PmX0+Vbsux4SYhoaejDwwgS43BRNa+" +
+        "AmFq9LIZ+ZcjBMVte8Y3sJF+nz9+1qBaUhNhbaECCqsgmWSwvI+0kUzJXL89k9AdQ8m" +
+        "AYf6CB6+kaZQBgrdSdqSGz3tCVa2MIK8wmb0ROM40oJ7vt3qSwgFi3UTltxkFfwQ0=";
+
+    private static CertificateFactory cf;
+    private static Base64.Decoder base64Decoder = Base64.getDecoder();
+
+    public static void main(String[] args) throws Exception {
+        cf = CertificateFactory.getInstance("X.509");
+        X509Certificate taCert = getX509Cert(TRUST_ANCHOR);
+        X509Certificate eeCert = getX509Cert(EE_CERT);
+        CertPath cp = cf.generateCertPath(Collections.singletonList(eeCert));
+
+        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
+        PKIXRevocationChecker prc =
+            (PKIXRevocationChecker)cpv.getRevocationChecker();
+        prc.setOptions(EnumSet.of(Option.SOFT_FAIL, Option.NO_FALLBACK));
+        byte[] response = base64Decoder.decode(OCSP_RESPONSE);
+
+        prc.setOcspResponses(Collections.singletonMap(eeCert, response));
+
+        TrustAnchor ta = new TrustAnchor(taCert, null);
+        PKIXParameters params = new PKIXParameters(Collections.singleton(ta));
+
+        params.addCertPathChecker(prc);
+
+        try {
+            cpv.validate(cp, params);
+            throw new Exception("FAILED: expected CertPathValidatorException");
+        } catch (CertPathValidatorException cpve) {
+            cpve.printStackTrace();
+        }
+    }
+
+    private static X509Certificate getX509Cert(String enc) throws Exception {
+        byte[] bytes = base64Decoder.decode(enc);
+        ByteArrayInputStream is = new ByteArrayInputStream(bytes);
+        return (X509Certificate)cf.generateCertificate(is);
+    }
+}