6383078: OCSP checking does not work on end-entity certificate
authorvinnie
Wed, 14 May 2008 18:59:18 +0100
changeset 625 ba0b63c29671
parent 496 6ce58b34b3df
child 626 baf1cb906914
6383078: OCSP checking does not work on end-entity certificate Reviewed-by: mullan
jdk/src/share/classes/sun/security/provider/certpath/OCSPChecker.java
--- a/jdk/src/share/classes/sun/security/provider/certpath/OCSPChecker.java	Sun May 11 00:26:16 2008 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/OCSPChecker.java	Wed May 14 18:59:18 2008 +0100
@@ -102,7 +102,7 @@
      */
     public void init(boolean forward) throws CertPathValidatorException {
         if (!forward) {
-            remainingCerts = certs.length;
+            remainingCerts = certs.length + 1;
         } else {
             throw new CertPathValidatorException(
                 "Forward checking not supported");
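Review bot: The `+ 1` on the new line is a sentinel whose meaning can only be recovered from the `remainingCerts < certs.length` test in a later hunk, so it deserves a comment where it is set. Something like `// One past the end: the first decrement in check() leaves certs.length, which the issuer lookup treats as "no issuer in certs" (seekIssuerCert stays true).` would let a reader of init() understand the value without chasing the decrement. The rest of init() lies outside this hunk.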
@@ -131,14 +131,22 @@
 
         InputStream in = null;
         OutputStream out = null;
+
+        // Decrement the certificate counter
+        remainingCerts--;
+
         try {
-            // Examine OCSP properties
             X509Certificate responderCert = null;
             boolean seekResponderCert = false;
             X500Principal responderSubjectName = null;
             X500Principal responderIssuerName = null;
             BigInteger responderSerialNumber = null;
 
+            boolean seekIssuerCert = true;
+            X509CertImpl issuerCertImpl = null;
+            X509CertImpl currCertImpl =
+                X509CertImpl.toImpl((X509Certificate)cert);
+
             /*
              * OCSP security property values, in the following order:
              *   1. ocsp.responderURL
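Review bot: The relocated `remainingCerts--` now runs before the try block and before `X509CertImpl.toImpl(cert)`, so the counter stays in step with the chain even when that conversion throws; the comment above it should say so, because the placement otherwise looks accidental, e.g. `// Decrement the certificate counter before any work that can throw, so the position in the chain stays in step with the validator's calls.` The cast `(X509Certificate)cert` on the moved lines is unchecked, so a non-X.509 certificate would surface as a ClassCastException rather than a CertPathValidatorException, though whether the validator can ever pass one here is not visible from this hunk. The enclosing method's signature and its catch clauses are outside the hunk.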
@@ -148,6 +156,9 @@
              */
             String[] properties = getOCSPProperties();
 
+            // Check whether OCSP is feasible before seeking cert information
+            URL url = getOCSPServerURL(currCertImpl, properties);
+
             // When responder's subject name is set then the issuer/serial
             // properties are ignored
             if (properties[1] != null) {
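Review bot: The early `getOCSPServerURL` call on the new line checks only that a URL exists, not that it is one the connection code can use: the last hunk casts `url.openConnection()` to HttpURLConnection, so a URL with any other scheme (wherever getOCSPServerURL obtains it; that method is not visible here) would fail with an unchecked ClassCastException instead of a CertPathValidatorException. Since this line is now the "is OCSP feasible" gate, a scheme check belongs directly after it unless getOCSPServerURL already enforces one: `if (!"http".equalsIgnoreCase(url.getProtocol()) && !"https".equalsIgnoreCase(url.getProtocol())) {` / `    throw new CertPathValidatorException("OCSP responder URL is not HTTP(S): " + url);` / `}`. The cast itself appears as context in the last hunk; the check is only needed once, here.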
@@ -172,14 +183,9 @@
                 seekResponderCert = true;
             }
 
-            boolean seekIssuerCert = true;
-            X509CertImpl issuerCertImpl = null;
-            X509CertImpl currCertImpl =
-                X509CertImpl.toImpl((X509Certificate)cert);
-            remainingCerts--;
-
-            // Set the issuer certificate
-            if (remainingCerts != 0) {
+            // Set the issuer certificate to the next cert in the chain
+            // (unless we're processing the final cert).
+            if (remainingCerts < certs.length) {
                 issuerCertImpl = X509CertImpl.toImpl(certs[remainingCerts]);
                 seekIssuerCert = false; // done
 
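Review bot: The new comment's "(unless we're processing the final cert)" is ambiguous: with `remainingCerts` starting at `certs.length + 1` and decremented once per call, the branch is skipped when `remainingCerts == certs.length`, i.e. on the first certificate this checker sees (the last element of `certs`), whose issuer is not in the array, not on the end-entity certificate the bug title is about. Suggest `// Set the issuer certificate to the next cert in the chain, unless this is the last element of certs (the first cert checked), whose issuer lies outside the chain and must be sought (seekIssuerCert stays true).` The condition also accepts negative values, so one call more than certs.length would reach `certs[remainingCerts]` with a negative index and die with an ArrayIndexOutOfBoundsException rather than a validation error; `if (remainingCerts > 0 && remainingCerts < certs.length) {` keeps that case on the seekIssuerCert path, assuming that path reports a proper failure (not visible here). The body of this if block continues past the end of the hunk.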
@@ -312,7 +318,8 @@
             // Construct an OCSP Request
             OCSPRequest ocspRequest =
                 new OCSPRequest(currCertImpl, issuerCertImpl);
-            URL url = getOCSPServerURL(currCertImpl, properties);
+
+            // Use the URL to the OCSP service that was created earlier
             HttpURLConnection con = (HttpURLConnection)url.openConnection();
             if (DEBUG != null) {
                 DEBUG.println("connecting to OCSP service at: " + url);
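Review bot: The connection opened on `url` just after the new comment carries no connect or read timeout within this hunk, so an unreachable or stalled responder can block certificate path validation indefinitely; unless timeouts are applied further down, a bounded `con.setConnectTimeout(...)` and `con.setReadTimeout(...)` belong right after `openConnection()`. The cast to HttpURLConnection on that line is the one discussed in the note on the getOCSPServerURL hunk, so no separate check is needed here. The request/response handling that follows is outside the hunk.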