OpenJDK / amber / amber

changeset 44479:9669aa3c7bcb

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
8161973: PKIXRevocationChecker.getSoftFailExceptions() not working Reviewed-by: xuelei
author mullan
date Thu, 06 Apr 2017 16:21:05 -0400
parents ed8774740d18
children f2b3b6bb1f4a
files jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java jdk/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java jdk/test/javax/net/ssl/Stapling/SSLSocketWithStapling.java
diffstat 3 files changed, 19 insertions(+), 14 deletions(-) [+]
line wrap: on
line diff
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java	Thu Apr 06 04:53:01 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java	Thu Apr 06 16:21:05 2017 -0400
@@ -986,9 +986,7 @@
         // any way to convey them back to the application.
         // That's the default, so no need to write code.
         builderParams.setDate(params.date());
-        // CertPathCheckers need to be cloned to start from fresh state
-        builderParams.setCertPathCheckers(
-            params.getPKIXParameters().getCertPathCheckers());
+        builderParams.setCertPathCheckers(params.certPathCheckers());
         builderParams.setSigProvider(params.sigProvider());
 
         // Skip revocation during this build to detect circular
@@ -1116,15 +1114,6 @@
         }
     }
 
-    @Override
-    public RevocationChecker clone() {
-        RevocationChecker copy = (RevocationChecker)super.clone();
-        // we don't deep-copy the exceptions, but that is ok because they
-        // are never modified after they are instantiated
-        copy.softFailExceptions = new LinkedList<>(softFailExceptions);
-        return copy;
-    }
-
     /*
      * This inner class extends the X509CertSelector to add an additional
      * check to make sure the subject public key isn't on a particular list.
--- a/jdk/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java	Thu Apr 06 04:53:01 2017 +0000
+++ b/jdk/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java	Thu Apr 06 16:21:05 2017 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,11 +24,14 @@
 /**
  * @test
  * @bug 8023362
+ * @run main/othervm OcspUnauthorized
  * @summary Make sure Ocsp UNAUTHORIZED response is treated as failure when
  *          SOFT_FAIL option is set
  */
 
 import java.io.ByteArrayInputStream;
+import java.security.Security;
+import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.*;
 import java.security.cert.PKIXRevocationChecker.Option;
 import java.util.Base64;
@@ -69,6 +72,8 @@
     private static Base64.Decoder base64Decoder = Base64.getDecoder();
 
     public static void main(String[] args) throws Exception {
+        // EE_CERT is signed with MD5withRSA
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
         cf = CertificateFactory.getInstance("X.509");
         X509Certificate taCert = getX509Cert(TRUST_ANCHOR);
         X509Certificate eeCert = getX509Cert(EE_CERT);
@@ -92,6 +97,11 @@
             throw new Exception("FAILED: expected CertPathValidatorException");
         } catch (CertPathValidatorException cpve) {
             cpve.printStackTrace();
+            if (cpve.getReason() != BasicReason.UNSPECIFIED &&
+                !cpve.getMessage().contains("OCSP response error: UNAUTHORIZED")) {
+                throw new Exception("FAILED: unexpected " +
+                                    "CertPathValidatorException reason");
+            }
         }
     }
 
--- a/jdk/test/javax/net/ssl/Stapling/SSLSocketWithStapling.java	Thu Apr 06 04:53:01 2017 +0000
+++ b/jdk/test/javax/net/ssl/Stapling/SSLSocketWithStapling.java	Thu Apr 06 16:21:05 2017 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -367,9 +367,15 @@
             throw tr.serverExc;
         }
 
+        // make sure getSoftFailExceptions is not empty
+        if (cliParams.revChecker.getSoftFailExceptions().isEmpty()) {
+            throw new Exception("No soft fail exceptions");
+        }
+
         System.out.println("                 PASS");
         System.out.println("=======================================\n");
 
+
         // Make OCSP responders accept connections
         intOcsp.acceptConnections();
         rootOcsp.acceptConnections();
© 2007, Oracle and/or its affiliates
Terms of Use · Privacy · Trademarks