changeset 6079:46b24eb85b86
7171570: JEP 124 Potential API Changes
Reviewed-by: vinnie, xuelei
author | mullan |
---|---|
date | Mon, 05 Nov 2012 10:30:49 -0500 |
parents | 3f62cfc4e83d |
children | 4770b0a49675 |
files | src/share/classes/java/security/cert/CertPathBuilder.java src/share/classes/java/security/cert/CertPathValidator.java src/share/classes/java/security/cert/PKIXRevocationChecker.java src/share/classes/sun/security/provider/certpath/RevocationChecker.java test/java/security/cert/PKIXRevocationChecker/UnitTest.java |
diffstat | 5 files changed, 46 insertions(+), 29 deletions(-) [+] |
--- a/src/share/classes/java/security/cert/CertPathBuilder.java Thu Oct 18 01:14:00 2012 -0700
+++ b/src/share/classes/java/security/cert/CertPathBuilder.java Mon Nov 05 10:30:49 2012 -0500
@@ -315,12 +315,14 @@
 * Returns a {@code CertPathChecker} that the encapsulated
 * {@code CertPathBuilderSpi} implementation uses to check the revocation
 * status of certificates. A PKIX implementation returns objects of
- * type {@code PKIXRevocationChecker}.
+ * type {@code PKIXRevocationChecker}. Each invocation of this method
+ * returns a new instance of {@code CertPathChecker}.
 *
 * <p>The primary purpose of this method is to allow callers to specify
 * additional input parameters and options specific to revocation checking.
 * See the class description for an example.
 *
+ * @return a {@code CertPathChecker}
 * @throws UnsupportedOperationException if the service provider does not
 * support this method
 * @since 1.8
--- a/src/share/classes/java/security/cert/CertPathValidator.java Thu Oct 18 01:14:00 2012 -0700
+++ b/src/share/classes/java/security/cert/CertPathValidator.java Mon Nov 05 10:30:49 2012 -0500
@@ -327,12 +327,14 @@
 * Returns a {@code CertPathChecker} that the encapsulated
 * {@code CertPathValidatorSpi} implementation uses to check the revocation
 * status of certificates. A PKIX implementation returns objects of
- * type {@code PKIXRevocationChecker}.
+ * type {@code PKIXRevocationChecker}. Each invocation of this method
+ * returns a new instance of {@code CertPathChecker}.
 *
 * <p>The primary purpose of this method is to allow callers to specify
 * additional input parameters and options specific to revocation checking.
 * See the class description for an example.
 *
+ * @return a {@code CertPathChecker}
 * @throws UnsupportedOperationException if the service provider does not
 * support this method
 * @since 1.8
--- a/src/share/classes/java/security/cert/PKIXRevocationChecker.java Thu Oct 18 01:14:00 2012 -0700 +++ b/src/share/classes/java/security/cert/PKIXRevocationChecker.java Mon Nov 05 10:30:49 2012 -0500 @@ -63,8 +63,8 @@ * and then the {@code PKIXParameters} is passed along with the {@code CertPath} * to be validated to the {@link CertPathValidator#validate validate} method * of a PKIX {@code CertPathValidator}. When supplying a revocation checker in - * this manner, do not enable the default revocation checking mechanism (by - * calling {@link PKIXParameters#setRevocationEnabled}. + * this manner, it will be used to check revocation irrespective of the setting + * of the {@link PKIXParameters#isRevocationEnabled RevocationEnabled} flag. * * <p>Note that when a {@code PKIXRevocationChecker} is added to * {@code PKIXParameters}, it clones the {@code PKIXRevocationChecker}; @@ -88,7 +88,7 @@ private URI ocspResponder; private X509Certificate ocspResponderCert; private List<Extension> ocspExtensions = Collections.<Extension>emptyList(); - private Map<X509Certificate, byte[]> ocspStapled = Collections.emptyMap(); + private Map<X509Certificate, byte[]> ocspResponses = Collections.emptyMap(); private Set<Option> options = Collections.emptySet(); protected PKIXRevocationChecker() {} 
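Review bot: The rewritten class-Javadoc sentence in the first hunk says a supplied `PKIXRevocationChecker` is used "irrespective of the setting of the RevocationEnabled flag", but it does not say whether the default revocation mechanism also runs when the flag is true and a checker has been supplied. A caller therefore cannot tell from the documentation whether certificates are checked once, by the configured checker only, or a second time with default settings. I would add one sentence that pins this down, for example `* The default revocation checking mechanism is not run in addition when a {@code PKIXRevocationChecker} is supplied.`, provided that is what the validator does; no file in this changeset shows that logic and the test change does not exercise either flag setting. The class comment starts and ends outside the hunk.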
@@ -169,40 +169,40 @@ } /** - * Sets the stapled OCSP responses. These responses are used to determine + * Sets the OCSP responses. These responses are used to determine * the revocation status of the specified certificates when OCSP is used. * - * @param responses a map of stapled OCSP responses. Each key is an + * @param responses a map of OCSP responses. Each key is an * {@code X509Certificate} that maps to the corresponding * DER-encoded OCSP response for that certificate. A deep copy of * the map is performed to protect against subsequent modification. */ - public void setOCSPStapledResponses(Map<X509Certificate, byte[]> responses) + public void setOCSPResponses(Map<X509Certificate, byte[]> responses) { if (responses == null) { - this.ocspStapled = Collections.<X509Certificate, byte[]>emptyMap(); + this.ocspResponses = Collections.<X509Certificate, byte[]>emptyMap(); } else { Map<X509Certificate, byte[]> copy = new HashMap<>(responses.size()); for (Map.Entry<X509Certificate, byte[]> e : responses.entrySet()) { copy.put(e.getKey(), e.getValue().clone()); } - this.ocspStapled = copy; + this.ocspResponses = copy; } } /** - * Gets the stapled OCSP responses. These responses are used to determine + * Gets the OCSP responses. These responses are used to determine * the revocation status of the specified certificates when OCSP is used. * - * @return a map of stapled OCSP responses. Each key is an + * @return a map of OCSP responses. Each key is an * {@code X509Certificate} that maps to the corresponding * DER-encoded OCSP response for that certificate. A deep copy of * the map is returned to protect against subsequent modification. * Returns an empty map if no responses have been specified. 
*/ - public Map<X509Certificate, byte[]> getOCSPStapledResponses() { - Map<X509Certificate, byte[]> copy = new HashMap<>(ocspStapled.size()); - for (Map.Entry<X509Certificate, byte[]> e : ocspStapled.entrySet()) { + public Map<X509Certificate, byte[]> getOCSPResponses() { + Map<X509Certificate, byte[]> copy = new HashMap<>(ocspResponses.size()); + for (Map.Entry<X509Certificate, byte[]> e : ocspResponses.entrySet()) { copy.put(e.getKey(), e.getValue().clone()); } return copy; @@ -234,10 +234,10 @@ public Object clone() { PKIXRevocationChecker copy = (PKIXRevocationChecker)super.clone(); copy.ocspExtensions = new ArrayList<>(ocspExtensions); - copy.ocspStapled = new HashMap<>(ocspStapled); - // deep-copy the encoded stapled responses, since they are mutable + copy.ocspResponses = new HashMap<>(ocspResponses); + // deep-copy the encoded responses, since they are mutable for (Map.Entry<X509Certificate, byte[]> entry : - copy.ocspStapled.entrySet()) + copy.ocspResponses.entrySet()) { byte[] encoded = entry.getValue(); entry.setValue(encoded.clone());
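Review bot: In `setOCSPResponses` (the hunk at -169,40), `e.getValue().clone()` throws a bare NullPointerException when the caller's map holds a null value, and the Javadoc mentions neither that nor the fact that a null map is accepted and resets the field to an empty map. The rename widens the method from stapled responses to any caller-supplied OCSP response, so the input contract is worth spelling out. I would extend the `@param responses` text to say the argument may be null (treated as no responses) and add `@throws NullPointerException if any value in the map is null`.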
--- a/src/share/classes/sun/security/provider/certpath/RevocationChecker.java Thu Oct 18 01:14:00 2012 -0700 +++ b/src/share/classes/sun/security/provider/certpath/RevocationChecker.java Mon Nov 05 10:30:49 2012 -0500 @@ -67,7 +67,7 @@ private URI responderURI; private X509Certificate responderCert; private List<CertStore> certStores; - private Map<X509Certificate, byte[]> ocspStapled; + private Map<X509Certificate, byte[]> ocspResponses; private List<Extension> ocspExtensions; private boolean legacy; @@ -140,7 +140,7 @@ } else { crlDP = true; } - ocspStapled = getOCSPStapledResponses(); + ocspResponses = getOCSPResponses(); ocspExtensions = getOCSPExtensions(); this.anchor = anchor; @@ -645,11 +645,11 @@ try { certId = new CertId(issuerCert, currCert.getSerialNumberObject()); - // check if there is a stapled OCSP response available - byte[] responseBytes = ocspStapled.get(cert); + // check if there is a cached OCSP response available + byte[] responseBytes = ocspResponses.get(cert); if (responseBytes != null) { if (debug != null) { - debug.println("Found stapled OCSP response"); + debug.println("Found cached OCSP response"); } response = new OCSPResponse(responseBytes);
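Review bot: The new comment and debug message in the third hunk call the pre-supplied response "cached", but `ocspResponses` is filled from `getOCSPResponses()` in the second hunk, so it holds whatever the caller passed to the setter rather than something this checker fetched and stored earlier. Because a hit in this map replaces the query to the responder, the comment should say where the bytes come from and that they are not trusted as-is, e.g. `// use a caller-supplied OCSP response if present; it is verified below like a fetched one`. That wording assumes the verification following `new OCSPResponse(responseBytes)` applies to both paths, which should be confirmed since it lies outside this hunk. The debug text would read better as `"Found pre-supplied OCSP response"`. The enclosing method starts and ends outside the hunk.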
--- a/test/java/security/cert/PKIXRevocationChecker/UnitTest.java Thu Oct 18 01:14:00 2012 -0700 +++ b/test/java/security/cert/PKIXRevocationChecker/UnitTest.java Mon Nov 05 10:30:49 2012 -0500 @@ -23,7 +23,7 @@ /** * @test - * @bug 6854712 + * @bug 6854712 7171570 * @summary Basic unit test for PKIXRevocationChecker */ @@ -33,6 +33,7 @@ import java.io.OutputStream; import java.net.URI; import java.security.cert.CertificateFactory; +import java.security.cert.CertPathBuilder; import java.security.cert.CertPathChecker; import java.security.cert.CertPathValidator; import java.security.cert.Extension; @@ -58,8 +59,7 @@ requireNull(prc.getOCSPResponder(), "getOCSPResponder()"); requireNull(prc.getOCSPResponderCert(), "getOCSPResponderCert()"); requireEmpty(prc.getOCSPExtensions(), "getOCSPExtensions()"); - requireEmpty(prc.getOCSPStapledResponses(), - "getOCSPStapledResponses()"); + requireEmpty(prc.getOCSPResponses(), "getOCSPResponses()"); requireEmpty(prc.getOptions(), "getOptions()"); System.out.println("Testing that get methods return same parameters " + 
@@ -94,11 +94,24 @@ requireNull(prc.getOCSPResponderCert(), "getOCSPResponderCert()"); prc.setOCSPExtensions(null); requireEmpty(prc.getOCSPExtensions(), "getOCSPExtensions()"); - prc.setOCSPStapledResponses(null); - requireEmpty(prc.getOCSPStapledResponses(), - "getOCSPStapledResponses()"); + prc.setOCSPResponses(null); + requireEmpty(prc.getOCSPResponses(), "getOCSPResponses()"); prc.setOptions(null); requireEmpty(prc.getOptions(), "getOptions()"); + + System.out.println("Testing that getRevocationChecker returns new " + + "instance each time"); + CertPathChecker first = cpv.getRevocationChecker(); + CertPathChecker second = cpv.getRevocationChecker(); + if (first == second) { + throw new Exception("FAILED: CertPathCheckers not new instances"); + } + CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); + first = cpb.getRevocationChecker(); + second = cpb.getRevocationChecker(); + if (first == second) { + throw new Exception("FAILED: CertPathCheckers not new instances"); + } } static void requireNull(Object o, String msg) throws Exception {
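Review bot: The new check only compares `first == second`, so it would still pass if the provider returned distinct objects that share state; it does not show that configuring one checker leaves the other untouched. After fetching the pair, set a responder URI on `first` and assert the other is unaffected, e.g. `requireNull(((PKIXRevocationChecker)second).getOCSPResponder(), "getOCSPResponder()");`. Both failures also throw the identical message `"FAILED: CertPathCheckers not new instances"`, so a failing run does not say whether the validator or the builder was at fault; naming `CertPathValidator` and `CertPathBuilder` in the two messages would fix that. `cpv` is declared outside the hunk.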