changeset 14146:e329505b1e6a

8161973: PKIXRevocationChecker.getSoftFailExceptions() not working Reviewed-by: xuelei, mbalao
author mullan
date Thu, 06 Apr 2017 16:21:05 -0400
parents a39036fa30bb
children cf50798dd5a5
files src/share/classes/sun/security/provider/certpath/RevocationChecker.java test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java
diffstat 2 files changed, 12 insertions(+), 13 deletions(-) [+]
--- a/src/share/classes/sun/security/provider/certpath/RevocationChecker.java	Tue Aug 25 18:12:01 2020 +0300
+++ b/src/share/classes/sun/security/provider/certpath/RevocationChecker.java	Thu Apr 06 16:21:05 2017 -0400
@@ -986,9 +986,7 @@
         // any way to convey them back to the application.
         // That's the default, so no need to write code.
         builderParams.setDate(params.date());
-        // CertPathCheckers need to be cloned to start from fresh state
-        builderParams.setCertPathCheckers(
-            params.getPKIXParameters().getCertPathCheckers());
+        builderParams.setCertPathCheckers(params.certPathCheckers());
         builderParams.setSigProvider(params.sigProvider());
 
         // Skip revocation during this build to detect circular
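Review bot: The new call `builderParams.setCertPathCheckers(params.certPathCheckers());` replaces a line whose comment explained that checkers must start from fresh state, and nothing now records what provides that guarantee. PKIXParameters.setCertPathCheckers copies the list and clones each checker, so a comment such as `// setCertPathCheckers clones each checker, so the nested build gets its own copies` would keep the reasoning visible. With the RevocationChecker.clone() override removed in the next hunk, a clone presumably shares the softFailExceptions list with the original; if that sharing is what makes getSoftFailExceptions() report failures to the caller, say so on the field, and confirm that the shared LinkedList is never modified from more than one thread. The enclosing method begins and ends outside this hunk.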
@@ -1116,15 +1114,6 @@
         }
     }
 
-    @Override
-    public RevocationChecker clone() {
-        RevocationChecker copy = (RevocationChecker)super.clone();
-        // we don't deep-copy the exceptions, but that is ok because they
-        // are never modified after they are instantiated
-        copy.softFailExceptions = new LinkedList<>(softFailExceptions);
-        return copy;
-    }
-
     /*
      * This inner class extends the X509CertSelector to add an additional
      * check to make sure the subject public key isn't on a particular list.
--- a/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java	Tue Aug 25 18:12:01 2020 +0300
+++ b/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java	Thu Apr 06 16:21:05 2017 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,11 +24,14 @@
 /**
  * @test
  * @bug 8023362
+ * @run main/othervm OcspUnauthorized
  * @summary Make sure Ocsp UNAUTHORIZED response is treated as failure when
  *          SOFT_FAIL option is set
  */
 
 import java.io.ByteArrayInputStream;
+import java.security.Security;
+import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.*;
 import java.security.cert.PKIXRevocationChecker.Option;
 import java.util.Base64;
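Review bot: The jtreg header still lists only `@bug 8023362` although this commit changes the test for 8161973; if the test is meant to cover that fix as well, the tag should read `@bug 8023362 8161973`. The added `@run main/othervm` line is what keeps the Security.setProperty call made later in main() from leaking into other tests, which is worth a short comment next to that call, since jtreg header lines carry no free-form explanation.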
@@ -69,6 +72,8 @@
     private static Base64.Decoder base64Decoder = Base64.getDecoder();
 
     public static void main(String[] args) throws Exception {
+        // EE_CERT is signed with MD5withRSA
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
         cf = CertificateFactory.getInstance("X.509");
         X509Certificate taCert = getX509Cert(TRUST_ANCHOR);
         X509Certificate eeCert = getX509Cert(EE_CERT);
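Review bot: Setting `jdk.certpath.disabledAlgorithms` to the empty string switches off every certificate-path algorithm and key-size restriction for this JVM, not just the MD5 restriction that the comment names. The test could then pass or fail for reasons unrelated to the weak signature on EE_CERT. The comment should state the scope, for example `// EE_CERT is signed with MD5withRSA; clear all certpath algorithm constraints (othervm only) so validation reaches the OCSP check`. Longer term, regenerating the test certificate with a currently permitted signature algorithm would remove the need to relax the property at all. main() continues outside this hunk.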
@@ -92,6 +97,11 @@
             throw new Exception("FAILED: expected CertPathValidatorException");
         } catch (CertPathValidatorException cpve) {
             cpve.printStackTrace();
+            if (cpve.getReason() != BasicReason.UNSPECIFIED &&
+                !cpve.getMessage().contains("OCSP response error: UNAUTHORIZED")) {
+                throw new Exception("FAILED: unexpected " +
+                                    "CertPathValidatorException reason");
+            }
         }
     }
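Review bot: The added condition joins its two checks with `&&`, so the test throws only when the reason is not UNSPECIFIED and the message also lacks the expected text. Any CertPathValidatorException with reason UNSPECIFIED is accepted whatever its message, and one with the right message is accepted whatever its reason. To require both properties, the test should be `if (cpve.getReason() != BasicReason.UNSPECIFIED || !cpve.getMessage().contains("OCSP response error: UNAUTHORIZED")) {`. getMessage() may also return null, so a null check or `String.valueOf(cpve.getMessage())` would turn a possible NullPointerException into the intended failure message. The try block this catch belongs to starts outside the hunk.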