changeset 18587:d70aed7424f6

8019259: Failover to CRL checking does not happen if wrong OCSP responder URL is set Reviewed-by: xuelei
author vinnie
date Mon, 01 Jul 2013 14:39:47 +0100
parents 36bbc241ad6e
children 8aa1d5a9d447
files jdk/src/share/classes/sun/security/provider/certpath/RevocationChecker.java jdk/test/java/security/cert/CertPathValidator/OCSP/FailoverToCRL.java
diffstat 2 files changed, 29 insertions(+), 5 deletions(-) [+]
line wrap: on
line diff
--- a/jdk/src/share/classes/sun/security/provider/certpath/RevocationChecker.java	Mon Jul 01 11:13:56 2013 +0200
+++ b/jdk/src/share/classes/sun/security/provider/certpath/RevocationChecker.java	Mon Jul 01 14:39:47 2013 +0100
@@ -675,8 +675,12 @@
                                       responderURI, respCert, params.date(),
                                       ocspExtensions);
             }
-        } catch (IOException e) {
-            throw new CertPathValidatorException(e);
+        } catch (Exception e) {
+            if (e instanceof CertPathValidatorException) {
+                throw (CertPathValidatorException) e;
+            } else {
+                throw new CertPathValidatorException(e);
+            }
         }
 
         RevocationStatus rs =
--- a/jdk/test/java/security/cert/CertPathValidator/OCSP/FailoverToCRL.java	Mon Jul 01 11:13:56 2013 +0200
+++ b/jdk/test/java/security/cert/CertPathValidator/OCSP/FailoverToCRL.java	Mon Jul 01 14:39:47 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /**
  * @test
- * @bug 6383095
+ * @bug 6383095 8019259
  * @summary CRL revoked certificate failures masked by OCSP failures
  *
  * Note that the certificate validity is from Mar 16 14:55:35 2009 GMT to
@@ -254,12 +254,32 @@
         CertPathValidator validator = CertPathValidator.getInstance("PKIX");
 
         try {
+            System.out.println("Validating cert via OCSP: no responder URL");
             validator.validate(path, params);
         } catch (CertPathValidatorException cpve) {
             if (cpve.getReason() != BasicReason.REVOKED) {
                 throw new Exception(
-                    "unexpect exception, should be a REVOKED CPVE", cpve);
+                    "unexpected exception, should be a REVOKED CPVE", cpve);
             }
+            System.out.println("  successful failover to using CRLs");
+        }
+
+        java.security.cert.PKIXRevocationChecker revocationChecker =
+            (java.security.cert.PKIXRevocationChecker)
+                validator.getRevocationChecker();
+        revocationChecker.setOCSPResponder(
+            new java.net.URI("bad_ocsp_responder_url"));
+        params.addCertPathChecker(revocationChecker);
+
+        try {
+            System.out.println("Validating cert via OCSP: bad responder URL");
+            validator.validate(path, params);
+        } catch (CertPathValidatorException cpve) {
+            if (cpve.getReason() != BasicReason.REVOKED) {
+                throw new Exception(
+                    "unexpected exception, should be a REVOKED CPVE", cpve);
+            }
+            System.out.println("  successful failover to using CRLs");
         }
     }
 }