Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6894461

OCSP Checker should not wrap all Exception as "Unable to send OCSP request."(introduced by #6885667)

    Details

    • Subcomponent:
    • Introduced In Build:
      b04
    • Introduced In Version:
    • Resolved In Build:
      b06
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Verified

      Backports

        Description

        OCSP Checker should not wrap all Exception as "Unable to send OCSP request." Some of exceptions (such as IOExceptions ) are really because of "Unable to send OCSP request" . While others are because of various responses back from OCSP reponder such as "OCSP response error: MALFORMED_REQUEST" or "OCSP response error: INTERNAL_ERROR", etc. These kind of exceptions should not be wraped as "Unable to send OCSP request." which is misleading (while the real causes can always been found with e.getCause()).

        The following is some logs showing different kinds of response error exceptions and the code causes this bug:

        logs
        --------------------------------------
        ...
        ========================================================
        TEST_CASE: ./testcase/openssl/OpenSSL_User_MalformedRequest
        ========================================================
        PROXY_HOST:null
        PROXY_PORT:null
        OCSP_ENABLE:true
        OCSP_RESPONDER_URL:http://powerpuff.sfbay.sun.com:9990
        OCSP_RESPONDER_CERT_SUBJECT_NAME:null
        OCSP_RESPONDER_CERT_ISSUER_NAME:null
        OCSP_RESPONDER_CERT_SERIAL_NUMBER:null
        TRUSTED_ROOT:./data/openssl/RootCAcert.crt
        EE_CERT:./data/openssl/userGood.crt
        EXPECTED_EXCEPTION:java.security.cert.CertPathValidatorException: OCSP response error: MALFORMED_REQUEST
        ========================================================
        e.getCause(): java.security.cert.CertPathValidatorException: OCSP response error: MALFORMED_REQUEST
        e.getLocalizedMessage(): Unable to send OCSP request
        e.getIndex(): 0
        RESULT: FALSE
        java.security.cert.CertPathValidatorException: Unable to send OCSP request
                at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
                at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:326)
                at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
                at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
                at TestOCSP.run(TestOCSP.java:209)
                at TestOCSP.main(TestOCSP.java:60)
        Caused by: java.security.cert.CertPathValidatorException: OCSP response error: MALFORMED_REQUEST
                at sun.security.provider.certpath.OCSP.check(OCSP.java:222)
                at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:312)
                at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
                ... 5 more

        ========================================================
        TEST_CASE: ./testcase/openssl/OpenSSL_User_InternalError
        ========================================================
        PROXY_HOST:null
        PROXY_PORT:null
        OCSP_ENABLE:true
        OCSP_RESPONDER_URL:http://powerpuff.sfbay.sun.com:9998
        OCSP_RESPONDER_CERT_SUBJECT_NAME:null
        OCSP_RESPONDER_CERT_ISSUER_NAME:null
        OCSP_RESPONDER_CERT_SERIAL_NUMBER:null
        TRUSTED_ROOT:./data/openssl/RootCAcert.crt
        EE_CERT:./data/openssl/userGood.crt
        EXPECTED_EXCEPTION:java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR
        ========================================================
        e.getCause(): java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR
        e.getLocalizedMessage(): Unable to send OCSP request
        e.getIndex(): 0
        RESULT: FALSE
        ...
        -------------------------------------------------------------

        diff of sun/security/provider/certpath/OCSP.java
        -------------------------------------------------------
        @@ -333,14 +332,15 @@
                 try {
                     certId = new CertId
                         (issuerCert, currCertImpl.getSerialNumberObject());
                     response = OCSP.check(Collections.singletonList(certId), uri,
                         responderCert, pkixParams.getDate());
        - } catch (IOException ioe) {
        - // should allow this to pass if network failures are acceptable
        + } catch (Exception e) {
        + // Wrap all exceptions in CertPathValidatorException so that
        + // we can fallback to CRLs, if enabled.
                     throw new CertPathValidatorException
        - ("Unable to send OCSP request", ioe);
        + ("Unable to send OCSP request", e);
                 }
         
                 RevocationStatus rs = (RevocationStatus) response.getSingleResponse(certId);
                 RevocationStatus.CertStatus certStatus = rs.getCertStatus();
                 if (certStatus == RevocationStatus.CertStatus.REVOKED) {
        -----------------------------------------------------------------

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  mullan Sean Mullan
                  Reporter:
                  whusunw Wen-zhong Hu (Inactive)
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  0 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Imported:
                    Indexed: