JDK-8170820

RevocationRestrictions.java test needs to be updated to use cached OCSP responses

    Details

    • Resolved In Build: b150
    • CPU: generic
    • OS: generic


        Description

        The RevocationRestrictions.java test does certpath validation against a date in the past, which is set with the PKIXParameters.setDate() method.

        The test has been failing since JDK-8168931 was fixed. That fix updated the revocation checker to validate fresh OCSP responses against the current date. The test needs to be updated to use cached OCSP responses when it validates certpaths against a date in the past.


            Activity

            asmotrak Artem Smotrakov added a comment -
            Certpath validation in Test #4 / runTestSHA1() passes if it sets cached OCSP responses which are valid at the PKIXParameters date.

            So this looks like a test bug; other test cases which set the PKIXParameters date in the past need to be updated to use cached OCSP responses.
            asmotrak Artem Smotrakov added a comment -
            Here are the original subject and description for this bug (just for the record):

            denyAfter constraint is not applied to OCSP certificates after JDK-8168931

            JDK-8168931 updated OCSP.check() not to pass the date from PKIXParameters to OCSPResponse.verify(). But the verify() method uses the passed date for both:
            - checking the validity of the OCSP signer
            - denyAfter constraints

            See OCSPResponse.java for details:

            http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/aa6fda530e14/src/java.base/share/classes/sun/security/provider/certpath/OCSPResponse.java#l508

            ...
                            // Check algorithm constraints specified in security property
                            // "jdk.certpath.disabledAlgorithms".
                            AlgorithmChecker algChecker =
                                    new AlgorithmChecker(issuerInfo.getAnchor(), date);
                            algChecker.init(false);
                            algChecker.check(signerCert, Collections.<String>emptySet());

                            // check the validity
                            try {
                                if (date == null) {
                                    signerCert.checkValidity();
                                } else {
                                    signerCert.checkValidity(date);
                                }
                            } catch (CertificateException e) {
                                throw new CertPathValidatorException(
                                    "Responder's certificate not within the " +
                                    "validity period", e);
                            }
            ...

            The OCSP response validity period needs to be checked against the current time (see JDK-8168931), but "denyAfter" constraints should be checked against the date set by PKIXParameters.setDate().
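To make the two code paths concrete, here is an added Python model (not JDK code and not part of this issue) of which date the responder-certificate checks in OCSPResponse.verify() end up using after JDK-8168931: a fresh response is verified with date == null (current time), while a cached response supplied through PKIXRevocationChecker.setOcspResponses() is verified with the PKIXParameters date. The ResponderCert type, the DENY_AFTER table and every date below are constructed for illustration.

```python
# Model (not JDK code) of the date used by the responder-certificate checks in
# sun.security.provider.certpath.OCSPResponse.verify() after JDK-8168931.
# Fresh response: date == null, so checks fall back to the current time.
# Cached response: the PKIXParameters date is passed through.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ResponderCert:
    not_before: date
    not_after: date
    sig_alg: str


# Constructed stand-in for a "denyAfter" entry in jdk.certpath.disabledAlgorithms.
DENY_AFTER = {"SHA1withRSA": date(2017, 1, 1)}


def verify_responder(cert, pkix_date, now, cached):
    """Return the list of failed checks ([] means the responder cert is accepted).

    Mirrors the excerpt above: the same 'date' drives both the algorithm
    constraint check (AlgorithmChecker) and signerCert.checkValidity(date).
    """
    check_date = pkix_date if cached else now
    failures = []
    deny_after = DENY_AFTER.get(cert.sig_alg)
    if deny_after is not None and check_date > deny_after:
        failures.append("denyAfter")   # AlgorithmChecker.check() rejects the algorithm
    if not (cert.not_before <= check_date <= cert.not_after):
        failures.append("validity")    # "Responder's certificate not within the validity period"
    return failures


def run_past_date_test(cached):
    """Scenario from the bug: a test validates a certpath at a date in the past
    (PKIXParameters.setDate) with a responder cert that has expired since then."""
    responder = ResponderCert(date(2015, 1, 1), date(2016, 1, 1), "SHA1withRSA")
    return verify_responder(responder, pkix_date=date(2015, 6, 1),
                            now=date(2017, 6, 1), cached=cached)


if __name__ == "__main__":
    # Fresh response: checked at 'now', so the expired SHA-1 responder cert fails.
    print("fresh response :", run_past_date_test(cached=False))  # ['denyAfter', 'validity']
    # Cached response: checked at the PKIXParameters date, as the test intends.
    print("cached response:", run_past_date_test(cached=True))   # []
```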

              People

              • Assignee: asmotrak Artem Smotrakov
              • Reporter: asmotrak Artem Smotrakov
              • Votes: 0
              • Watchers: 4