JDK-6894461

OCSP Checker should not wrap all Exception as "Unable to send OCSP request."(introduced by #6885667)


      Description

        OCSP Checker should not wrap all Exceptions as "Unable to send OCSP request." Some of the exceptions (such as IOExceptions) really are caused by being unable to send the OCSP request. Others are caused by the various responses sent back by the OCSP responder, such as "OCSP response error: MALFORMED_REQUEST" or "OCSP response error: INTERNAL_ERROR", etc. These kinds of exceptions should not be wrapped as "Unable to send OCSP request", which is misleading (although the real cause can always be found with e.getCause()).

        The following are some logs showing different kinds of response error exceptions, and the code that causes this bug:

        logs
        --------------------------------------
        ...
        ========================================================
        TEST_CASE: ./testcase/openssl/OpenSSL_User_MalformedRequest
        ========================================================
        PROXY_HOST:null
        PROXY_PORT:null
        OCSP_ENABLE:true
        OCSP_RESPONDER_URL:http://powerpuff.sfbay.sun.com:9990
        OCSP_RESPONDER_CERT_SUBJECT_NAME:null
        OCSP_RESPONDER_CERT_ISSUER_NAME:null
        OCSP_RESPONDER_CERT_SERIAL_NUMBER:null
        TRUSTED_ROOT:./data/openssl/RootCAcert.crt
        EE_CERT:./data/openssl/userGood.crt
        EXPECTED_EXCEPTION:java.security.cert.CertPathValidatorException: OCSP response error: MALFORMED_REQUEST
        ========================================================
        e.getCause(): java.security.cert.CertPathValidatorException: OCSP response error: MALFORMED_REQUEST
        e.getLocalizedMessage(): Unable to send OCSP request
        e.getIndex(): 0
        RESULT: FALSE
        java.security.cert.CertPathValidatorException: Unable to send OCSP request
                at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
                at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:326)
                at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
                at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
                at TestOCSP.run(TestOCSP.java:209)
                at TestOCSP.main(TestOCSP.java:60)
        Caused by: java.security.cert.CertPathValidatorException: OCSP response error: MALFORMED_REQUEST
                at sun.security.provider.certpath.OCSP.check(OCSP.java:222)
                at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:312)
                at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
                ... 5 more

        ========================================================
        TEST_CASE: ./testcase/openssl/OpenSSL_User_InternalError
        ========================================================
        PROXY_HOST:null
        PROXY_PORT:null
        OCSP_ENABLE:true
        OCSP_RESPONDER_URL:http://powerpuff.sfbay.sun.com:9998
        OCSP_RESPONDER_CERT_SUBJECT_NAME:null
        OCSP_RESPONDER_CERT_ISSUER_NAME:null
        OCSP_RESPONDER_CERT_SERIAL_NUMBER:null
        TRUSTED_ROOT:./data/openssl/RootCAcert.crt
        EE_CERT:./data/openssl/userGood.crt
        EXPECTED_EXCEPTION:java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR
        ========================================================
        e.getCause(): java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR
        e.getLocalizedMessage(): Unable to send OCSP request
        e.getIndex(): 0
        RESULT: FALSE
        ...
        -------------------------------------------------------------

        diff of sun/security/provider/certpath/OCSP.java
        -------------------------------------------------------
        @@ -333,14 +332,15 @@
                 try {
                     certId = new CertId
                         (issuerCert, currCertImpl.getSerialNumberObject());
                     response = OCSP.check(Collections.singletonList(certId), uri,
                         responderCert, pkixParams.getDate());
        - } catch (IOException ioe) {
        - // should allow this to pass if network failures are acceptable
        + } catch (Exception e) {
        + // Wrap all exceptions in CertPathValidatorException so that
        + // we can fallback to CRLs, if enabled.
                     throw new CertPathValidatorException
        - ("Unable to send OCSP request", ioe);
        + ("Unable to send OCSP request", e);
                 }
         
                 RevocationStatus rs = (RevocationStatus) response.getSingleResponse(certId);
                 RevocationStatus.CertStatus certStatus = rs.getCertStatus();
                 if (certStatus == RevocationStatus.CertStatus.REVOKED) {
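        Review bot: the `+ } catch (Exception e) {` line wraps the CertPathValidatorException that OCSP.check itself throws (e.g. "OCSP response error: MALFORMED_REQUEST", as the logs above show) under the message "Unable to send OCSP request", so the outer exception's message no longer describes the failure and callers have to dig through getCause(). If the intent is only to let the caller fall back to CRLs, keep the IOException catch for the transport case and let a CertPathValidatorException propagate with its own message, e.g. `} catch (CertPathValidatorException cpve) { throw cpve; } catch (IOException ioe) { ... }`. Catching bare Exception also routes unrelated RuntimeExceptions into the CRL-fallback path, which hides programming errors rather than reporting them.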
        -----------------------------------------------------------------
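        As an added example (not the JDK's own code), the following Java class simulates OCSP.check() failing in the three ways the logs above show and contrasts the catch-all wrapper from the #6885667 change with a wrapper that only relabels IOExceptions; the class name and scenario strings are constructed for illustration.

```java
import java.io.IOException;
import java.security.cert.CertPathValidatorException;

// Added illustration, not JDK code: a catch-all wrapper vs. one that keeps the responder's error.
public class OcspWrapDemo {
    // Stand-in for OCSP.check(), constructed to fail the way the logs above do.
    static void check(String scenario) throws IOException, CertPathValidatorException {
        switch (scenario) {
            case "network":   // a genuine "unable to send" failure
                throw new IOException("connect timed out");
            case "malformed": // responder answered, but with an error status
                throw new CertPathValidatorException("OCSP response error: MALFORMED_REQUEST");
            default:
                throw new CertPathValidatorException("OCSP response error: INTERNAL_ERROR");
        }
    }

    // Pattern from the #6885667 change: every failure becomes "Unable to send
    // OCSP request"; the real reason survives only in getCause().
    static void checkWrapAll(String scenario) throws CertPathValidatorException {
        try {
            check(scenario);
        } catch (Exception e) {
            throw new CertPathValidatorException("Unable to send OCSP request", e);
        }
    }

    // Narrower form: only transport failures get the "unable to send" message;
    // a CertPathValidatorException from the reply propagates with its own message.
    static void checkWrapIoOnly(String scenario) throws CertPathValidatorException {
        try {
            check(scenario);
        } catch (IOException ioe) {
            throw new CertPathValidatorException("Unable to send OCSP request", ioe);
        }
    }

    public static void main(String[] args) {
        for (String s : new String[] {"network", "malformed", "internal"}) {
            try { checkWrapAll(s); } catch (CertPathValidatorException e) {
                System.out.println("wrap-all " + s + ": " + e.getMessage()
                    + " (cause: " + e.getCause().getMessage() + ")");
            }
            try { checkWrapIoOnly(s); } catch (CertPathValidatorException e) {
                System.out.println("io-only  " + s + ": " + e.getMessage());
            }
        }
    }
}
```

        Running it prints the same "Unable to send OCSP request" message for all three scenarios from the catch-all wrapper, while the IOException-only wrapper reports the responder's MALFORMED_REQUEST and INTERNAL_ERROR messages directly.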

              People

                mullan Sean Mullan
                whusunw Wen-zhong Hu (Inactive)