- Bug
- Resolution: Duplicate
- P4
- None
- 8u91
- generic
- generic
FULL PRODUCT VERSION :
java version "1.8.0_91"
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
Java HotSpot(TM) Client VM (build 25.91-b14, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Windows 7 SP1 64 bit
A DESCRIPTION OF THE PROBLEM :
With the SOFT_FAIL option set, a network timeout exception is not returned by the PKIXRevocationChecker.getSoftFailExceptions(). The Javadoc at http://docs.oracle.com/javase/8/docs/api/java/security/cert/PKIXRevocationChecker.Option.html#SOFT_FAIL states "Exceptions that cause the network errors are ignored but can be later retrieved by calling the getSoftFailExceptions method." So the expectation is a socket timeout would be included in the List<CertPathValidatorException>.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
PKIXRevocationChecker rc = (PKIXRevocationChecker)cpv.getRevocationChecker();
rc.setOptions(EnumSet.of(Option.SOFT_FAIL));
params.addCertPathChecker(rc);
CertPathValidatorResult cpvr = cpv.validate(path, params);
List<CertPathValidatorException> softFailExceptionList = new ArrayList<>(rc.getSoftFailExceptions());
softFailExceptionList = rc.getSoftFailExceptions(); // instance method: call it on rc, not on the class
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
SocketTimeoutException is included in the List<CertPathValidatorException> when calling PKIXRevocationChecker.getSoftFailExceptions()
https://docs.oracle.com/javase/8/docs/api/java/security/cert/PKIXRevocationChecker.html#getSoftFailExceptions--
ACTUAL -
The SocketTimeoutException is not returned in the List<CertPathValidatorException>
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
public void checkRevocation(X509Certificate xcert) throws Exception {
    /*
     * Pass an X509Certificate xcert with a known OCSP responder in the AIA field
     * that is known to be OFFLINE.
     */
    // Enable OCSP and CRL Distribution Points checking (constants defined elsewhere by the submitter).
    Security.setProperty(OCSP_ENABLE_SECURITY_PROPERTY, "true");
    System.setProperty(CRLDP_ENABLE_SYSTEM_PROPERTY, "true");
    PKIXParameters params = new PKIXParameters(getTrustKS());
    CertPathValidator cpv = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
    PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
    // Network errors during revocation checking should be ignored but recorded.
    rc.setOptions(EnumSet.of(Option.SOFT_FAIL));
    params.addCertPathChecker(rc);
    params.setRevocationEnabled(true);
    List<X509Certificate> certList = new ArrayList<>();
    certList.add(xcert);
    CertificateFactory cf = CertificateFactory.getInstance(X509_CERT_TYPE);
    CertPath cp = cf.generateCertPath(certList);
    PKIXCertPathValidatorResult result = null;
    cpv.validate(cp, params);
    // Copy the exceptions recorded by the soft-fail checker.
    List<CertPathValidatorException> softFailExceptionList = new ArrayList<>(rc.getSoftFailExceptions());
    System.out.println(softFailExceptionList.isEmpty()); // expectation is a SocketTimeoutException is included in the List<CertPathValidatorException>
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Don't use SOFT_FAIL option and use a catch block to catch CertPathValidatorException.getCause() with an instanceof operator to detect a SocketTimeoutException.
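The workaround above, written out as an added example (not the submitter's code and not JDK code): validation runs without SOFT_FAIL, and the thrown CertPathValidatorException is inspected for a SocketTimeoutException anywhere in its cause chain. The class, enum and method names are hypothetical, and the property names "ocsp.enable" and "com.sun.security.enableCRLDP" are assumed to be the values behind the report's constants.

```java
import java.io.IOException;
import java.net.SocketTimeoutException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.Collections;

public class HardFailRevocationCheck {
    // Hypothetical result type: the caller decides what a timeout means for its policy.
    enum Outcome { VALID, STATUS_UNKNOWN_TIMEOUT, REJECTED }

    // The timeout may be wrapped more than one level deep, so walk the whole chain.
    static boolean causedByTimeout(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof SocketTimeoutException) {
                return true;
            }
        }
        return false;
    }

    static Outcome check(X509Certificate cert, KeyStore trustStore) throws Exception {
        Security.setProperty("ocsp.enable", "true");                // assumed constant value
        System.setProperty("com.sun.security.enableCRLDP", "true"); // assumed constant value
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true); // no SOFT_FAIL: network errors surface as exceptions
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(cert));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return Outcome.VALID;
        } catch (CertPathValidatorException e) {
            // Keep "responder unreachable" distinct from "revoked or otherwise invalid"
            // so the two cases can be logged and handled separately.
            return causedByTimeout(e) ? Outcome.STATUS_UNKNOWN_TIMEOUT : Outcome.REJECTED;
        }
    }

    public static void main(String[] args) {
        // Constructed exception chains (no network access needed) to exercise the classifier.
        CertPathValidatorException timeout = new CertPathValidatorException(
                "constructed: revocation status could not be determined",
                new IOException(new SocketTimeoutException("constructed: connect timed out")));
        CertPathValidatorException other =
                new CertPathValidatorException("constructed: certificate has been revoked");
        System.out.println("timeout chain  -> " + causedByTimeout(timeout));
        System.out.println("non-timeout    -> " + causedByTimeout(other));
    }
}
```

Neither non-VALID outcome means the certificate was accepted; STATUS_UNKNOWN_TIMEOUT only records why its revocation status is unknown.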
- duplicates: JDK-8161973 PKIXRevocationChecker.getSoftFailExceptions() not working (Closed)