6885667: CertPath/CertPathValidatorTest/bugs/bug6383078 fails on jdk6u18/b02,...

6885667: CertPath/CertPathValidatorTest/bugs/bug6383078 fails on jdk6u18/b02, jdk7/pit/b73 and passes on b72. Summary: Wrap all OCSP exceptions in CertPathValidatorException so that we can fallback to CRLs, if enabled. Reviewed-by: dgu, xuelei

6885667: CertPath/CertPathValidatorTest/bugs/bug6383078 fails on jdk6u18/b02,...
6885667: CertPath/CertPathValidatorTest/bugs/bug6383078 fails on jdk6u18/b02, jdk7/pit/b73 and passes on b72. Summary: Wrap all OCSP exceptions in CertPathValidatorException so that we can fallback to CRLs, if enabled. Reviewed-by: dgu, xuelei
314a0946 · mullan · 281283c6 · 314a0946 · 314a0946
2 changed file
--- a/src/share/classes/sun/security/provider/certpath/OCSP.java
+++ b/src/share/classes/sun/security/provider/certpath/OCSP.java
@@ -64,6 +64,8 @@ public final class OCSP {

    private static final Debug debug = Debug.getInstance("certpath");

+    private static final int CONNECT_TIMEOUT = 15000; // 15 seconds
+
    private OCSP() {}

    /**
@@ -176,6 +178,8 @@ public final class OCSP {
                debug.println("connecting to OCSP service at: " + url);
            }
            HttpURLConnection con = (HttpURLConnection)url.openConnection();
+            con.setConnectTimeout(CONNECT_TIMEOUT);
+            con.setReadTimeout(CONNECT_TIMEOUT);
            con.setDoOutput(true);
            con.setDoInput(true);
            con.setRequestMethod("POST");

--- a/src/share/classes/sun/security/provider/certpath/OCSPChecker.java
+++ b/src/share/classes/sun/security/provider/certpath/OCSPChecker.java
@@ -25,7 +25,6 @@

 package sun.security.provider.certpath;

-import java.io.IOException;
 import java.math.BigInteger;
 import java.util.*;
 import java.security.AccessController;
@@ -335,10 +334,11 @@ class OCSPChecker extends PKIXCertPathChecker {
                (issuerCert, currCertImpl.getSerialNumberObject());
            response = OCSP.check(Collections.singletonList(certId), uri,
                responderCert, pkixParams.getDate());
-        } catch (IOException ioe) {
-            // should allow this to pass if network failures are acceptable
+        } catch (Exception e) {
+            // Wrap all exceptions in CertPathValidatorException so that
+            // we can fallback to CRLs, if enabled.
            throw new CertPathValidatorException
-                ("Unable to send OCSP request", ioe);
+                ("Unable to send OCSP request", e);
        }

        RevocationStatus rs = (RevocationStatus) response.getSingleResponse(certId);