提交 7f2a12a3 编写于 作者: M mullan

Merge

......@@ -315,12 +315,14 @@ public class CertPathBuilder {
* Returns a {@code CertPathChecker} that the encapsulated
* {@code CertPathBuilderSpi} implementation uses to check the revocation
* status of certificates. A PKIX implementation returns objects of
* type {@code PKIXRevocationChecker}.
* type {@code PKIXRevocationChecker}. Each invocation of this method
* returns a new instance of {@code CertPathChecker}.
*
* <p>The primary purpose of this method is to allow callers to specify
* additional input parameters and options specific to revocation checking.
* See the class description for an example.
*
* @return a {@code CertPathChecker}
* @throws UnsupportedOperationException if the service provider does not
* support this method
* @since 1.8
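Review bot: The new sentence "Each invocation of this method returns a new instance" leaves open whether those instances are independent of each other, which is the property a caller who configures one checker for several builds actually depends on; the same wording is added in the CertPathValidator hunk. If independence is the intended contract, say so: `* returns a new instance of {@code CertPathChecker} that is independent of any instance previously returned.` The unit test added in this commit only checks reference identity, so the Javadoc is the only place that contract would be stated.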
......
......@@ -327,12 +327,14 @@ public class CertPathValidator {
* Returns a {@code CertPathChecker} that the encapsulated
* {@code CertPathValidatorSpi} implementation uses to check the revocation
* status of certificates. A PKIX implementation returns objects of
* type {@code PKIXRevocationChecker}.
* type {@code PKIXRevocationChecker}. Each invocation of this method
* returns a new instance of {@code CertPathChecker}.
*
* <p>The primary purpose of this method is to allow callers to specify
* additional input parameters and options specific to revocation checking.
* See the class description for an example.
*
* @return a {@code CertPathChecker}
* @throws UnsupportedOperationException if the service provider does not
* support this method
* @since 1.8
......
......@@ -63,8 +63,8 @@ import java.util.Set;
* and then the {@code PKIXParameters} is passed along with the {@code CertPath}
* to be validated to the {@link CertPathValidator#validate validate} method
* of a PKIX {@code CertPathValidator}. When supplying a revocation checker in
* this manner, do not enable the default revocation checking mechanism (by
* calling {@link PKIXParameters#setRevocationEnabled}.
* this manner, it will be used to check revocation irrespective of the setting
* of the {@link PKIXParameters#isRevocationEnabled RevocationEnabled} flag.
*
* <p>Note that when a {@code PKIXRevocationChecker} is added to
* {@code PKIXParameters}, it clones the {@code PKIXRevocationChecker};
......@@ -88,7 +88,7 @@ public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
private URI ocspResponder;
private X509Certificate ocspResponderCert;
private List<Extension> ocspExtensions = Collections.<Extension>emptyList();
private Map<X509Certificate, byte[]> ocspStapled = Collections.emptyMap();
private Map<X509Certificate, byte[]> ocspResponses = Collections.emptyMap();
private Set<Option> options = Collections.emptySet();
protected PKIXRevocationChecker() {}
......@@ -169,40 +169,40 @@ public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
}
/**
* Sets the stapled OCSP responses. These responses are used to determine
* Sets the OCSP responses. These responses are used to determine
* the revocation status of the specified certificates when OCSP is used.
*
* @param responses a map of stapled OCSP responses. Each key is an
* @param responses a map of OCSP responses. Each key is an
* {@code X509Certificate} that maps to the corresponding
* DER-encoded OCSP response for that certificate. A deep copy of
* the map is performed to protect against subsequent modification.
*/
public void setOCSPStapledResponses(Map<X509Certificate, byte[]> responses)
public void setOCSPResponses(Map<X509Certificate, byte[]> responses)
{
if (responses == null) {
this.ocspStapled = Collections.<X509Certificate, byte[]>emptyMap();
this.ocspResponses = Collections.<X509Certificate, byte[]>emptyMap();
} else {
Map<X509Certificate, byte[]> copy = new HashMap<>(responses.size());
for (Map.Entry<X509Certificate, byte[]> e : responses.entrySet()) {
copy.put(e.getKey(), e.getValue().clone());
}
this.ocspStapled = copy;
this.ocspResponses = copy;
}
}
/**
* Gets the stapled OCSP responses. These responses are used to determine
* Gets the OCSP responses. These responses are used to determine
* the revocation status of the specified certificates when OCSP is used.
*
* @return a map of stapled OCSP responses. Each key is an
* @return a map of OCSP responses. Each key is an
* {@code X509Certificate} that maps to the corresponding
* DER-encoded OCSP response for that certificate. A deep copy of
* the map is returned to protect against subsequent modification.
* Returns an empty map if no responses have been specified.
*/
public Map<X509Certificate, byte[]> getOCSPStapledResponses() {
Map<X509Certificate, byte[]> copy = new HashMap<>(ocspStapled.size());
for (Map.Entry<X509Certificate, byte[]> e : ocspStapled.entrySet()) {
public Map<X509Certificate, byte[]> getOCSPResponses() {
Map<X509Certificate, byte[]> copy = new HashMap<>(ocspResponses.size());
for (Map.Entry<X509Certificate, byte[]> e : ocspResponses.entrySet()) {
copy.put(e.getKey(), e.getValue().clone());
}
return copy;
......@@ -234,10 +234,10 @@ public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
public Object clone() {
PKIXRevocationChecker copy = (PKIXRevocationChecker)super.clone();
copy.ocspExtensions = new ArrayList<>(ocspExtensions);
copy.ocspStapled = new HashMap<>(ocspStapled);
// deep-copy the encoded stapled responses, since they are mutable
copy.ocspResponses = new HashMap<>(ocspResponses);
// deep-copy the encoded responses, since they are mutable
for (Map.Entry<X509Certificate, byte[]> entry :
copy.ocspStapled.entrySet())
copy.ocspResponses.entrySet())
{
byte[] encoded = entry.getValue();
entry.setValue(encoded.clone());
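Review bot: In setOCSPResponses the deep copy dereferences every map value with `e.getValue().clone()`, so a map containing a null value fails with a bare NullPointerException from inside the loop and neither the Javadoc nor the method says so. Either document it, `* @throws NullPointerException if any value in {@code responses} is {@code null}`, or reject it with a message, `copy.put(e.getKey(), Objects.requireNonNull(e.getValue(), "OCSP response").clone());` (assuming java.util.Objects is imported, which the hunk does not show). The assignment to this.ocspResponses happens after the loop, so a failing copy at least leaves the previous state intact; that is worth keeping when this is touched again.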
......
......@@ -67,7 +67,7 @@ class RevocationChecker extends PKIXRevocationChecker {
private URI responderURI;
private X509Certificate responderCert;
private List<CertStore> certStores;
private Map<X509Certificate, byte[]> ocspStapled;
private Map<X509Certificate, byte[]> ocspResponses;
private List<Extension> ocspExtensions;
private boolean legacy;
......@@ -140,7 +140,7 @@ class RevocationChecker extends PKIXRevocationChecker {
} else {
crlDP = true;
}
ocspStapled = getOCSPStapledResponses();
ocspResponses = getOCSPResponses();
ocspExtensions = getOCSPExtensions();
this.anchor = anchor;
......@@ -645,11 +645,11 @@ class RevocationChecker extends PKIXRevocationChecker {
try {
certId = new CertId(issuerCert, currCert.getSerialNumberObject());
// check if there is a stapled OCSP response available
byte[] responseBytes = ocspStapled.get(cert);
// check if there is a cached OCSP response available
byte[] responseBytes = ocspResponses.get(cert);
if (responseBytes != null) {
if (debug != null) {
debug.println("Found stapled OCSP response");
debug.println("Found cached OCSP response");
}
response = new OCSPResponse(responseBytes);
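Review bot: A caller-supplied response taken from ocspResponses is parsed and used in place of a fetched one, and the hunk shows no signature, issuer or validity-window check on that path; whether OCSPResponse or the code after this hunk verifies it is outside what is visible, so a comment should pin the expectation: `// caller-supplied response: must pass the same signature and validity checks as a fetched one`. Separately, the CertId on the line above is built from currCert while the map lookup uses cert; if those are distinct objects, confirm they denote the same certificate, otherwise the lookup and the CertId can disagree. The enclosing method starts and ends outside the hunk.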
......
......@@ -23,7 +23,7 @@
/**
* @test
* @bug 6854712
* @bug 6854712 7171570
* @summary Basic unit test for PKIXRevocationChecker
*/
......@@ -33,6 +33,7 @@ import java.io.IOException;
import java.io.OutputStream;
import java.net.URI;
import java.security.cert.CertificateFactory;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathChecker;
import java.security.cert.CertPathValidator;
import java.security.cert.Extension;
......@@ -58,8 +59,7 @@ public class UnitTest {
requireNull(prc.getOCSPResponder(), "getOCSPResponder()");
requireNull(prc.getOCSPResponderCert(), "getOCSPResponderCert()");
requireEmpty(prc.getOCSPExtensions(), "getOCSPExtensions()");
requireEmpty(prc.getOCSPStapledResponses(),
"getOCSPStapledResponses()");
requireEmpty(prc.getOCSPResponses(), "getOCSPResponses()");
requireEmpty(prc.getOptions(), "getOptions()");
System.out.println("Testing that get methods return same parameters " +
......@@ -94,11 +94,24 @@ public class UnitTest {
requireNull(prc.getOCSPResponderCert(), "getOCSPResponderCert()");
prc.setOCSPExtensions(null);
requireEmpty(prc.getOCSPExtensions(), "getOCSPExtensions()");
prc.setOCSPStapledResponses(null);
requireEmpty(prc.getOCSPStapledResponses(),
"getOCSPStapledResponses()");
prc.setOCSPResponses(null);
requireEmpty(prc.getOCSPResponses(), "getOCSPResponses()");
prc.setOptions(null);
requireEmpty(prc.getOptions(), "getOptions()");
System.out.println("Testing that getRevocationChecker returns new " +
"instance each time");
CertPathChecker first = cpv.getRevocationChecker();
CertPathChecker second = cpv.getRevocationChecker();
if (first == second) {
throw new Exception("FAILED: CertPathCheckers not new instances");
}
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
first = cpb.getRevocationChecker();
second = cpb.getRevocationChecker();
if (first == second) {
throw new Exception("FAILED: CertPathCheckers not new instances");
}
}
static void requireNull(Object o, String msg) throws Exception {
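Review bot: The new identity check only asserts `first != second`, so an implementation that hands out distinct wrappers over shared state would still pass; the Javadoc being added in this commit says a PKIX implementation returns a PKIXRevocationChecker, so the test can also show the instances are independent. After obtaining both checkers, mutate one and read the other: `((PKIXRevocationChecker) first).setOCSPResponder(URI.create("http://ocsp.example/"));` (constructed sample value) followed by `requireNull(((PKIXRevocationChecker) second).getOCSPResponder(), "second.getOCSPResponder()");`, and the same for the CertPathBuilder pair. requireNull is already defined in this file and java.net.URI is already imported.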
......