7171570: JEP 124 Potential API Changes

Reviewed-by: vinnie, xuelei

7171570: JEP 124 Potential API Changes
Reviewed-by: vinnie, xuelei
f9ea41f2 · mullan · b80ffe55 · f9ea41f2 · f9ea41f2 · f9ea41f2
5 changed file
--- a/src/share/classes/java/security/cert/CertPathBuilder.java
+++ b/src/share/classes/java/security/cert/CertPathBuilder.java
@@ -315,12 +315,14 @@ public class CertPathBuilder {
     * Returns a {@code CertPathChecker} that the encapsulated
     * {@code CertPathBuilderSpi} implementation uses to check the revocation
     * status of certificates. A PKIX implementation returns objects of
-     * type {@code PKIXRevocationChecker}.
+     * type {@code PKIXRevocationChecker}. Each invocation of this method
+     * returns a new instance of {@code CertPathChecker}.
     *
     * <p>The primary purpose of this method is to allow callers to specify
     * additional input parameters and options specific to revocation checking.
     * See the class description for an example.
     *
+     * @return a {@code CertPathChecker}
     * @throws UnsupportedOperationException if the service provider does not
     *         support this method
     * @since 1.8

--- a/src/share/classes/java/security/cert/CertPathValidator.java
+++ b/src/share/classes/java/security/cert/CertPathValidator.java
@@ -327,12 +327,14 @@ public class CertPathValidator {
     * Returns a {@code CertPathChecker} that the encapsulated
     * {@code CertPathValidatorSpi} implementation uses to check the revocation
     * status of certificates. A PKIX implementation returns objects of
-     * type {@code PKIXRevocationChecker}.
+     * type {@code PKIXRevocationChecker}. Each invocation of this method
+     * returns a new instance of {@code CertPathChecker}.
     *
     * <p>The primary purpose of this method is to allow callers to specify
     * additional input parameters and options specific to revocation checking.
     * See the class description for an example.
     *
+     * @return a {@code CertPathChecker}
     * @throws UnsupportedOperationException if the service provider does not
     *         support this method
     * @since 1.8

--- a/src/share/classes/java/security/cert/PKIXRevocationChecker.java
+++ b/src/share/classes/java/security/cert/PKIXRevocationChecker.java
@@ -63,8 +63,8 @@ import java.util.Set;
 * and then the {@code PKIXParameters} is passed along with the {@code CertPath}
 * to be validated to the {@link CertPathValidator#validate validate} method
 * of a PKIX {@code CertPathValidator}. When supplying a revocation checker in
- * this manner, do not enable the default revocation checking mechanism (by
- * calling {@link PKIXParameters#setRevocationEnabled}.
+ * this manner, it will be used to check revocation irrespective of the setting
+ * of the {@link PKIXParameters#isRevocationEnabled RevocationEnabled} flag.
 *
 * <p>Note that when a {@code PKIXRevocationChecker} is added to
 * {@code PKIXParameters}, it clones the {@code PKIXRevocationChecker};
@@ -88,7 +88,7 @@ public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
    private URI ocspResponder;
    private X509Certificate ocspResponderCert;
    private List<Extension> ocspExtensions = Collections.<Extension>emptyList();
-    private Map<X509Certificate, byte[]> ocspStapled = Collections.emptyMap();
+    private Map<X509Certificate, byte[]> ocspResponses = Collections.emptyMap();
    private Set<Option> options = Collections.emptySet();

    protected PKIXRevocationChecker() {}
@@ -169,40 +169,40 @@ public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
    }

    /**
-     * Sets the stapled OCSP responses. These responses are used to determine
+     * Sets the OCSP responses. These responses are used to determine
     * the revocation status of the specified certificates when OCSP is used.
     *
-     * @param responses a map of stapled OCSP responses. Each key is an
+     * @param responses a map of OCSP responses. Each key is an
     *        {@code X509Certificate} that maps to the corresponding
     *        DER-encoded OCSP response for that certificate. A deep copy of
     *        the map is performed to protect against subsequent modification.
     */
-    public void setOCSPStapledResponses(Map<X509Certificate, byte[]> responses)
+    public void setOCSPResponses(Map<X509Certificate, byte[]> responses)
    {
        if (responses == null) {
-            this.ocspStapled = Collections.<X509Certificate, byte[]>emptyMap();
+            this.ocspResponses = Collections.<X509Certificate, byte[]>emptyMap();
        } else {
            Map<X509Certificate, byte[]> copy = new HashMap<>(responses.size());
            for (Map.Entry<X509Certificate, byte[]> e : responses.entrySet()) {
                copy.put(e.getKey(), e.getValue().clone());
            }
-            this.ocspStapled = copy;
+            this.ocspResponses = copy;
        }
    }

    /**
-     * Gets the stapled OCSP responses. These responses are used to determine
+     * Gets the OCSP responses. These responses are used to determine
     * the revocation status of the specified certificates when OCSP is used.
     *
-     * @return a map of stapled OCSP responses. Each key is an
+     * @return a map of OCSP responses. Each key is an
     *        {@code X509Certificate} that maps to the corresponding
     *        DER-encoded OCSP response for that certificate. A deep copy of
     *        the map is returned to protect against subsequent modification.
     *        Returns an empty map if no responses have been specified.
     */
-    public Map<X509Certificate, byte[]> getOCSPStapledResponses() {
-        Map<X509Certificate, byte[]> copy = new HashMap<>(ocspStapled.size());
-        for (Map.Entry<X509Certificate, byte[]> e : ocspStapled.entrySet()) {
+    public Map<X509Certificate, byte[]> getOCSPResponses() {
+        Map<X509Certificate, byte[]> copy = new HashMap<>(ocspResponses.size());
+        for (Map.Entry<X509Certificate, byte[]> e : ocspResponses.entrySet()) {
            copy.put(e.getKey(), e.getValue().clone());
        }
        return copy;
@@ -234,10 +234,10 @@ public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
    public Object clone() {
        PKIXRevocationChecker copy = (PKIXRevocationChecker)super.clone();
        copy.ocspExtensions = new ArrayList<>(ocspExtensions);
-        copy.ocspStapled = new HashMap<>(ocspStapled);
-        // deep-copy the encoded stapled responses, since they are mutable
+        copy.ocspResponses = new HashMap<>(ocspResponses);
+        // deep-copy the encoded responses, since they are mutable
        for (Map.Entry<X509Certificate, byte[]> entry :
-                 copy.ocspStapled.entrySet())
+                 copy.ocspResponses.entrySet())
        {
            byte[] encoded = entry.getValue();
            entry.setValue(encoded.clone());

--- a/src/share/classes/sun/security/provider/certpath/RevocationChecker.java
+++ b/src/share/classes/sun/security/provider/certpath/RevocationChecker.java
@@ -67,7 +67,7 @@ class RevocationChecker extends PKIXRevocationChecker {
    private URI responderURI;
    private X509Certificate responderCert;
    private List<CertStore> certStores;
-    private Map<X509Certificate, byte[]> ocspStapled;
+    private Map<X509Certificate, byte[]> ocspResponses;
    private List<Extension> ocspExtensions;
    private boolean legacy;

@@ -140,7 +140,7 @@ class RevocationChecker extends PKIXRevocationChecker {
        } else {
            crlDP = true;
        }
-        ocspStapled = getOCSPStapledResponses();
+        ocspResponses = getOCSPResponses();
        ocspExtensions = getOCSPExtensions();

        this.anchor = anchor;
@@ -645,11 +645,11 @@ class RevocationChecker extends PKIXRevocationChecker {
        try {
            certId = new CertId(issuerCert, currCert.getSerialNumberObject());

-            // check if there is a stapled OCSP response available
-            byte[] responseBytes = ocspStapled.get(cert);
+            // check if there is a cached OCSP response available
+            byte[] responseBytes = ocspResponses.get(cert);
            if (responseBytes != null) {
                if (debug != null) {
-                    debug.println("Found stapled OCSP response");
+                    debug.println("Found cached OCSP response");
                }
                response = new OCSPResponse(responseBytes);


--- a/test/java/security/cert/PKIXRevocationChecker/UnitTest.java
+++ b/test/java/security/cert/PKIXRevocationChecker/UnitTest.java
@@ -23,7 +23,7 @@

 /**
 * @test
- * @bug 6854712
+ * @bug 6854712 7171570
 * @summary Basic unit test for PKIXRevocationChecker
 */

@@ -33,6 +33,7 @@ import java.io.IOException;
 import java.io.OutputStream;
 import java.net.URI;
 import java.security.cert.CertificateFactory;
+import java.security.cert.CertPathBuilder;
 import java.security.cert.CertPathChecker;
 import java.security.cert.CertPathValidator;
 import java.security.cert.Extension;
@@ -58,8 +59,7 @@ public class UnitTest {
        requireNull(prc.getOCSPResponder(), "getOCSPResponder()");
        requireNull(prc.getOCSPResponderCert(), "getOCSPResponderCert()");
        requireEmpty(prc.getOCSPExtensions(), "getOCSPExtensions()");
-        requireEmpty(prc.getOCSPStapledResponses(),
-                     "getOCSPStapledResponses()");
+        requireEmpty(prc.getOCSPResponses(), "getOCSPResponses()");
        requireEmpty(prc.getOptions(), "getOptions()");

        System.out.println("Testing that get methods return same parameters " +
@@ -94,11 +94,24 @@ public class UnitTest {
        requireNull(prc.getOCSPResponderCert(), "getOCSPResponderCert()");
        prc.setOCSPExtensions(null);
        requireEmpty(prc.getOCSPExtensions(), "getOCSPExtensions()");
-        prc.setOCSPStapledResponses(null);
-        requireEmpty(prc.getOCSPStapledResponses(),
-                     "getOCSPStapledResponses()");
+        prc.setOCSPResponses(null);
+        requireEmpty(prc.getOCSPResponses(), "getOCSPResponses()");
        prc.setOptions(null);
        requireEmpty(prc.getOptions(), "getOptions()");
+
+        System.out.println("Testing that getRevocationChecker returns new " +
+                           "instance each time");
+        CertPathChecker first = cpv.getRevocationChecker();
+        CertPathChecker second = cpv.getRevocationChecker();
+        if (first == second) {
+            throw new Exception("FAILED: CertPathCheckers not new instances");
+        }
+        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
+        first = cpb.getRevocationChecker();
+        second = cpb.getRevocationChecker();
+        if (first == second) {
+            throw new Exception("FAILED: CertPathCheckers not new instances");
+        }
    }

    static void requireNull(Object o, String msg) throws Exception {