[8] RFR JDK-8029788: Certificate validation- java.lang.ClassCastException

Vincent Ryan vincent.x.ryan at oracle.com
Tue Dec 10 17:30:05 UTC 2013


Thanks for your reviews. I’ve made a minor change to include a message in
the CPVE, as suggested by Max.

% hg diff OCSPResponse.java
diff --git a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
@@ -427,9 +427,14 @@ public final class OCSPResponse {
         if (signerCert == null) {
             // Add the Issuing CA cert and/or Trusted Responder cert to the list
             // of certs from the OCSP response
-            certs.add((X509CertImpl) issuerCert);
-            if (responderCert != null) {
-                certs.add((X509CertImpl) responderCert);
+            try {
+                certs.add(X509CertImpl.toImpl(issuerCert));
+                if (responderCert != null) {
+                    certs.add(X509CertImpl.toImpl(responderCert));
+                }
+            } catch (CertificateException ce) {
+                throw new CertPathValidatorException(
+                    "Invalid issuer or trusted responder certificate", ce);
             }
 
             if (responderName != null) {
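Review bot: the single catch around both X509CertImpl.toImpl calls reports "Invalid issuer or trusted responder certificate", so the CertPathValidatorException does not say whether issuerCert or responderCert failed conversion. Consider converting each certificate in its own try block with a message naming it; the chained cause `ce` is worth keeping either way. The diff shown covers only OCSPResponse.java, so a regression test that supplies an issuer or trusted responder certificate from an X509Certificate subclass other than X509CertImpl would help keep the ClassCastException from coming back.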



On 10 Dec 2013, at 01:44, Weijun Wang <weijun.wang at oracle.com> wrote:

> It looks good. Would you like to add a string message?
> 
> Thanks
> Max
> 
> On 12/10/13, 9:47, Jason Uh wrote:
>> Hi Vinnie,
>> 
>> The change looks good to me.
>> 
>> Jason
>> (Not an official Reviewer)
>> 
>> On 12/9/13 3:25 PM, Vincent Ryan wrote:
>>> 
>>> Please review this fix to the OCSPResponse class in the internal
>>> sun.security.provider.certpath package. Previously, when validating
>>> an OCSP response, it expected the supplied issuer and/or trusted
>>> responder X509 certs to already be in an internal format used by
>>> the package. Now it accepts certs in any subclass of X509Certificate
>>> and will convert to the internal format, if necessary.
>>> 
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8029788
>>> Webrev: http://cr.openjdk.java.net/~vinnie/8029788/webrev.00/
>>> 
>>> This fixes a regression introduced by JDK-8015571.
>>> Thanks.
>> 
