[8] RFR JDK-8029788: Certificate validation- java.lang.ClassCastException
Sean Mullan
sean.mullan at oracle.com
Tue Dec 10 20:04:18 UTC 2013
Looks fine.
Not as part of this fix, but as a future perf. improvement we should
intern (see X509Factory.intern) the X509CertImpl objects that are
created from the contents of the OCSP response, so that they are put in
the certificate memory cache. If the same OCSP responder is used
frequently, then these X509Certificate objects won't be created each
time the OCSP response is validated.
--Sean
On 12/10/2013 12:30 PM, Vincent Ryan wrote:
> Thanks for your reviews. I’ve made a minor change to include a message in
> the CPVE, as suggested by Max.
>
> % hg diff OCSPResponse.java
> diff --git
> a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
> b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
> --- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
> +++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
> @@ -427,9 +427,14 @@ public final class OCSPResponse {
> if (signerCert == null) {
> // Add the Issuing CA cert and/or Trusted Responder cert
> to the list
> // of certs from the OCSP response
> - certs.add((X509CertImpl) issuerCert);
> - if (responderCert != null) {
> - certs.add((X509CertImpl) responderCert);
> + try {
> + certs.add(X509CertImpl.toImpl(issuerCert));
> + if (responderCert != null) {
> + certs.add(X509CertImpl.toImpl(responderCert));
> + }
> + } catch (CertificateException ce) {
> + throw new CertPathValidatorException(
> + "Invalid issuer or trusted responder certificate", ce);
> }
>
>
> if (responderName != null) {
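
Review bot: The single catch around both X509CertImpl.toImpl calls reports "Invalid issuer or trusted responder certificate" for either failure, so the CertPathValidatorException message does not say whether issuerCert or responderCert could not be converted. Consider converting each certificate in its own try block, or naming the failing certificate in the message, so that a validation failure can be traced to the right input. Chaining ce as the cause and rejecting the response rather than skipping the unconvertible certificate is the right behaviour and should stay.
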
>
>
>
> On 10 Dec 2013, at 01:44, Weijun Wang <weijun.wang at oracle.com> wrote:
>
>> It looks good. Would you like to add a string message?
>>
>> Thanks
>> Max
>>
>> On 12/10/13, 9:47, Jason Uh wrote:
>>> Hi Vinnie,
>>>
>>> The change looks good to me.
>>>
>>> Jason
>>> (Not an official Reviewer)
>>>
>>> On 12/9/13 3:25 PM, Vincent Ryan wrote:
>>>>
>>>> Please review this fix to the OCSPResponse class in the internal
>>>> sun.security.provider.certpath package. Previously, when validating
>>>> an OCSP response, it expected the supplied issuer and/or trusted
>>>> responder X509 certs to already be in an internal format used by
>>>> the package. Now it accepts certs in any subclass of X509Certificate
>>>> and will convert to the internal format, if necessary.
>>>>
>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8029788
>>>> Webrev: http://cr.openjdk.java.net/~vinnie/8029788/webrev.00/
>>>>
>>>> This fixes a regression introduced by JDK-8015571.
>>>> Thanks.
>>>
>