JDK-8170820 : RevocationRestrictions.java test needs to be updated to use cached OCSP responses
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 9
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2016-12-06
  • Updated: 2017-03-20
  • Resolved: 2016-12-13
Fix versions:
  • JDK 8: 8u152 (Fixed)
  • JDK 9: 9 b150 (Fixed)
Description
The RevocationRestrictions.java test performs certpath validation against a date in the past, set with the PKIXParameters.setDate() method.

The test has been failing since JDK-8168931 was fixed. That fix updated the revocation checker to validate freshly fetched OCSP responses against the current date rather than the PKIXParameters date, so a fresh response can never be "valid" at a past validation date. The test needs to be updated to supply cached OCSP responses when it validates certpaths against a date in the past.
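The following is an added illustration of the setup the description calls for, not code from the RevocationRestrictions.java test or from the fix: it validates a chain as of a past date while handing the revocation checker pre-captured OCSP responses through PKIXRevocationChecker.setOcspResponses(). The class and method names, the parameter list and the NO_FALLBACK option are assumptions; the caller is expected to supply certificates and DER-encoded responses that are valid at the chosen date.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

// Added example (not part of the JDK test): validate a certpath at a past date
// using cached OCSP responses instead of fetching fresh ones.
public class CachedOcspValidation {

    /**
     * Validates {@code chain} (leaf first, trust anchor excluded) as of
     * {@code validationDate}. {@code cachedOcsp} maps each certificate to the
     * DER-encoded OCSP response covering it; after JDK-8168931 a freshly
     * fetched response is checked against "now", so a past date only works
     * when the responses are supplied from a cache.
     */
    public static PKIXCertPathValidatorResult validateAtDate(
            List<X509Certificate> chain,
            X509Certificate trustAnchorCert,
            Map<X509Certificate, byte[]> cachedOcsp,
            Date validationDate) throws GeneralSecurityException {

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath certPath = cf.generateCertPath(chain);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker revChecker =
                (PKIXRevocationChecker) cpv.getRevocationChecker();

        // Cached responses must themselves be valid at validationDate.
        revChecker.setOcspResponses(cachedOcsp);
        // Assumption for this example: do not fall back to CRLs if OCSP
        // checking fails, so a stale or missing cached response is reported.
        revChecker.setOptions(
                EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));

        Set<TrustAnchor> anchors =
                Collections.singleton(new TrustAnchor(trustAnchorCert, null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setDate(validationDate);        // the "date in the past"
        params.setRevocationEnabled(true);
        // A PKIXRevocationChecker in the checker list replaces the default
        // revocation mechanism, so the cached responses are what gets used.
        params.addCertPathChecker(revChecker);

        return (PKIXCertPathValidatorResult) cpv.validate(certPath, params);
    }
}
```

A CertPathValidatorException from validate() with a revoked or unverifiable status indicates the cached response did not cover the certificate or was not valid at validationDate.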
Comments
Here are the original subject and description for this bug (just for records):

Subject: denyAfter constraint is not applied to OCSP certificates after JDK-8168931

JDK-8168931 updated OCSP.check() not to pass the date from PKIXParameters to OCSPResponse.verify(). But the verify() method uses the passed date for both:
  - checking validity of the OCSP signer
  - denyAfter constraints

See OCSPResponse.java for details: http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/aa6fda530e14/src/java.base/share/classes/sun/security/provider/certpath/OCSPResponse.java#l508

    ...
    // Check algorithm constraints specified in security property
    // "jdk.certpath.disabledAlgorithms".
    AlgorithmChecker algChecker = new AlgorithmChecker(issuerInfo.getAnchor(), date);
    algChecker.init(false);
    algChecker.check(signerCert, Collections.<String>emptySet());

    // check the validity
    try {
        if (date == null) {
            signerCert.checkValidity();
        } else {
            signerCert.checkValidity(date);
        }
    } catch (CertificateException e) {
        throw new CertPathValidatorException(
            "Responder's certificate not within the " +
            "validity period", e);
    }
    ...

The OCSP response validity period needs to be checked against the current time (see JDK-8168931), but "denyAfter" constraints should be checked against the date set by PKIXParameters.setDate().
09-12-2016

Certpath validation in Test #4 / runTestSHA1() passes if it sets cached OCSP responses which are valid at the PKIXParameters date. So this looks like a test bug; the other test cases which set the PKIXParameters date in the past need to be updated to use cached OCSP responses.
09-12-2016