diff --git a/jdk/src/share/classes/java/security/cert/CertPathBuilder.java b/jdk/src/share/classes/java/security/cert/CertPathBuilder.java
index 096627d6188..3d122218c6e 100644
--- a/jdk/src/share/classes/java/security/cert/CertPathBuilder.java
+++ b/jdk/src/share/classes/java/security/cert/CertPathBuilder.java
@@ -315,12 +315,14 @@ public class CertPathBuilder {
 * Returns a {@code CertPathChecker} that the encapsulated
 * {@code CertPathBuilderSpi} implementation uses to check the revocation
 * status of certificates. A PKIX implementation returns objects of
- * type {@code PKIXRevocationChecker}.
+ * type {@code PKIXRevocationChecker}. Each invocation of this method
+ * returns a new instance of {@code CertPathChecker}.
 *
 * <p>The primary purpose of this method is to allow callers to specify
 * additional input parameters and options specific to revocation checking.
 * See the class description for an example.
 *
+ * @return a {@code CertPathChecker}
 * @throws UnsupportedOperationException if the service provider does not
 * support this method
 * @since 1.8
diff --git a/jdk/src/share/classes/java/security/cert/CertPathValidator.java b/jdk/src/share/classes/java/security/cert/CertPathValidator.java
index 9d912acdabd..67204820bb8 100644
--- a/jdk/src/share/classes/java/security/cert/CertPathValidator.java
+++ b/jdk/src/share/classes/java/security/cert/CertPathValidator.java
@@ -327,12 +327,14 @@ public class CertPathValidator {
 * Returns a {@code CertPathChecker} that the encapsulated
 * {@code CertPathValidatorSpi} implementation uses to check the revocation
 * status of certificates. A PKIX implementation returns objects of
- * type {@code PKIXRevocationChecker}.
+ * type {@code PKIXRevocationChecker}. Each invocation of this method
+ * returns a new instance of {@code CertPathChecker}.
 *
 * <p>The primary purpose of this method is to allow callers to specify
 * additional input parameters and options specific to revocation checking.
 * See the class description for an example.
 *
+ * @return a {@code CertPathChecker}
 * @throws UnsupportedOperationException if the service provider does not
 * support this method
 * @since 1.8
diff --git a/jdk/src/share/classes/java/security/cert/PKIXRevocationChecker.java b/jdk/src/share/classes/java/security/cert/PKIXRevocationChecker.java
index ba85686c5db..2446c821df6 100644
--- a/jdk/src/share/classes/java/security/cert/PKIXRevocationChecker.java
+++ b/jdk/src/share/classes/java/security/cert/PKIXRevocationChecker.java
@@ -63,8 +63,8 @@ import java.util.Set;
 * and then the {@code PKIXParameters} is passed along with the {@code CertPath}
 * to be validated to the {@link CertPathValidator#validate validate} method
 * of a PKIX {@code CertPathValidator}. When supplying a revocation checker in
- * this manner, do not enable the default revocation checking mechanism (by
- * calling {@link PKIXParameters#setRevocationEnabled}.
+ * this manner, it will be used to check revocation irrespective of the setting
+ * of the {@link PKIXParameters#isRevocationEnabled RevocationEnabled} flag.
 *
 * <p>Note that when a {@code PKIXRevocationChecker} is added to
 * {@code PKIXParameters}, it clones the {@code PKIXRevocationChecker};
@@ -88,7 +88,7 @@ public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
 private URI ocspResponder;
 private X509Certificate ocspResponderCert;
 private List<Extension> ocspExtensions = Collections.<Extension>emptyList();
- private Map<X509Certificate, byte[]> ocspStapled = Collections.emptyMap();
+ private Map<X509Certificate, byte[]> ocspResponses = Collections.emptyMap();
 private Set<Option> options = Collections.emptySet();
 
 protected PKIXRevocationChecker() {}
@@ -169,40 +169,40 @@ public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
 }
 
 /**
- * Sets the stapled OCSP responses. These responses are used to determine
+ * Sets the OCSP responses. These responses are used to determine
 * the revocation status of the specified certificates when OCSP is used.
 *
- * @param responses a map of stapled OCSP responses. Each key is an
+ * @param responses a map of OCSP responses. Each key is an
 * {@code X509Certificate} that maps to the corresponding
 * DER-encoded OCSP response for that certificate. A deep copy of
 * the map is performed to protect against subsequent modification.
 */
- public void setOCSPStapledResponses(Map<X509Certificate, byte[]> responses)
+ public void setOCSPResponses(Map<X509Certificate, byte[]> responses)
 {
 if (responses == null) {
- this.ocspStapled = Collections.<X509Certificate, byte[]>emptyMap();
+ this.ocspResponses = Collections.<X509Certificate, byte[]>emptyMap();
 } else {
 Map<X509Certificate, byte[]> copy = new HashMap<>(responses.size());
 for (Map.Entry<X509Certificate, byte[]> e : responses.entrySet()) {
 copy.put(e.getKey(), e.getValue().clone());
 }
- this.ocspStapled = copy;
+ this.ocspResponses = copy;
 }
 }
 
 /**
- * Gets the stapled OCSP responses. These responses are used to determine
+ * Gets the OCSP responses. These responses are used to determine
 * the revocation status of the specified certificates when OCSP is used.
 *
- * @return a map of stapled OCSP responses. Each key is an
+ * @return a map of OCSP responses. Each key is an
 * {@code X509Certificate} that maps to the corresponding
 * DER-encoded OCSP response for that certificate. A deep copy of
 * the map is returned to protect against subsequent modification.
 * Returns an empty map if no responses have been specified.
 */
- public Map<X509Certificate, byte[]> getOCSPStapledResponses() {
- Map<X509Certificate, byte[]> copy = new HashMap<>(ocspStapled.size());
- for (Map.Entry<X509Certificate, byte[]> e : ocspStapled.entrySet()) {
+ public Map<X509Certificate, byte[]> getOCSPResponses() {
+ Map<X509Certificate, byte[]> copy = new HashMap<>(ocspResponses.size());
+ for (Map.Entry<X509Certificate, byte[]> e : ocspResponses.entrySet()) {
 copy.put(e.getKey(), e.getValue().clone());
 }
 return copy;
@@ -234,10 +234,10 @@ public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
 public Object clone() {
 PKIXRevocationChecker copy = (PKIXRevocationChecker)super.clone();
 copy.ocspExtensions = new ArrayList<>(ocspExtensions);
- copy.ocspStapled = new HashMap<>(ocspStapled);
- // deep-copy the encoded stapled responses, since they are mutable
+ copy.ocspResponses = new HashMap<>(ocspResponses);
+ // deep-copy the encoded responses, since they are mutable
 for (Map.Entry<X509Certificate, byte[]> entry :
- copy.ocspStapled.entrySet())
+ copy.ocspResponses.entrySet())
 {
 byte[] encoded = entry.getValue();
 entry.setValue(encoded.clone());
diff --git a/jdk/src/share/classes/sun/security/provider/certpath/RevocationChecker.java b/jdk/src/share/classes/sun/security/provider/certpath/RevocationChecker.java
index e279faba38c..b65b6df1eb4 100644
--- a/jdk/src/share/classes/sun/security/provider/certpath/RevocationChecker.java
+++ b/jdk/src/share/classes/sun/security/provider/certpath/RevocationChecker.java
@@ -67,7 +67,7 @@ class RevocationChecker extends PKIXRevocationChecker {
 private URI responderURI;
 private X509Certificate responderCert;
 private List<CertStore> certStores;
- private Map<X509Certificate, byte[]> ocspStapled;
+ private Map<X509Certificate, byte[]> ocspResponses;
 private List<Extension> ocspExtensions;
 private boolean legacy;
 
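Review bot: `setOCSPResponses` accepts entries with a null key or a null value without saying so: a null value surfaces as a bare NullPointerException from `e.getValue().clone()` inside the copy loop, while a null key is silently stored by the `HashMap` and can never match a certificate at lookup time. Now that these responses are general caller-supplied data rather than only TLS-stapled ones, the contract should be explicit; either document it with `@throws NullPointerException if {@code responses} contains a null key or value` or fail fast with `copy.put(Objects.requireNonNull(e.getKey(), "certificate"), Objects.requireNonNull(e.getValue(), "OCSP response").clone());` (which needs `java.util.Objects` imported). The same deep-copy loop is repeated in `getOCSPResponses` here and in `clone()` in the following hunk; a private static copy helper would keep the three in step so a later fix lands in all of them.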
@@ -140,7 +140,7 @@ class RevocationChecker extends PKIXRevocationChecker {
 } else {
 crlDP = true;
 }
- ocspStapled = getOCSPStapledResponses();
+ ocspResponses = getOCSPResponses();
 ocspExtensions = getOCSPExtensions();
 
 this.anchor = anchor;
@@ -645,11 +645,11 @@ class RevocationChecker extends PKIXRevocationChecker {
 try {
 certId = new CertId(issuerCert, currCert.getSerialNumberObject());
- // check if there is a stapled OCSP response available
- byte[] responseBytes = ocspStapled.get(cert);
+ // check if there is a cached OCSP response available
+ byte[] responseBytes = ocspResponses.get(cert);
 if (responseBytes != null) {
 if (debug != null) {
- debug.println("Found stapled OCSP response");
+ debug.println("Found cached OCSP response");
 }
 response = new OCSPResponse(responseBytes);
diff --git a/jdk/test/java/security/cert/PKIXRevocationChecker/UnitTest.java b/jdk/test/java/security/cert/PKIXRevocationChecker/UnitTest.java
index 8accf9e86dd..27fd1629ace 100644
--- a/jdk/test/java/security/cert/PKIXRevocationChecker/UnitTest.java
+++ b/jdk/test/java/security/cert/PKIXRevocationChecker/UnitTest.java
@@ -23,7 +23,7 @@
 
 /**
 * @test
- * @bug 6854712
+ * @bug 6854712 7171570
 * @summary Basic unit test for PKIXRevocationChecker
 */
 
@@ -33,6 +33,7 @@ import java.io.IOException;
 import java.io.OutputStream;
 import java.net.URI;
 import java.security.cert.CertificateFactory;
+import java.security.cert.CertPathBuilder;
 import java.security.cert.CertPathChecker;
 import java.security.cert.CertPathValidator;
 import java.security.cert.Extension;
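Review bot: The comment and debug message in the @@ -645 hunk now say "cached OCSP response", but nothing visible caches anything; the map is filled once from the caller's `PKIXRevocationChecker` via `getOCSPResponses()` in the @@ -140 hunk. "Cached" suggests a provider-side store and will mislead anyone reading debug output to work out why a revocation decision was made from application-supplied bytes rather than a live OCSP query. Suggest `// check if the caller supplied an OCSP response for this certificate` and `debug.println("Found caller-supplied OCSP response");`. The enclosing method starts and ends outside the hunk, so it is not visible here whether the `OCSPResponse` built from these bytes goes through the same signature, certificate-match and freshness verification as a fetched response; that is worth confirming, since the bytes come straight from the application.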
@@ -58,8 +59,7 @@ public class UnitTest {
 requireNull(prc.getOCSPResponder(), "getOCSPResponder()");
 requireNull(prc.getOCSPResponderCert(), "getOCSPResponderCert()");
 requireEmpty(prc.getOCSPExtensions(), "getOCSPExtensions()");
- requireEmpty(prc.getOCSPStapledResponses(),
- "getOCSPStapledResponses()");
+ requireEmpty(prc.getOCSPResponses(), "getOCSPResponses()");
 requireEmpty(prc.getOptions(), "getOptions()");
 
 System.out.println("Testing that get methods return same parameters " +
@@ -94,11 +94,24 @@ public class UnitTest {
 requireNull(prc.getOCSPResponderCert(), "getOCSPResponderCert()");
 prc.setOCSPExtensions(null);
 requireEmpty(prc.getOCSPExtensions(), "getOCSPExtensions()");
- prc.setOCSPStapledResponses(null);
- requireEmpty(prc.getOCSPStapledResponses(),
- "getOCSPStapledResponses()");
+ prc.setOCSPResponses(null);
+ requireEmpty(prc.getOCSPResponses(), "getOCSPResponses()");
 prc.setOptions(null);
 requireEmpty(prc.getOptions(), "getOptions()");
+
+ System.out.println("Testing that getRevocationChecker returns new " +
+ "instance each time");
+ CertPathChecker first = cpv.getRevocationChecker();
+ CertPathChecker second = cpv.getRevocationChecker();
+ if (first == second) {
+ throw new Exception("FAILED: CertPathCheckers not new instances");
+ }
+ CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
+ first = cpb.getRevocationChecker();
+ second = cpb.getRevocationChecker();
+ if (first == second) {
+ throw new Exception("FAILED: CertPathCheckers not new instances");
+ }
 }
 
 static void requireNull(Object o, String msg) throws Exception {
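Review bot: The new identity check in the @@ -94 hunk only proves `getRevocationChecker()` hands back distinct objects; the renamed `setOCSPResponses`/`getOCSPResponses` pair is still exercised only with `null`, so the deep-copy contract the Javadoc promises (map and byte arrays copied on both set and get) has no coverage. A case that sets a one-entry map, then mutates the caller's byte array and the returned map, and checks that `prc.getOCSPResponses()` is unaffected would pin that behaviour; it needs an `X509Certificate` key, which the test may already be able to load through the `CertificateFactory` it imports (not visible in this hunk). Both new failure paths also throw the identical message `"FAILED: CertPathCheckers not new instances"`; naming the source, e.g. `"FAILED: CertPathValidator.getRevocationChecker returned same instance"` and the `CertPathBuilder` equivalent, makes a failure attributable without reading a stack trace.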