From 60fa841f74a7f5ef4acfb1a28ee9d4c69530ee50 Mon Sep 17 00:00:00 2001
From: Sean Mullan <mullan@openjdk.org>
Date: Fri, 15 Jan 2010 09:48:21 -0500
Subject: [PATCH] 6915939: Exception should be thrown if OCSP SingleResponses
 contain unresolved critical extensions

Reviewed-by: xuelei
---
 .../sun/security/provider/certpath/OCSPResponse.java   | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java b/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
index e7b148fbc7c..c80888f9c1e 100644
--- a/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
+++ b/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
@@ -574,10 +574,18 @@ public final class OCSPResponse {
                             (singleExtDer.length);
                     for (int i = 0; i < singleExtDer.length; i++) {
                         Extension ext = new Extension(singleExtDer[i]);
-                        singleExtensions.put(ext.getId(), ext);
                         if (DEBUG != null) {
                             DEBUG.println("OCSP single extension: " + ext);
                         }
+                        // We don't support any extensions yet. Therefore, if it
+                        // is critical we must throw an exception because we
+                        // don't know how to process it.
+                        if (ext.isCritical()) {
+                            throw new IOException(
+                                "Unsupported OCSP critical extension: " +
+                                ext.getExtensionId());
+                        }
+                        singleExtensions.put(ext.getId(), ext);
                     }
                 } else {
                     singleExtensions = Collections.emptyMap();