Please review this change which fixes an issue in revocation checking of CRLs. 
A certificate's CRL Distribution Points extension can contain multiple 
Distribution Points (DPs), and each DP can contain one or more references to a 
CRL. These CRL references are typically specified as URLs.

If there is an issue fetching one of the CRLs (ex: a network error), the JDK 
implementation saves the exception, but continues to check for other CRLs, and 
if no other CRLs can be fetched, it throws the exception.  This was working for 
the case in which multiple CRL references were in the same DP, but not if they 
were in separate DPs - in that case the exception was thrown immediately and no 
further CRLs were checked. 

This also caused inconsistent behavior when the CRL cache was still fresh, as 
subsequent attempts would skip the CRL with the network issue (while the cache 
was fresh) and find the other CRLs, until the cache became stale again (30 
seconds). The cache is working correctly though. The problem is that the code 
should continue to check for more CRLs.

A new test has been added which exercises both cases above.

-------------

Commit messages:
 - Rename test.
 - Merge
 - Initial fix with test.

Changes: https://git.openjdk.org/jdk/pull/18656/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=18656&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8200566
  Stats: 235 lines in 2 files changed: 227 ins; 1 del; 7 mod
  Patch: https://git.openjdk.org/jdk/pull/18656.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/18656/head:pull/18656

PR: https://git.openjdk.org/jdk/pull/18656
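
The fetch behaviour described above (save a fetch failure, keep trying the remaining CRL references across all DPs, and throw only when none could be fetched), sketched as an added example; this is not the JDK's code or the code from this PR. `CrlFetcher`, `fetchAll`, the string stand-ins for CRLs and the `example` URLs are hypothetical and constructed for the illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class CrlDpFallbackDemo {
    /** Hypothetical fetcher; stands in for the network download of one CRL URL. */
    interface CrlFetcher { String fetch(String url) throws IOException; }

    /**
     * Tries every CRL reference in every distribution point. A fetch failure is
     * saved, not thrown, and is rethrown only if no CRL at all could be fetched.
     */
    static List<String> fetchAll(List<List<String>> distributionPoints, CrlFetcher fetcher)
            throws IOException {
        List<String> crls = new ArrayList<>();
        IOException saved = null;
        for (List<String> dp : distributionPoints) {
            for (String url : dp) {
                try {
                    crls.add(fetcher.fetch(url));
                } catch (IOException e) {
                    if (saved == null) saved = e;   // remember the first failure, keep going
                    else saved.addSuppressed(e);    // keep later failures for diagnostics
                }
            }
            // Throwing 'saved' here, per DP, would reproduce the reported problem:
            // a failing first DP hides a reachable CRL in a later DP.
        }
        if (crls.isEmpty() && saved != null) throw saved;
        return crls;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: only the second URL is reachable.
        Map<String, String> reachable = Map.of("http://crl2.example/ca.crl", "CRL#2");
        CrlFetcher fetcher = url -> {
            String crl = reachable.get(url);
            if (crl == null) throw new IOException("connect failed: " + url);
            return crl;
        };
        List<List<String>> separateDps = List.of(
                List.of("http://crl1.example/ca.crl"), List.of("http://crl2.example/ca.crl"));
        List<List<String>> sameDp = List.of(
                List.of("http://crl1.example/ca.crl", "http://crl2.example/ca.crl"));
        System.out.println(fetchAll(separateDps, fetcher));  // both layouts give the same result
        System.out.println(fetchAll(sameDp, fetcher));
        try { fetchAll(List.of(List.of("http://crl1.example/ca.crl")), fetcher); }
        catch (IOException e) { System.out.println("no CRL reachable: " + e.getMessage()); }
    }
}
```

The last call shows the case that must still surface the saved exception: when every reference fails, the caller sees the error instead of an empty result that could be mistaken for "nothing revoked".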
