> Please review this change which fixes an issue in revocation checking of 
> CRLs. A certificate's CRL Distribution Points extension can contain multiple 
> Distribution Points (DPs), and each DP can contain one or more references to 
> a CRL. These CRL references are typically specified as URLs.
> 
> If there is an issue fetching one of the CRLs (ex: a network error), the JDK 
> implementation saves the exception, but continues to check for other CRLs, 
> and if no other CRLs can be fetched, it throws the exception.  This was 
> working for the case in which multiple CRL references were in the same DP, 
> but not if they were in separate DPs - in that case the exception was thrown 
> immediately and no further CRLs were checked. 
> 
> This also caused inconsistent behavior when the CRL cache was still fresh, as 
> subsequent attempts would skip the CRL with the network issue (while the 
> cache was fresh) and find the other CRLs, until the cache became stale again 
> (30 seconds). The cache is working correctly though. The problem is that the 
> code should continue to check for more CRLs.
> 
> A new test has been added which exercises both cases above.

Sean Mullan has updated the pull request incrementally with one additional 
commit since the last revision:

  Remove unnecessary module java.base/sun.security.provider.certpath.

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/18656/files
  - new: https://git.openjdk.org/jdk/pull/18656/files/b543830b..71838754

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=18656&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=18656&range=00-01

  Stats: 1 line in 1 file changed: 0 ins; 1 del; 0 mod
  Patch: https://git.openjdk.org/jdk/pull/18656.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/18656/head:pull/18656

PR: https://git.openjdk.org/jdk/pull/18656
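
Added example, not part of the original message and not the JDK's code: a simplified Java model of the behaviour the quoted description covers, with a fail-fast loop that stops at the first Distribution Point whose CRLs cannot be fetched beside a loop that saves the first exception and keeps checking the remaining DPs. The class, method names, `fetch` stand-in and `.example` URLs are hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class CrlDpFallbackDemo {
    // Hypothetical stand-in for a network fetch; URLs listed in DOWN are constructed failures.
    static final Set<String> DOWN = Set.of("http://crl-a.example/ca.crl");

    static String fetch(String url) throws IOException {
        if (DOWN.contains(url)) throw new IOException("connect failed: " + url);
        return "CRL from " + url;
    }

    // Model of the reported problem: a DP with no fetchable CRL aborts the remaining DPs.
    static List<String> failFastAcrossDps(List<List<String>> dps) throws IOException {
        List<String> crls = new ArrayList<>();
        for (List<String> dp : dps) {
            IOException saved = null;
            for (String url : dp) {   // fallback works among URLs inside one DP
                try { crls.add(fetch(url)); } catch (IOException e) { if (saved == null) saved = e; }
            }
            if (crls.isEmpty() && saved != null) throw saved; // thrown before the next DP is tried
        }
        return crls;
    }

    // Model of the intended behaviour: save the exception, check every DP, throw only
    // if no CRL at all could be fetched.
    static List<String> continueAcrossDps(List<List<String>> dps) throws IOException {
        List<String> crls = new ArrayList<>();
        IOException saved = null;
        for (List<String> dp : dps) {
            for (String url : dp) {
                try { crls.add(fetch(url)); } catch (IOException e) { if (saved == null) saved = e; }
            }
        }
        if (crls.isEmpty() && saved != null) throw saved;
        return crls;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: two DPs with one URL each; only the first is unreachable.
        List<List<String>> dps = List.of(
            List.of("http://crl-a.example/ca.crl"), List.of("http://crl-b.example/ca.crl"));
        try { failFastAcrossDps(dps); }
        catch (IOException e) { System.out.println("fail-fast: " + e.getMessage()); }
        System.out.println("continue:  " + continueAcrossDps(dps));
    }
}
```

When every URL in every DP fails, `continueAcrossDps` still throws the saved exception, so the caller sees the fetch failure instead of an empty CRL list.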
