> Please review this change which fixes an issue in revocation checking of > CRLs. A certificate's CRL Distribution Points extension can contain multiple > Distribution Points (DPs), and each DP can contain one or more references to > a CRL. These CRL references are typically specified as URLs. > > If there is an issue fetching one of the CRLs (ex: a network error), the JDK > implementation saves the exception, but continues to check for other CRLs, > and if no other CRLs can be fetched, it throws the exception. This was > working for the case in which multiple CRL references were in the same DP, > but not if they were in separate DPs - in that case the exception was thrown > immediately and no further CRLs were checked. > > This also caused inconsistent behavior when the CRL cache was still fresh, as > subsequent attempts would skip the CRL with the network issue (while the > cache was fresh) and find the other CRLs, until the cache became stale again > (30 seconds). The cache is working correctly though. The problem is that the > code should continue to check for more CRLs. > > A new test has been added which exercises both cases above.
Sean Mullan has updated the pull request incrementally with two additional commits since the last revision: - Add previous CertStoreExceptions to suppressed exceptions. - Change test to check if cert is revoked. ------------- Changes: - all: https://git.openjdk.org/jdk/pull/18656/files - new: https://git.openjdk.org/jdk/pull/18656/files/71838754..3ab95897 Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk&pr=18656&range=02 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=18656&range=01-02 Stats: 28 lines in 2 files changed: 22 ins; 0 del; 6 mod Patch: https://git.openjdk.org/jdk/pull/18656.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/18656/head:pull/18656 PR: https://git.openjdk.org/jdk/pull/18656
