On Mon, 8 Apr 2024 12:41:23 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> Please review this change which fixes an issue in revocation checking of >> CRLs. A certificate's CRL Distribution Points extension can contain multiple >> Distribution Points (DPs), and each DP can contain one or more references to >> a CRL. These CRL references are typically specified as URLs. >> >> If there is an issue fetching one of the CRLs (ex: a network error), the JDK >> implementation saves the exception, but continues to check for other CRLs, >> and if no other CRLs can be fetched, it throws the exception. This was >> working for the case in which multiple CRL references were in the same DP, >> but not if they were in separate DPs - in that case the exception was thrown >> immediately and no further CRLs were checked. >> >> This also caused inconsistent behavior when the CRL cache was still fresh, >> as subsequent attempts would skip the CRL with the network issue (while the >> cache was fresh) and find the other CRLs, until the cache became stale again >> (30 seconds). The cache is working correctly though. The problem is that the >> code should continue to check for more CRLs. >> >> A new test has been added which exercises both cases above. > > Sean Mullan has updated the pull request incrementally with two additional > commits since the last revision: > > - Add previous CertStoreExceptions to suppressed exceptions. > - Change test to check if cert is revoked. Thanks for addressing my feedback. The latest update seems good. ------------- Marked as reviewed by weijun (Reviewer). PR Review: https://git.openjdk.org/jdk/pull/18656#pullrequestreview-1986487520
