On Fri, 5 Apr 2024 13:17:21 GMT, Sean Mullan <mul...@openjdk.org> wrote:

> Please review this change which fixes an issue in revocation checking of 
> CRLs. A certificate's CRL Distribution Points extension can contain multiple 
> Distribution Points (DPs), and each DP can contain one or more references to 
> a CRL. These CRL references are typically specified as URLs.
> 
> If there is an issue fetching one of the CRLs (ex: a network error), the JDK 
> implementation saves the exception, but continues to check for other CRLs, 
> and if no other CRLs can be fetched, it throws the exception.  This was 
> working for the case in which multiple CRL references were in the same DP, 
> but not if they were in separate DPs - in that case the exception was thrown 
> immediately and no further CRLs were checked. 
> 
> This also caused inconsistent behavior when the CRL cache was still fresh, as 
> subsequent attempts would skip the CRL with the network issue (while the 
> cache was fresh) and find the other CRLs, until the cache became stale again 
> (30 seconds). The cache is working correctly though. The problem is that the 
> code should continue to check for more CRLs.
> 
> A new test has been added which exercises both cases above.

This pull request has now been integrated.

Changeset: e7026465
Author:    Sean Mullan <mul...@openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/e70264654570155a39d0841ce82b9dd52ca0389c
Stats:     257 lines in 2 files changed: 248 ins; 1 del; 8 mod

8200566: DistributionPointFetcher fails to fetch CRLs if the DistributionPoints 
field contains more than one DistributionPoint and the first one fails

Reviewed-by: weijun

-------------

PR: https://git.openjdk.org/jdk/pull/18656
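The control-flow difference described in the quoted PR text, as an added illustration that is not the JDK's DistributionPointFetcher code. The fetcher stub, the two DP lists and the "unreachable" URL marker are constructed; the point is where the saved exception lives: inside the per-DP loop (thrown before later DPs are tried) versus outside it (thrown only after every reference in every DP has failed).

```java
import java.util.List;

/**
 * Added example (not JDK code) of the loop structure the PR text describes:
 * a certificate's CRL Distribution Points extension holds several DPs, each
 * with one or more CRL references. A failed fetch must be remembered and the
 * remaining references in *all* DPs tried before the failure is reported.
 */
public class DpFetchDemo {

    /** Constructed stand-in for a CRL fetch: fails for URLs marked "unreachable". */
    static String fetchCrl(String url) throws Exception {
        if (url.contains("unreachable")) {
            throw new Exception("network error fetching " + url);
        }
        return "CRL from " + url;
    }

    /** Pre-fix flow: the saved exception is scoped to one DP and rethrown before the next DP runs. */
    static String fetchFirstAvailableBuggy(List<List<String>> dps) throws Exception {
        for (List<String> dp : dps) {
            Exception saved = null;
            for (String url : dp) {
                try {
                    return fetchCrl(url);
                } catch (Exception e) {
                    saved = e;        // remembered only within this DP
                }
            }
            if (saved != null) {
                throw saved;          // thrown here, so later DPs are never consulted
            }
        }
        throw new Exception("no CRL references");
    }

    /** Fixed flow: one saved exception across all DPs, thrown only when nothing could be fetched. */
    static String fetchFirstAvailableFixed(List<List<String>> dps) throws Exception {
        Exception saved = null;
        for (List<String> dp : dps) {
            for (String url : dp) {
                try {
                    return fetchCrl(url);
                } catch (Exception e) {
                    saved = e;        // remember it, keep trying this and later DPs
                }
            }
        }
        if (saved != null) {
            throw saved;              // only when every reference in every DP failed
        }
        throw new Exception("no CRL references");
    }

    public static void main(String[] args) {
        // Constructed input: the first DP's only reference is unreachable,
        // the second DP's reference is fine.
        List<List<String>> dps = List.of(
            List.of("http://unreachable.example/crl1.crl"),
            List.of("http://good.example/crl2.crl"));

        try {
            System.out.println("buggy: " + fetchFirstAvailableBuggy(dps));
        } catch (Exception e) {
            System.out.println("buggy: " + e.getMessage());   // network error, second DP never tried
        }
        try {
            System.out.println("fixed: " + fetchFirstAvailableFixed(dps));   // CRL from the second DP
        } catch (Exception e) {
            System.out.println("fixed: " + e.getMessage());
        }
    }
}
```

With the same input the pre-fix version surfaces the network error even though a reachable CRL exists in the second DP; the fixed version returns that CRL and would only throw the saved exception if every DP had failed. This is also why the PR text notes the cache-dependent behaviour: once a CRL is cached, the failing reference is skipped and the later DP is reached, so the outcome changed depending on whether the cache was fresh.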
