[jdk17u-dev] RFR: 8200566: DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails
David Sladký
duke at openjdk.org
Wed Feb 25 14:23:16 UTC 2026
Backport of [JDK-8200566](https://bugs.openjdk.org/browse/JDK-8200566) - DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails.
## Extra changes
### `src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java`
In this file was following conflict:
<<<<<<< HEAD
List<DistributionPoint> points =
ext.get(CRLDistributionPointsExtension.POINTS);
=======
List<DistributionPoint> points = ext.getDistributionPoints();
>>>>>>> 55013153006 (8200566: DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails)
- This was resolved in favor of the version in HEAD, since the method `getDistributionPoints()` does not exists in jdk17.
### `test/jdk/java/security/cert/CertPathValidator/crlDP/CheckAllCRLs.java`
This new test introduced in this backport required several changes to be jdk17 compatible
#### 1.
- * @library ../../../../../java/security/testlibrary
- * @build CertificateBuilder CheckAllCRLs
+ * @library /test/lib
+ * @build CheckAllCRLs
- import sun.security.testlibrary.CertificateBuilder;
+ import jdk.test.lib.security.CertificateBuilder;
- jdk17 uses a different test library organization. The `CertificateBuilder` class is located in `test/lib/jdk/test/lib/security/` and uses the `jdk.test.lib.security` package.
#### 2.
- import static sun.security.x509.X509CRLImpl.TBSCertList;
- The `TBSCertList` inner class doesn't exist in JDK17's `X509CRLImpl`.
#### 3.
- crlExts.setExtension(ext.getId(),
+ crlExts.set(ext.getExtensionId().toString(),
new AuthorityKeyIdentifierExtension(kid, null, null));
- crlExts.setExtension(ext.getId(), ext);
+ crlExts.set(ext.getExtensionId().toString(), ext);
- jdk17's `CRLExtensions` class uses the `set()` method instead of `setExtension()`, and requires the extension ID as a
String.
#### 4.
- TBSCertList tcl = new TBSCertList(caIssuer, new Date(start),
+ X509CRLImpl crl = new X509CRLImpl(caIssuer, new Date(start),
- // return signed CRL
- return X509CRLImpl.newSigned(tcl, caKeyPair.getPrivate(), sigAlg);
+ // sign and return CRL
+ crl.sign(caKeyPair.getPrivate(), sigAlg);
+ return crl;
- jdk17 does not have the `X509CRLImpl.newSigned()` static method or the `TBSCertList` wrapper class.
## Tests
### `CheckAllCRLs.java` - PASSES
==============================
Test summary
==============================
TEST TOTAL PASS FAIL ERROR
jtreg:test/jdk/java/security/cert/CertPathValidator/crlDP/CheckAllCRLs.java
1 1 0 0
==============================
TEST SUCCESS
### Tier 1 - PASSES
==============================
Test summary
==============================
TEST TOTAL PASS FAIL ERROR
jtreg:test/hotspot/jtreg:tier1 1999 1999 0 0
jtreg:test/jdk:tier1 2110 2110 0 0
jtreg:test/langtools:tier1 4246 4246 0 0
jtreg:test/jaxp:tier1 0 0 0 0
jtreg:test/lib-test:tier1 34 34 0 0
==============================
TEST SUCCESS
### GTests - PASSES
==============================
Test summary
==============================
TEST TOTAL PASS FAIL ERROR
gtest:all/server 845 845 0 0
==============================
TEST SUCCESS
### GHA - PASSES
https://github.com/TheMangovnik/jdk17u-dev/actions/runs/22395101187
-------------
Commit messages:
- Changes to make CheckAllCRLs.java jdk17 compatible.
- backport 550131530068717c85a7802e2db1578608b10374
Changes: https://git.openjdk.org/jdk17u-dev/pull/4279/files
Webrev: https://webrevs.openjdk.org/?repo=jdk17u-dev&pr=4279&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8200566
Stats: 255 lines in 2 files changed: 248 ins; 0 del; 7 mod
Patch: https://git.openjdk.org/jdk17u-dev/pull/4279.diff
Fetch: git fetch https://git.openjdk.org/jdk17u-dev.git pull/4279/head:pull/4279
PR: https://git.openjdk.org/jdk17u-dev/pull/4279
More information about the jdk-updates-dev
mailing list