[jdk17u-dev] RFR: 8200566: DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails
Goetz Lindenmaier
goetz at openjdk.org
Sat Feb 28 07:28:28 UTC 2026
On Wed, 25 Feb 2026 14:16:01 GMT, David Sladký <duke at openjdk.org> wrote:
> Backport of [JDK-8200566](https://bugs.openjdk.org/browse/JDK-8200566) - DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails.
>
> ## Extra changes
>
> ### `src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java`
>
> This file had the following conflict:
>
> <<<<<<< HEAD
> List<DistributionPoint> points =
> ext.get(CRLDistributionPointsExtension.POINTS);
> =======
> List<DistributionPoint> points = ext.getDistributionPoints();
>>>>>>>> 55013153006 (8200566: DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails)
>
> - This was resolved in favor of the version in HEAD, since the method `getDistributionPoints()` does not exist in jdk17.
>
> ### `test/jdk/java/security/cert/CertPathValidator/crlDP/CheckAllCRLs.java`
>
> This new test introduced in this backport required several changes to be jdk17 compatible:
>
> #### 1.
>
>
> - * @library ../../../../../java/security/testlibrary
> - * @build CertificateBuilder CheckAllCRLs
> + * @library /test/lib
> + * @build CheckAllCRLs
>
>
>
> - import sun.security.testlibrary.CertificateBuilder;
> + import jdk.test.lib.security.CertificateBuilder;
>
>
> - jdk17 uses a different test library organization. The `CertificateBuilder` class is located in `test/lib/jdk/test/lib/security/` and uses the `jdk.test.lib.security` package.
>
> #### 2.
>
>
> - import static sun.security.x509.X509CRLImpl.TBSCertList;
>
> - The `TBSCertList` inner class doesn't exist in JDK17's `X509CRLImpl`.
>
> #### 3.
>
>
> - crlExts.setExtension(ext.getId(),
> + crlExts.set(ext.getExtensionId().toString(),
> new AuthorityKeyIdentifierExtension(kid, null, null));
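Review bot: In the first `crlExts.set(...)` call the key is taken from `ext` (`ext.getExtensionId().toString()`) while the stored value is a newly constructed `AuthorityKeyIdentifierExtension(kid, null, null)`, so key and value only agree if `ext` is itself the authority key identifier extension, which these lines do not show. Deriving the key from the new extension object, or adding a one-line comment stating what `ext` is at this point, would make the pairing evident to the next reader of the test.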
>
>
>
> - crlExts.setExtension(ext.getId(), ext);
> + crlExts.set(ext.getExtensionId().toString(), ext);
>
> - jdk17's `CRLExtensions` class uses the `set()` method instead of `setExtension()`, and requires the extension ID as a String.
>
> #### 4.
>
>
> - TBSCertList tcl = new TBSCertList(caIssuer, new Date(start),
> + X509CRLImpl crl = new X509CRLImpl(caIssuer, new Date(start),
>
> - // return signed CRL
> - return X509CRLImpl.newSigned(tcl, caKeyPair.getPrivate(), sigAlg);
> + // sign and return CRL
> + crl.sign(caKeyPair.getPrivate(), sigAlg);
> + return crl;
>
> - jdk17 does not have the `X509CRLImpl.newSigned()` static method or the `TBSCertList` wrapper class.
>
> ## Tests
>
> ### `CheckAllCRLs.java` - PASSES
>
>
> ============================...
I ran this through SAP's nightly testing ... all green.
-------------
PR Comment: https://git.openjdk.org/jdk17u-dev/pull/4279#issuecomment-3976588225