JDK 8 Code Review Request for 7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)

Xuelei Fan xuelei.fan at oracle.com
Wed Sep 12 08:12:02 UTC 2012


RevocationChecker.java:
========================
line 473:
We may only want to save the first exception.
 473       if (softFail && nfe == null &&


line 530 to 540:
"nfe" is not null means it is to ignore network failure. I think we may
not want to check the network failure before verifyWithSeparateSigningKey().

Otherwise, looks fine to me.

On 9/12/2012 12:17 PM, Weijun Wang wrote:
> I'm probably not familiar with CertPath validation. BTW, are PREFER_CRL
> and SOFT_FAIL options java-specific? I tried to google them but there is
> no result.
> 
PREFER_CRL and SOFT_FAIL are defined in the new PKIXRevocationChecker in
JDK 8.

PKIXRevocationChecker.Option:
--------------------------------------------
/**
  * Prefer CRLs to OCSP. The default behavior is to prefer OCSP. Each
  * PKIX implementation should document further details of their
  * specific preference rules and fallback policies.
  */
 PREFER_CRLS,

/**
  * Ignore network failures. The default behavior is to consider it a
  * failure if the revocation status of a certificate cannot be obtained
  * due to a network error. This option applies to both OCSP and CRLs.
  */
 SOFT_FAIL
--------------------------------------------

Xuelei

> -Max
> 
> On 09/12/2012 01:29 AM, Sean Mullan wrote:
>> Still waiting on a review for this ... Max or Vinnie maybe?
>>
>> Thanks,
>> Sean
>>
>> On 9/5/12 3:25 PM, Sean Mullan wrote:
>>> I'm requesting a code review for my fix for 7176627. For some reason
>>> the bug is
>>> not accessible at bugs.sun.com, so I have inserted a description of
>>> the problem
>>> and solution in the webrev header (see "Author comments"):
>>>
>>> http://cr.openjdk.java.net/~mullan/webrevs/7176627/webrev.00/
>>>
>>> Thanks,
>>> Sean
>>>
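
Added example, not part of the original thread or the JDK source: one way to set the two options quoted above on a PKIX validator and report the network failures that SOFT_FAIL ignored, using the PKIXRevocationChecker API as released in JDK 8. The class name, the command-line arguments and the file layout (PEM chain with the leaf first, a keystore of trust anchors) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

// Hypothetical class name; usage: java SoftFailAudit chain.pem truststore.jks password
public class SoftFailAudit {

    // Validates the path with CRLs preferred and network failures ignored, and
    // returns the failures that SOFT_FAIL swallowed so the caller can log them.
    static List<CertPathValidatorException> validate(CertPath path, KeyStore anchors)
            throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.of(Option.PREFER_CRLS, Option.SOFT_FAIL));
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(rc);
        // Still throws CertPathValidatorException for a revoked or invalid path.
        cpv.validate(path, params);
        return rc.getSoftFailExceptions();
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (InputStream in = new FileInputStream(args[0])) {
            chain = new ArrayList<>(cf.generateCertificates(in)); // leaf first, no root
        }
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            anchors.load(in, args[2].toCharArray());
        }
        List<CertPathValidatorException> ignored = validate(cf.generateCertPath(chain), anchors);
        for (CertPathValidatorException e : ignored) {
            System.out.println("revocation status unknown, cert index "
                    + e.getIndex() + ": " + e.getMessage());
        }
        System.out.println(ignored.isEmpty() ? "revocation checked" : "accepted via SOFT_FAIL");
    }
}
```

A non-empty list means the path was accepted without a revocation answer for at least one certificate, which is worth logging wherever SOFT_FAIL is enabled.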



