JDK 8 Code Review Request for 7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
Sean Mullan
sean.mullan at oracle.com
Thu Sep 13 17:24:45 UTC 2012
On 9/12/12 4:12 AM, Xuelei Fan wrote:
> RevocationChecker.java:
> ========================
> line 473:
> We may only want to save the first exception.
> 473 if (softFail && nfe == null &&
Good catch. I've changed it to your suggestion.
> line 530 to 540:
> "nfe" is not null means it is to ignore network failure. I think we may
> not want to check the network failure before verifyWithSeparateSigningKey().
Another good catch. I've also made that change.
Both are fairly minor changes, so I won't post another webrev but I'll test my
changes again before pushing.
Thanks,
Sean
>
> Otherwise, looks fine to me.
>
> On 9/12/2012 12:17 PM, Weijun Wang wrote:
>> I'm probably not familiar with CertPath validation. BTW, are PREFER_CRL
>> and SOFT_FAIL options java-specific? I tried to google them but there is
>> no result.
>>
> PREFER_CRL and SOFT_FAIL are defined in the new PKIXRevocationChecker in
> JDK 8.
>
> PKIXRevocationChecker.Option:
> --------------------------------------------
> /**
> * Prefer CRLs to OCSP. The default behavior is to prefer OCSP. Each
> * PKIX implementation should document further details of their
> * specific preference rules and fallback policies.
> */
> PREFER_CRLS,
>
> /**
> * Ignore network failures. The default behavior is to consider it a
> * failure if the revocation status of a certificate cannot be obtained
> * due to a network error. This option applies to both OCSP and CRLs.
> */
> SOFT_FAIL
> --------------------------------------------
>
> Xuelei
>
>> -Max
>>
>> On 09/12/2012 01:29 AM, Sean Mullan wrote:
>>> Still waiting on a review for this ... Max or Vinnie maybe?
>>>
>>> Thanks,
>>> Sean
>>>
>>> On 9/5/12 3:25 PM, Sean Mullan wrote:
>>>> I'm requesting a code review for my fix for 7176627. For some reason
>>>> the bug is
>>>> not accessible at bugs.sun.com, so I have inserted a description of
>>>> the problem
>>>> and solution in the webrev header (see "Author comments"):
>>>>
>>>> http://cr.openjdk.java.net/~mullan/webrevs/7176627/webrev.00/
>>>>
>>>> Thanks,
>>>> Sean
>>>>
>
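
The two options quoted above, as an added example that is not part of the thread or of the JDK sources: it validates a certificate path with PREFER_CRLS and SOFT_FAIL set, then reports which revocation lookups were ignored, using `getSoftFailExceptions()` from the released JDK 8 API. The class name, the command-line arguments and the file layout are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class SoftFailRevocationDemo {
    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = file with the chain (end entity first, no root),
        // args[1] = trust store file, args[2] = trust store password.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (InputStream in = new FileInputStream(args[0])) {
            chain = new ArrayList<>(cf.generateCertificates(in));
        }
        CertPath path = cf.generateCertPath(chain);

        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, args[2].toCharArray());
        }

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // Try CRLs before OCSP, and do not fail the path on a network error.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                 PKIXRevocationChecker.Option.SOFT_FAIL));

        PKIXParameters params = new PKIXParameters(trust);
        params.addCertPathChecker(rc); // used in place of the default revocation checking

        // Throws CertPathValidatorException if a certificate is revoked
        // or the path is otherwise invalid.
        cpv.validate(path, params);

        // With SOFT_FAIL, a successful validate() can still mean "status unknown".
        List<CertPathValidatorException> ignored = rc.getSoftFailExceptions();
        if (ignored.isEmpty()) {
            System.out.println("Path valid; no revocation lookup failures were ignored.");
        } else {
            for (CertPathValidatorException e : ignored) {
                System.out.println("Path accepted, but revocation unknown for cert index "
                        + e.getIndex() + ": " + e.getMessage());
            }
        }
    }
}
```

Logging the ignored exceptions keeps a record of every path that was accepted without a revocation answer, which SOFT_FAIL otherwise hides from the caller.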