RFR: 8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error
Sean Mullan
mullan at openjdk.java.net
Fri Jul 23 15:07:09 UTC 2021
On Thu, 22 Jul 2021 17:29:32 GMT, Rajan Halade <rhalade at openjdk.org> wrote:
> I have updated the revoked test certificate, but this test may again fail in Sept as the test certificate expires, leading to an OCSP error.
>
> The CA is not willing to issue test certificates with more than 90 days' validity, so this test will fail every quarter. I am re-thinking the CA certification testing approach to maybe try a TLS connection with the test websites. This will ensure that the test will pass as long as the CA keeps the test websites updated.
Marked as reviewed by mullan (Reviewer).
But you could cache the OCSPResponse now while the certificate is not expired, and use that in the test by calling `PKIXRevocationChecker.setOcspResponses()`. For CRLs, you could also do something similar by caching the CRL and storing it in `CollectionCertStore` and adding that to `PKIXParameters`. Just some ideas to avoid having to continuously update the test certificates every 3 months.
I can approve this now, but can you file a follow-on issue to look into this some more?
-------------
PR: https://git.openjdk.java.net/jdk/pull/4877
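The caching approach suggested in the review above, written out as an added example (this is not code from the JDK test suite or from either reviewer): a cached DER-encoded OCSP response is handed to `PKIXRevocationChecker.setOcspResponses()`, cached CRLs are placed in a `CollectionCertStore` added to `PKIXParameters`, and the validation date is pinned with `PKIXParameters.setDate()` so that validation is evaluated at a time inside the certificate's and the OCSP response's validity window. The file paths, the fixed date and the class name are assumptions made for this example; every API used is standard `java.security.cert`.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Validates a chain using pre-captured revocation data instead of live network lookups. */
public class CachedRevocationValidator {

    /**
     * Builds PKIX parameters that use a cached OCSP response for the end-entity certificate
     * and cached CRLs for anything else, then validates the chain at a fixed date.
     */
    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                X509Certificate trustedRoot,
                                                byte[] cachedOcspResponse,
                                                List<X509CRL> cachedCrls,
                                                Date validationDate) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain); // chain.get(0) is the end-entity cert

        PKIXParameters params = new PKIXParameters(Set.of(new TrustAnchor(trustedRoot, null)));
        params.setRevocationEnabled(true);
        // Pin the validation time so an expired test certificate is still evaluated
        // at a point inside its validity window and inside the OCSP response's
        // thisUpdate/nextUpdate window.
        params.setDate(validationDate);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // The checker uses this response for the end-entity cert instead of contacting
        // the responder, so the OCSP server's view of an expired cert no longer matters.
        rc.setOcspResponses(Map.of(chain.get(0), cachedOcspResponse));
        params.addCertPathChecker(rc); // replaces the default revocation checker

        // Cached CRLs (for the intermediate, or as fallback) come from a CollectionCertStore.
        CertStore crlStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(cachedCrls));
        params.addCertStore(crlStore);

        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }

    /** True only if validation failed specifically because a certificate is revoked. */
    static boolean failedBecauseRevoked(CertPathValidatorException e) {
        return e.getReason() == BasicReason.REVOKED;
    }

    static X509Certificate loadCert(String file) throws Exception {
        try (InputStream in = Files.newInputStream(Path.of(file))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static X509CRL loadCrl(String file) throws Exception {
        try (InputStream in = Files.newInputStream(Path.of(file))) {
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed file layout for a revoked-certificate test case (paths are hypothetical).
        List<X509Certificate> chain = List.of(loadCert("testdata/revoked.pem"),
                                              loadCert("testdata/intermediate.pem"));
        X509Certificate root = loadCert("testdata/root.pem");
        byte[] ocsp = Files.readAllBytes(Path.of("testdata/revoked.ocsp.der"));
        List<X509CRL> crls = List.of(loadCrl("testdata/intermediate.crl"));
        Date when = new Date(1627000000000L); // constructed: 2021-07-23T00:26:40Z

        try {
            validate(chain, root, ocsp, crls, when);
            System.out.println("UNEXPECTED: revoked certificate validated");
        } catch (CertPathValidatorException e) {
            System.out.println(failedBecauseRevoked(e)
                    ? "OK: chain rejected as REVOKED"
                    : "FAIL: rejected for a different reason: " + e.getReason());
        }
    }
}
```

The cached response must have been fetched while the responder was still answering for the certificate, and the pinned date must lie within both the certificate's validity and the response's thisUpdate/nextUpdate window, otherwise the checker rejects the stale response. Checking `getReason()` rather than just catching the exception keeps the revoked-certificate test honest: an expiry or signature failure would otherwise look like a pass.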