RFR: 8200566: DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails [v2]

[Sean Mullan]

On Fri, 5 Apr 2024 14:16:47 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Sean Mullan has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Remove unnecessary module java.base/sun.security.provider.certpath.
>
> test/jdk/java/security/cert/CertPathValidator/crlDP/CheckAllCRLs.java line 95:
> 
>> 93:             rootKeyPair, eeKeyPair, rootCert, "SHA384withRSA", false, false);
>> 94: 
>> 95:         // Create a CRL with no revoked certificates and store it in a file
> 
> I think the test is based on a fact that if both paths (HTTP and file) fail then validation would fail because there is no way to check for revocation. However, I have a slightest concern that what if it does not fail and everything goes on and validation succeeds. So, if the CRL is not empty and the test detects the cert is revoked it will be more reliable.

Yes, this is a good suggestion, as something could go undetected later on. I will update the CRL so that the certificate is revoked and then the test should always expect a failure with the proper reason.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/18656#discussion_r1554111732