Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8225436

Stapled OCSPResponses should be added to PKIXRevocationChecker irrespective of revocationEnabled flag

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 14
    • Component/s: security-libs
    • Labels:
      None

      Description

      sun.security.validator.PKIXValidator's addResponses method
      should add responses to a PKIXRevocationChecker even if revocationEnabled is false. See the specification of PKIXParameters.setRevocationEnabled which says:

      "Sophisticated applications should set this flag to false when it is not
      practical to use a PKIX service provider's default revocation checking
      mechanism or when an alternative revocation checking mechanism is to be
      substituted (by also calling the addCertPathChecker or
      setCertPathCheckers methods)."

      and PKIXRevocationChecker:

      "When supplying a revocation checker in this manner, it will be used to
      check revocation irrespective of the setting of the RevocationEnabled
      flag."

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              jnimeh Jamil Nimeh
              Reporter:
              mullan Sean Mullan
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: