RevocationChecker.java:
========================
line 473:
We may only want to save the first exception.

473         if (softFail && nfe == null &&

line 530 to 540:
"nfe" is not null means it is to ignore network failure. I think we may
not want to check the network failure before
verifyWithSeparateSigningKey().

Otherwise, looks fine to me.

On 9/12/2012 12:17 PM, Weijun Wang wrote:
> I'm probably not familiar with CertPath validation. BTW, are PREFER_CRL
> and SOFT_FAIL options java-specific? I tried to google them but there is
> no result.
>
PREFER_CRL and SOFT_FAIL are defined in the new PKIXRevocationChecker in
JDK 8.

PKIXRevocationChecker.Option:
--------------------------------------------
        /**
         * Prefer CRLs to OCSP. The default behavior is to prefer OCSP. Each
         * PKIX implementation should document further details of their
         * specific preference rules and fallback policies.
         */
        PREFER_CRLS,

        /**
         * Ignore network failures. The default behavior is to consider it a
         * failure if the revocation status of a certificate cannot be obtained
         * due to a network error. This option applies to both OCSP and CRLs.
         */
        SOFT_FAIL
--------------------------------------------

Xuelei

> -Max
>
> On 09/12/2012 01:29 AM, Sean Mullan wrote:
>> Still waiting on a review for this ... Max or Vinnie maybe?
>>
>> Thanks,
>> Sean
>>
>> On 9/5/12 3:25 PM, Sean Mullan wrote:
>>> I'm requesting a code review for my fix for 7176627. For some reason
>>> the bug is
>>> not accessible at bugs.sun.com, so I have inserted a description of
>>> the problem
>>> and solution in the webrev header (see "Author comments"):
>>>
>>> http://cr.openjdk.java.net/~mullan/webrevs/7176627/webrev.00/
>>>
>>> Thanks,
>>> Sean
>>>
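The two options quoted in the thread above, used from application code. This is an added example, not part of the thread or of the webrev under review; the class name `SoftFailCheck` and the two PEM file arguments are assumptions, and it relies on `getSoftFailExceptions()` from the released JDK 8 API. It shows that a path validated with SOFT_FAIL may never have had its revocation status confirmed, so the ignored failures are collected for logging.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class SoftFailCheck {   // hypothetical class name

    /** Validates the path; returns the revocation failures that SOFT_FAIL ignored. */
    static List<CertPathValidatorException> validate(CertPath path, Set<TrustAnchor> anchors)
            throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // Try CRLs before OCSP, and do not fail when neither source can be reached.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                 PKIXRevocationChecker.Option.SOFT_FAIL));
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(rc);
        // Still throws CertPathValidatorException for a certificate known to be revoked.
        cpv.validate(path, params);
        // Non-empty list: the path was accepted with revocation status unknown.
        return rc.getSoftFailExceptions();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            // Assumed inputs: chain.pem holds the leaf first, then intermediates.
            System.err.println("usage: java SoftFailCheck chain.pem root.pem");
            return;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (InputStream in = new FileInputStream(args[0])) {
            chain = new ArrayList<>(cf.generateCertificates(in));
        }
        X509Certificate root;
        try (InputStream in = new FileInputStream(args[1])) {
            root = (X509Certificate) cf.generateCertificate(in);
        }
        List<CertPathValidatorException> ignored = validate(
                cf.generateCertPath(chain),
                Collections.singleton(new TrustAnchor(root, null)));
        if (ignored.isEmpty()) {
            System.out.println("valid, revocation status obtained for every certificate");
        } else {
            for (CertPathValidatorException e : ignored) {
                System.out.println("valid, but revocation check was skipped: " + e);
            }
        }
    }
}
```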
