On 9/12/12 4:12 AM, Xuelei Fan wrote: > RevocationChecker.java: > ======================== > line 473: > We may only want to save the first exception. > 473 if (softFail && nfe == null &&
Good catch. I've changed it to your suggestion. > line 530 to 540: > "nfe" is not null means it is to ignore network failure. I think we may > not want to check the network failure before verifyWithSeparateSigningKey(). Another good catch. I've also made that change. Both are fairly minor changes, so I won't post another webrev but I'll test my changes again before pushing. Thanks, Sean > > Otherwise, looks fine to me. > > On 9/12/2012 12:17 PM, Weijun Wang wrote: >> I'm probably not familiar with CertPath validation. BTW, are PREFER_CRL >> and SOFT_FAIL options java-specific? I tried to google them but there is >> no result. >> > PREFER_CRL and SOFT_FAIL are defines in the new PKIXRevocationChecker in > JDK 8. > > PKIXRevocationChecker.Option: > -------------------------------------------- > /** > * Prefer CRLs to OSCP. The default behavior is to prefer OCSP. Each > * PKIX implementation should document further details of their > * specific preference rules and fallback policies. > */ > PREFER_CRLS, > > /** > * Ignore network failures. The default behavior is to consider it a > * failure if the revocation status of a certificate cannot be obtained > * due to a network error. This option applies to both OCSP and CRLs. > */ > SOFT_FAIL > -------------------------------------------- > > Xuelei > >> -Max >> >> On 09/12/2012 01:29 AM, Sean Mullan wrote: >>> Still waiting on a review for this ... Max or Vinnie maybe? >>> >>> Thanks, >>> Sean >>> >>> On 9/5/12 3:25 PM, Sean Mullan wrote: >>>> I'm requesting a code review for my fix for 7176627. For some reason >>>> the bug is >>>> not accessible at bugs.sun.com, so I have inserted a description of >>>> the problem >>>> and solution in the webrev header (see "Author comments"): >>>> >>>> http://cr.openjdk.java.net/~mullan/webrevs/7176627/webrev.00/ >>>> >>>> Thanks, >>>> Sean >>>> >
