I am still reviewing, but here are some comments so far:

* X509CertImpl

I would prefer if getSubjectKeyIdentifier returned a KeyIdentifier so that it is consistent with the getAuthKeyId method. Also, in OCSPResponse, you can then just call KeyIdentifier.equals instead of comparing the bytes yourself with Arrays.equals.

* RevocationChecker

RevocationChecker can be re-used for subsequent revocation checks by calling the init method. So, you need to clear the contents of the responderCerts list each time init is called. You can add this after line 323 in the init method:

    responderCerts.clear();

--Sean

On 10/21/2013 05:36 PM, Vincent Ryan wrote:
Please review this fix to support key-rollover certs
(same name, different keys):

Bug: https://bugs.openjdk.java.net/browse/JDK-8012636
Webrev: http://cr.openjdk.java.net/~vinnie/8012636/webrev.00/

This issue arises when an OCSP responder replaces its public key
but retains its subject name. The OCSP client must be able to
validate responses signed by both keys.

Thanks.
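The two review points above (a KeyIdentifier value type compared with equals rather than raw Arrays.equals, and a checker whose init clears its responderCerts list so it can be re-used) together with the key-rollover scenario from the original request, as an added stand-alone illustration. It is not code from the webrev and does not use the JDK's internal sun.security.x509 or RevocationChecker classes; the names KeyRolloverDemo, ResponderCerts, derContents and hexToBytes are hypothetical, and the responder's key id (the ResponderID byKey field of the OCSP response) is assumed to be supplied as hex. Only the public java.security.cert API is used, so it can be pointed at real PEM certificates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Illustration only; a stand-in for the reviewed classes, not the JDK's own implementation. */
public final class KeyRolloverDemo {

    /** Value type for an X.509 key identifier; equals/hashCode compare the octets. */
    static final class KeyIdentifier {
        private final byte[] octets;

        KeyIdentifier(byte[] octets) { this.octets = octets.clone(); }

        /** SubjectKeyIdentifier (OID 2.5.29.14) of a certificate, or null if absent. */
        static KeyIdentifier subjectKeyIdOf(X509Certificate cert) {
            byte[] ext = cert.getExtensionValue("2.5.29.14");
            if (ext == null) return null;
            // getExtensionValue returns OCTET STRING { OCTET STRING keyIdentifier }
            return new KeyIdentifier(derContents(derContents(ext, 0x04), 0x04));
        }

        @Override public boolean equals(Object o) {
            return o instanceof KeyIdentifier && Arrays.equals(octets, ((KeyIdentifier) o).octets);
        }
        @Override public int hashCode() { return Arrays.hashCode(octets); }
        @Override public String toString() {
            StringBuilder sb = new StringBuilder();
            for (byte b : octets) sb.append(String.format("%02x", b));
            return sb.toString();
        }
    }

    /** Contents of one DER TLV whose tag must be expectedTag (handles short and long-form lengths). */
    static byte[] derContents(byte[] tlv, int expectedTag) {
        if ((tlv[0] & 0xFF) != expectedTag) {
            throw new IllegalArgumentException("unexpected DER tag " + Integer.toHexString(tlv[0] & 0xFF));
        }
        int len = tlv[1] & 0xFF, pos = 2;
        if (len > 0x80) {                       // long form: the next (len & 0x7f) bytes hold the length
            int n = len & 0x7F; len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (tlv[pos++] & 0xFF);
        }
        return Arrays.copyOfRange(tlv, pos, pos + len);
    }

    /** A re-usable checker: init() must reset per-run state, the point raised in the review. */
    static final class ResponderCerts {
        private final List<X509Certificate> responderCerts = new ArrayList<>();

        void init(List<X509Certificate> trusted) {
            responderCerts.clear();             // without this, certs from an earlier run would linger
            responderCerts.addAll(trusted);
        }

        /** Pick the responder cert whose SubjectKeyIdentifier equals the response's signer key id. */
        X509Certificate findSigner(KeyIdentifier responderIdByKey) {
            for (X509Certificate c : responderCerts) {
                // After a key rollover two certs share a subject name; the key id disambiguates them.
                if (responderIdByKey.equals(KeyIdentifier.subjectKeyIdOf(c))) return c;
            }
            return null;
        }
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the DER bytes getExtensionValue() would return for a 20-byte SKID.
        byte[] keyId = new byte[20];
        for (int i = 0; i < keyId.length; i++) keyId[i] = (byte) i;
        byte[] extValue = new byte[24];
        extValue[0] = 0x04; extValue[1] = 0x16; extValue[2] = 0x04; extValue[3] = 0x14;
        System.arraycopy(keyId, 0, extValue, 4, 20);
        KeyIdentifier parsed = new KeyIdentifier(derContents(derContents(extValue, 0x04), 0x04));
        System.out.println("parsed SKID " + parsed + " matches: " + parsed.equals(new KeyIdentifier(keyId)));

        // Usage: java KeyRolloverDemo old.pem new.pem <hex ResponderID byKey>
        if (args.length >= 2) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            List<X509Certificate> certs = new ArrayList<>();
            for (int i = 0; i < args.length - 1; i++) {
                try (InputStream in = new FileInputStream(args[i])) {
                    certs.add((X509Certificate) cf.generateCertificate(in));
                }
            }
            ResponderCerts checker = new ResponderCerts();
            checker.init(certs);
            KeyIdentifier wanted = new KeyIdentifier(hexToBytes(args[args.length - 1]));
            X509Certificate signer = checker.findSigner(wanted);
            System.out.println(signer == null ? "no responder cert matches " + wanted
                    : "signer: " + signer.getSubjectX500Principal() + " (" + wanted + ")");
        }
    }
}
```

Run without arguments it only exercises the DER unwrapping on the constructed extension value; given the old and new responder certificates (same subject, different keys) and the key id from the response, it selects the certificate whose SubjectKeyIdentifier matches, which is the disambiguation the fix needs when subject names alone collide.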