New webrev: http://cr.openjdk.java.net/~ascarpino/8165274/webrev.02/

On 10/12/2016 07:55 AM, Sean Mullan wrote:
* AlgorithmChecker

Not sure why these changes are necessary or why the check method has
been made non-static. Isn't the previous code sufficient?


Yeah, that change doesn't appear to be necessary anymore.

* OCSP

129             responderURI, new OCSPResponse.IssuerInfo(null, issuerCert), null,

Passing null to OCSPResponse.IssuerInfo will throw an NPE. (but see
comment below)


You must have loaded the page just before I refreshed the webrev. I fixed it.

I also added some changes in the exception messages to DisabledAlgorithmConstraints to give the cert subject, algorithm and/or keysize if used.


* OCSPResponse

For IssuerInfo, you don't always have/know the TrustAnchor, so shouldn't
it be optional?

RevocationChecker always has a TrustAnchor as PKIXCertPathValidator passes it. AlgorithmChecker always needs a TrustAnchor, which PKIXCertPathValidator calls. So I don't see a situation where we don't always have a TrustAnchor.


1061                 return anchor;

should be indented 4 spaces

--Sean

On 10/10/2016 02:53 PM, Anthony Scarpino wrote:
Hi,

I need a review of a fix to JEP 288 where certpath algorithm checking
wasn't checking OCSP certs against the jdkCA keyword.

http://cr.openjdk.java.net/~ascarpino/8165274/webrev/

thanks

Tony
