New webrev: http://cr.openjdk.java.net/~ascarpino/8165274/webrev.02/
On 10/12/2016 07:55 AM, Sean Mullan wrote:
Not sure why these changes are necessary or why the check method has
been made non-static. Isn't the previous code sufficient?
Yeah, that change doesn't appear to be necessary anymore.
129 responderURI, new OCSPResponse.IssuerInfo(null,
Passing null to OCSPResponse.IssuerInfo will throw an NPE. (but see
You must have loaded the page just before I refreshed the webrev. I fixed it.
I also added some changes in the exception messages to
DisabledAlgorithmConstraints to give the cert subject, algorithm and/or
keysize if used.
For IssuerInfo, you don't always have/know the TrustAnchor, so shouldn't
it be optional?
RevocationChecker always has a TrustAnchor as PKIXCertPathValidator
passes it. AlgorithmChecker always needs a TrustAnchor, which
PKIXCertPathValidator calls. So I don't see a situation where we don't
always have a TrustAnchor.
1061 return anchor;
should be indented 4 spaces
On 10/10/2016 02:53 PM, Anthony Scarpino wrote:
I need a review of a fix to JEP 288 where certpath algorithm checking
wasn't checking OCSP certs against the jdkCA keyword.