Hello,

I believe I have found a bug, but I am not quite sure whether it is in the documentation or in the JDK implementation itself. I currently have no code example, but I looked into the JDK code itself. This page https://docs.oracle.com/en/java/javase/11/security/java-pki-programmers-guide.html#GUID-43A3A247-E165-408C-AD74-88A75BFB4750 actually suggests that when using your own instance of PKIXRevocationChecker, you should disable default revocation checking via PKIXParameters.setRevocationEnabled(false), and this actually seems to be suggested by the API docs too, even though it is not stated there directly. However:

- First, from what I know, if revocation is enabled by setRevocationEnabled and a custom PKIXRevocationChecker is added, then this fact is respected correctly by the validator implementation; it can be seen in the code.
- On the other hand, if it is disabled, then you can still add the checker, but, for example, OCSP stapling in JSSE will probably stop working. This is because sun.security.validator.PKIXValidator's addResponses method works only if revocationEnabled is true.

What is even weirder, the method seems to honour the fact that the user could add his own PKIXRevocationChecker, but for it to work it has to be done *and* revocationEnabled needs to be true. This seems like a confusion/inconsistency. I am not quite sure whether this is a bug in the code or rather in the documentation, and what the correct approach is.

Note I didn't actually test this (I don't have any OCSP setup whatsoever). It is just what I read when looking at the JDK code, so my findings could be wrong.
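The two configurations discussed in the message above, as an added example that is not part of the original post or of the JDK sources: a PEM chain is validated with the "PKIX" CertPathValidator twice, once with a custom PKIXRevocationChecker added and setRevocationEnabled(false) as the Java PKI Programmer's Guide describes, and once with the same checker added and setRevocationEnabled(true), so the outcome of each run can be compared on a real chain. It assumes a PEM file path as the only argument (end-entity certificate first, then its intermediates), that the JDK's default trust store is at $JAVA_HOME/lib/security/cacerts with the stock password "changeit", and that the host can reach the chain's OCSP responders or CRL distribution points (SOFT_FAIL keeps network failures non-fatal). The class and method names are this example's own.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.EnumSet;
import java.util.List;

/**
 * Added example (not from the mailing-list post or the JDK). Validates a PEM
 * chain against the JDK's default trust store with an explicitly configured
 * PKIXRevocationChecker, once with setRevocationEnabled(false) (as the Java PKI
 * Programmer's Guide recommends) and once with setRevocationEnabled(true).
 *
 * Assumptions: args[0] is a PEM file with the end-entity certificate first,
 * followed by its intermediates (e.g. the CERTIFICATE blocks printed by
 * "openssl s_client -showcerts"); cacerts lives at
 * $JAVA_HOME/lib/security/cacerts and uses the stock password "changeit".
 */
public class RevocationCheckerDemo {

    /** Loads every CERTIFICATE block from a PEM file, in file order. */
    static List<X509Certificate> loadPemChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : certs) {
                chain.add((X509Certificate) c);
            }
            return chain;
        }
    }

    /** Loads the JDK's default trust store; its trusted entries become the trust anchors. */
    static KeyStore loadDefaultTrustStore() throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    /**
     * Runs PKIX path validation with the provider's own revocation checker added
     * explicitly. revocationEnabled is what gets passed to setRevocationEnabled.
     */
    static String validate(List<X509Certificate> chain, KeyStore trustStore,
                           boolean revocationEnabled) throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore);

        // Obtain the provider's revocation checker and tune it: only check the
        // end-entity certificate, and treat network/unknown failures as soft failures.
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL,
                                 PKIXRevocationChecker.Option.ONLY_END_ENTITY));
        params.addCertPathChecker(rc);

        // The setting the post is about: the guide says to disable the default
        // revocation checking when a PKIXRevocationChecker is supplied explicitly.
        params.setRevocationEnabled(revocationEnabled);

        try {
            PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) cpv.validate(path, params);
            return "valid, anchor="
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal()
                + ", soft-fail exceptions=" + rc.getSoftFailExceptions().size();
        } catch (CertPathValidatorException e) {
            return "rejected: " + e.getReason() + " (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java RevocationCheckerDemo chain.pem");
            System.exit(2);
        }
        List<X509Certificate> chain = loadPemChain(Paths.get(args[0]));
        KeyStore trustStore = loadDefaultTrustStore();
        System.out.println("revocationEnabled=false: " + validate(chain, trustStore, false));
        System.out.println("revocationEnabled=true:  " + validate(chain, trustStore, true));
    }
}
```

Run it with `java RevocationCheckerDemo chain.pem` after saving a server's chain to chain.pem. A fresh checker is obtained for each run because getSoftFailExceptions() accumulates per instance; comparing the two printed lines shows whether the explicitly added checker behaves the same with the default revocation flag on and off for the chain at hand.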