On Tue, 10 Jan 2023 17:50:23 GMT, Jamil Nimeh <jni...@openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 217:
>>
>>> 215:
>>> 216: int contentLength = con.getContentLength();
>>> 217: return (contentLength == -1) ? con.getInputStream().readAllBytes() :
>>
>> For the returned OCSP bytes, what if the response code is not OK?
>
> Well, in the case of a 404 what appears to happen is that HttpURLConnection
> would throw a FileNotFoundException. That ultimately would result in a CPVE
> if there were no other sources of revocation information (e.g. CRL) for that
> certificate.

It may be more effective/accurate to stop reading OCSP response bytes if the response code is not OK.

-------------

PR: https://git.openjdk.org/jdk/pull/11917
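
The check suggested in the reply above, as an added Java example that is not part of the thread or of the JDK change: it tests the HTTP status before reading any body bytes. The class `OcspFetchCheck`, the helper `fetch`, the local test responder, the sample bytes and the `readNBytes` branch (the quoted line is cut off at that point) are assumptions made for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;

public class OcspFetchCheck {
    // Hypothetical helper: read the body only when the responder answered 200 OK.
    static byte[] fetch(URI uri) throws IOException {
        HttpURLConnection con = (HttpURLConnection) uri.toURL().openConnection();
        con.setConnectTimeout(5000);
        con.setReadTimeout(5000);
        try {
            // getResponseCode() does not throw on 4xx/5xx, unlike getInputStream().
            int rc = con.getResponseCode();
            if (rc != HttpURLConnection.HTTP_OK) {
                throw new IOException("OCSP responder returned HTTP " + rc);
            }
            int contentLength = con.getContentLength();
            try (InputStream in = con.getInputStream()) {
                // Assumption: bounded read when the length is known.
                return (contentLength == -1) ? in.readAllBytes() : in.readNBytes(contentLength);
            }
        } finally {
            con.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed local responder: /ok answers 200, /err answers 500 with the same body.
        HttpServer srv = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        byte[] body = {0x30, 0x03, 0x0a, 0x01, 0x00}; // constructed placeholder bytes
        srv.createContext("/ok", ex -> { ex.sendResponseHeaders(200, body.length); ex.getResponseBody().write(body); ex.close(); });
        srv.createContext("/err", ex -> { ex.sendResponseHeaders(500, body.length); ex.getResponseBody().write(body); ex.close(); });
        srv.start();
        String base = "http://127.0.0.1:" + srv.getAddress().getPort();
        try {
            System.out.println("200 -> " + fetch(URI.create(base + "/ok")).length + " bytes");
            try {
                fetch(URI.create(base + "/err"));
            } catch (IOException e) {
                System.out.println("500 -> " + e.getMessage()); // rejected before any body read
            }
        } finally {
            srv.stop(0);
        }
    }
}
```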