On Thu, 13 Feb 2025 19:52:32 GMT, Sean Mullan <mul...@openjdk.org> wrote:

> Also, should it be moved to somewhere else like 
> jdk/test/sun/security/provider/certpath?

Hmmm...not sure about that, but maybe an explanation is in order: Because the 
JDK only implements the client side with OCSP, we rely on CertPathValidator to 
handle the path validation and that has never been a problem with PQC.  When I 
did OCSP stapling a long time ago (JDK 9) that was when I wanted a way to build 
certs (good and malformed ones) and make OCSP servers that didn't need to fork 
processes outside the jtreg framework or need 3rd party code.  That meant I had 
to implement the server-side (consumption of requests and generation of 
responses) and that's where things needed some tuning up.  So it isn't really a 
CPV problem, it's a testcode problem.  In order to exercise it and ensure that 
it worked for all the algs we use to sign stuff, I made this test-the-test-code 
test and at the suggestion of @rhalade I located it in the lib-test tree.  Using 
CPV in the test was mainly a way for me to drive the OCSP request from the JDK 
code.  That it also validates consumption of the signed response and the cert 
chain is a nice freebie.

Not opposed to making the changes, I just didn't know if it was the right way 
to go considering that I'm not changing any actual JDK code, just test helper 
classes so in the future we can do PQC cert chains and OCSP servers for our 
tests.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23566#discussion_r1955301602
