Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8225436

Stapled OCSPResponses should be added to PKIXRevocationChecker irrespective of revocationEnabled flag

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: P4 P4
    • 14
    • None
    • security-libs
    • None

      sun.security.validator.PKIXValidator's addResponses method
      should add responses to a PKIXRevocationChecker even if revocationEnabled is false. See the specification of PKIXParameters.setRevocationEnabled which says:

      "Sophisticated applications should set this flag to false when it is not
      practical to use a PKIX service provider's default revocation checking
      mechanism or when an alternative revocation checking mechanism is to be
      substituted (by also calling the addCertPathChecker or
      setCertPathCheckers methods)."

      and PKIXRevocationChecker:

      "When supplying a revocation checker in this manner, it will be used to
      check revocation irrespective of the setting of the RevocationEnabled
      flag."

            jnimeh Jamil Nimeh
            mullan Sean Mullan
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: