-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8200566: DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails #18656
Conversation
👋 Welcome back mullan! A progress list of the required criteria for merging this PR into |
@seanjmullan This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 42 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
@seanjmullan The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command. |
Webrevs
|
certStores, trustAnchors, validity, variant, anchor); | ||
results.addAll(crls); | ||
} catch (CertStoreException cse) { | ||
savedCSE = cse; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you going to addSuppressed
the exception if savedCSE
is already not null here? Also, better to print out a debug info.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that would be a good idea to call addSupressed
in case there is more than one exception. For debug, there is already a debug statement further down the call stack in either the URICertStore or LDAPCertStore code where the exception cause is captured so I didn't want to duplicate that info.
X509Certificate eeCert2 = createCert(cb, "CN=End Entity", | ||
rootKeyPair, eeKeyPair, rootCert, "SHA384withRSA", false, false); | ||
|
||
// Create a CRL with no revoked certificates and store it in a file |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the test is based on a fact that if both paths (HTTP and file) fail then validation would fail because there is no way to check for revocation. However, I have a slightest concern that what if it does not fail and everything goes on and validation succeeds. So, if the CRL is not empty and the test detects the cert is revoked it will be more reliable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, this is a good suggestion, as something could go undetected later on. I will update the CRL so that the certificate is revoked and then the test should always expect a failure with the proper reason.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for addressing my feedback. The latest update seems good.
/integrate |
Going to push as commit e702646.
Your commit was automatically rebased without conflicts. |
@seanjmullan Pushed as commit e702646. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
Please review this change which fixes an issue in revocation checking of CRLs. A certificate's CRL Distribution Points extension can contain multiple Distribution Points (DPs), and each DP can contain one or more references to a CRL. These CRL references are typically specified as URLs.
If there is an issue fetching one of the CRLs (ex: a network error), the JDK implementation saves the exception, but continues to check for other CRLs, and if no other CRLs can be fetched, it throws the exception. This was working for the case in which multiple CRL references were in the same DP, but not if they were in separate DPs - in that case the exception was thrown immediately and no further CRLs were checked.
This also caused inconsistent behavior when the CRL cache was still fresh, as subsequent attempts would skip the CRL with the network issue (while the cache was fresh) and find the other CRLs, until the cache became stale again (30 seconds). The cache is working correctly though. The problem is that the code should continue to check for more CRLs.
A new test has been added which exercises both cases above.
Progress
Issue
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/18656/head:pull/18656
$ git checkout pull/18656
Update a local copy of the PR:
$ git checkout pull/18656
$ git pull https://git.openjdk.org/jdk.git pull/18656/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 18656
View PR using the GUI difftool:
$ git pr show -t 18656
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/18656.diff
Webrev
Link to Webrev Comment