
v12.2.4


@phax phax released this 29 Apr 09:42
  • Added new entries to EMessageDigestAlgorithm for the message digest algorithms guaranteed to be available on every Java 17+ runtime via the SUN provider: SHA_512_224 (SHA-512/224), SHA_512_256 (SHA-512/256), SHA3_224 (SHA3-224), SHA3_256 (SHA3-256), SHA3_384 (SHA3-384) and SHA3_512 (SHA3-512).
  • Hardened the CRL download path used by AbstractRevocationCheckBuilder:
    • IURLDownloader.createDefault() now sets a connect timeout of 10 seconds and a read timeout of 60 seconds. Previously no timeouts were configured, so a slow or unreachable CRL distribution point could block revocation checks indefinitely.
    • Added IURLDownloader.createDefault(int nConnectTimeoutMS, int nReadTimeoutMS) to override the defaults, plus the new constants DEFAULT_CONNECT_TIMEOUT_MS and DEFAULT_READ_TIMEOUT_MS.
    • Added new class CRLAllowList with case-insensitive prefix matching to restrict which CRL distribution point URLs may be downloaded. Because distribution point URLs are taken from the certificate under test, an attacker-controlled certificate could otherwise steer the checker at arbitrary (including internal) endpoints or at an oversized response; the allow list mitigates this SSRF and unbounded-download risk. An empty allow list keeps the legacy behavior of allowing every HTTP(S) URL, i.e. it restricts the scheme only.
    • CRLDownloader now exposes allowList() and consults it before each download. Refused URLs are logged with a warning. Non-HTTP/HTTPS URLs are now also logged with a warning instead of being dropped silently.
  • AbstractRevocationCheckBuilder.build() no longer returns ERevoked.REVOKED when CRL retrieval fails. Previously a missing CRL (e.g. unreachable distribution point) was indistinguishable from a real revocation, which could wrongly block valid certificates during a CRL endpoint outage. The check now returns the new ERevoked.UNKNOWN value instead. The detection covers both directly observable CRL download failures (every distribution point of the certificate returned null) and the JDK-level CertPathValidatorException with reason UNDETERMINED_REVOCATION_STATUS.
  • Added new enum value ERevoked.UNKNOWN with isRevoked() returning false (so existing callers do not start treating unverified certificates as revoked) and a new isUnknown() accessor. Note that this keeps isRevoked()-only callers fail-open during a CRL outage; callers that need fail-closed behavior must check isUnknown() (or the higher-level result's isValid()) rather than isRevoked() alone.
  • Added default methods IRevokedIndicator.isUnknown() and IRevokedIndicator.isKnown() so callers can distinguish "verified not revoked" from "could not be verified".
  • Propagated the UNKNOWN revocation state through the higher-level certificate check API. Previously a CRL download failure would silently surface as ECertificateCheckResult.VALID when revocation caching was enabled, because the cache only exposed a boolean isRevoked view.
    • Added new enum value ECertificateCheckResult.REVOCATION_STATUS_UNKNOWN with isValid() returning false.
    • Added new method RevocationCheckResultCache.getRevocationStatus(X509Certificate) returning the full ERevoked status. The existing isRevoked(X509Certificate) is preserved and now delegates to it.
    • CertificateHelper.checkCertificate and TrustedCAChecker.checkCertificate now return REVOCATION_STATUS_UNKNOWN whenever the underlying revocation check could not determine the certificate status.
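The following is an added example, not code from ph-commons or from this release: a self-contained Java sketch of the two behaviors described above, the allow-listed, timeout-bounded CRL download of the second item and the tri-state revocation result of the remaining items. Every class and method name in it (CrlHardeningSketch, AllowList, RevocationCache, httpCrlDownloader, check, toCheckResult) is illustrative, NOT_REVOKED is an assumed name for the non-revoked ERevoked value, a CRL is reduced to the set of its revoked serial numbers in hex, and the distribution point URLs and serials in main are constructed sample data.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.util.*;
import java.util.function.Function;

/** Illustrative sketch only: none of these classes are ph-commons types. */
public final class CrlHardeningSketch {
  /** Tri-state outcome. REVOKED and UNKNOWN follow ERevoked; NOT_REVOKED is an assumed name. */
  public enum Revocation {
    REVOKED, NOT_REVOKED, UNKNOWN;
    public boolean isRevoked() { return this == REVOKED; }   // UNKNOWN is deliberately not "revoked"
    public boolean isUnknown() { return this == UNKNOWN; }
    public boolean isKnown()   { return this != UNKNOWN; }
  }
  /** High-level result. Only VALID passes, so an outage can no longer surface as VALID. */
  public enum CheckResult {
    VALID, REVOKED, REVOCATION_STATUS_UNKNOWN;
    public boolean isValid() { return this == VALID; }
  }
  public static CheckResult toCheckResult(Revocation r) {
    return r == Revocation.REVOKED ? CheckResult.REVOKED
         : r == Revocation.NOT_REVOKED ? CheckResult.VALID : CheckResult.REVOCATION_STATUS_UNKNOWN;
  }

  /** Case-insensitive URL-prefix allow list; an empty list allows every http(s) URL (legacy behavior). */
  public static final class AllowList {
    private final List<String> prefixes = new ArrayList<>();
    public AllowList add(String prefix) { prefixes.add(prefix.toLowerCase(Locale.ROOT)); return this; }
    public boolean isAllowed(String url) {
      final String scheme;
      try { scheme = URI.create(url).getScheme(); } catch (IllegalArgumentException ex) { return false; }
      if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https")))
        return false;                                    // never file:, ldap:, jar:, ...
      if (prefixes.isEmpty()) return true;
      final String lower = url.toLowerCase(Locale.ROOT);
      return prefixes.stream().anyMatch(lower::startsWith);
    }
  }

  /** Downloader with bounded timeouts. A CRL is reduced to its revoked serials (hex); null means "not retrievable". */
  public static Function<String, Set<String>> httpCrlDownloader(int connectTimeoutMs, int readTimeoutMs) {
    return url -> {
      try {
        HttpURLConnection con = (HttpURLConnection) URI.create(url).toURL().openConnection();
        con.setConnectTimeout(connectTimeoutMs);         // an unreachable DP fails fast instead of hanging
        con.setReadTimeout(readTimeoutMs);               // a slow DP cannot stall the check indefinitely
        try (InputStream in = con.getInputStream()) {
          X509CRL crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
          Set<String> serials = new HashSet<>();
          Set<? extends X509CRLEntry> entries = crl.getRevokedCertificates();
          if (entries != null) for (X509CRLEntry e : entries) serials.add(e.getSerialNumber().toString(16));
          return serials;
        }
      } catch (IOException | GeneralSecurityException | RuntimeException ex) {
        return null;                                     // a failure is "no CRL", never evidence of revocation
      }
    };
  }

  /** Walks the distribution points: the first CRL retrieved decides; none retrieved means UNKNOWN. */
  public static Revocation check(String serialHex, List<String> distributionPoints,
                                 AllowList allow, Function<String, Set<String>> downloader) {
    for (String dp : distributionPoints) {
      if (!allow.isAllowed(dp)) { System.err.println("WARN: refusing CRL URL " + dp); continue; }
      Set<String> crl = downloader.apply(dp);
      if (crl == null) continue;
      return crl.contains(serialHex) ? Revocation.REVOKED : Revocation.NOT_REVOKED;
    }
    return Revocation.UNKNOWN;
  }

  /** Cache keeping the full status; isRevoked() delegates. UNKNOWN is not stored, so the next check retries. */
  public static final class RevocationCache {
    private final Map<String, Revocation> bySerial = new HashMap<>();
    public void put(String serialHex, Revocation r) { if (r.isKnown()) bySerial.put(serialHex, r); }
    public Revocation getRevocationStatus(String serialHex) { return bySerial.getOrDefault(serialHex, Revocation.UNKNOWN); }
    public boolean isRevoked(String serialHex) { return getRevocationStatus(serialHex).isRevoked(); }
  }

  public static void main(String[] args) {
    // Constructed sample: one reachable distribution point; every other URL yields null (download failure).
    Map<String, Set<String>> fakeCrls = Map.of("http://crl.example.test/ca1.crl", Set.of("0a1b", "ff"));
    Function<String, Set<String>> downloader = fakeCrls::get;
    AllowList allow = new AllowList().add("HTTP://CRL.EXAMPLE.TEST/");   // prefix is matched case-insensitively
    List<String> dps = List.of("http://crl.example.test/ca1.crl");
    List<String> down = List.of("http://crl.example.test/down.crl", "http://attacker.test/x.crl");
    Revocation listed = check("0a1b", dps, allow, downloader);
    Revocation clean  = check("beef", dps, allow, downloader);
    Revocation outage = check("beef", down, allow, downloader);   // first DP fails, second is refused
    RevocationCache cache = new RevocationCache(); cache.put("beef", outage);
    if (toCheckResult(listed) != CheckResult.REVOKED) throw new AssertionError(listed);
    if (toCheckResult(clean)  != CheckResult.VALID)   throw new AssertionError(clean);
    if (!outage.isUnknown() || outage.isRevoked())    throw new AssertionError(outage);
    if (cache.isRevoked("beef") || cache.getRevocationStatus("beef").isKnown()) throw new AssertionError("outage cached");
    System.out.println("listed=" + toCheckResult(listed) + " clean=" + toCheckResult(clean) + " outage=" + toCheckResult(outage));
  }
}
```

Compile and run with `javac CrlHardeningSketch.java && java CrlHardeningSketch`; main exercises a listed serial, a clean serial and an outage in which one distribution point fails and the other is refused by the allow list, and checks that the outage ends as UNKNOWN with isRevoked() false rather than as REVOKED or VALID. httpCrlDownloader(10_000, 60_000) is the real, timeout-bounded downloader with the release's default values, but main does not call it so the example runs offline. Two design points of this sketch, not statements about ph-commons: the cache refuses to store UNKNOWN so a transient outage is not pinned as a cached answer, and timeouts bound only time, so a caller worried about oversized CRL bodies must additionally cap the bytes read from the stream.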

Full Changelog: ph-commons-parent-pom-12.2.3...ph-commons-parent-pom-12.2.4