changeset 26967 | c182469301ee |
parent 25859 | 3317bb8137f4 |
child 29264 | 5172066a2da6 |
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java Tue Oct 07 19:22:24 2014 -0700
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java Tue Oct 07 22:23:19 2014 -0700
@@ -472,9 +472,9 @@
 " ---checking revocation status ...");
 }
- // reject circular dependencies - RFC 3280 is not explicit on how
- // to handle this, so we feel it is safest to reject them until
- // the issue is resolved in the PKIX WG.
+ // Reject circular dependencies - RFC 5280 is not explicit on how
+ // to handle this, but does suggest that they can be a security
+ // risk and can create unresolvable dependencies
 if (stackedCerts != null && stackedCerts.contains(cert)) {
 if (debug != null) {
 debug.println("RevocationChecker.checkCRLs()" +
@@ -628,7 +628,7 @@
 /*
 * Abort CRL validation and throw exception if there are any
 * unrecognized critical CRL entry extensions (see section
- * 5.3 of RFC 3280).
+ * 5.3 of RFC 5280).
 */
 Set<String> unresCritExts = entry.getCriticalExtensionOIDs();
 if (unresCritExts != null && !unresCritExts.isEmpty()) {
@@ -880,9 +880,9 @@
 " ---checking " + msg + "...");
 }
- // reject circular dependencies - RFC 3280 is not explicit on how
- // to handle this, so we feel it is safest to reject them until
- // the issue is resolved in the PKIX WG.
+ // Reject circular dependencies - RFC 5280 is not explicit on how
+ // to handle this, but does suggest that they can be a security
+ // risk and can create unresolvable dependencies
 if ((stackedCerts != null) && stackedCerts.contains(cert)) {
 if (debug != null) {
 debug.println(
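Review bot: The new comment in the first hunk (repeated verbatim in the third) says RFC 5280 "does suggest" that circular dependencies are a security risk but names no section, unlike the second hunk, which cites section 5.3. The statement appears to come from the RFC's Security Considerations, so the last comment line could read `// risk and can create unresolvable dependencies (RFC 5280, section 8).` A pointer to the source text helps anyone auditing why a certificate already present in `stackedCerts` is refused during revocation checking. The body of the `if` lies outside both hunks, so the rejection itself is taken from the comment rather than from visible code.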