kezhuw commented on PR #2289:
URL: https://github.com/apache/zookeeper/pull/2289#issuecomment-3170465635

   > Apart from the single setRevocationEnabled method (which only exists if we install a custom TrustManager), Java only has global settings for handling revocation config.
   
   Turns out, this is not true.
   
   > The PKIXRevocationChecker is added to a PKIXParameters object using the [addCertPathChecker](https://docs.oracle.com/javase/8/docs/api/java/security/cert/PKIXParameters.html#addCertPathChecker-java.security.cert.PKIXCertPathChecker-) or [setCertPathCheckers](https://docs.oracle.com/javase/8/docs/api/java/security/cert/PKIXParameters.html#setCertPathCheckers-java.util.List-) method, and then the PKIXParameters is passed along with the CertPath to be validated to the [validate](https://docs.oracle.com/javase/8/docs/api/java/security/cert/CertPathValidator.html#validate-java.security.cert.CertPath-java.security.cert.CertPathParameters-) method of a PKIX CertPathValidator. When supplying a revocation checker in this manner, it will be used to check revocation irrespective of the setting of the [RevocationEnabled](https://docs.oracle.com/javase/8/docs/api/java/security/cert/PKIXParameters.html#isRevocationEnabled--) flag.
   >
   > https://docs.oracle.com/javase/8/docs/api/java/security/cert/PKIXRevocationChecker.html
   
   It has been this way since Java 8. I opened stoty/zookeeper#2 as an alternative, see https://github.com/stoty/zookeeper/pull/2/commits/68839ce266b75537b4bb3bfce63bca484a77b94c for changes.
   
   See also:
   * https://docs.oracle.com/javase/8/docs/api/java/security/cert/CertPathValidator.html
   * https://bugs.openjdk.org/browse/JDK-8225433
   * https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/cert/PKIXParameters.html#setRevocationEnabled(boolean)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
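
The per-context revocation setup that the quoted Javadoc describes, as an added example that is not code from the PR, from ZooKeeper, or from the comment's author. The class name `PerContextRevocation`, the `build` helper and the truststore path and password arguments are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PerContextRevocation {

    // Hypothetical helper: builds an SSLContext whose revocation policy is
    // carried in its own PKIXParameters instead of JVM-wide properties.
    static SSLContext build(KeyStore trustStore, boolean softFail) throws Exception {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) cpb.getRevocationChecker();
        // SOFT_FAIL tolerates an unreachable responder; an empty set hard-fails.
        checker.setOptions(softFail ? EnumSet.of(Option.SOFT_FAIL)
                                    : EnumSet.noneOf(Option.class));

        // Throws if the truststore holds no trusted certificate entries.
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        // Per the PKIXRevocationChecker Javadoc quoted above, a checker added
        // explicitly is used irrespective of the RevocationEnabled flag.
        params.setRevocationEnabled(false);
        params.addCertPathChecker(checker);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args: <truststore path> <password>, supplied by the caller.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        // Two contexts in one JVM, each with its own revocation behaviour.
        SSLContext strict = build(ts, false);
        SSLContext lenient = build(ts, true);
        System.out.println(strict.getProtocol() + " contexts built: hard-fail and soft-fail");
    }
}
```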
