8225433: Clarify behavior of PKIXParameters.setRevocationEnabled when PKIXRevocationChecker is used

Reviewed-by: xuelei, hchao
Sean Mullan 2022-04-29 12:27:43 +00:00
parent e98ac23553
commit 694556e137
2 changed files with 17 additions and 8 deletions

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -321,8 +321,10 @@ public class PKIXParameters implements CertPathParameters {
/**
* Sets the RevocationEnabled flag. If this flag is true, the default
* revocation checking mechanism of the underlying PKIX service provider
* will be used. If this flag is false, the default revocation checking
* mechanism will be disabled (not used).
* will be used, unless a {@link PKIXRevocationChecker} is passed in
* as a {@code CertPathChecker} (see below for further explanation). If
* this flag is false, the default revocation checking mechanism will be
* disabled (not used).
* <p>
* When a {@code PKIXParameters} object is created, this flag is set
* to true. This setting reflects the most common strategy for checking
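Review bot: In the rewritten first paragraph of the setRevocationEnabled comment, "passed in as a {@code CertPathChecker} (see below for further explanation)" does not say what the checker is passed to, and "see below" leaves the reader to find the paragraph that explains it. Consider naming the entry points here, using the same {@link #addCertPathChecker addCertPathChecker} and {@link #setCertPathCheckers setCertPathCheckers} links the comment already uses further down, so the exception to "the default revocation checking mechanism ... will be used" is complete where it is first stated.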
@ -333,6 +335,11 @@ public class PKIXParameters implements CertPathParameters {
* revocation checking mechanism is to be substituted (by also calling the
* {@link #addCertPathChecker addCertPathChecker} or {@link
* #setCertPathCheckers setCertPathCheckers} methods).
* <p>
* Note that when a {@code PKIXRevocationChecker} is passed in as a
* parameter via the {@code addCertPathChecker} or
* {@code setCertPathCheckers} methods, it will be used to check
* revocation irrespective of the setting of the RevocationEnabled flag.
*
* @param val the new value of the RevocationEnabled flag
*/
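Review bot: The new "Note that when a {@code PKIXRevocationChecker} is passed in ..." paragraph sits directly after context text that describes substituting the revocation mechanism "by also calling" addCertPathChecker or setCertPathCheckers, and the two now read as overlapping instructions for the same two methods. It would help to state in the note how they relate: that for a PKIXRevocationChecker the caller does not need to change the flag, and that setting the flag to false does not turn revocation checking off while such a checker is registered. The note also uses {@code addCertPathChecker} where the paragraph above uses {@link #addCertPathChecker addCertPathChecker}; using the link form in both places keeps the comment consistent.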
@ -343,8 +350,9 @@ public class PKIXParameters implements CertPathParameters {
/**
* Checks the RevocationEnabled flag. If this flag is true, the default
* revocation checking mechanism of the underlying PKIX service provider
* will be used. If this flag is false, the default revocation checking
* mechanism will be disabled (not used). See the {@link
* will be used, unless a {@link PKIXRevocationChecker} is passed in as
* a {@code CertPathChecker}. If this flag is false, the default revocation
* checking mechanism will be disabled (not used). See the {@link
* #setRevocationEnabled setRevocationEnabled} method for more details on
* setting the value of this flag.
*
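Review bot: In the isRevocationEnabled comment, the added "unless a {@link PKIXRevocationChecker} is passed in as a {@code CertPathChecker}" clause qualifies only the true case, so the sentence that follows ("If this flag is false, the default revocation checking mechanism will be disabled (not used)") can still be read as "false means no revocation checking". Since the setter's new note says a PKIXRevocationChecker is used irrespective of the flag, consider adding a sentence here that the returned value alone does not tell the caller whether revocation is checked, and that the configured CertPathCheckers must be considered as well.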

@ -66,9 +66,10 @@ import java.util.Set;
* to be validated to the {@link CertPathValidator#validate validate} method
* of a PKIX {@code CertPathValidator}. When supplying a revocation checker in
* this manner, it will be used to check revocation irrespective of the setting
* of the {@link PKIXParameters#isRevocationEnabled RevocationEnabled} flag.
* Similarly, a {@code PKIXRevocationChecker} may be added to a
* {@code PKIXBuilderParameters} object for use with a PKIX
* of the {@link PKIXParameters#isRevocationEnabled RevocationEnabled} flag,
* and will override the default revocation checking mechanism of the PKIX
* service provider. Similarly, a {@code PKIXRevocationChecker} may be added
* to a {@code PKIXBuilderParameters} object for use with a PKIX
* {@code CertPathBuilder}.
*
* <p>Note that when a {@code PKIXRevocationChecker} is added to
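Review bot: In the added clause "and will override the default revocation checking mechanism of the PKIX service provider", "override" leaves open whether the default mechanism is skipped or still runs alongside the supplied checker. Wording such as "and will be used instead of the default revocation checking mechanism" would state the replacement explicitly. The reflowed "Similarly, a {@code PKIXRevocationChecker} may be added to a {@code PKIXBuilderParameters} object" sentence relies on "Similarly" to carry both the irrespective-of-flag and the override behavior over to CertPathBuilder; if both apply there, saying so directly would avoid the ambiguity.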