On Tue, 28 Apr 2026 22:01:04 GMT, Jamil Nimeh <[email protected]> wrote:
>> Ok, but how does it matter for this test? > > If the PKIX path building cares about validity nesting violations, possibly > yes. You might not see it for a long time and then you'll get a rare failure > here and there. That's why when I use CertificateBuilder to build chains I > make a point of ensuring the EE cert's validity window will always be inside > that of the CAs. The code as written will do that almost always, but in rare > cases maybe not. We don't care about validity nesting violations by default. I just verified it by running the test with CA validity period entirely inside EE validity period. I can set `now` value statically (just in case we ever change the default behavior) if you prefer it this way. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/30944#discussion_r3157633578
