On Tue, 28 Apr 2026 22:38:39 GMT, Artur Barashev <[email protected]> wrote:
>> If the PKIX path building cares about validity nesting violations, possibly >> yes. You might not see it for a long time and then you'll get a rare >> failure here and there. That's why when I use CertificateBuilder to build >> chains I make a point of ensuring the EE cert's validity window will always >> be inside that of the CAs. The code as written will do that almost always, >> but in rare cases maybe not. > > We don't care about validity nesting violations by default. I just verified > it by running the test with CA validity period entirely inside EE validity > period. I can set `now` value statically (just in case we ever change the > default behavior) if you prefer it this way. That seems like a good solution. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/30944#discussion_r3157648811
