Merge pull request #204 from alexanderjordanbaker/RetryableVerificationFailure

alexanderjordanbaker · web-flow · commit f9cca8d4ff8b · 2025-11-12T23:07:55.000-08:00
Adding RETRYABLE_VERIFICATION_FAILURE for OCSP network failures
diff --git a/src/main/java/com/apple/itunes/storekit/verification/ChainVerifier.java b/src/main/java/com/apple/itunes/storekit/verification/ChainVerifier.java
@@ -7,6 +7,7 @@
 import java.security.PublicKey;
 import java.security.cert.CertPath;
 import java.security.cert.CertPathValidator;
+import java.security.cert.CertPathValidatorException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.security.cert.PKIXCertPathValidatorResult;
@@ -113,6 +114,10 @@ PublicKey verifyChainWithoutCaching(String[] certificates, boolean performRevoca
             PKIXCertPathValidatorResult certPathValidatorResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, parameters);
             return certPathValidatorResult.getPublicKey();
         } catch (Exception e) {
+            // This indicates an OCSP network failure
+            if (e instanceof CertPathValidatorException && ((CertPathValidatorException) e).getReason() == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
+                throw new VerificationException(VerificationStatus.RETRYABLE_VERIFICATION_FAILURE);
+            }
             throw new VerificationException(VerificationStatus.INVALID_CHAIN, e);
         }
     }
diff --git a/src/main/java/com/apple/itunes/storekit/verification/VerificationStatus.java b/src/main/java/com/apple/itunes/storekit/verification/VerificationStatus.java
@@ -5,6 +5,7 @@
 public enum VerificationStatus {
     OK,
     VERIFICATION_FAILURE,
+    RETRYABLE_VERIFICATION_FAILURE,
     INVALID_APP_IDENTIFIER,
     INVALID_ENVIRONMENT,
     INVALID_CERTIFICATE,
