From 602326ce943755993afc216ea5fa63d9d7c8274a Mon Sep 17 00:00:00 2001
From: Alex Baker
Date: Fri, 31 Oct 2025 18:58:26 -0700
Subject: [PATCH] Adding RETRYABLE_VERIFICATION_FAILURE for OCSP network failures
---
 .../apple/itunes/storekit/verification/ChainVerifier.java | 5 +++++
 .../itunes/storekit/verification/VerificationStatus.java | 1 +
 2 files changed, 6 insertions(+)
diff --git a/src/main/java/com/apple/itunes/storekit/verification/ChainVerifier.java b/src/main/java/com/apple/itunes/storekit/verification/ChainVerifier.java
index 3bf5db85..9ca08aee 100644
--- a/src/main/java/com/apple/itunes/storekit/verification/ChainVerifier.java
+++ b/src/main/java/com/apple/itunes/storekit/verification/ChainVerifier.java
@@ -7,6 +7,7 @@
 import java.security.PublicKey;
 import java.security.cert.CertPath;
 import java.security.cert.CertPathValidator;
+import java.security.cert.CertPathValidatorException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.security.cert.PKIXCertPathValidatorResult;
@@ -113,6 +114,10 @@ PublicKey verifyChainWithoutCaching(String[] certificates, boolean performRevoca
 PKIXCertPathValidatorResult certPathValidatorResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, parameters);
 return certPathValidatorResult.getPublicKey();
 } catch (Exception e) {
+ // This indicates an OCSP network failure
+ if (e instanceof CertPathValidatorException && ((CertPathValidatorException) e).getReason() == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
+ throw new VerificationException(VerificationStatus.RETRYABLE_VERIFICATION_FAILURE);
+ }
 throw new VerificationException(VerificationStatus.INVALID_CHAIN, e);
 }
 }
diff --git a/src/main/java/com/apple/itunes/storekit/verification/VerificationStatus.java b/src/main/java/com/apple/itunes/storekit/verification/VerificationStatus.java
index 983e6f7b..0ce55ebd 100644
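Review bot: The new `throw` inside the `catch (Exception e)` block of verifyChainWithoutCaching discards the caught exception, while the INVALID_CHAIN throw directly after it keeps it as the cause; passing it through, `throw new VerificationException(VerificationStatus.RETRYABLE_VERIFICATION_FAILURE, e);`, keeps the underlying revocation error available when an outage has to be diagnosed. The comment is also narrower than the condition: `UNDETERMINED_REVOCATION_STATUS` is documented only as the revocation status not being determinable, which presumably covers an unusable or unsuccessful responder answer as well as a network failure, so `// Revocation status could not be determined (e.g. OCSP responder unreachable); not proof the chain is bad, so report it as retryable` would describe it more accurately. The method starts above this hunk, so how `parameters` configures revocation checking is not visible here.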
--- a/src/main/java/com/apple/itunes/storekit/verification/VerificationStatus.java
+++ b/src/main/java/com/apple/itunes/storekit/verification/VerificationStatus.java
@@ -5,6 +5,7 @@
 public enum VerificationStatus {
 OK,
 VERIFICATION_FAILURE,
+ RETRYABLE_VERIFICATION_FAILURE,
 INVALID_APP_IDENTIFIER,
 INVALID_ENVIRONMENT,
 INVALID_CERTIFICATE,
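Review bot: `RETRYABLE_VERIFICATION_FAILURE` is added with no comment stating that it is still a failed verification, so a caller could read "retryable" as "probably fine"; a short Javadoc on the constant, such as `/** Revocation status could not be determined; the payload is NOT verified. Retry a bounded number of times and reject if it keeps failing. */`, would make the fail-closed contract explicit. That matters because this status is raised when the revocation check cannot complete, a condition that anything able to interrupt the OCSP lookup can bring about. The constant is also inserted mid-enum, which shifts the ordinal of every later constant; that is harmless unless something stores or compares `ordinal()`, which cannot be judged from this hunk since the enum continues past its end.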