PKIXRevocationChecker and ocsp stapling
Michał Zegan
webczat_200 at poczta.onet.pl
Mon Jun 3 17:16:12 UTC 2019
On 03.06.2019 at 16:45, Sean Mullan wrote:
> Hi,
>
> On 6/1/19 8:29 AM, Michał Zegan wrote:
>> Hello,
>> I believe I have found a bug but not quite sure if it is in
>> documentation or jdk impl itself. I currently have no code example, but
>> I looked into the jdk code itself.
>> This
>> https://docs.oracle.com/en/java/javase/11/security/java-pki-programmers-guide.html#GUID-43A3A247-E165-408C-AD74-88A75BFB4750
>>
>> actually suggests that when using the own instance of
>> PKIXRevocationChecker, you should disable default revocation by
>> PKIXParameters.setRevocationEnabled(false)
>
> Not completely true. You should disable revocation checking if you are
> passing in a subclass of PKIXCertPathChecker (and not
> PKIXRevocationChecker) because the JDK implementation doesn't know if it
> is a revocation checker or not. But if you pass in a
> PKIXRevocationChecker (this API was added later in JDK 1.8) it doesn't
> matter if the revocation flag is enabled or not, it will be recognized
> and get used instead of the default one.
Well, the documentation for this (in the user guide) does contain one
example of adding, specifically, the PKIXRevocationChecker, and in this
example they disable the revocationChecking property, so that is what I
mean.
>
>> and it actually seems to be
>> suggested by api docs too even though it is not stated there directly.
>
> It says in PKIXParameters.setRevocationEnabled [1]:
>
> "Sophisticated applications should set this flag to false when it is not
> practical to use a PKIX service provider's default revocation checking
> mechanism or when an alternative revocation checking mechanism is to be
> substituted (by also calling the addCertPathChecker or
> setCertPathCheckers methods)."
It is unclear if adding my own instance of PKIXRevocationChecker (even
if it's the provider's implementation) is considered replacing a default
mechanism or not, so it is at least unclear.
>
> and in the PKIXRevocationChecker API [2]:
>
> "When supplying a revocation checker in this manner, it will be used to
> check revocation irrespective of the setting of the RevocationEnabled
> flag."
Yes. However, here I would always wonder whether it means that the checker
would be called twice or recognized. Note that if you supply a
revocation checker in *this* manner, it is normal that it will be used
because it is in a list of checkers, so the question is more like if the
default instance of revocation checker will be used if another one is
passed and setRevocationChecking(true) is set... and this is not really
clear from the documentation. That is my line of thinking when I read it
and this is the reason why I looked at the code.
>
> (Although we should probably add a similar statement to the
> setRevocationChecker API so it is more clear).
>
>> However:
>> - first, from what I know, if revocation is enabled by
>> setRevocationEnabled and a custom PKIXRevocationChecker is added, then
>> this fact is respected correctly by the validator implementation, it can
>> be seen in the code.
>
> Right.
>
>> - on the other hand, if it is disabled, then you can still add the
>> checker, but for example ocsp stapling in jsse probably will stop
>> working.
>> It is because sun.security.validator.PKIXValidator's addResponses method
>> works only if revocationEnabled is true.
>
> Good catch - that looks like a bug.
>
>> What is even more weird, the method seems to honour the fact that user
>> could add his own PKIXRevocationChecker, but for it to work it has to be
>> done *and* revocationEnabled needs to be true.
>
> Yes, that should not be required.
>
>> Seems like a confusion/inconsistency. Not quite sure if this is a bug in
>> the code, or more in the documentation, and what is the correct approach.
>> Note I didn't actually test this (I don't have any ocsp whatever). It is
>> just what I read when looking at jdk code, so my findings could be wrong.
>
> Thanks for spotting this. I will file a bug on your behalf.
>
> --Sean
>
> [1]
> https://docs.oracle.com/en/java/javase/12/docs/api/java.base/java/security/cert/PKIXParameters.html#setRevocationEnabled(boolean)
>
> [2]
> https://docs.oracle.com/en/java/javase/12/docs/api/java.base/java/security/cert/PKIXRevocationChecker.html
>
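As an added illustration (not code from the thread or from the JDK sources), this is the pattern Sean describes: obtain the provider's own PKIXRevocationChecker, hand it any pre-fetched OCSP responses directly through the public setOcspResponses API, and leave RevocationEnabled at its default instead of disabling it. The PEM file paths are assumed command-line arguments, and the leaf-first chain order is an assumption about the input file.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

/** Validates an X.509 chain with an explicitly supplied PKIXRevocationChecker. */
public final class RevocationCheckDemo {

    /**
     * Builds PKIXParameters carrying the provider's PKIXRevocationChecker.
     * As stated in the thread, a PKIXRevocationChecker is recognised and used
     * regardless of the RevocationEnabled flag, so the flag keeps its default.
     * stapledOcsp maps a certificate to a DER-encoded OCSP response obtained
     * out of band (e.g. via TLS stapling); may be null.
     */
    static PKIXParameters buildParams(Set<TrustAnchor> anchors,
                                      Map<X509Certificate, byte[]> stapledOcsp)
            throws GeneralSecurityException {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // Default behaviour is OCSP first, CRL fallback; PREFER_CRLS would flip that.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY));
        if (stapledOcsp != null) {
            rc.setOcspResponses(stapledOcsp);
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(rc);
        // Deliberately NOT calling params.setRevocationEnabled(false): that is only
        // needed for a plain PKIXCertPathChecker subclass the JDK cannot recognise
        // as a revocation checker, and would otherwise run two revocation checks.
        return params;
    }

    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                PKIXParameters params)
            throws GeneralSecurityException {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: args[0] = trust anchor PEM, args[1] = chain PEM (leaf first).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate anchor;
        try (InputStream in = new FileInputStream(args[0])) {
            anchor = (X509Certificate) cf.generateCertificate(in);
        }
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[1])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        PKIXParameters p = buildParams(Set.of(new TrustAnchor(anchor, null)), null);
        System.out.println("chain valid; anchor=" + validate(chain, p).getTrustAnchor()
                .getTrustedCert().getSubjectX500Principal());
    }
}
```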