RFR: 8179503: Java should support GET OCSP calls [v2]

Xue-Lei Andrew Fan xuelei at openjdk.java.net
Thu Dec 31 05:10:00 UTC 2020


On Wed, 30 Dec 2020 23:33:14 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:

>> This enhancement allows the underlying OCSP subsystem to submit OCSP requests using HTTP GET when the request is less than or equal to 255 bytes as documented in RFC 6960 and clarified in RFC 5019.
>
> Jamil Nimeh has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:
> 
>  - Merge
>  - Change IO to use readExactlyNBytes method
>  - Merge
>  - 8179503: Java should support GET OCSP calls

src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 235:

> 233: 
> 234:         URL url;
> 235:         HttpURLConnection con;

I was just wondering if the new httpclient APIs could be used here.  Maybe it is out of the scope of this update.

src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 237:

> 235:         HttpURLConnection con;
> 236:         String encodedGetReq = responderURI.toString() + "/" +
> 237:                 URLEncoder.encode(Base64.getMimeEncoder(0, new byte[0]).

I did not get the point of using the MIME encoder.  Is the basic base64 encoder sufficient here?

src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 240:

> 238:                         encodeToString(bytes), "UTF-8");
> 239: 
> 240:         if (encodedGetReq.length() <= 255) {

If the request is less than 256 bytes, the GET method will be used.  RFC 6960 declares this as a "MAY" feature ("To enable HTTP caching, small requests ... MAY be submitted using GET").  Although RFC 5019 declares it as a "MUST" feature ("When sending requests that are less than or equal to 255 bytes ... clients MUST use the GET method"), RFC 5019 was released before RFC 6960.  I'm not very sure if there are interop issues where a server may not accept the "GET" method for some reason.  I don't worry about it too much, but just want to make sure you have considered the cases.

src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 275:

> 273:             contentLength = Integer.MAX_VALUE;
> 274:         }
> 275: 

Is there a leak if the URL connection is not closed?

-------------

PR: https://git.openjdk.java.net/jdk/pull/1760
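The points raised above (plain base64 versus a line-wrapping encoder, URL-encoding of the base64 alphabet, and the 255-byte GET threshold measured on the whole URL) are easier to see on a concrete request. The following is an added example written for this page; it is not code from the OpenJDK pull request or from OCSP.java, and it uses Python rather than Java so it can be run stand-alone. It builds a minimal unsigned OCSPRequest from constructed issuer hashes and serial numbers (not from any real CA; the responder URL and all function names are assumptions for illustration), applies the RFC 6960 Appendix A.1 construction "{url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest}", selects GET or POST by the RFC 5019 rule, and shows the responder side decoding the path back to DER.

```python
import base64
import hashlib
import urllib.parse

# RFC 5019 section 5 threshold: total encoded request URL length, scheme included.
GET_MAX_URL_LEN = 255

SHA1_OID_DER = bytes.fromhex("2b0e03021a")  # content octets of OID 1.3.14.3.2.26 (sha1)


def _der_len(n: int) -> bytes:
    """DER definite-form length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Tag-length-value for a single DER element."""
    return bytes([tag]) + _der_len(len(content)) + content


def der_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER content octets for a non-negative value."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def cert_id(issuer_name_hash: bytes, issuer_key_hash: bytes, serial: int) -> bytes:
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }."""
    alg = der(0x30, der(0x06, SHA1_OID_DER) + der(0x05, b""))
    return der(0x30, alg + der(0x04, issuer_name_hash) + der(0x04, issuer_key_hash)
               + der(0x02, der_int(serial)))


def ocsp_request(cert_ids: list) -> bytes:
    """Unsigned OCSPRequest ::= SEQUENCE { tbsRequest }, with TBSRequest holding only requestList."""
    request_list = der(0x30, b"".join(der(0x30, c) for c in cert_ids))
    return der(0x30, der(0x30, request_list))


def get_url(responder_uri: str, der_request: bytes) -> str:
    """RFC 6960 A.1 GET form. Plain base64 is sufficient: a line-wrapping (MIME-style)
    encoder would inject newlines that end up as %0A inside the path. safe="" makes
    quote() percent-encode '/', '+' and '=' (quote() leaves '/' alone by default),
    matching what java.net.URLEncoder does for the base64 alphabet."""
    b64 = base64.b64encode(der_request).decode("ascii")
    return responder_uri.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")


def choose_transport(responder_uri: str, der_request: bytes):
    """Return (method, url, body): GET while the whole URL fits in 255 bytes, else POST."""
    url = get_url(responder_uri, der_request)
    if len(url) <= GET_MAX_URL_LEN:
        return ("GET", url, None)
    return ("POST", responder_uri, der_request)


def decode_get_path(responder_uri: str, url: str) -> bytes:
    """Responder side: recover the DER OCSPRequest from a GET URL built by get_url()."""
    prefix = responder_uri.rstrip("/") + "/"
    if not url.startswith(prefix):
        raise ValueError("URL does not belong to this responder")
    return base64.b64decode(urllib.parse.unquote(url[len(prefix):]), validate=True)


# Constructed sample values for the demonstration (not from any real CA or responder).
RESPONDER = "http://ocsp.example.test"
NAME_HASH = hashlib.sha1(b"constructed issuer DN").digest()
KEY_HASH = hashlib.sha1(b"constructed issuer SPKI").digest()
ONE_CERT = ocsp_request([cert_id(NAME_HASH, KEY_HASH, 0x0123456789ABCDEF)])
THREE_CERTS = ocsp_request([cert_id(NAME_HASH, KEY_HASH, s)
                            for s in (0x0123456789ABCDEF, 0x1122334455667788, 0x2233445566778899)])

if __name__ == "__main__":
    for req in (ONE_CERT, THREE_CERTS):
        method, url, body = choose_transport(RESPONDER, req)
        detail = url if body is None else f"POST body of {len(body)} bytes to {url}"
        print(f"{method}: {len(req)}-byte DER request -> {detail}")
```

The single-certificate request is 75 bytes of DER and base64-encodes to 100 characters, so even with '/' and '+' expanded to three characters each the full URL stays under 255 bytes and goes out as GET; the three-certificate request is 216 bytes (288 base64 characters) and falls back to POST. Note that the threshold is applied to the complete URL, responder prefix included, which is also how the pull request's `encodedGetReq.length() <= 255` check measures it.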



More information about the security-dev mailing list