RFR[15] 8242060: Add revocation checking to jarsigner

Sean Mullan sean.mullan at oracle.com
Fri May 1 18:50:20 UTC 2020 

* Main.java:

2067                         Event.setReportListener(new Event.Reporter() {
2068                             @Override
2069                             public void handle(String t, Object... o) {
2070 
System.out.println(String.format(rb.getString(t), o));
2071                             }
2072                         });

I think you could use a lambda expression above.

* Event.java:

   35     static Reporter reporter = null;

Make this private? Also, no need to explicitly initialize to null as 
that is the default value.

Can you add some comments at the top of the class describing the purpose 
of this class?

* EnableRevocation.java

- How long does this test take - does it hang for a little while trying 
to make a connection or timeout right away? If it takes a while, you 
could experiment with overriding the default timeouts for CRLs and OCSP 
checks to make this test finish faster. Use the system properties 
com.sun.security.ocsp.timeout and com.sun.security.crl.readtimeout.

Looks good otherwise. Please add a release-note and open a follow-on 
issue to update the man page with the new option.

--Sean

On 5/1/20 12:02 PM, Hai-May Chao wrote:
> Hi,
> 
> With small change added to ‘Usages.java' test, here is the updated webrev:
> 
> https://cr.openjdk.java.net/~hchao/8242060/webrev.01/
> 
> Thanks,
> Hai-May
> 
>> On Apr 30, 2020, at 4:29 PM, Hai-May Chao <hai-may.chao at oracle.com> wrote:
>>
>> Hi,
>>
>> I’d like to request a review for:
>>
>> JBS: https://bugs.openjdk.java.net/browse/JDK-8242060
>> CSR: https://bugs.openjdk.java.net/browse/JDK-8244046
>> Webrev: https://cr.openjdk.java.net/~hchao/8242060/webrev.00/
>>
>> The jarsigner command currently does certificate chain validation, but does not check revocation. Users won’t be able to know if the certificates are revoked. This change is to provide an option in jarsigner to enable the revocation check, and to emit progress messages when jarsigner starts network connections to get OCSP responses and CRL.
>>
>> Thanks,
>> Hai-May
>>
>>
>>
>

More information about the security-dev mailing list