RFR[15] 8242060: Add revocation checking to jarsigner

Hai-May Chao hai-may.chao at oracle.com
Sat May 2 18:20:32 UTC 2020


Thanks Max!
Using localhost would do it as well.

Hai-May


> On May 1, 2020, at 7:49 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
> 
>> 
>> * EnableRevocation.java
>> 
>> - How long does this test take - does it hang for a little while trying to make a connection or timeout right away? If it takes a while, you could experiment with overriding the default timeouts for CRLs and OCSP checks to make this test finish faster. Use the system properties com.sun.security.ocsp.timeout and com.sun.security.crl.readtimeout.
> 
> What if we use 0.0.0.0 for both OCSP and CRLDP? I assume it will return immediately, just hope it's not an uncaught RuntimeException.
> 
> --Max
> 
>> 
>> Looks good otherwise. Please add a release-note and open a follow-on issue to update the man page with the new option.
>> 
>> --Sean
>> 
>> On 5/1/20 12:02 PM, Hai-May Chao wrote:
>>> Hi,
>>> With small change added to ‘Usages.java' test, here is the updated webrev:
>>> https://cr.openjdk.java.net/~hchao/8242060/webrev.01/
>>> Thanks,
>>> Hai-May
>>>> On Apr 30, 2020, at 4:29 PM, Hai-May Chao <hai-may.chao at oracle.com> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> I’d like to request a review for:
>>>> 
>>>> JBS: https://bugs.openjdk.java.net/browse/JDK-8242060
>>>> CSR: https://bugs.openjdk.java.net/browse/JDK-8244046
>>>> Webrev: https://cr.openjdk.java.net/~hchao/8242060/webrev.00/
>>>> 
>>>> The jarsigner command currently does certificate chain validation, but does not check revocation. Users won’t be able to know if the certificates are revoked. This change is to provide an option in jarsigner to enable the revocation check, and to emit progress messages when jarsigner starts network connections to get OCSP responses and CRL.
>>>> 
>>>> Thanks,
>>>> Hai-May
>>>> 
>>>> 
>>>> 
> 



More information about the security-dev mailing list