RFR JDK-8206925,,Support the certificate_authorities extension
Xuelei Fan
xuelei.fan at oracle.com
Fri May 15 22:11:01 UTC 2020
New webrev: http://cr.openjdk.java.net/~xuelei/8206925/webrev.04/
On 5/15/2020 5:27 AM, Sean Mullan wrote:
> On 5/15/20 1:22 AM, Xuelei Fan wrote:
>> Alexey has some good point about the size limit of the extension. I
>> added more comments about the compatibility impact and interop impact
>> when there is too much CAs to meet the size limits in CSR, source code
>> and release notes.
>>
>> New webrev: https://bugs.openjdk.java.net/browse/JDK-8244460
>>
>> I have not had a chance to add a negative test case yet.
>
> By negative test case, do you mean trying to exceed the maximum number
> of CAs? I agree that would be a good test to add, as we may or may not
> exceed that number some day, but it would be good to know when/if we do.
>
Yes. I added a new test case in webrev.04 (TooMuchCAs.java).
Xuelei
> --Sean
>
>>
>> On 5/14/2020 1:38 PM, Sean Mullan wrote:
>>> For the CSR, why did you check the binary and behavioral boxes for
>>> compatibility risk?
>> I should not check the boxes. Removed.
>>
>> Thanks,
>> Xuelei
>>
>>> Otherwise it looks good, and I added my name as Reviewer. I will
>>> review the updated webrev later.
>>>
>>> Please file and add a link to a docs issue to document the new system
>>> property.
>>>
>>> --Sean
>>>
>>> On 5/13/20 5:20 PM, Xuelei Fan wrote:
>>>>
>>>> On 5/13/2020 2:11 PM, Sean Mullan wrote:
>>>>>>>> It is not expected to use this extension regularly.
>>>>>>>>
>>>>>>>> Please let me know if you still prefer to use "enableCAExtension".
>>>>>>>>
>>>>>>>>> Also, it is a bit unfortunate that we have to have a system
>>>>>>>>> property to enable it. Can we not enable it based on whether
>>>>>>>>> the configured X509TrustManager.getAcceptedIssuers returns a
>>>>>>>>> non-empty list?
>>>>>>>>>
>>>>>>>> We can do that on server side, but there are compatibility
>>>>>>>> impact on client behavior if we did it in client side. See #2
>>>>>>>> in the "Specification" section.
>>>>>>>
>>>>>>> But doesn't the default JDK PKIX TrustManager throw a fatal
>>>>>>> exception and close the connection if the server's certificate
>>>>>>> cannot be validated? Could we check if the PKIX TrustManager is
>>>>>>> being used?
>>>>>>>
>>>>>> Yes, the trust manager could throw a fatal exception and close the
>>>>>> connection if the trust cannot be established. The fallback
>>>>>> mechanism is implemented in the customized trust manager, that if
>>>>>> users accept the cert, the cert is trusted, and no exception and
>>>>>> the handshaking continued. It is too later to fallback after the
>>>>>> connection closed.
>>>>>
>>>>>>> If a client wants to accept self-signed or untrusted server
>>>>>>> certificates, I would have expected them to have to use a custom
>>>>>>> X509TrustManager that allows that, and that getAcceptedIssuers()
>>>>>>> should return an empty List. Is that not is what is typically
>>>>>>> done in practice?
>>>>>>>
>>>>>> Yes, customized trust manager is used to accept users manually
>>>>>> selection. As the users may also want to accept normal
>>>>>> certificate without manually involved, so getAcceptedIssuers()
>>>>>> should respect those CA as well.
>>>>>
>>>>> I see. Out of curiosity, have you checked how other implementations
>>>>> handle this extension? For web browsers, they typically give the
>>>>> user the option of proceeding if the server certificate is not
>>>>> trusted. Seems to be a bit of a configuration dilemma as you may
>>>>> want this extension enabled for certain sites that have multiple
>>>>> certificates, but not as a general default because then you
>>>>> wouldn't be able to connect to untrusted sites (at your own risk of
>>>>> course). I wonder if it would have been better for the RFC to allow
>>>>> the server to treat this extension more as a hint, and still return
>>>>> its chain if an acceptable certificate could not be found.
>>>> If it is treated as a hint, then it might be better no have this
>>>> extension.
>>>>
>>>> I checked with browsers, the extension is not present in
>>>> ClientHello. For JDK, I would not expect a lot use of this extension
>>>> in client side. It is just designed to workaround a few cases, just
>>>> as you mentioned above.
>>>>
>>>> Xuelei
More information about the security-dev
mailing list