RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol…

Jamil Nimeh jnimeh at openjdk.java.net
Tue Jan 12 16:29:04 UTC 2021


On Mon, 11 Jan 2021 21:41:56 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

> This enhancement adds support for the nonce extension in OCSP request extensions by system property jdk.security.certpath.ocspNonce.
> 
> Please review the CSR at:
> https://bugs.openjdk.java.net/browse/JDK-8257766

In general it looks pretty good.  Just a couple small comments.

src/java.base/share/classes/sun/security/provider/certpath/OCSPNonceExtension.java line 126:

> 124:      *      is set for this extension
> 125:      * @param incomingNonce The nonce data to be set for the extension.  This
> 126:      *      must be a non-null array of at least one byte long and can be upto

typo: "upto" -> "up to"

src/java.base/share/classes/sun/security/provider/certpath/OCSPNonceExtension.java line 143:

> 141:         // RFC 8954, section 2.1: the length of the nonce MUST be at least 1 octet
> 142:         // and can be up to 32 octets.
> 143:         if (incomingNonce.length > 0 && incomingNonce.length <=32) {

nit: space after the <= to be consistent with style elsewhere

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java line 118:

> 116:                 tmpExtensions = new ArrayList<Extension>();
> 117:                 tmpExtensions.add(nonceExt);
> 118:                 setOcspExtensions(tmpExtensions);

It seems like you could collapse 113 - 118 into something like:
setOcspExtensions(List.of(new OCSPNonceExtension(DEFAULT_NONCE_BYTES)));

At the very least, it looks like you could do away with 113, since you immediately change the value of the tmpExtensions reference on 116.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2039


More information about the security-dev mailing list