RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol… [v2]

Sean Mullan mullan at openjdk.java.net
Thu Jan 14 15:08:09 UTC 2021 

On Tue, 12 Jan 2021 19:18:18 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> This enhancement adds support for the nonce extension in OCSP request extensions by system property jdk.security.certpath.ocspNonce.
>> 
>> Please review the CSR at:
>> https://bugs.openjdk.java.net/browse/JDK-8257766
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
> 
>   update to use List.of() and typo changes

Changes requested by mullan (Reviewer).

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java line 88:

> 86:         boolean ocspNonce;
> 87:     }
> 88:     private RevocationProperties rp;

I think this field could be `final`.

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java line 107:

> 105: 
> 106:     private void setDefaultNonce() {
> 107:         byte[] nonce = null;

This variable looks like it is not used and can be removed.

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java line 109:

> 107:         byte[] nonce = null;
> 108: 
> 109:         // Set the nonce by default in OCSP request extension when the sytem property

Typo: s/sytem/system/

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java line 113:

> 111:         if (rp.ocspNonce) {
> 112:             try {
> 113:                 setOcspExtensions(List.of(new OCSPNonceExtension(DEFAULT_NONCE_BYTES)));

I don't think we should use the `PKIXRevocationChecker.setOcspExtensions()` API to add an OCSP Nonce extension. That API is intended to be called by applications. I think the Nonce extension should be set by the implementation only and not exposed via the standard API. Also, a nonce should be unique for each OCSP request, but setting it here means that it could re-use the same nonce for different OCSP requests.

I think a better place to create/add the OCSPExtension is in the `checkOCSP` method, and the extension should be created each time that method is called (if the system property is enabled), so a new nonce is created for each OCSP request.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2039

More information about the security-dev mailing list