RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension [v4]

Sean Mullan mullan at openjdk.java.net
Wed Jan 20 13:53:49 UTC 2021


On Fri, 15 Jan 2021 23:09:26 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> This enhancement adds support for the nonce extension in OCSP request extensions by system property jdk.security.certpath.ocspNonce.
>> 
>> Please review the CSR at:
>> https://bugs.openjdk.java.net/browse/JDK-8257766
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Nonce creation is done in checkOCSP method

Changes requested by mullan (Reviewer).

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java line 762:

> 760:                         } catch (IOException e) {
> 761:                             throw new CertPathValidatorException("Failed to create the default nonce " +
> 762:                                     "in OCSP entensions");

Typo: s/entensions/extensions/

Also, use the `CertPathValidatorException(String, Throwable)` ctor instead and pass the `IOException` as the 2nd parameter.

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java line 755:

> 753:                             // create the 16-byte nonce by default
> 754:                             Extension nonceExt = new OCSPNonceExtension(DEFAULT_NONCE_BYTES);
> 755:                             tmpExtensions.add(nonceExt);

I think you should add the OCSPNonce extension to the list of extensions that the application passed in, as there may be other extensions that have been specified and should be sent in the OCSP response, ex:

`ocspExtensions.add(new OCSPNonceExtension(DEFAULT_NONCE_BYTES));`

This means you don't need the `tmpExtensions` variable.

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java line 779:

> 777:                 response = OCSP.check(Collections.singletonList(certId),
> 778:                         responderURI, issuerInfo, responderCert, null,
> 779:                         rp.ocspNonce ? tmpExtensions : ocspExtensions, params.variant());

Here you can just pass in `ocspExtensions` since it will contain the nonce if the property has been set.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2039
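As an added illustration (not code from this PR or the JDK's internal `OCSPNonceExtension`), here is the RFC 8954 nonce built against the public `java.security.cert.Extension` API and appended to the application's own OCSP extension list, as the review suggests; the class `OcspNonce`, the helper `attachNonce` and the 1..32 octet length check are this example's assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.SecureRandom;
import java.security.cert.Extension;
import java.security.cert.PKIXRevocationChecker;
import java.util.ArrayList;
import java.util.List;

// RFC 8954 OCSP nonce as a public-API Extension (constructed for illustration).
final class OcspNonce implements Extension {
    static final String OID = "1.3.6.1.5.5.7.48.1.2";            // id-pkix-ocsp-nonce
    static final byte[] OID_DER = {0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02};
    static final int DEFAULT_NONCE_BYTES = 16;                    // RFC 8954 recommends at least 16
    private final byte[] nonce;

    OcspNonce(int length) {
        if (length < 1 || length > 32)                            // RFC 8954: 1..32 octets
            throw new IllegalArgumentException("nonce length must be 1..32 octets");
        nonce = new byte[length];
        new SecureRandom().nextBytes(nonce);                      // unpredictable, per-request value
    }

    @Override public String getId()       { return OID; }
    @Override public boolean isCritical() { return false; }       // non-critical

    // extnValue contents: DER of Nonce ::= OCTET STRING (short-form length is safe, len <= 32)
    @Override public byte[] getValue() { return octetString(nonce); }

    // Full DER Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }; critical omitted (DEFAULT FALSE)
    @Override public void encode(OutputStream out) throws IOException {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        body.write(OID_DER);
        body.write(octetString(getValue()));
        out.write(0x30);
        out.write(body.size());                                    // < 128, so one length byte
        body.writeTo(out);
    }

    private static byte[] octetString(byte[] content) {
        byte[] der = new byte[content.length + 2];
        der[0] = 0x04;
        der[1] = (byte) content.length;
        System.arraycopy(content, 0, der, 2, content.length);
        return der;
    }

    // Append the nonce to the caller's extensions instead of replacing them (the review point).
    static void attachNonce(PKIXRevocationChecker checker, List<Extension> appExtensions) {
        List<Extension> exts = new ArrayList<>(appExtensions);
        exts.add(new OcspNonce(DEFAULT_NONCE_BYTES));
        checker.setOcspExtensions(exts);
    }
}
```

The checker to pass in is obtained with `(PKIXRevocationChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker()` and then added to the `PKIXParameters` via `addCertPathChecker`.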


