RFR: 8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts [v3]

Sean Mullan mullan at openjdk.org
Mon May 22 16:02:54 UTC 2023

On Fri, 19 May 2023 20:05:07 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:

>> This set of enhancements extends the allowed syntax for the `com.sun.security.ocsp.timeout`, `com.sun.security.crl.timeout` and `com.sun.security.crl.readtimeout` System properties.  These properties retain their current behavior where a purely numeric value is interpreted in seconds, but now the numeric value may also be appended with "ms" (case-insensitive) to be interpreted as milliseconds.
>> This enhancement also adds two new System properties: `com.sun.security.cert.timeout` and `com.sun.security.cert.readtimeout` which follow the same new allowed syntax.  These timeouts only come into play when an AIA extension on a certificate is followed for pulling the issuing authority certificate and only when the `com.sun.security.enableAIAcaIssuers` property is true (default false).
>> JBS: https://bugs.openjdk.org/browse/JDK-8179502
>> CSR: https://bugs.openjdk.org/browse/JDK-8300722
> Jamil Nimeh has updated the pull request incrementally with one additional commit since the last revision:
>   Add OCSP readtimeout property

src/java.base/share/classes/sun/security/action/GetPropertyAction.java line 186:

> 184:         }
> 185: 
> 186:         String propVal = System.getProperty(prop, "").trim();

You should call `privilegedGetProperty` here instead of `System.getProperty` so the call is wrapped in `doPrivileged` when an SM is active.

src/java.base/share/classes/sun/security/action/GetPropertyAction.java line 202:

> 200:         // Next check to make sure the string is built only from digits
> 201:         if (propVal.matches("^\\d+$")) {
> 202:             int timeout = Integer.parseInt(propVal);
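
Review bot: At line 202, the `propVal.matches("^\\d+$")` check on line 201 only establishes that the string is all digits, not that the value fits in an `int`. A digit run larger than `Integer.MAX_VALUE` passes the pattern, and `Integer.parseInt(propVal)` then throws `NumberFormatException`. Suggest catching the exception and falling back to the default, or bounding the number of digits the pattern accepts.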

Is this guaranteed never to throw `NumberFormatException`? It might be safer to catch it just in case.


PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1200714709
PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1200716014
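
An added example, not code from the pull request or the JDK: a stand-alone parser for the timeout syntax described in the quoted PR summary (plain digits read as seconds, digits followed by a case-insensitive "ms" read as milliseconds), written so that malformed or out-of-range input cannot raise an exception. The class and method names, the fall-back-to-default behaviour and the sample values are assumptions made for illustration.

```java
import java.util.Locale;

public class TimeoutPropertyDemo {

    /**
     * Parses a timeout value: digits only means seconds, digits followed by
     * "ms" (any case) means milliseconds. Returns milliseconds, or
     * defaultMillis when the value is missing, malformed or out of int range.
     * Falling back to a default is an assumption of this example.
     */
    static int parseTimeoutMillis(String raw, int defaultMillis) {
        if (raw == null) {
            return defaultMillis;
        }
        String val = raw.trim().toLowerCase(Locale.ROOT);
        boolean isMillis = val.endsWith("ms");
        String digits = isMillis ? val.substring(0, val.length() - 2) : val;
        // Reject anything that is not a non-empty run of ASCII digits
        // (signs, decimals, embedded spaces and a bare "ms" all fail here).
        if (digits.isEmpty()
                || !digits.chars().allMatch(c -> c >= '0' && c <= '9')) {
            return defaultMillis;
        }
        try {
            // Parse as long, then narrow with overflow checks, so that a
            // digits-only string too large for an int cannot escape as an
            // unchecked exception.
            long n = Long.parseLong(digits);
            long millis = isMillis ? n : Math.multiplyExact(n, 1000L);
            return Math.toIntExact(millis);
        } catch (ArithmeticException | NumberFormatException e) {
            return defaultMillis;
        }
    }

    public static void main(String[] args) {
        int dflt = 15_000; // constructed default, not the JDK's value
        // Constructed sample inputs covering valid and invalid forms.
        String[] samples = {"10", "2500ms", "750MS", " 30 ", "ms", "1.5",
                            "-5", "99999999999", "3000000"};
        for (String s : samples) {
            System.out.printf("%-14s -> %d ms%n",
                    "\"" + s + "\"", parseTimeoutMillis(s, dflt));
        }
    }
}
```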
