RFR: 8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts [v5]
Sean Mullan
mullan at openjdk.org
Tue May 23 15:30:18 UTC 2023
On Mon, 22 May 2023 21:55:12 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:
>> This set of enhancements extends the allowed syntax for the `com.sun.security.ocsp.timeout`, `com.sun.security.crl.timeout` and `com.sun.security.crl.readtimeout` System properties. These properties retain their current behavior where a purely numeric value is interpreted in seconds, but now the numeric value may also be appended with "ms" (case-insensitive) to be interpreted as milliseconds.
>>
>> This enhancement also adds two new System properties: `com.sun.security.cert.timeout` and `com.sun.security.cert.readtimeout` which follow the same new allowed syntax. These timeouts only come into play when an AIA extension on a certificate is followed for pulling the issuing authority certificate and only when the `com.sun.security.enableAIAcaIssuers` property is true (default false).
>>
>> JBS: https://bugs.openjdk.org/browse/JDK-8179502
>> CSR: https://bugs.openjdk.org/browse/JDK-8300722
>
> Jamil Nimeh has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains eight additional commits since the last revision:
>
> - Add additional debug message in timeout property parser
> - Merge with main
> - Use privilegedGetProperty, catch NFE following string match
> - Add OCSP readtimeout property
> - Add 's' suffix to allowed syntax
> - Fix more whitespace errors
> - Fix whitespace errors
> - 8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts
Looks good. I think there may be value in moving some of the test code into the testlibrary, like the AIA and CRL https servers so other tests can use it, but we can explore that more later if the opportunity arises.
-------------
Marked as reviewed by mullan (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/13762#pullrequestreview-1439694604
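
The following parser accepts the property syntax described in the quoted pull request text: a bare number read as seconds, or a number followed by "s" or "ms" (case-insensitive). It is an added example, not code from the pull request or the JDK; the class and method names, the fallback to a default for malformed or oversized values, and the 15-second default are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TimeoutSyntaxDemo {
    // Digits, then an optional "s" or "ms" suffix, matched case-insensitively.
    private static final Pattern SYNTAX =
            Pattern.compile("^(\\d+)(ms|s)?$", Pattern.CASE_INSENSITIVE);

    /** Returns the timeout in milliseconds, or defaultMs if the value is unusable. */
    static int parseTimeoutMillis(String value, int defaultMs) {
        if (value == null || value.isEmpty()) {
            return defaultMs;
        }
        Matcher m = SYNTAX.matcher(value.trim());
        if (!m.matches()) {
            return defaultMs; // assumption: malformed input falls back to the default
        }
        try {
            long n = Long.parseLong(m.group(1));
            String suffix = m.group(2);
            boolean isMillis = suffix != null && suffix.equalsIgnoreCase("ms");
            // Bare numbers and the "s" suffix are seconds; "ms" is milliseconds.
            long ms = isMillis ? n : Math.multiplyExact(n, 1000L);
            // assumption: values that do not fit in an int fall back to the default
            return ms > Integer.MAX_VALUE ? defaultMs : (int) ms;
        } catch (NumberFormatException | ArithmeticException e) {
            // \d+ can match a digit string too large for a long, so the
            // NumberFormatException is still caught after the pattern match.
            return defaultMs;
        }
    }

    public static void main(String[] args) {
        int def = 15_000; // constructed default for this demo, not the JDK's value
        // Constructed sample values covering each accepted and rejected form.
        String[] samples = {"10", "10s", "250ms", "250MS", "1.5", "-3",
                            "99999999999999999999", null};
        for (String s : samples) {
            System.out.printf("%-22s -> %d ms%n", s, parseTimeoutMillis(s, def));
        }
    }
}
```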