On Wed, 30 Dec 2020 23:33:14 GMT, Jamil Nimeh <jni...@openjdk.org> wrote:

>> This enhancement allows the underlying OCSP subsystem to submit OCSP 
>> requests using HTTP GET when the request is less than or equal to 255 bytes 
>> as documented in RFC 6960 and clarified in RFC 5019.
>
> Jamil Nimeh has updated the pull request with a new target base due to a 
> merge or a rebase. The incremental webrev excludes the unrelated changes 
> brought in by the merge/rebase. The pull request contains four additional 
> commits since the last revision:
> 
>  - Merge
>  - Change IO to use readExactlyNBytes method
>  - Merge
>  - 8179503: Java should support GET OCSP calls

src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 235:

> 233: 
> 234:         URL url;
> 235:         HttpURLConnection con;

I was just wondering if the new HttpClient APIs could be used here?  Maybe it 
is out of the scope of this update.

src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 237:

> 235:         HttpURLConnection con;
> 236:         String encodedGetReq = responderURI.toString() + "/" +
> 237:                 URLEncoder.encode(Base64.getMimeEncoder(0, new byte[0]).

I did not get the point of using the MIME encoder.  Is the basic Base64 encoder 
sufficient here?

src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 240:

> 238:                         encodeToString(bytes), "UTF-8");
> 239: 
> 240:         if (encodedGetReq.length() <= 255) {

If the request is less than 256 bytes, the GET method will be used.  RFC 6960 
declares this as a "MAY" feature ("To enable HTTP caching, small requests ... MAY 
be submitted using GET").  Although RFC 5019 declares it as a "MUST" feature 
("When sending requests that are less than or equal to 255 bytes ... clients 
MUST use the GET method"), RFC 5019 was released before RFC 6960.  I'm not 
very sure whether there are interop issues where a server may not accept the 
"GET" method for some reason.  I don't worry about it too much, but just to be 
sure you have considered the cases.

src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 275:

> 273:             contentLength = Integer.MAX_VALUE;
> 274:         }
> 275: 

Is there a leak if the URL connection is not closed?

-------------

PR: https://git.openjdk.java.net/jdk/pull/1760
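The two review points above (whether the MIME encoder is needed, and the 255-byte GET threshold) can be checked without touching the JDK sources. The following is an added, stand-alone example written for this discussion; it is not code from the pull request or from the JDK. It assumes a placeholder responder URL (`http://ocsp.example.com`) and constructs byte arrays as stand-ins for a DER-encoded `OCSPRequest`; the method names (`buildGetUrl`, `chooseMethod`) are the example's own. It builds the GET form from RFC 6960 Appendix A ("{url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest}"), applies the RFC 5019 rule that the whole URL must be at most 255 bytes, and shows that `Base64.getMimeEncoder(0, new byte[0])` produces exactly the same output as `Base64.getEncoder()`, whereas the default MIME encoder would insert CRLF line breaks that have no place in a URL.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example (not JDK code): selecting OCSP-over-HTTP GET versus POST
 * following RFC 6960 Appendix A.1 and RFC 5019 section 5.
 */
public class OcspGetUrlExample {

    /** RFC 5019: GET only when the complete URL is at most 255 bytes. */
    static final int MAX_GET_URL_LENGTH = 255;

    /** Outcome of the method selection: the HTTP method and the URL to use. */
    static final class Choice {
        final String method;
        final String url;
        Choice(String method, String url) { this.method = method; this.url = url; }
    }

    /**
     * Builds the RFC 6960 Appendix A GET form:
     * {url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest}
     */
    static String buildGetUrl(URI responderUri, byte[] derRequest) {
        // The basic encoder never emits line separators, so it is enough here.
        String b64 = Base64.getEncoder().encodeToString(derRequest);
        // URLEncoder escapes '+', '/' and '=' (as %2B, %2F, %3D), all of which
        // appear in base64 output; base64 contains no spaces, so the form
        // encoder's space-to-'+' rule never applies.
        String escaped = URLEncoder.encode(b64, StandardCharsets.UTF_8);
        String base = responderUri.toString();
        return base.endsWith("/") ? base + escaped : base + "/" + escaped;
    }

    /** Uses GET when the whole URL fits the RFC 5019 limit, otherwise POST. */
    static Choice chooseMethod(URI responderUri, byte[] derRequest) {
        String getUrl = buildGetUrl(responderUri, derRequest);
        if (getUrl.length() <= MAX_GET_URL_LENGTH) {
            return new Choice("GET", getUrl);
        }
        // POST sends the DER request as the body to the responder URL itself.
        return new Choice("POST", responderUri.toString());
    }

    /** MIME encoder with line length 0 and an empty separator == basic encoder. */
    static boolean mimeNoWrapEqualsBasic(byte[] data) {
        String basic = Base64.getEncoder().encodeToString(data);
        String mimeNoWrap = Base64.getMimeEncoder(0, new byte[0]).encodeToString(data);
        return basic.equals(mimeNoWrap);
    }

    /** The default MIME encoder wraps at 76 characters with CRLF. */
    static boolean defaultMimeInsertsLineBreaks(byte[] data) {
        return Base64.getMimeEncoder().encodeToString(data).contains("\r\n");
    }

    public static void main(String[] args) {
        URI responder = URI.create("http://ocsp.example.com"); // placeholder responder

        // Constructed stand-ins for DER-encoded OCSPRequest structures (not real
        // DER): 60 bytes encodes to 80 base64 characters and stays under the
        // limit; 400 bytes encodes to 536 characters and must fall back to POST.
        byte[] smallRequest = new byte[60];
        byte[] largeRequest = new byte[400];
        for (int i = 0; i < smallRequest.length; i++) smallRequest[i] = (byte) (i * 7);
        for (int i = 0; i < largeRequest.length; i++) largeRequest[i] = (byte) (i * 13);

        Choice small = chooseMethod(responder, smallRequest);
        Choice large = chooseMethod(responder, largeRequest);
        System.out.println("small request -> " + small.method + " (" + small.url.length() + " chars)");
        System.out.println("large request -> " + large.method);
        System.out.println("MIME(0, {}) equals basic encoder: " + mimeNoWrapEqualsBasic(largeRequest));
        System.out.println("default MIME encoder wraps lines: " + defaultMimeInsertsLineBreaks(largeRequest));
    }
}
```

Running this prints GET for the 60-byte request and POST for the 400-byte one, `true` for the "MIME(0, {}) equals basic encoder" line, and `true` for the default-wrapping line. The last two answer the encoder question directly: with a line length of 0 and an empty separator the MIME encoder is behaviourally identical to `Base64.getEncoder()`, so the basic encoder is sufficient, and the MIME variant only matters if someone later drops the `(0, new byte[0])` arguments, at which point CRLFs would land inside the URL. On the interop point, the fallback to POST is the safety net: any responder that rejects GET can still be reached by keeping the POST path intact and only preferring GET for requests within the limit.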
