Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol… [v2]

Thu, 14 Jan 2021 07:08:53 -0800 

On Tue, 12 Jan 2021 19:18:18 GMT, Hai-May Chao <hc...@openjdk.org> wrote:

>> This enhancement adds support for the nonce extension in OCSP request 
>> extensions by system property jdk.security.certpath.ocspNonce.
>> 
>> Please review the CSR at:
>> https://bugs.openjdk.java.net/browse/JDK-8257766
>
> Hai-May Chao has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   update to use List.of() and typo changes

Changes requested by mullan (Reviewer).

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java
 line 88:

> 86:         boolean ocspNonce;
> 87:     }
> 88:     private RevocationProperties rp;

I think this field could be `final`.

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java
 line 107:

> 105: 
> 106:     private void setDefaultNonce() {
> 107:         byte[] nonce = null;

This variable looks like it is not used and can be removed.

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java
 line 109:

> 107:         byte[] nonce = null;
> 108: 
> 109:         // Set the nonce by default in OCSP request extension when the 
> sytem property

Typo: s/sytem/system/

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java
 line 113:

> 111:         if (rp.ocspNonce) {
> 112:             try {
> 113:                 setOcspExtensions(List.of(new 
> OCSPNonceExtension(DEFAULT_NONCE_BYTES)));

I don't think we should use the `PKIXRevocationChecker.setOcspExtensions()` API 
to add an OCSP Nonce extension. That API is intended to be called by 
applications. I think the Nonce extension should be set by the implementation 
only and not exposed via the standard API. Also, a nonce should be unique for 
each OCSP request, but setting it here means that it could re-use the same 
nonce for different OCSP requests.

I think a better place to create/add the OCSPExtension is in the `checkOCSP` 
method, and the extension should be created each time that method is called (if 
the system property is enabled), so a new nonce is created for each OCSP 
request.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2039

Reply via email to