On Fri, 15 Jan 2021 23:09:26 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
>> This enhancement adds support for the nonce extension in OCSP request
>> extensions by system property jdk.security.certpath.ocspNonce.
>>
>> Please review the CSR at:
>> https://bugs.openjdk.java.net/browse/JDK-8257766
>
> Hai-May Chao has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   Nonce creation is done in checkOCSP method

Changes requested by mullan (Reviewer).

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java line 762:

> 760:             } catch (IOException e) {
> 761:                 throw new CertPathValidatorException("Failed to create the default nonce " +
> 762:                         "in OCSP entensions");

Typo: s/entensions/extensions/

Also, use the `CertPathValidatorException(String, Throwable)` ctor instead and pass the `IOException` as the 2nd parameter.

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java line 755:

> 753:             // create the 16-byte nonce by default
> 754:             Extension nonceExt = new OCSPNonceExtension(DEFAULT_NONCE_BYTES);
> 755:             tmpExtensions.add(nonceExt);

I think you should add the OCSPNonce extension to the list of extensions that the application passed in, as there may be other extensions that have been specified and should be sent in the OCSP response, ex:

`ocspExtensions.add(new OCSPNonceExtension(DEFAULT_NONCE_BYTES));`

This means you don't need the `tmpExtensions` variable.

src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java line 779:

> 777:             response = OCSP.check(Collections.singletonList(certId),
> 778:                     responderURI, issuerInfo, responderCert, null,
> 779:                     rp.ocspNonce ? tmpExtensions : ocspExtensions, params.variant());

Here you can just pass in `ocspExtensions` since it will contain the nonce if the property has been set.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2039
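Added example, not code from the PR or the JDK: it shows the reviewer's suggested shape (append the nonce to the caller's own extension list rather than a temporary one) together with the replay check the nonce exists for. `OcspNonce`, `requestExtensions` and `nonceEchoed` are constructed stand-ins; the JDK's `OCSPNonceExtension` is internal and is not used here.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.security.SecureRandom;
import java.security.cert.Extension;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Constructed stand-in for the JDK-internal OCSPNonceExtension: id-pkix-ocsp-nonce (RFC 6960 4.4.1). */
final class OcspNonce implements Extension {
    static final String OID = "1.3.6.1.5.5.7.48.1.2";
    // DER of that OID: tag 0x06, length 9, arcs 1.3=0x2B, 6, 1, 5, 5, 7, 48=0x30, 1, 2
    private static final byte[] OID_DER = {0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02};
    private final byte[] nonce;

    OcspNonce(int length) {            // 16 bytes as in the PR; must stay < 128 for the short-form DER lengths used below
        nonce = new byte[length];
        new SecureRandom().nextBytes(nonce);
    }
    @Override public String getId() { return OID; }
    @Override public boolean isCritical() { return false; }
    /** extnValue is the nonce wrapped in a DER OCTET STRING, as RFC 6960 requires. */
    @Override public byte[] getValue() { return octetString(nonce); }
    /** Full DER Extension: SEQUENCE { extnID, extnValue }; critical is omitted because FALSE is the DEFAULT. */
    @Override public void encode(OutputStream out) throws IOException {
        byte[] body = concat(OID_DER, octetString(getValue()));
        out.write(concat(new byte[] {0x30, (byte) body.length}, body));
    }
    static byte[] octetString(byte[] c) { return concat(new byte[] {0x04, (byte) c.length}, c); }
    static byte[] concat(byte[] a, byte[] b) {
        byte[] r = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, r, a.length, b.length);
        return r;
    }
}

final class OcspNonceDemo {
    /** Reviewer's point: add the nonce to the application's list so its other extensions still go out; no tmpExtensions. */
    static List<Extension> requestExtensions(List<Extension> ocspExtensions, boolean ocspNonce) {
        List<Extension> exts = new ArrayList<>(ocspExtensions);
        if (ocspNonce) exts.add(new OcspNonce(16));
        return exts;
    }
    /** Replay defence: the responder must echo exactly the extnValue that was sent; missing or different fails. */
    static boolean nonceEchoed(OcspNonce sent, byte[] responseExtnValue) {
        return responseExtnValue != null && Arrays.equals(sent.getValue(), responseExtnValue);
    }
    public static void main(String[] args) {
        boolean enabled = Boolean.getBoolean("jdk.security.certpath.ocspNonce"); // the property the PR introduces
        System.out.println("extensions sent: " + requestExtensions(List.of(), enabled).size());
        OcspNonce n = new OcspNonce(16);                                          // same nonce -> true, fresh one -> false
        System.out.println(nonceEchoed(n, n.getValue()) + " " + nonceEchoed(n, new OcspNonce(16).getValue()));
    }
}
```

Run with `java -Djdk.security.certpath.ocspNonce=true OcspNonceDemo.java` to see the nonce appended; without the property the caller's list is passed through unchanged.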