8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts

[jnimeh]

This set of enhancements extends the allowed syntax for the com.sun.security.ocsp.timeout, com.sun.security.crl.timeout and com.sun.security.crl.readtimeout System properties. These properties retain their current behavior where a purely numeric value is interpreted in seconds, but now the numeric value may also be appended with "ms" (case-insensitive) to be interpreted as milliseconds.

This enhancement also adds two new System properties: com.sun.security.cert.timeout and com.sun.security.cert.readtimeout which follow the same new allowed syntax. These timeouts only come into play when an AIA extension on a certificate is followed for pulling the issuing authority certificate and only when the com.sun.security.enableAIAcaIssuers property is true (default false).

JBS: https://bugs.openjdk.org/browse/JDK-8179502
CSR: https://bugs.openjdk.org/browse/JDK-8300722

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change requires CSR request JDK-8300722 to be approved

Issues

• JDK-8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts
• JDK-8300722: Enhance OCSP, CRL and Certificate Fetch Timeouts (CSR)

Reviewers

• Sean Mullan (@seanjmullan - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/13762/head:pull/13762
$ git checkout pull/13762

Update a local copy of the PR:
$ git checkout pull/13762
$ git pull https://git.openjdk.org/jdk.git pull/13762/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 13762

View PR using the GUI difftool:
$ git pr show -t 13762

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/13762.diff

Webrev

Link to Webrev Comment

[jnimeh]

/issue 8179502

[jnimeh]

/csr needed

[bridgekeeper]

👋 Welcome back jnimeh! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@jnimeh This issue is referenced in the PR title - it will now be updated.

[openjdk]

@jnimeh an approved CSR request is already required for this pull request.

[openjdk]

@jnimeh The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 04: Full - Incremental (659da859)
• 03: Full - Incremental (e73818ef)
• 02: Full - Incremental (81c7cb35)
• 01: Full - Incremental (3c524e17)
• 00: Full (3e0f5822)

[wangweij]

Shall we allow the s suffix as well? This makes it clear that a value is in seconds.

[jnimeh]

Well, all the existing documentation already states that they are in seconds. That was why I didn't add any additional suffixes. The goal was to make it so folks don't need to make any changes if the existing seconds-level granularity is sufficient for them.

[wangweij]

I don't mean not to support bare numbers. It's just a little unfair that millisecond has a suffix but second does not. We can support all of "1", "1s", and "1000ms".

[jnimeh]

Okay, we can make that change.

[seanjmullan]

I think you should also apply the cert and CRL timeouts to the LDAPCertStore implementation, using the JNDI properties: com.sun.jndi.ldap.connect.timeout and com.sun.jndi.ldap.read.timeout.

[seanjmullan]

I see there is no way to individually control the OCSP read and connect timeouts like there is for certs and CRLs. Perhaps this isn't as big an issue, but when you set the OCSP timeout, it really means 2x what you set.

[jnimeh]

Yes, I noticed that too. I wasn't sure if we needed to make a change there. I opted to leave well-enough alone since nobody was asking for it and it's one less property to keep track of. All of these property sets end up with a max latency of connect-timeout + read-timeout, and by default they are set to the same values. So in practice much of the time they are all 2x.

It's easy enough I think to make a separate property for com.sun.security.ocsp.readtimeout and then the existing .timeout property would be for connect timeouts (keeping in line with the other props). I don't think it will introduce significant risk but I will highlight that in the CSR.

[jnimeh]

I think you should also apply the cert and CRL timeouts to the LDAPCertStore implementation, using the JNDI properties: com.sun.jndi.ldap.connect.timeout and com.sun.jndi.ldap.read.timeout.

I will look into this.

[jnimeh]

I've added the OCSP readtimeout property, seems to be working well. As discussed offline we'll hold off on the LDAP changes for now.

[seanjmullan]

You should call privilegedGetProperty here instead of System.getProperty so the call is wrapped in doPrivileged when an SM is active.

[jnimeh]

Good catch. Will fix.

[seanjmullan]

Is this guaranteed never to throw NumberFormatException? It might be safer to catch it just in case.

[jnimeh]

I'll change this to catch NFE, but I'm pretty sure the pattern will only ever return true if the string is comprised solely of digits from start to end - I could never get a string that would pass when it shouldn't. But point taken, better safe than sorry.

[jnimeh]

@seanjmullan if you have a chance would you mind taking a quick look at the release note for this change? (https://bugs.openjdk.org/browse/JDK-8308582)
It is pretty close to the CSR solution text, but I tried to trim it down a little. It's still pretty long, but there's a lot to convey.

[seanjmullan]

This would also be useful debug for the else case on line 214-216 if the value is not an integer.

[jnimeh]

Sounds good, I can add that.

[seanjmullan]

Does 15 seconds make sense as the default timeout, especially for certs? CRLs are generally larger than certs, so a longer read timeout makes sense.

I'm ok with keeping these default values the same for consistency, but I think we should re-evaluate each of these default timeouts and compare them to other products/technologies to see if some adjustments may be needed - can you file a follow-on RFE for that?

[jnimeh]

Yes, I can make a follow on for that.

[jnimeh]

Filed https://bugs.openjdk.org/browse/JDK-8308601

[seanjmullan]

Looks good. I think there may be value in moving some of the test code into the testlibrary, like the AIA and CRL https servers so other tests can use it, but we can explore that more later if the opportunity arises.

[openjdk]

@jnimeh This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts

Reviewed-by: mullan

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 18 new commits pushed to the master branch:

• 9e196b3: 8308565: HttpClient: Sanitize logging while stopping
• 582ddeb: 8308545: java/net/httpclient/ShutdownNow.java fails with "stream 1 cancelled"
• 1cfb265: 8307814: In the case of two methods with Record Patterns, the second one contains a line number from the first method
• eb11508: 8308281: Java snippets in the FFM API need to be updated
• 26227a6: 8305073: Fix VerifyLoopOptimizations - step 2 - verify idom
• 80d7de7: 8305582: Compiler crash when compiling record patterns with var
• e559613: 8308500: ZStatSubPhase::register_start should not call register_gc_phase_start if ZAbort::should_abort()
• bdd2402: 8260943: C2 SuperWord: Remove dead vectorization optimization added by 8076284
• 4f0f776: 8308403: [s390x] separate remaining_cargs from z_abi_160
• 06b0a5e: 8302652: [SuperWord] Reduction should happen after loop, when possible
• ... and 8 more: https://git.openjdk.org/jdk/compare/8474e693b4404ba62927fe0e43e68b904d66fbde...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[jnimeh]

/integrate

[openjdk]

Going to push as commit 2836c34.
Since your change was applied there have been 28 commits pushed to the master branch:

• 8ffa264: 8306698: Add overloads to MethodTypeDesc::of
• 6b27dad: 8301154: SunPKCS11 KeyStore deleteEntry results in dangling PrivateKey entries
• ed0e956: 8308716: ProblemList java/util/concurrent/ScheduledThreadPoolExecutor/BasicCancelTest.java with genzgc on windows-x64
• bddf483: 8303942: os::write should write completely
• ab241b3: 8306706: Support out-of-line code generation for MachNodes
• 710453c: 8308016: Use snippets in java.io package
• e9320f3: 8308116: jdk.test.lib.compiler.InMemoryJavaCompiler.compile does not close files
• 97d3b27: 8307523: [vectorapi] Optimize MaskFromLongBenchmark.java
• bb0ff48: 8305091: Change ChaCha20 cipher init behavior to match AES-GCM
• c0c4d77: 8308544: Fix compilation regression from JDK-8306983 on musl libc
• ... and 18 more: https://git.openjdk.org/jdk/compare/8474e693b4404ba62927fe0e43e68b904d66fbde...master

Your commit was automatically rebased without conflicts.

[openjdk]

@jnimeh Pushed as commit 2836c34.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.