8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension #2039
Conversation
👋 Welcome back hchao! A progress list of the required criteria for merging this PR into
@haimaychao The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.
Webrevs
In general it looks pretty good. Just a couple small comments.
@@ -121,12 +123,13 @@ public OCSPNonceExtension(byte[] incomingNonce) throws IOException { | |||
* @param isCritical a boolean flag indicating whether the criticality bit | |||
* is set for this extension | |||
* @param incomingNonce The nonce data to be set for the extension. This | |||
* must be a non-null array of at least one byte long. | |||
* must be a non-null array of at least one byte long and can be upto |
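Review bot: the @param incomingNonce text at the end of this hunk has the typo "upto" (should be "up to") and should state the bound exactly rather than approximately: RFC 8954 section 2.1 allows 1 to 32 octets. Since the constructor is declared `throws IOException`, also document what happens to an array outside that range (throwing that IOException is the natural choice), so callers know an out-of-range nonce is rejected rather than adjusted.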
typo: "upto" -> "up to"
fixed.
if (incomingNonce.length > 0) { | ||
// RFC 8954, section 2.1: the length of the nonce MUST be at least 1 octet | ||
// and can be up to 32 octets. | ||
if (incomingNonce.length > 0 && incomingNonce.length <=32) { |
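Review bot: the upper bound in `incomingNonce.length <=32` is a magic number with inconsistent spacing; define named constants for the RFC 8954 minimum and maximum and use them in both this check and the Javadoc so the two cannot drift, e.g. `if (incomingNonce.length >= MIN_NONCE_LEN && incomingNonce.length <= MAX_NONCE_LEN)`. If the else branch of this condition does not already throw IOException, it should: a nonce that is quietly dropped or shortened leaves the caller believing it has replay protection it does not have.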
nit: space after the <= to be consistent with style elsewhere
fixed.
|
||
tmpExtensions = new ArrayList<Extension>(); | ||
tmpExtensions.add(nonceExt); | ||
setOcspExtensions(tmpExtensions); |
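Review bot: `setOcspExtensions(tmpExtensions)` replaces whatever extension list the application configured through the public PKIXRevocationChecker.setOcspExtensions() API, so any application-supplied OCSP extensions are silently discarded whenever the nonce property is on; merge the nonce into the existing list instead of overwriting it. Minor: `new ArrayList<Extension>()` can use the diamond, and these three lines collapse to one if the list is built in place.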
It seems like you could collapse 113 - 118 into something like:
setOcspExtensions(List.of(new OCSPNonceExtension(DEFAULT_NONCE_BYTES)));
At the very least, it looks like you could do away with 113, since you immediately change the value of the tmpExtensions reference on 116.
collapsing done.
Thanks for the review, Jamil. I've updated with all of your comments.
@@ -47,6 +47,7 @@ | |||
|
|||
public static void main(String[] args) throws Exception { | |||
|
|||
System.setProperty("jdk.security.certpath.ocspNonce", "true"); |
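Review bot: this hunk enables jdk.security.certpath.ocspNonce but nothing visible checks the outcome, so a responder that ignores the nonce would still pass the test unchanged. Add a comment stating why the property is set in this test, and assert that the nonce returned by the test responder equals the one sent, so the test exercises the nonce path rather than just sending an extra request extension.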
Trying to understand this change - why do we need this change and only in a couple of tests? Did these tests fail with your change?
No, these tests did not fail with my changes. These two tests are being changed to set the system property jdk.security.certpath.ocspNonce=true in order to send the nonce, as the responders in these tests will take the nonce and return it in their responses, so we could test the benefit of having the nonce extension set.
Looks good.
} | ||
private RevocationProperties rp; |
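Review bot: `rp` is assigned outside the constructor (the later hunk calls `init(anchor, params)`, which is why making it final fails), so the checker's OCSP-nonce policy stays mutable after construction. Have init(...) return the RevocationProperties and assign it in the constructor, `this.rp = init(anchor, params);`; then the field can be final and the policy is fixed for the checker's lifetime.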
I think this field could be final.
No change made due to getting an error: cannot assign a value to final variable rp.
init(anchor, params); | ||
} | ||
|
||
private void setDefaultNonce() { | ||
byte[] nonce = null; |
This variable looks like it is not used and can be removed.
The setDefaultNonce() method is removed.
private void setDefaultNonce() { | ||
byte[] nonce = null; | ||
|
||
// Set the nonce by default in OCSP request extension when the sytem property |
Typo: s/sytem/system/
The setDefaultNonce() method is removed as creating nonce is done in checkOCSP() method now.
// jdk.security.certpath.ocspNonce=true. | ||
if (rp.ocspNonce) { | ||
try { | ||
setOcspExtensions(List.of(new OCSPNonceExtension(DEFAULT_NONCE_BYTES))); |
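Review bot: this creates the nonce once, when the checker is initialised, and installs it through setOcspExtensions(), so every OCSP request made by this checker carries the same nonce value; that removes the per-request freshness a nonce exists to provide and lets a captured response be replayed against later requests from the same checker. Generate a new OCSPNonceExtension inside checkOCSP() for each request instead, and keep the nonce out of the public setOcspExtensions() list, which is application-facing.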
I don't think we should use the PKIXRevocationChecker.setOcspExtensions()
API to add an OCSP Nonce extension. That API is intended to be called by applications. I think the Nonce extension should be set by the implementation only and not exposed via the standard API. Also, a nonce should be unique for each OCSP request, but setting it here means that it could re-use the same nonce for different OCSP requests.
I think a better place to create/add the OCSPExtension is in the checkOCSP
method, and the extension should be created each time that method is called (if the system property is enabled), so a new nonce is created for each OCSP request.
Creating the nonce is moved to checkOCSP() method.
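The two requirements discussed in this thread, a nonce of 1 to 32 octets per RFC 8954 section 2.1 and a fresh nonce for every OCSP request that is then compared with what the responder echoes back, can be shown in a small stand-alone program. This is an added example, not code from this PR or from the JDK's sun.security.provider.certpath classes; the class and method names (OcspNonceExample, newNonce, encodeNonceExtension, responseMatches) and the 16-byte default are assumptions, and the DER encoding is done by hand so it runs without the JDK-internal DerValue classes.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

/*
 * Added example, not JDK or PR code: one OCSP nonce per request, bounded to
 * 1..32 octets as RFC 8954 section 2.1 requires, DER-encoded by hand and
 * checked against the value a responder echoes back. Names are assumptions.
 */
public final class OcspNonceExample {

    // id-pkix-ocsp-nonce = 1.3.6.1.5.5.7.48.1.2, as DER OID content octets
    static final byte[] OID_OCSP_NONCE =
            {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02};
    static final int MIN_NONCE_BYTES = 1;      // RFC 8954, section 2.1
    static final int MAX_NONCE_BYTES = 32;     // RFC 8954, section 2.1
    static final int DEFAULT_NONCE_BYTES = 16; // assumed default for this example

    private static final SecureRandom RNG = new SecureRandom();

    /** Fresh random nonce for exactly one request; callers must not reuse it. */
    static byte[] newNonce(int length) {
        if (length < MIN_NONCE_BYTES || length > MAX_NONCE_BYTES) {
            throw new IllegalArgumentException("nonce length must be in ["
                    + MIN_NONCE_BYTES + ", " + MAX_NONCE_BYTES + "], got " + length);
        }
        byte[] nonce = new byte[length];
        RNG.nextBytes(nonce);
        return nonce;
    }

    /**
     * Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, extnValue OCTET STRING }
     * where extnValue holds DER(Nonce) and Nonce ::= OCTET STRING (SIZE(1..32)),
     * so the nonce bytes end up inside two OCTET STRINGs. The extension is
     * non-critical, so the critical BOOLEAN (DEFAULT FALSE) is omitted.
     */
    static byte[] encodeNonceExtension(byte[] nonce) {
        if (nonce.length < MIN_NONCE_BYTES || nonce.length > MAX_NONCE_BYTES) {
            throw new IllegalArgumentException("nonce outside RFC 8954 size bounds");
        }
        byte[] extnId = der(0x06, OID_OCSP_NONCE);
        byte[] extnValue = der(0x04, der(0x04, nonce));
        return der(0x30, concat(extnId, extnValue));
    }

    /** Nonce bytes from a response extension's extnValue TLV, or null if malformed. */
    static byte[] decodeNonceExtnValue(byte[] extnValueTlv) {
        byte[] nonceDer = unwrap(extnValueTlv, 0x04);   // extnValue OCTET STRING
        if (nonceDer == null) return null;
        byte[] nonce = unwrap(nonceDer, 0x04);          // Nonce OCTET STRING inside it
        if (nonce == null || nonce.length < MIN_NONCE_BYTES || nonce.length > MAX_NONCE_BYTES) {
            return null;
        }
        return nonce;
    }

    /**
     * The client-side check after the response arrives: the echoed nonce must be
     * present and identical to the one sent with this request. Constant-time
     * comparison so the position of a mismatch does not leak through timing.
     */
    static boolean responseMatches(byte[] sentNonce, byte[] echoedExtnValueTlv) {
        byte[] echoed = decodeNonceExtnValue(echoedExtnValueTlv);
        return echoed != null && MessageDigest.isEqual(sentNonce, echoed);
    }

    /** DER TLV with short-form length; enough here, a nonce extension is under 128 bytes. */
    static byte[] der(int tag, byte[] content) {
        if (content.length >= 0x80) {
            throw new IllegalArgumentException("long-form length not needed for this example");
        }
        return concat(new byte[] {(byte) tag, (byte) content.length}, content);
    }

    /** Content octets if tlv is exactly one short-form element with expectedTag, else null. */
    static byte[] unwrap(byte[] tlv, int expectedTag) {
        if (tlv == null || tlv.length < 2 || (tlv[0] & 0xff) != expectedTag) return null;
        int len = tlv[1] & 0xff;
        if (len >= 0x80 || 2 + len != tlv.length) return null; // long form, truncated or trailing bytes
        return Arrays.copyOfRange(tlv, 2, 2 + len);
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    public static void main(String[] args) {
        // Request 1: a fresh nonce goes into this request's extensions only.
        byte[] n1 = newNonce(DEFAULT_NONCE_BYTES);
        byte[] ext1 = encodeNonceExtension(n1);
        System.out.println("request 1 nonce extension: " + ext1.length + " bytes");

        // A conforming responder echoes the same Nonce in its response extensions (constructed here).
        byte[] goodEcho = der(0x04, der(0x04, n1));
        System.out.println("fresh echo accepted:    " + responseMatches(n1, goodEcho));

        // Request 2 gets its own nonce, so a replayed response for request 1 is rejected.
        byte[] n2 = newNonce(DEFAULT_NONCE_BYTES);
        System.out.println("replayed echo rejected: " + !responseMatches(n2, goodEcho));

        // A response whose nonce value is empty is rejected as well.
        System.out.println("empty echo rejected:    " + !responseMatches(n1, der(0x04, new byte[0])));
    }
}
```

The decoder only accepts the RFC 8954 form (a DER OCTET STRING inside extnValue); responders that predate the RFC and place the raw nonce bytes directly in extnValue would be rejected by this strict version, which is the safer default unless interoperability with such responders is required.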
@haimaychao This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 188 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@jnimeh, @seanjmullan) but any other Committer may sponsor as well. ➡️ To flag this PR as ready for integration with the above commit message, type
} | ||
} catch (IOException e) { | ||
throw new CertPathValidatorException("Failed to create the default nonce " + | ||
"in OCSP entensions"); |
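Review bot: the CertPathValidatorException thrown in this catch block drops the underlying IOException; use the (String, Throwable) constructor and pass `e` as the cause so callers can see why nonce creation failed, and fix "entensions" in the message. Failing the validation here rather than silently continuing without a nonce is the right fail-closed behaviour when the property asks for one, so keep that part.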
Typo: s/entensions/extensions/
Also, use the CertPathValidatorException(String, Throwable)
ctor instead and pass the IOException
as the 2nd parameter.
Fixed.
try { | ||
// create the 16-byte nonce by default | ||
Extension nonceExt = new OCSPNonceExtension(DEFAULT_NONCE_BYTES); | ||
tmpExtensions.add(nonceExt); |
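Review bot: the comment says "16-byte nonce" while the length actually comes from DEFAULT_NONCE_BYTES, so the two can drift apart; refer to the constant or drop the number. Also, this hunk appends to tmpExtensions without showing where that list is seeded from the application's ocspExtensions; make sure the application-supplied extensions are copied in first, otherwise they are not sent whenever the nonce is enabled.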
I think you should add the OCSPNonce extension to the list of extensions that the application passed in, as there may be other extensions that have been specified and should be sent in the OCSP response, ex:
ocspExtensions.add(new OCSPNonceExtension(DEFAULT_NONCE_BYTES));
This means you don't need the tmpExtensions
variable.
During testing, I got the "java.base/java.util.Collections$UnmodifiableCollection.add(Collections.java:1062)" exception with this line of change. I've changed to use a tmpExtensions variable when setting the OCSP nonce to the extension sets instead of modifying the ocspExtensions.
response = OCSP.check(Collections.singletonList(certId), | ||
responderURI, issuerInfo, responderCert, null, | ||
ocspExtensions, params.variant()); | ||
rp.ocspNonce ? tmpExtensions : ocspExtensions, params.variant()); |
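Review bot: the ternary `rp.ocspNonce ? tmpExtensions : ocspExtensions` inside the argument list relies on tmpExtensions being non-null whenever rp.ocspNonce is true; compute the list once into a single local before the call (e.g. `List<Extension> exts = rp.ocspNonce ? tmpExtensions : ocspExtensions;`) and pass that, which reads more clearly and keeps the nonce-bearing list at hand for checking that the response echoes the nonce that was sent.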
Here you can just pass in ocspExtensions
since it will contain the nonce if the property has been set.
No change as tmpExtensions is needed.
if (ocspExtensions.size() > 0) { | ||
tmpExtensions = new ArrayList<Extension>(ocspExtensions); | ||
} else { | ||
tmpExtensions = new ArrayList<Extension>(); | ||
} | ||
|
||
tmpExtensions.add(nonceExt); |
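Review bot: `ocspExtensions.size() > 0` reads better as `!ocspExtensions.isEmpty()`, and the empty branch can become `List.of(nonceExt)` since nothing is added after it. More importantly, when the application's list is non-empty it may already contain an id-pkix-ocsp-nonce extension set through setOcspExtensions(); appending unconditionally would send two nonce extensions in one request, so check for an existing nonce OID before adding the default one.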
If you only need the nonce, you could use List.of and save a little bit of memory, ex:
if (ocspExtensions.size() > 0) {
tmpExtensions = new ArrayList<Extension>(ocspExtensions);
tmpExtensions.add(nonceExt);
} else {
tmpExtensions = List.of(nonceExt);
}
Thanks for the review. Updated as suggested.
@@ -740,9 +746,43 @@ private void checkOCSP(X509Certificate cert, | |||
null, -1); | |||
} | |||
|
|||
List<Extension> tmpExtensions = Collections.<Extension>emptyList(); |
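Review bot: initialising tmpExtensions to `Collections.<Extension>emptyList()` is misleading because that list is immutable and any add() on it would throw UnsupportedOperationException; the code only works because the variable is reassigned before anything is added. Either initialise it to null, since it is only read under the rp.ocspNonce guard, or declare it at the point where the list is actually built.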
One other comment - I think you can just set this to null.
Fixed.
/integrate
@haimaychao
/sponsor
@seanjmullan @haimaychao Since your change was applied there have been 188 commits pushed to the
Your commit was automatically rebased without conflicts. Pushed as commit 8b95d95. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.
This enhancement adds support for the nonce extension in OCSP request extensions, enabled by the system property jdk.security.certpath.ocspNonce.
Please review the CSR at:
https://bugs.openjdk.java.net/browse/JDK-8257766
Download
$ git fetch https://git.openjdk.java.net/jdk pull/2039/head:pull/2039
$ git checkout pull/2039