Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension [v2]

Fri, 15 Jan 2021 15:17:06 -0800 

On Thu, 14 Jan 2021 14:35:25 GMT, Sean Mullan <[email protected]> wrote:

>> Hai-May Chao has updated the pull request incrementally with one additional 
>> commit since the last revision:
>> 
>>   update to use List.of() and typo changes
>
> src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java
>  line 88:
> 
>> 86:         boolean ocspNonce;
>> 87:     }
>> 88:     private RevocationProperties rp;
> 
> I think this field could be `final`.

No change made due to getting an error: cannot assign a value to final variable 
rp.

> src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java
>  line 107:
> 
>> 105: 
>> 106:     private void setDefaultNonce() {
>> 107:         byte[] nonce = null;
> 
> This variable looks like it is not used and can be removed.

The setDefaultNonce() method is removed.

> src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java
>  line 109:
> 
>> 107:         byte[] nonce = null;
>> 108: 
>> 109:         // Set the nonce by default in OCSP request extension when the 
>> sytem property
> 
> Typo: s/sytem/system/

The setDefaultNonce() method is removed as creating nonce is done in 
checkOCSP() method now.

> src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java
>  line 113:
> 
>> 111:         if (rp.ocspNonce) {
>> 112:             try {
>> 113:                 setOcspExtensions(List.of(new 
>> OCSPNonceExtension(DEFAULT_NONCE_BYTES)));
> 
> I don't think we should use the `PKIXRevocationChecker.setOcspExtensions()` 
> API to add an OCSP Nonce extension. That API is intended to be called by 
> applications. I think the Nonce extension should be set by the implementation 
> only and not exposed via the standard API. Also, a nonce should be unique for 
> each OCSP request, but setting it here means that it could re-use the same 
> nonce for different OCSP requests.
> 
> I think a better place to create/add the OCSPExtension is in the `checkOCSP` 
> method, and the extension should be created each time that method is called 
> (if the system property is enabled), so a new nonce is created for each OCSP 
> request.

Creating the nonce is moved to checkOCSP() method.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2039

Reply via email to