On Fri, 19 May 2023 20:05:07 GMT, Jamil Nimeh <jni...@openjdk.org> wrote:
>> This set of enhancements extends the allowed syntax for the >> `com.sun.security.ocsp.timeout`, `com.sun.security.crl.timeout` and >> `com.sun.security.crl.readtimeout` System properties. These properties >> retain their current behavior where a purely numeric value is interpreted in >> seconds, but now the numeric value may also be appended with "ms" >> (case-insensitive) to be interpreted as milliseconds. >> >> This enhancement also adds two new System properties: >> `com.sun.security.cert.timeout` and `com.sun.security.cert.readtimeout` >> which follow the same new allowed syntax. These timeouts only come into >> play when an AIA extension on a certificate is followed for pulling the >> issuing authority certificate and only when the >> `com.sun.security.enableAIAcaIssuers` property is true (default false). >> >> JBS: https://bugs.openjdk.org/browse/JDK-8179502 >> CSR: https://bugs.openjdk.org/browse/JDK-8300722 > > Jamil Nimeh has updated the pull request incrementally with one additional > commit since the last revision: > > Add OCSP readtimeout property src/java.base/share/classes/sun/security/action/GetPropertyAction.java line 186: > 184: } > 185: > 186: String propVal = System.getProperty(prop, "").trim(); You should call `privilegedGetProperty` here instead of `System.getProperty` so the call is wrapped in `doPrivileged` when an SM is active. src/java.base/share/classes/sun/security/action/GetPropertyAction.java line 202: > 200: // Next check to make sure the string is built only from digits > 201: if (propVal.matches("^\\d+$")) { > 202: int timeout = Integer.parseInt(propVal); Is this guaranteed never to throw `NumberFormatException`? It might be safer to catch it just in case. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1200714709 PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1200716014