Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6854712

Revocation checking enhancements (JEP-124)

    XMLWordPrintable

Details

    • b43
    • generic
    • generic
    • Verified

    Backports

      Description

        This is an umbrella CR of various revocation checking enhancements. Some are deployment related. Separate CRs should be spun off as they are addressed. More enhancements may be added to this list.

        1) Add an API for just checking if a certificate is revoked.

        Currently you must validate a chain of certificates using a PKIX CertPathValidator to check if the certs have been revoked. This is signficant overhead, when all you want to check is if a certificate is revoked, which is a useful thing to do as a periodic check or when the revocation information becomes stale (ex: CRL is expired).

        The API should return revocation information (CRLs, OCSP Responses) so that they can be cached by an implementation.

        2) Add more deployment revocation checking properties

        Currently, revocation checking is either enabled or disabled. It would be useful to have the following suboptions if revocation is enabled:

         a) check revocation of end-entity cert only
         b) allow revocation check to pass if network problem prevents checking of status
        The enhancements in this RFE have been posted to OpenJDK as JEP-124:

        http://openjdk.java.net/jeps/124

        Attachments

          Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8193955 Revocation checking enhancements (JEP-124)

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved
            relates to

            Bug - A problem which impairs or prevents the functions of the product. JDK-7178820 Remove test/closed/java/security/cert/CertPathValidator/OCSP/OCSPUnitTest.java

            • P3 - Major loss of function.
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. JDK-7187962 sun.security.pkcs11.P11DSAKeyFactory.implTranslatePublicKey doesn't check if params is null

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Closed

            Enhancement - null JDK-6637288 Add OCSP support to PKIX CertPathBuilder implementation

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Closed

            JEP - Java Enhancement Proposal JDK-8046114 JEP 124: Enhance the Certificate Revocation-Checking API

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Closed

            Activity

              People

                mullan Sean Mullan
                mullan Sean Mullan
                Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:
                  Imported:
                  Indexed: