- Enhancement
- Resolution: Fixed
- P4
- 8
- b43
- generic
- generic
- Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8193955 | openjdk7u | Andrew Hughes | P4 | Resolved | Fixed | master |
This is an umbrella CR of various revocation checking enhancements. Some are deployment related. Separate CRs should be spun off as they are addressed. More enhancements may be added to this list.
1) Add an API for just checking if a certificate is revoked.
Currently you must validate a chain of certificates using a PKIX CertPathValidator to check if the certs have been revoked. This is significant overhead when all you want to check is whether a certificate is revoked, which is a useful thing to do as a periodic check or when the revocation information becomes stale (e.g., the CRL has expired).
The API should return revocation information (CRLs, OCSP Responses) so that they can be cached by an implementation.
2) Add more deployment revocation checking properties
Currently, revocation checking is either enabled or disabled. It would be useful to have the following suboptions if revocation is enabled:
a) check revocation of end-entity cert only
b) allow revocation check to pass if network problem prevents checking of status
The enhancements in this RFE have been posted to OpenJDK as JEP-124:
http://openjdk.java.net/jeps/124
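Suboptions a) and b) above correspond to the `ONLY_END_ENTITY` and `SOFT_FAIL` options of `java.security.cert.PKIXRevocationChecker`, available from Java 8. The following is an added example, not code from this issue or from the JDK project; the class name `RevocationOptionsDemo` and the two PEM file arguments are assumptions. It shows that with soft-fail enabled, a validation that passes still has to be inspected for revocation lookups that could not be completed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

// Hypothetical demo class. Usage (assumed inputs):
//   java RevocationOptionsDemo chain.pem root.pem
// chain.pem: end-entity certificate first, then intermediates (no root).
// root.pem:  the single trusted root certificate.
public class RevocationOptionsDemo {
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path;
        try (InputStream in = new FileInputStream(args[0])) {
            path = cf.generateCertPath(new ArrayList<Certificate>(cf.generateCertificates(in)));
        }
        X509Certificate root;
        try (InputStream in = new FileInputStream(args[1])) {
            root = (X509Certificate) cf.generateCertificate(in);
        }

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) validator.getRevocationChecker();
        // a) check only the end-entity certificate
        // b) do not fail when revocation status cannot be obtained
        checker.setOptions(EnumSet.of(
                PKIXRevocationChecker.Option.ONLY_END_ENTITY,
                PKIXRevocationChecker.Option.SOFT_FAIL));

        PKIXParameters params =
                new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.addCertPathChecker(checker); // replaces the default revocation mechanism

        try {
            validator.validate(path, params);
        } catch (CertPathValidatorException e) {
            // A definite "revoked" answer is still a hard failure under SOFT_FAIL.
            System.out.println("REJECTED: " + e.getReason() + " at index " + e.getIndex());
            return;
        }
        // Soft-fail hides lookup failures from validate(); surface them for logging.
        List<CertPathValidatorException> soft = checker.getSoftFailExceptions();
        if (soft.isEmpty()) {
            System.out.println("ACCEPTED: revocation status confirmed");
        } else {
            System.out.println("ACCEPTED WITHOUT STATUS: " + soft.size() + " lookup(s) failed");
            for (CertPathValidatorException e : soft) System.out.println("  " + e.getMessage());
        }
    }
}
```

Run on a host with no network access, the "ACCEPTED WITHOUT STATUS" branch is taken for any chain that is otherwise valid, which is the behaviour suboption b) trades for availability.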
- backported by
  - JDK-8193955 Revocation checking enhancements (JEP-124) (Resolved)
- relates to
  - JDK-7178820 Remove test/closed/java/security/cert/CertPathValidator/OCSP/OCSPUnitTest.java (Closed)
  - JDK-7187962 sun.security.pkcs11.P11DSAKeyFactory.implTranslatePublicKey doesn't check if params is null (Closed)
  - JDK-6637288 Add OCSP support to PKIX CertPathBuilder implementation (Closed)
  - JDK-8046114 JEP 124: Enhance the Certificate Revocation-Checking API (Closed)