JEP 124: Enhance the Certificate Revocation-Checking API
| Owner | Sean Mullan |
| Type | Feature |
| Scope | SE |
| Status | Closed / Delivered |
| Release | 8 |
| Component | security-libs |
| Discussion | security dash dev at openjdk dot java dot net |
| Effort | M |
| Duration | M |
| Endorsed by | Brian Goetz |
| Created | 2011/05/17 20:00 |
| Updated | 2014/07/10 20:54 |
| Issue | 8046114 |
Summary
Improve the certificate revocation-checking API to support best-effort checking, end-entity certificate checking, and mechanism-specific options and parameters.
Goals
-
Provide API support for best-effort checking. With best-effort checking, a certificate is not considered invalid if a connection cannot be made to the server holding the revocation information.
-
Provide API support to only check the revocation status of the end-entity certificate rather than every certificate in the certificate chain.
-
Provide API support for revocation checking options that are currently specified as system properties. Add additional parameters specific to the type of revocation checking mechanism used, CRLs or OCSP.
Motivation
The current java.security.cert API considers a failure to contact the server
holding the revocation information to be a fatal error, which is too strict in
many environments. A best-effort option would provide a reasonable balance
between security and usability and is also supported by many other revocation
checking implementations.
The current API is also "all or nothing", which requires the revocation status of every certificate in the certificate chain to be checked. It does not allow you to only check the revocation status of the end-entity certificate.
The current API lacks support for specifying options that are specific to a particular revocation mechanism, such as CRLs or OCSP. Currently these options are either missing (such as OCSP nonces) or can only be specified as security properties.
These enhancements will make the API more complete, flexible, and more competitive with other implementations. Many implementations provide additional revocation checking options such as best-effort checking.
Description
This is a summary of the API changes that have been made to support the goals above.
A new getRevocationChecker method has been added to the CertPathValidator
and CertPathBuilder classes that returns a CertPathChecker that can be
used to specify additional revocation options and parameters. Similarly, an
engineGetRevocationChecker method has beed added to corresponding Spi classes,
CertPathValidatorSpi and CertPathBuilderSpi.
A new PKIXRevocationChecker class (a subclass of PKIXCertPathChecker) has
been added which can be used for checking the revocation status of certificates
with the PKIX algorithm.
The PKIXRevocationChecker class contains methods to allow various parameters
and options to be specified when requesting revocation.
The existing certpath debug option will be enhanced to log important issues
for debugging purposes (-Djava.security.debug=certpath).
Testing
Unit tests will be created to test the new APIs. It may be necessary to implement OCSP and CRL servers to simulate a proper test environment.
Ideally, each vendor should implement a test suite that checks that a
certificate has been revoked for each CA in the vendor-specific cacerts file
(since the cacerts file in OpenJDK is empty). This will minimize the risk of
failures due to subtle bugs in the implementation or the CA's deployment. Some
CAs will issue test certificates for testing their services; however often
these certificates are short-lived and thus would have to be periodically
renewed.
Impact
-
Documentation: The PKI Programmer's Guide will need to be updated with the new APIs.
-
I18n/L10n: localization of error messages may be required
