JDK-8046114 : JEP 124: Enhance the Certificate Revocation-Checking API
  • Type: JEP
  • Component: security-libs
  • Priority: P4
  • Status: Closed
  • Resolution: Delivered
  • Fix Versions: 8
  • Submitted: 2011-05-17
  • Updated: 2014-07-10
  • Resolved: 2014-07-10
Description
Summary
-------

Improve the certificate revocation-checking API to support best-effort
checking, end-entity certificate checking, and mechanism-specific options and
parameters.


Goals
-----

  1. Provide API support for best-effort checking.  With best-effort checking,
     a certificate is not considered invalid if a connection cannot be made to
     the server holding the revocation information.

  2. Provide API support to only check the revocation status of the end-entity
     certificate rather than every certificate in the certificate chain.

  3. Provide API support for revocation checking options that are currently
     specified as system properties.  Add additional parameters specific to the
     type of revocation checking mechanism used, CRLs or OCSP.


Motivation
----------

The current `java.security.cert` API considers a failure to contact the server
holding the revocation information to be a fatal error, which is too strict in
many environments.  A best-effort option would provide a reasonable balance
between security and usability and is also supported by many other revocation
checking implementations.

The current API is also "all or nothing", which requires the revocation status
of every certificate in the certificate chain to be checked.  It does not allow
you to only check the revocation status of the end-entity certificate.

The current API lacks support for specifying options that are specific to a
particular revocation mechanism, such as CRLs or OCSP.  Currently these options
are either missing (such as OCSP nonces) or can only be specified as security
properties.

These enhancements will make the API more complete, flexible, and more
competitive with other implementations.  Many implementations provide
additional revocation checking options such as best-effort checking.


Description
-----------

This is a summary of the API changes that have been made to support the goals
above.

A new `getRevocationChecker` method has been added to the `CertPathValidator`
and `CertPathBuilder` classes that returns a `CertPathChecker` that can be
used to specify additional revocation options and parameters.  Similarly, an
`engineGetRevocationChecker` method has been added to the corresponding Spi classes,
`CertPathValidatorSpi` and `CertPathBuilderSpi`.

A new `PKIXRevocationChecker` class (a subclass of `PKIXCertPathChecker`) has
been added which can be used for checking the revocation status of certificates
with the PKIX algorithm.

The `PKIXRevocationChecker` class contains methods to allow various parameters
and options to be specified when requesting revocation.
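As an added example (not part of this JEP or the JDK sources), the following shows how a caller uses the new API to get best-effort, end-entity-only revocation checking and to surface the failures that were tolerated; the class name `BestEffortRevocation` and the command-line file inputs are assumptions, while the `java.security.cert` names are the JDK 8 API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

// Assumed class name; not code from the JEP or the JDK.
public class BestEffortRevocation {

    // Validates a chain with SOFT_FAIL (best-effort, goal 1) and ONLY_END_ENTITY
    // (goal 2). Returns the revocation-check failures that were tolerated so the
    // caller can log them rather than silently lose them. A certificate that the
    // responder reports as revoked still fails validation with an exception.
    public static List<CertPathValidatorException> validate(CertPath path, KeyStore trustStore)
            throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.of(
                PKIXRevocationChecker.Option.ONLY_END_ENTITY,
                PKIXRevocationChecker.Option.SOFT_FAIL));
        PKIXParameters params = new PKIXParameters(trustStore);
        params.addCertPathChecker(rc); // the configured checker performs the revocation check
        cpv.validate(path, params);    // throws CertPathValidatorException on a revoked/invalid chain
        return rc.getSoftFailExceptions();
    }

    // args[0]: PEM file holding the leaf and intermediates (not the root),
    // args[1]: truststore holding the root, args[2]: truststore password.
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ts.load(in, args[2].toCharArray());
        }
        List<CertPathValidatorException> soft = validate(cf.generateCertPath(chain), ts);
        System.out.println("chain valid; tolerated revocation-check failures: " + soft.size());
        for (CertPathValidatorException e : soft) {
            System.out.println("  " + e.getReason() + ": " + e.getMessage());
        }
    }
}
```

Because SOFT_FAIL only tolerates failures to reach the revocation source, an empty `getSoftFailExceptions()` list is the only case in which the end-entity status was actually confirmed.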


The existing certpath debug option will be enhanced to log important issues
for debugging purposes (`-Djava.security.debug=certpath`).


Testing
-------

Unit tests will be created to test the new APIs.  It may be necessary to
implement OCSP and CRL servers to simulate a proper test environment.

Ideally, each vendor should implement a test suite that checks that a
certificate has been revoked for each CA in the vendor-specific `cacerts` file
(since the `cacerts` file in OpenJDK is empty).  This will minimize the risk of
failures due to subtle bugs in the implementation or the CA's deployment.  Some
CAs will issue test certificates for testing their services; however often
these certificates are short-lived and thus would have to be periodically
renewed.


Impact
------

  - Documentation: The PKI Programmer's Guide will need to be updated with the
    new APIs.

  - I18n/L10n: localization of error messages may be required.