JDK-8244046 : Add revocation checking to jarsigner
  • Type: CSR
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 15
  • Submitted: 2020-04-28
  • Updated: 2020-05-06
  • Resolved: 2020-05-06
Related Reports
CSR :  
JDK-8242060 - Add revocation checking to jarsigner
Description
Summary
-------

Add a new option '*-revCheck*' to jarsigner command. When the '*-revCheck'* option is specified, jarsigner will enable revocation checking to find out if the certificates are revoked.

Problem
-------

The jarsigner tool does certificate chain validation when signing or verifying the JAR file, but does not check revocation. Users won't be able to know if the certificates are revoked and are no longer trusted. Option should be provided so users can have jarsigner to check the revocation status of certificates.

Solution
--------

Provide '*-revCheck*' option for jarsigner to enable revocation check.

Specification
-------------

New option for jarsigner signing or verifying:

 - *-revCheck*: Enable revocation checking when it is specified. The jarsigner command will perform network connections to fetch OCSP responses and CRL. Default is off when not specified.

Jarsigner will emit new indication messages when the revocation check is taking place for OCSP and CRLDP respectively:

 - Contacting OCSP server at ...
 - Downloading CRL from ...
Comments
Moving to Approved.
06-05-2020
Also, since this option makes outbound network requests, we always want it to be a user opt-in, and not enabled by default.
01-05-2020
Yes, this option is a boolean with default to false, and sets it to true when -revCheck is specified.
01-05-2020
Moving to Provisional. Is this the sort of option that should be a boolean, initially defaulting to false, that eventually get defaulted to true?
01-05-2020