JEP 124: Enhance the Certificate Revocation-Checking API

OwnerSean Mullan
Created2011/05/17 20:00
Updated2014/07/10 20:54
TypeFeature
StatusClosed / Delivered
Componentsecurity-libs
ScopeSE
Discussionsecurity dash dev at openjdk dot java dot net
EffortM
DurationM
Priority4
Endorsed byBrian Goetz
Release8
Issue8046114
Relates to6854712: Revocation checking enhancements (JEP-124)

Summary

Improve the certificate revocation-checking API to support best-effort checking, end-entity certificate checking, and mechanism-specific options and parameters.

Goals

  1. Provide API support for best-effort checking. With best-effort checking, a certificate is not considered invalid if a connection cannot be made to the server holding the revocation information.

  2. Provide API support to only check the revocation status of the end-entity certificate rather than every certificate in the certificate chain.

  3. Provide API support for revocation checking options that are currently specified as system properties. Add additional parameters specific to the type of revocation checking mechanism used, CRLs or OCSP.

Motivation

The current java.security.cert API considers a failure to contact the server holding the revocation information to be a fatal error, which is too strict in many environments. A best-effort option would provide a reasonable balance between security and usability and is also supported by many other revocation checking implementations.

The current API is also "all or nothing", which requires the revocation status of every certificate in the certificate chain to be checked. It does not allow you to only check the revocation status of the end-entity certificate.

The current API lacks support for specifying options that are specific to a particular revocation mechanism, such as CRLs or OCSP. Currently these options are either missing (such as OCSP nonces) or can only be specified as security properties.

These enhancements will make the API more complete, flexible, and more competitive with other implementations. Many implementations provide additional revocation checking options such as best-effort checking.

Description

This is a summary of the API changes that have been made to support the goals above.

A new getRevocationChecker method has been added to the CertPathValidator and CertPathBuilder classes that returns a CertPathChecker that can be used to specify additional revocation options and parameters. Similarly, an engineGetRevocationChecker method has beed added to corresponding Spi classes, CertPathValidatorSpi and CertPathBuilderSpi.

A new PKIXRevocationChecker class (a subclass of PKIXCertPathChecker) has been added which can be used for checking the revocation status of certificates with the PKIX algorithm.

The PKIXRevocationChecker class contains methods to allow various parameters and options to be specified when requesting revocation.

The existing certpath debug option will be enhanced to log important issues for debugging purposes (-Djava.security.debug=certpath).

Testing

Unit tests will be created to test the new APIs. It may be necessary to implement OCSP and CRL servers to simulate a proper test environment.

Ideally, each vendor should implement a test suite that checks that a certificate has been revoked for each CA in the vendor-specific cacerts file (since the cacerts file in OpenJDK is empty). This will minimize the risk of failures due to subtle bugs in the implementation or the CA's deployment. Some CAs will issue test certificates for testing their services; however often these certificates are short-lived and thus would have to be periodically renewed.

Impact