Posted to dev@ws.apache.org by "Freeman Fang (Created) (JIRA)" <ji...@apache.org> on 2012/02/14 10:11:59 UTC

[jira] [Created] (WSS-339) OCSP support

OCSP support
------------

                 Key: WSS-339
                 URL: https://issues.apache.org/jira/browse/WSS-339
             Project: WSS4J
          Issue Type: Improvement
            Reporter: Freeman Fang
            Assignee: Colm O hEigeartaigh


Currently WSS4J already supports CRLs for revocation checks; it would be better if we could also support OCSP through WSS4J configuration.
Though we can set the ocsp.enable property in $JAVA_HOME/jre/lib/security/java.security to enable OCSP, its effect is JVM-wide. I'd like to introduce a property in WSHandlerConstants like enableOCSP which can trigger code like
Security.setProperty("ocsp.enable", enableOCSP);
This should be similar to the property enableRevocation; the logic is
if (enableRevocation && enableOCSP) {
    //use OCSP to do revocation check.
}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


[jira] [Commented] (WSS-339) OCSP support

Posted by "Freeman Fang (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13207599#comment-13207599 ] 

Freeman Fang commented on WSS-339:
----------------------------------

I'm working on a patch for it and will append the patch soon
                


[jira] [Commented] (WSS-339) OCSP support

Posted by "Freeman Fang (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13209029#comment-13209029 ] 

Freeman Fang commented on WSS-339:
----------------------------------

Hi Colm,

Thanks for your reply.
But this issue is different from the case tracked by WSS-338.
As this isn't controlled by a system property but by a Security property, we have to specify the ocsp.enable property in $JAVA_HOME/jre/lib/security/java.security, which will affect the whole JDK, or leave the end user to call Security.setProperty("ocsp.enable", "true") programmatically.

Specifying it in $JAVA_HOME/jre/lib/security/java.security isn't normally acceptable as it will affect the whole JDK; we can easily run into the problem that one JVM process wants ocsp.enable=true but another doesn't.

Also, only letting the end user call Security.setProperty programmatically isn't acceptable either, as we do need to provide a configurable way to specify ocsp.enable; that's why I introduce the enableOCSP property for WSHandler here, so end users can control everything they want just through the typical wss4j configuration way.

WDYT?

Best Regards
Freeman 
                


[jira] [Commented] (WSS-339) OCSP support

Posted by "Daniel Kulp (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13209042#comment-13209042 ] 

Daniel Kulp commented on WSS-339:
---------------------------------


I agree with Colm on both issues. These end up being global settings, not per-request or per-application settings. Thus, we should not be presenting even an illusion of them being per application, or it creates a lot of extra confusion.

They create an app that turns this setting on and expect it to run. Another application gets deployed into the container (OSGi container, Tomcat, whatever....) that then turns it off. Suddenly, the first app, due to nothing that it did, is no longer meeting the security requirements that it was expecting.

So I disagree with configuring System properties or Security properties from contexts that are supposed to be per service or per request, which is pretty much what Colm was trying to get at.

                


[jira] [Updated] (WSS-339) OCSP support

Posted by "Freeman Fang (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Freeman Fang updated WSS-339:
-----------------------------

    Attachment:     (was: WSS-339.patch)
    


[jira] [Commented] (WSS-339) OCSP support

Posted by "Freeman Fang (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13209078#comment-13209078 ] 

Freeman Fang commented on WSS-339:
----------------------------------

Hi Dan, Colm,

I can get your point that both com.sun.security.enableCRLDP and ocsp.enable should be global settings, but I can also see the scenario where we should support those properties per service. For example, in the same application (this could be standalone CXF, not even in a container), one service doesn't want to use OCSP but the other one does, as different services can use different certificates from different CAs. In this case the global settings can't meet the requirement. We actually can make those properties effective per service context: in the verifyTrust(certs, enableRevocation, enableOCSP) method, before the real
validator.validate(path, param); // check if certificate is still valid
we set the properties, and after that we restore the properties, so each invocation of certificate validation won't pollute the global context.
We need
synchronized (A Global Lock Object from WSS4J) {
    set properties,
    validator.validate(path, param); // check if certificate is still valid
    restore properties
}
to ensure the properties aren't changed during one validation invocation.
The synchronized block may affect performance a little bit, but IMO it's worth it for adding certificate revocation checks per service context (we can add an extra WSHandler flag which controls whether we want per-service context or not, so that by default it's still the old behaviour and doesn't impact performance).
This is my 2 cents, and if the team agrees I can come up with a new patch accordingly.

Best Regards
Freeman
                


[jira] [Commented] (WSS-339) OCSP support

Posted by "Colm O hEigeartaigh (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13208518#comment-13208518 ] 

Colm O hEigeartaigh commented on WSS-339:
-----------------------------------------


My comment here applies for this patch as well:

https://issues.apache.org/jira/browse/WSS-338?focusedCommentId=13208517&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13208517

Colm.
                


[jira] [Commented] (WSS-339) OCSP support

Posted by "Freeman Fang (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13209960#comment-13209960 ] 

Freeman Fang commented on WSS-339:
----------------------------------

Hi Dan,

Thanks for the input.
I was thinking wrongly before. I just verified that ocsp.enable=true won't affect certificates which have no OCSP info; they can still use CRLs as a fallback (the JDK doc also confirms it), and enableCRLDP won't affect certificates which have no CRLDP info; they can still use local CRLs as a fallback. So I'm OK with the global property settings for now.

Best Regards
Freeman


                


[jira] [Commented] (WSS-339) OCSP support

Posted by "Daniel Kulp (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13209389#comment-13209389 ] 

Daniel Kulp commented on WSS-339:
---------------------------------


Freeman, as global settings in the VM, there is no possible way to use them to mimic per-request/per-service without affecting other parts of the system. With the synchronized block like you describe, you run into 2 major issues:

1) Performance - CRLDP and OCSP both involve network connections, data transfers, etc... Even on a local net with caching of OCSP results and such, you'll likely add a millisecond or two. If it needs to go off to the internet to check the certs, it's more likely to be in the 10's of milliseconds. You're immediately limiting the entire system to less than 1000 req/sec (best case) and no amount of additional hardware or anything can help. I'm -1 just on that.

2) It doesn't solve the problem. There are other users of the security certs and such besides WSS4J. The SSL stuff (used for things like ActiveMQ SSL connections, HttpsURLConnections, Jetty, etc...) uses it as does a lot of other things. There is no way you can create a synchronized lock and change the global settings that would not impact the other users of the APIs. So I'm -1 on this as well.

If you need per-request/service checks, you'll need to find another solution that does not involve the built-in stuff controlled by system properties/global settings. I believe BouncyCastle has some OCSP stuff built in (they have an ocsp package in the jar) that might be usable. I don't really know as I haven't looked at it.


                
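The per-service requirement Freeman raised and the two objections above (global state shared with TLS and every other PKIX user, and a lock that serializes all validations) are both addressed by a JDK API that did not exist when this thread was written. What follows is an added example, neither WSS4J code nor the WSS-339 patch, and it goes beyond the 2012 discussion: Java 8 introduced java.security.cert.PKIXRevocationChecker, which attaches the OCSP/CRL preference to the PKIXParameters of one validation instead of to the JVM-wide ocsp.enable Security property that the issue description proposed to set. The class name, the enableRevocation/enableOCSP/softFail parameters and the truststore/PEM command-line arguments are assumptions; legacyGlobalParams only restates the issue's original approach for contrast.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example, not WSS4J code: per-service revocation settings carried by the
// PKIXParameters of a single validation. Requires Java 8+ (PKIXRevocationChecker).
public final class PerServiceRevocation {

    // The approach the issue proposed, for contrast: whether OCSP is tried is decided
    // by the process-wide "ocsp.enable" Security property, shared by every PKIX user
    // in this JVM (TLS included). Nothing here is per service.
    public static PKIXParameters legacyGlobalParams(Set<TrustAnchor> anchors) throws Exception {
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);
        System.out.println("JVM-wide ocsp.enable = " + Security.getProperty("ocsp.enable"));
        return params;
    }

    // Per-service variant (hypothetical flags mirroring enableRevocation/enableOCSP from
    // WSS-339): the revocation checker is attached to these parameters only. Per its
    // javadoc it is used regardless of the RevocationEnabled flag and defaults to OCSP
    // with CRL fallback, so no Security.setProperty call and no lock are needed.
    public static PKIXParameters perServiceParams(Set<TrustAnchor> anchors, boolean enableRevocation,
            boolean enableOCSP, boolean softFail) throws Exception {
        PKIXParameters params = new PKIXParameters(anchors);
        if (!enableRevocation) {
            params.setRevocationEnabled(false);
            return params;
        }
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) cpv.getRevocationChecker();
        EnumSet<Option> options = EnumSet.noneOf(Option.class);
        if (!enableOCSP) {
            options.add(Option.PREFER_CRLS);  // CRLs first; OCSP remains the fallback
        }
        if (softFail) {
            options.add(Option.SOFT_FAIL);    // risk: a blocked responder then passes validation
        }
        checker.setOptions(options);
        params.addCertPathChecker(checker);   // travels with these params, not with the JVM
        return params;
    }

    // Validates an end-entity-first chain (the trust anchor itself excluded).
    public static CertPathValidatorResult validate(List<X509Certificate> chain, PKIXParameters params)
            throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        return CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    // Trust anchors from every certificate entry of a Java truststore.
    public static Set<TrustAnchor> anchorsFrom(String truststorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            ks.load(in, password);
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        return anchors;
    }

    // Usage: java PerServiceRevocation <truststore> <password> <chain.pem> [ocsp|crl]
    public static void main(String[] args) throws Exception {
        Set<TrustAnchor> anchors = anchorsFrom(args[0], args[1].toCharArray());
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        boolean preferOcsp = args.length < 4 || "ocsp".equals(args[3]);
        // Two services with opposite preferences in one JVM simply build different params.
        PKIXParameters params = perServiceParams(anchors, true, preferOcsp, false);
        System.out.println("validated: " + validate(chain, params));
    }
}
```

Because the checker lives in the PKIXParameters, concurrent validations with different settings never see each other's state, which is exactly what the set-and-restore-under-a-lock idea could not guarantee for TLS and other callers. OCSP and CRL retrieval still require network access at validation time; if CRL fallback matters, give the validator CRLs it can reach, for example a Collection CertStore added with params.addCertStore(...). Under Java 7, the JDK in use when this thread was written, this API is absent, which is why the discussion turned to BouncyCastle as the only per-service option.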


[jira] [Updated] (WSS-339) OCSP support

Posted by "Freeman Fang (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Freeman Fang updated WSS-339:
-----------------------------

    Attachment: WSS-339.patch
                WSS-339.patch
    


[jira] [Resolved] (WSS-339) OCSP support

Posted by "Freeman Fang (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Freeman Fang resolved WSS-339.
------------------------------

    Resolution: Not A Problem
    


[jira] [Commented] (WSS-339) OCSP support

Posted by "Freeman Fang (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13208284#comment-13208284 ] 

Freeman Fang commented on WSS-339:
----------------------------------

Hi Team,

I just appended a patch for this issue; please review and apply it if it's OK.

Thanks
Freeman
                