Skip to content

Commit

Permalink
8329213: Better validation for com.sun.security.ocsp.useget option
Browse files Browse the repository at this point in the history
Reviewed-by: mullan
  • Loading branch information
shipilev committed Apr 1, 2024
1 parent 9f5464e commit 4a14cba
Show file tree
Hide file tree
Showing 4 changed files with 48 additions and 5 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -224,4 +224,37 @@ public static int privilegedGetTimeoutProp(String prop, int def, Debug dbg) {
return def;
}
}

/**
* Convenience method for fetching System property values that are booleans.
*
* @param prop the name of the System property
* @param def a default value
* @param dbg a Debug object, if null no debug messages will be sent
*
* @return a boolean value corresponding to the value in the System property.
* If the property value is neither "true" or "false", the default value
* will be returned.
*/
public static boolean privilegedGetBooleanProp(String prop, boolean def, Debug dbg) {
String rawPropVal = privilegedGetProperty(prop, "");
if ("".equals(rawPropVal)) {
return def;
}

String lower = rawPropVal.toLowerCase(Locale.ROOT);
if ("true".equals(lower)) {
return true;
} else if ("false".equals(lower)) {
return false;
} else {
if (dbg != null) {
dbg.println("Warning: Unexpected value for " + prop +
": " + rawPropVal +
". Using default value: " + def);
}
return def;
}
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ public final class OCSP {
* problems.
*/
private static final boolean USE_GET = initializeBoolean(
"com.sun.security.ocsp.useget", "true");
"com.sun.security.ocsp.useget", true);

/**
* Initialize the timeout length by getting the OCSP timeout
Expand All @@ -121,9 +121,9 @@ private static int initializeTimeout(String prop, int def) {
return timeoutVal;
}

private static boolean initializeBoolean(String prop, String def) {
String flag = GetPropertyAction.privilegedGetProperty(prop, def);
boolean value = Boolean.parseBoolean(flag);
private static boolean initializeBoolean(String prop, boolean def) {
boolean value =
GetPropertyAction.privilegedGetBooleanProp(prop, def, debug);
if (debug != null) {
debug.println(prop + " set to " + value);
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@
* java.base/sun.security.x509
* @run main/othervm GetAndPostTests
* @run main/othervm -Dcom.sun.security.ocsp.useget=false GetAndPostTests
* @run main/othervm -Dcom.sun.security.ocsp.useget=foo GetAndPostTests
*/

import java.io.ByteArrayInputStream;
Expand Down
11 changes: 10 additions & 1 deletion test/jdk/java/security/testlibrary/SimpleOCSPServer.java
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -702,6 +702,9 @@ public CRLReason getRevocationReason() {
* responses.
*/
private class OcspHandler implements Runnable {
private final boolean USE_GET =
!System.getProperty("com.sun.security.ocsp.useget", "").equals("false");

private final Socket sock;
InetSocketAddress peerSockAddr;

Expand Down Expand Up @@ -874,6 +877,12 @@ private LocalOcspRequest parseHttpOcspPost(InputStream inStream)
// Okay, make sure we got what we needed from the header, then
// read the remaining OCSP Request bytes
if (properContentType && length >= 0) {
if (USE_GET && length <= 255) {
// Received a small POST request. Check that our client code properly
// handled the relevant flag. We expect small GET requests, unless
// explicitly disabled.
throw new IOException("Should have received small GET, not POST.");
}
byte[] ocspBytes = new byte[length];
inStream.read(ocspBytes);
return new LocalOcspRequest(ocspBytes);
Expand Down

1 comment on commit 4a14cba

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.