Skip to content

Commit

Permalink
8328638: Fallback option for POST-only OCSP requests
Browse files Browse the repository at this point in the history
Reviewed-by: mullan, rhalade
  • Loading branch information
shipilev committed Mar 27, 2024
1 parent d292aab commit 614db2e
Show file tree
Hide file tree
Showing 3 changed files with 83 additions and 4 deletions.
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2009, 2023, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2009, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -85,6 +85,28 @@ public final class OCSP {
private static final int READ_TIMEOUT = initializeTimeout(
"com.sun.security.ocsp.readtimeout", DEFAULT_READ_TIMEOUT);

/**
* Boolean value indicating whether OCSP client can use GET for OCSP
* requests. There is an ambiguity in RFC recommendations.
*
* RFC 5019 says a stronger thing, "MUST":
* "When sending requests that are less than or equal to 255 bytes in
* total (after encoding) including the scheme and delimiters (http://),
* server name and base64-encoded OCSPRequest structure, clients MUST
* use the GET method (to enable OCSP response caching)."
*
* RFC 6960 says a weaker thing, "MAY":
* "HTTP-based OCSP requests can use either the GET or the POST method to
* submit their requests. To enable HTTP caching, small requests (that
* after encoding are less than 255 bytes) MAY be submitted using GET."
*
* For performance reasons, we default to stronger behavior. But this
* option also allows to fallback to weaker behavior in case of compatibility
* problems.
*/
private static final boolean USE_GET = initializeBoolean(
"com.sun.security.ocsp.useget", "true");

/**
* Initialize the timeout length by getting the OCSP timeout
* system property. If the property has not been set, or if its
Expand All @@ -99,6 +121,15 @@ private static int initializeTimeout(String prop, int def) {
return timeoutVal;
}

private static boolean initializeBoolean(String prop, String def) {
String flag = GetPropertyAction.privilegedGetProperty(prop, def);
boolean value = Boolean.parseBoolean(flag);
if (debug != null) {
debug.println(prop + " set to " + value);
}
return value;
}

private OCSP() {}

/**
Expand Down Expand Up @@ -186,7 +217,7 @@ public static byte[] getOCSPBytes(List<CertId> certIds, URI responderURI,
encodedGetReq.append(URLEncoder.encode(
Base64.getEncoder().encodeToString(bytes), UTF_8));

if (encodedGetReq.length() <= 255) {
if (USE_GET && encodedGetReq.length() <= 255) {
url = new URI(encodedGetReq.toString()).toURL();
con = (HttpURLConnection)url.openConnection();
con.setConnectTimeout(CONNECT_TIMEOUT);
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2020, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand All @@ -23,14 +23,15 @@

/**
* @test
* @bug 8179503
* @bug 8179503 8328638
* @summary Java should support GET OCSP calls
* @library /javax/net/ssl/templates /java/security/testlibrary
* @build SimpleOCSPServer
* @modules java.base/sun.security.util
* java.base/sun.security.provider.certpath
* java.base/sun.security.x509
* @run main/othervm GetAndPostTests
* @run main/othervm -Dcom.sun.security.ocsp.useget=false GetAndPostTests
*/

import java.io.ByteArrayInputStream;
Expand Down
Loading

1 comment on commit 614db2e

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.