8179503: Java should support GET OCSP calls
Reviewed-by: xuelei
Jamil Nimeh committed Dec 31, 2020
1 parent 8435f0d commit f5ee356
Showing 3 changed files with 334 additions and 55 deletions.
Expand Up @@ -24,20 +24,20 @@
*/
package sun.security.provider.certpath;

import java.io.InputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.URI;
import java.net.URL;
import java.net.HttpURLConnection;
import java.net.URLEncoder;
import java.security.cert.CertificateException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.CRLReason;
import java.security.cert.Extension;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Date;
import java.util.List;
Expand All @@ -46,6 +46,7 @@
import sun.security.action.GetIntegerAction;
import sun.security.util.Debug;
import sun.security.util.Event;
import sun.security.util.IOUtils;
import sun.security.validator.Validator;
import sun.security.x509.AccessDescription;
import sun.security.x509.AuthorityInfoAccessExtension;
Expand Down Expand Up @@ -224,71 +225,61 @@ public static byte[] getOCSPBytes(List<CertId> certIds, URI responderURI,
OCSPRequest request = new OCSPRequest(certIds, extensions);
byte[] bytes = request.encodeBytes();

InputStream in = null;
OutputStream out = null;
byte[] response = null;
if (debug != null) {
debug.println("connecting to OCSP service at: " + responderURI);
}
Event.report(Event.ReporterCategory.CRLCHECK, "event.ocsp.check",
responderURI.toString());

URL url;
HttpURLConnection con = null;
try {
URL url = responderURI.toURL();
if (debug != null) {
debug.println("connecting to OCSP service at: " + url);
String encodedGetReq = responderURI.toString() + "/" +
URLEncoder.encode(Base64.getEncoder().encodeToString(bytes),
"UTF-8");

if (encodedGetReq.length() <= 255) {

@paulkelele

paulkelele May 30, 2022

Add a flag to bypass the GET method for requests whose encoded length is <= 255 bytes and use the POST method instead. From rfc 2560: small requests (that after encoding are less than 255 bytes) MAY be submitted using GET. It is not a MUST, so give the possibility to continue using the POST method for requests under 256 bytes in length.

url = new URL(encodedGetReq);
con = (HttpURLConnection)url.openConnection();
con.setDoOutput(true);
con.setDoInput(true);
con.setRequestMethod("GET");
} else {
url = responderURI.toURL();
con = (HttpURLConnection)url.openConnection();
con.setConnectTimeout(CONNECT_TIMEOUT);
con.setReadTimeout(CONNECT_TIMEOUT);
con.setDoOutput(true);
con.setDoInput(true);
con.setRequestMethod("POST");
con.setRequestProperty
("Content-type", "application/ocsp-request");
con.setRequestProperty
("Content-length", String.valueOf(bytes.length));
OutputStream out = con.getOutputStream();
out.write(bytes);
out.flush();
}

Event.report(Event.ReporterCategory.CRLCHECK, "event.ocsp.check", url.toString());
HttpURLConnection con = (HttpURLConnection)url.openConnection();
con.setConnectTimeout(CONNECT_TIMEOUT);
con.setReadTimeout(CONNECT_TIMEOUT);
con.setDoOutput(true);
con.setDoInput(true);
con.setRequestMethod("POST");
con.setRequestProperty
("Content-type", "application/ocsp-request");
con.setRequestProperty
("Content-length", String.valueOf(bytes.length));
out = con.getOutputStream();
out.write(bytes);
out.flush();
// Check the response
if (debug != null &&
con.getResponseCode() != HttpURLConnection.HTTP_OK) {
debug.println("Received HTTP error: " + con.getResponseCode()
+ " - " + con.getResponseMessage());
}
in = con.getInputStream();

int contentLength = con.getContentLength();
if (contentLength == -1) {
contentLength = Integer.MAX_VALUE;
}
response = new byte[contentLength > 2048 ? 2048 : contentLength];
int total = 0;
while (total < contentLength) {
int count = in.read(response, total, response.length - total);
if (count < 0)
break;

total += count;
if (total >= response.length && total < contentLength) {
response = Arrays.copyOf(response, total * 2);
}
}
response = Arrays.copyOf(response, total);

return IOUtils.readExactlyNBytes(con.getInputStream(),
contentLength);
} finally {
if (in != null) {
try {
in.close();
} catch (IOException ioe) {
throw ioe;
}
}
if (out != null) {
try {
out.close();
} catch (IOException ioe) {
throw ioe;
}
if (con != null) {
con.disconnect();
}
}
return response;
}

/**
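Review bot: The GET branch (the lines after `url = new URL(encodedGetReq);`) never applies the connect and read timeouts that the POST branch and the removed code set, so a responder that accepts the connection but never answers a GET can stall revocation checking indefinitely; hoist `con.setConnectTimeout(CONNECT_TIMEOUT); con.setReadTimeout(CONNECT_TIMEOUT);` out of the else branch so both paths get them. Separately, the `contentLength == -1` to `Integer.MAX_VALUE` substitution was written for the old read-until-EOF loop; if `IOUtils.readExactlyNBytes` throws when the stream ends before the requested count (as its name suggests, please verify), a responder that omits Content-Length will now fail with an EOFException instead of returning the body it sent. The `con.setDoOutput(true)` call on the GET connection is also unnecessary since nothing is written on that path. getOCSPBytes's signature and the start of its body lie outside the hunk.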

1 comment on commit f5ee356

@openjdk-notifier