-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8296343: CPVE thrown on missing content-length in OCSP response #11917
Conversation
/issue 8296343 |
👋 Welcome back jnimeh! A progress list of the required criteria for merging this PR into |
/label security |
@jnimeh This issue is referenced in the PR title - it will now be updated. |
@jnimeh |
Webrevs
|
static String EE_ALIAS = "endentity"; | ||
|
||
// Turn on debugging | ||
static final boolean debug = true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you really mean to set debug
to true
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The overall output is pretty small even with it on, but I'll switch it off.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could also use Boolean.getBoolean("test.debug")
(or some other property name) so it can be set on the command line when the test is run.
|
||
return IOUtils.readExactlyNBytes(con.getInputStream(), | ||
contentLength); | ||
return (contentLength == -1) ? con.getInputStream().readAllBytes() : |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the returned OCSP bytes, what if the response code is not OK?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, in the case of a 404 what appears to happen is that HttpURLConnection would throw a FileNotFoundException. That ultimately would result in a CPVE if there were no other sources of revocation information (e.g. CRL) for that certificate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It may be more effective/accuracy to stop read OCSP response bytes if response code is not OK.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Logging the error code and returning with no read and not throwing an exception I believe would still work since the revocation information would be missing. I'm wondering though if this needs to be a separate issue given that we're talking about a different use case, and one that involves the behavior of HttpURLConnection when dealing with different response codes. I'll also check to see if there are existing tests that make CPV checks against URIs that have non-200 response codes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmmm, I was not quite correct about the HttpURLConnection behavior - it's not the 404 that's causing the issue directly, it is indeed the getContentLength when the 404 happens. So forget a separate issue, I will deal with non-200 codes in this PR.
rootOcsp.start(); | ||
|
||
// Wait 5 seconds for server ready | ||
for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This pattern is repeated over 20 times in the code. Instead of spinning on a boolean, the SimpleOCSPServer class could use a CountdownLatch to signal when it's ready. Then, instead of having an isServerReady()
method, it would just have a method e.g., boolean waitForServer(long timeout, TimeUnit unit)
which just delegates to CountdownLatch.await(long, TimeUnit)
.
And to avoid changing 20+ other tests, just mark isServerReady()
as deprecated.
static String EE_ALIAS = "endentity"; | ||
|
||
// Turn on debugging | ||
static final boolean debug = true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could also use Boolean.getBoolean("test.debug")
(or some other property name) so it can be set on the command line when the test is run.
// } | ||
// if (!rootOcsp.isServerReady()) { | ||
// throw new RuntimeException("Server not ready yet"); | ||
// } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lines 149-154 can be deleted
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought I caught all the dead comments, but I guess I missed this one. Good catch, will fix.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have reviewed the code changes to OCSP.java and it looks fine. I have not reviewed the test changes though, please find a separate Reviewer for those changes.
@jnimeh This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 253 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
/integrate |
Going to push as commit 1a3cb8c.
Your commit was automatically rebased without conflicts. |
This fixes an issue where HTTP responses that do not have an explicit Content-Length are causing an EOFException which unravels into a CertPathValidatorException during validations that involve OCSP checks.
Progress
Issue
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/11917/head:pull/11917
$ git checkout pull/11917
Update a local copy of the PR:
$ git checkout pull/11917
$ git pull https://git.openjdk.org/jdk pull/11917/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 11917
View PR using the GUI difftool:
$ git pr show -t 11917
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/11917.diff