Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8296343: CPVE thrown on missing content-length in OCSP response #11917

Closed
wants to merge 4 commits into from

Conversation

jnimeh
Copy link
Member

@jnimeh jnimeh commented Jan 10, 2023

This fixes an issue where HTTP responses that do not have an explicit Content-Length are causing an EOFException which unravels into a CertPathValidatorException during validations that involve OCSP checks.


Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue

Issue

  • JDK-8296343: CPVE thrown on missing content-length in OCSP response

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/11917/head:pull/11917
$ git checkout pull/11917

Update a local copy of the PR:
$ git checkout pull/11917
$ git pull https://git.openjdk.org/jdk pull/11917/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 11917

View PR using the GUI difftool:
$ git pr show -t 11917

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/11917.diff

@jnimeh
Copy link
Member Author

jnimeh commented Jan 10, 2023

/issue 8296343

@jnimeh jnimeh marked this pull request as ready for review January 10, 2023 06:03
@bridgekeeper
Copy link

bridgekeeper bot commented Jan 10, 2023

👋 Welcome back jnimeh! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@jnimeh
Copy link
Member Author

jnimeh commented Jan 10, 2023

/label security

@openjdk openjdk bot added the rfr Pull request is ready for review label Jan 10, 2023
@openjdk
Copy link

openjdk bot commented Jan 10, 2023

@jnimeh This issue is referenced in the PR title - it will now be updated.

@openjdk openjdk bot added the security security-dev@openjdk.org label Jan 10, 2023
@openjdk
Copy link

openjdk bot commented Jan 10, 2023

@jnimeh
The security label was successfully added.

@mlbridge
Copy link

mlbridge bot commented Jan 10, 2023

Webrevs

static String EE_ALIAS = "endentity";

// Turn on debugging
static final boolean debug = true;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you really mean to set debug to true?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The overall output is pretty small even with it on, but I'll switch it off.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could also use Boolean.getBoolean("test.debug") (or some other property name) so it can be set on the command line when the test is run.


return IOUtils.readExactlyNBytes(con.getInputStream(),
contentLength);
return (contentLength == -1) ? con.getInputStream().readAllBytes() :
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the returned OCSP bytes, what if the response code is not OK?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, in the case of a 404 what appears to happen is that HttpURLConnection would throw a FileNotFoundException. That ultimately would result in a CPVE if there were no other sources of revocation information (e.g. CRL) for that certificate.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be more effective/accuracy to stop read OCSP response bytes if response code is not OK.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logging the error code and returning with no read and not throwing an exception I believe would still work since the revocation information would be missing. I'm wondering though if this needs to be a separate issue given that we're talking about a different use case, and one that involves the behavior of HttpURLConnection when dealing with different response codes. I'll also check to see if there are existing tests that make CPV checks against URIs that have non-200 response codes.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm, I was not quite correct about the HttpURLConnection behavior - it's not the 404 that's causing the issue directly, it is indeed the getContentLength when the 404 happens. So forget a separate issue, I will deal with non-200 codes in this PR.

rootOcsp.start();

// Wait 5 seconds for server ready
for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pattern is repeated over 20 times in the code. Instead of spinning on a boolean, the SimpleOCSPServer class could use a CountdownLatch to signal when it's ready. Then, instead of having an isServerReady() method, it would just have a method e.g., boolean waitForServer(long timeout, TimeUnit unit) which just delegates to CountdownLatch.await(long, TimeUnit).

And to avoid changing 20+ other tests, just mark isServerReady() as deprecated.

static String EE_ALIAS = "endentity";

// Turn on debugging
static final boolean debug = true;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could also use Boolean.getBoolean("test.debug") (or some other property name) so it can be set on the command line when the test is run.

// }
// if (!rootOcsp.isServerReady()) {
// throw new RuntimeException("Server not ready yet");
// }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lines 149-154 can be deleted

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought I caught all the dead comments, but I guess I missed this one. Good catch, will fix.

Copy link
Member

@seanjmullan seanjmullan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have reviewed the code changes to OCSP.java and it looks fine. I have not reviewed the test changes though, please find a separate Reviewer for those changes.

@openjdk
Copy link

openjdk bot commented Jan 19, 2023

@jnimeh This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8296343: CPVE thrown on missing content-length in OCSP response

Reviewed-by: mullan, rhalade

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 253 new commits pushed to the master branch:

  • 079255e: 8300864: Declare some fields in java.io as final
  • a56598f: 8299684: (bf) JNI direct buffer functions with large capacity behave unexpectedly
  • 542bfe6: 8300587: (bf) Some covariant overrides are missing @SInCE tags
  • 03a9a88: 8300265: Remove metaprogramming/isSigned.hpp
  • 5a4945c: 8299975: Limit underflow protection CMoveINode in PhaseIdealLoop::do_unroll must also protect type from underflow
  • f307e8c: 8299795: Relativize locals in interpreter frames
  • 11aadc9: 8244400: MenuItem may cache the size and did not update it when the screen DPI is changed
  • 836198a: 8300591: @SuppressWarnings option "lossy-conversions" missing from jdk.compiler module javadoc
  • 45e4e00: 8300079: SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument
  • 030b071: 8300207: Add a pre-check for the number of canonical equivalent permutations in j.u.r.Pattern
  • ... and 243 more: https://git.openjdk.org/jdk/compare/7607c07e002cd86cf2a0f44df9933612550ced95...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Jan 19, 2023
@jnimeh
Copy link
Member Author

jnimeh commented Jan 23, 2023

/integrate

@openjdk
Copy link

openjdk bot commented Jan 23, 2023

Going to push as commit 1a3cb8c.
Since your change was applied there have been 256 commits pushed to the master branch:

  • 86fed79: 8300693: Lower the compile threshold and reduce the iterations of warmup loop in VarHandles tests
  • 4525aa3: 8300867: Fix document issues in java.io
  • a7f035d: 8300868: Reduce visibility in java.io.SerialCallbackContext
  • 079255e: 8300864: Declare some fields in java.io as final
  • a56598f: 8299684: (bf) JNI direct buffer functions with large capacity behave unexpectedly
  • 542bfe6: 8300587: (bf) Some covariant overrides are missing @SInCE tags
  • 03a9a88: 8300265: Remove metaprogramming/isSigned.hpp
  • 5a4945c: 8299975: Limit underflow protection CMoveINode in PhaseIdealLoop::do_unroll must also protect type from underflow
  • f307e8c: 8299795: Relativize locals in interpreter frames
  • 11aadc9: 8244400: MenuItem may cache the size and did not update it when the screen DPI is changed
  • ... and 246 more: https://git.openjdk.org/jdk/compare/7607c07e002cd86cf2a0f44df9933612550ced95...master

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated Pull request has been integrated label Jan 23, 2023
@openjdk openjdk bot closed this Jan 23, 2023
@openjdk openjdk bot removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Jan 23, 2023
@openjdk
Copy link

openjdk bot commented Jan 23, 2023

@jnimeh Pushed as commit 1a3cb8c.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

@jnimeh jnimeh deleted the JDK-8296343 branch January 24, 2023 01:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
integrated Pull request has been integrated security security-dev@openjdk.org
Development

Successfully merging this pull request may close these issues.

6 participants