64 changes: 45 additions & 19 deletions jdk/src/share/classes/sun/security/provider/certpath/OCSP.java
Expand Up @@ -264,31 +264,57 @@ public static byte[] getOCSPBytes(List<CertId> certIds, URI responderURI,
out.flush();
}

// Check the response
if (debug != null &&
con.getResponseCode() != HttpURLConnection.HTTP_OK) {
debug.println("Received HTTP error: " + con.getResponseCode()
+ " - " + con.getResponseMessage());
// Check the response. Non-200 codes will generate an exception
// but path validation may complete successfully if revocation info
// can be obtained elsewhere (e.g. CRL).
int respCode = con.getResponseCode();
if (respCode != HttpURLConnection.HTTP_OK) {
String msg = "Received HTTP error: " + respCode + " - " +
con.getResponseMessage();
if (debug != null) {
debug.println(msg);
}
throw new IOException(msg);
}
InputStream in = con.getInputStream();

int contentLength = con.getContentLength();
if (contentLength == -1) {
contentLength = Integer.MAX_VALUE;
if (contentLength == -1){
// read all available content from the input stream
InputStream in = con.getInputStream();
final int initialBufferSize = 2048;
byte[] response = new byte[initialBufferSize];
int total = 0;
while (true) {
int read = in.read(response, total, response.length - total);
if (read == -1){
break;
}
total += read;
if (total == response.length){
response = Arrays.copyOf(response, 2 * response.length);
}
}
return Arrays.copyOf(response, total);
}
byte[] response = new byte[contentLength > 2048 ? 2048 : contentLength];

int total = 0;
while (total < contentLength) {
int count = in.read(response, total, response.length - total);
if (count < 0)
break;
total += count;
if (total == response.length && total < contentLength) {
response = Arrays.copyOf(response, total * 2);
else {
// read exactly contentLength bytes from the input stream
InputStream in = con.getInputStream();
byte[] response = new byte[contentLength];
int total = 0;
while (total < contentLength) {
int read = in.read(response, total, contentLength - total);
if (read == -1){
String msg = "ACTUAL content length = " + total + " vs. " +
contentLength + " EXPECTED";
if (debug != null) {
debug.println(msg);
}
throw new IOException(msg);
}
total += read;
}
return response;
}
return Arrays.copyOf(response, total);
} finally {
if (con != null) {
con.disconnect();
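Review bot: In the known-length branch, `byte[] response = new byte[contentLength];` sizes the buffer from the responder's Content-Length header before any body byte has arrived, so a responder that declares a very large length forces a large allocation (or an OutOfMemoryError) up front; the removed code started at 2048 bytes and grew only as data was actually read. The unknown-length branch has no upper bound either, and `Arrays.copyOf(response, 2 * response.length)` overflows to a negative size once the buffer reaches 2^30 bytes, which surfaces as a NegativeArraySizeException instead of an IOException. I would cap both paths at a maximum response size, for example `if (contentLength > MAX_RESPONSE_BYTES) throw new IOException("OCSP response too large");` before the allocation and the same bound on `total` inside the read loop, where MAX_RESPONSE_BYTES is a placeholder for a limit this file does not define yet. getOCSPBytes begins before this hunk and continues past it.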
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -66,6 +66,7 @@
import java.util.Objects;
import java.util.Set;
import java.util.HashSet;
import java.util.concurrent.TimeUnit;
import sun.security.testlibrary.SimpleOCSPServer;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
Expand Down Expand Up @@ -118,11 +119,10 @@ public static void main(String args[]) throws Exception {
}} ));
ocspResponder.start();
// Wait 5 seconds for server ready
for (int i = 0; (i < 100 && !ocspResponder.isServerReady()); i++) {
Thread.sleep(50);
}
if (!ocspResponder.isServerReady()) {
throw new RuntimeException("Server not ready yet");
boolean readyStatus =
ocspResponder.awaitServerReady(5, TimeUnit.SECONDS);
if (!readyStatus) {
throw new RuntimeException("Server not ready");
}

int ocspPort = ocspResponder.getPort();
53 changes: 40 additions & 13 deletions jdk/test/java/security/testlibrary/SimpleOCSPServer.java
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -89,10 +89,11 @@ public static enum CertStatus {
private boolean logEnabled = false;
private ExecutorService threadPool;
private volatile boolean started = false;
private volatile boolean serverReady = false;
private CountDownLatch serverReady = new CountDownLatch(1);
private volatile boolean receivedShutdown = false;
private volatile boolean acceptConnections = true;
private volatile long delayMsec = 0;
private boolean omitContentLength = false;

// Fields used in the generation of responses
private long nextUpdateInterval = -1;
Expand Down Expand Up @@ -222,14 +223,15 @@ public void run() {
listenPort), 128);
log("Listening on " + servSocket.getLocalSocketAddress());

// Singal ready
serverReady = true;

// Update the listenPort with the new port number. If
// the server is restarted, it will bind to the same
// port rather than picking a new one.
listenPort = servSocket.getLocalPort();

// Decrement the latch, allowing any waiting entities
// to proceed with their requests.
serverReady.countDown();

// Main dispatch loop
while (!receivedShutdown) {
try {
Expand Down Expand Up @@ -263,7 +265,7 @@ public void run() {
// Reset state variables so the server can be restarted
receivedShutdown = false;
started = false;
serverReady = false;
serverReady = new CountDownLatch(1);
}
}
});
Expand Down Expand Up @@ -503,7 +505,7 @@ public void setSignatureAlgorithm(String algName)
* server has not yet been bound to a port.
*/
public int getPort() {
if (serverReady) {
if (serverReady.getCount() == 0) {
InetSocketAddress inetSock =
(InetSocketAddress)servSocket.getLocalSocketAddress();
return inetSock.getPort();
Expand All @@ -513,12 +515,21 @@ public int getPort() {
}

/**
* Use to check if OCSP server is ready to accept connection.
* Allow SimpleOCSPServer consumers to wait for the server to be in
* the ready state before sending requests.
*
* @param timeout the length of time to wait for the server to be ready
* @param unit the unit of time applied to the timeout parameter
*
* @return true if server ready, false otherwise
* @return true if the server enters the ready state, false if the
* timeout period elapses while the caller is waiting for the server
* to become ready.
*
* @throws InterruptedException if the current thread is interrupted.
*/
public boolean isServerReady() {
return serverReady;
public boolean awaitServerReady(long timeout, TimeUnit unit)
throws InterruptedException {
return serverReady.await(timeout, unit);
}

/**
Expand All @@ -537,6 +548,19 @@ public void setDelay(long delayMillis) {
}
}

/**
* Setting to control whether HTTP responses have the Content-Length
* field asserted or not.
*
* @param isDisabled true if the Content-Length field should not be
* asserted, false otherwise.
*/
public void setDisableContentLength(boolean isDisabled) {
if (!started) {
omitContentLength = isDisabled;
}
}

/**
* Log a message to stdout.
*
Expand Down Expand Up @@ -782,8 +806,11 @@ public void sendResponse(OutputStream out, LocalOcspResponse resp)

sb.append("HTTP/1.0 200 OK\r\n");
sb.append("Content-Type: application/ocsp-response\r\n");
sb.append("Content-Length: ").append(respBytes.length);
sb.append("\r\n\r\n");
if (!omitContentLength) {
sb.append("Content-Length: ").append(respBytes.length).
append("\r\n");
}
sb.append("\r\n");

out.write(sb.toString().getBytes("UTF-8"));
out.write(respBytes);
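Review bot: The `serverReady` field is now a `CountDownLatch` that the server thread replaces with `serverReady = new CountDownLatch(1)` when it resets state, but the declaration dropped the `volatile` that the old boolean had, so callers of `getPort()` and `awaitServerReady()` on another thread have no visibility guarantee for the new reference and may consult the already-released latch from the previous run. Declaring it `private volatile CountDownLatch serverReady = new CountDownLatch(1);` keeps the restart behaviour and restores that guarantee. Separately, `setDisableContentLength` silently ignores the call once the server is started; its Javadoc should say so, e.g. `This setting is ignored if the server has already been started.`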
18 changes: 7 additions & 11 deletions jdk/test/javax/net/ssl/Stapling/HttpsUrlConnClient.java
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -562,11 +562,9 @@ private static void createPKI() throws Exception {
rootOcsp.start();

// Wait 5 seconds for server ready
for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) {
Thread.sleep(50);
}
if (!rootOcsp.isServerReady()) {
throw new RuntimeException("Server not ready yet");
boolean readyStatus = rootOcsp.awaitServerReady(5, TimeUnit.SECONDS);
if (!readyStatus) {
throw new RuntimeException("Server not ready");
}

rootOcspPort = rootOcsp.getPort();
Expand Down Expand Up @@ -615,11 +613,9 @@ private static void createPKI() throws Exception {
intOcsp.start();

// Wait 5 seconds for server ready
for (int i = 0; (i < 100 && !intOcsp.isServerReady()); i++) {
Thread.sleep(50);
}
if (!intOcsp.isServerReady()) {
throw new RuntimeException("Server not ready yet");
readyStatus = intOcsp.awaitServerReady(5, TimeUnit.SECONDS);
if (!readyStatus) {
throw new RuntimeException("Server not ready");
}

intOcspPort = intOcsp.getPort();
18 changes: 7 additions & 11 deletions jdk/test/javax/net/ssl/Stapling/SSLEngineWithStapling.java
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -505,11 +505,9 @@ private static void createPKI() throws Exception {
rootOcsp.start();

// Wait 5 seconds for server ready
for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) {
Thread.sleep(50);
}
if (!rootOcsp.isServerReady()) {
throw new RuntimeException("Server not ready yet");
boolean readyStatus = rootOcsp.awaitServerReady(5, TimeUnit.SECONDS);
if (!readyStatus) {
throw new RuntimeException("Server not ready");
}

rootOcspPort = rootOcsp.getPort();
Expand Down Expand Up @@ -558,11 +556,9 @@ private static void createPKI() throws Exception {
intOcsp.start();

// Wait 5 seconds for server ready
for (int i = 0; (i < 100 && !intOcsp.isServerReady()); i++) {
Thread.sleep(50);
}
if (!intOcsp.isServerReady()) {
throw new RuntimeException("Server not ready yet");
readyStatus = intOcsp.awaitServerReady(5, TimeUnit.SECONDS);
if (!readyStatus) {
throw new RuntimeException("Server not ready");
}

intOcspPort = intOcsp.getPort();