RFR: 8296343: CPVE thrown on missing content-length in OCSP response

Xue-Lei Andrew Fan xuelei at openjdk.org
Tue Jan 10 17:33:00 UTC 2023


On Tue, 10 Jan 2023 06:02:29 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:

> This fixes an issue where HTTP responses that do not have an explicit Content-Length are causing an EOFException which unravels into a CertPathValidatorException during validations that involve OCSP checks.
> 
> - JBS: https://bugs.openjdk.org/browse/JDK-8296343

src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 217:

> 215: 
> 216:             int contentLength = con.getContentLength();
> 217:             return (contentLength == -1) ? con.getInputStream().readAllBytes() :

For the returned OCSP bytes, what if the response code is not OK?

-------------

PR: https://git.openjdk.org/jdk/pull/11917
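As an added illustration for the two points above (the Content-Length fallback in the quoted line 217 and the reviewer's question about non-OK response codes), the following standalone Java class shows one way a client can read an OCSP response body. It is example code written for this page, not the PR's change and not OpenJDK's OCSP.java; the class name, method names, the size cap and the sample bytes are assumptions made here.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;

/** Added example: reads an OCSP response body from an HttpURLConnection. Names and limits are assumptions. */
public class OcspResponseReader {

    // Assumed cap on the body size so a responder cannot make the client buffer without bound.
    static final int MAX_RESPONSE_BYTES = 64 * 1024;

    /**
     * Reads the response body from an already-opened connection. Anything other than
     * HTTP 200 is treated as a failed OCSP fetch rather than handed to the DER parser.
     */
    static byte[] readOcspResponse(HttpURLConnection con) throws IOException {
        int status = con.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            throw new IOException("OCSP responder returned HTTP " + status);
        }
        try (InputStream in = con.getInputStream()) {
            return readBody(in, con.getContentLength());
        }
    }

    /** Stream-level logic, kept separate so it can be exercised without a network. */
    static byte[] readBody(InputStream in, int contentLength) throws IOException {
        if (contentLength < 0) {
            // No Content-Length header (for example a chunked response): read to end of
            // stream, but stop one byte past the cap so an oversized body is detected.
            byte[] data = in.readNBytes(MAX_RESPONSE_BYTES + 1);
            if (data.length > MAX_RESPONSE_BYTES) {
                throw new IOException("OCSP response larger than " + MAX_RESPONSE_BYTES + " bytes");
            }
            return data;
        }
        if (contentLength > MAX_RESPONSE_BYTES) {
            throw new IOException("declared Content-Length " + contentLength + " exceeds cap");
        }
        // Content-Length present: read exactly that many bytes and fail on a short body.
        byte[] data = in.readNBytes(contentLength);
        if (data.length != contentLength) {
            throw new EOFException("short OCSP response: expected " + contentLength
                    + " bytes, got " + data.length);
        }
        return data;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a minimal DER OCSPResponse carrying only responseStatus (here: unauthorized).
        byte[] sample = {0x30, 0x03, 0x0A, 0x01, 0x06};

        // Case 1: no Content-Length, read to end of stream.
        byte[] a = readBody(new ByteArrayInputStream(sample), -1);
        System.out.println("no Content-Length: read " + a.length + " bytes");

        // Case 2: Content-Length matches the body.
        byte[] b = readBody(new ByteArrayInputStream(sample), sample.length);
        System.out.println("Content-Length " + sample.length + ": read " + b.length + " bytes");

        // Case 3: Content-Length claims more than the stream delivers (truncated body).
        try {
            readBody(new ByteArrayInputStream(sample), sample.length + 10);
        } catch (EOFException e) {
            System.out.println("truncated body rejected: " + e.getMessage());
        }
    }
}
```

The status check comes before any read so that an error page from the responder is never parsed as an OCSPResponse, and the read path is bounded in both branches so that a responder that omits Content-Length cannot push an unbounded body into the client; a short body under a declared Content-Length is surfaced as an EOFException at the transport layer rather than as a DER parsing failure later on.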
