RFR: 8296343: CPVE thrown on missing content-length in OCSP response

Jamil Nimeh jnimeh at openjdk.org
Tue Jan 10 17:52:56 UTC 2023


On Tue, 10 Jan 2023 17:30:08 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> This fixes an issue where HTTP responses that do not have an explicit Content-Length are causing an EOFException which unravels into a CertPathValidatorException during validations that involve OCSP checks.
>> 
>> - JBS: https://bugs.openjdk.org/browse/JDK-8296343
>
> src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 217:
> 
>> 215: 
>> 216:             int contentLength = con.getContentLength();
>> 217:             return (contentLength == -1) ? con.getInputStream().readAllBytes() :
> 
> For the returned OCSP bytes, what if the response code is not OK?

Well, in the case of a 404 what appears to happen is that HttpURLConnection would throw a FileNotFoundException.  That ultimately would result in a CPVE if there were no other sources of revocation information (e.g. CRL) for that certificate.

-------------

PR: https://git.openjdk.org/jdk/pull/11917


More information about the security-dev mailing list