RFR: 8296343: CPVE thrown on missing content-length in OCSP response
Xue-Lei Andrew Fan
xuelei at openjdk.org
Tue Jan 10 18:29:53 UTC 2023
On Tue, 10 Jan 2023 17:50:23 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 217:
>>
>>> 215:
>>> 216: int contentLength = con.getContentLength();
>>> 217: return (contentLength == -1) ? con.getInputStream().readAllBytes() :
>>
>> For the returned OCSP bytes, what if the response code is not OK?
>
> Well, in the case of a 404 what appears to happen is that HttpURLConnection would throw a FileNotFoundException. That ultimately would result in a CPVE if there were no other sources of revocation information (e.g. CRL) for that certificate.
It may be more effective/accurate to stop reading the OCSP response bytes if the response code is not OK.
-------------
PR: https://git.openjdk.org/jdk/pull/11917
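The two concerns raised in the review above, a missing Content-Length and a non-OK status such as a 404, sketched as one method. This is an added illustration, not code from the PR or from sun.security.provider.certpath.OCSP: the method name readOcspResponse, the MAX_RESPONSE_BYTES cap, the local com.sun.net.httpserver responder and the five-byte stand-in body (a DER SEQUENCE holding the ENUMERATED responseStatus 0, with no responseBytes) are all assumptions made for the example. The request side is simplified to a GET so the focus stays on reading the reply.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import com.sun.net.httpserver.HttpServer;

public class OcspFetchExample {

    // Upper bound on a response we are willing to buffer when the responder
    // sends no Content-Length (an assumption for this example, not a JDK value).
    private static final int MAX_RESPONSE_BYTES = 64 * 1024;

    /**
     * Read the body of an OCSP HTTP exchange. The status is checked before any
     * body bytes are read, so a 404 or 500 surfaces as an IOException naming
     * the status rather than as a FileNotFoundException from getInputStream().
     */
    static byte[] readOcspResponse(HttpURLConnection con) throws IOException {
        int status = con.getResponseCode();           // does not throw on 404
        if (status != HttpURLConnection.HTTP_OK) {
            throw new IOException("OCSP responder returned HTTP " + status);
        }
        int contentLength = con.getContentLength();   // -1 when header absent
        try (InputStream in = con.getInputStream()) {
            if (contentLength == -1) {
                // No Content-Length (e.g. chunked): read to EOF, but bounded.
                byte[] body = in.readNBytes(MAX_RESPONSE_BYTES + 1);
                if (body.length > MAX_RESPONSE_BYTES) {
                    throw new IOException("OCSP response exceeds " + MAX_RESPONSE_BYTES + " bytes");
                }
                return body;
            }
            byte[] body = in.readNBytes(contentLength);
            if (body.length != contentLength) {
                throw new IOException("Truncated OCSP response: expected "
                        + contentLength + " bytes, got " + body.length);
            }
            return body;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a DER OCSPResponse { responseStatus: successful };
        // not captured from a real responder.
        byte[] fakeResponse = {0x30, 0x03, 0x0a, 0x01, 0x00};

        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        // Body with an explicit Content-Length.
        server.createContext("/fixed", ex -> {
            ex.getResponseHeaders().set("Content-Type", "application/ocsp-response");
            ex.sendResponseHeaders(200, fakeResponse.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(fakeResponse); }
        });
        // Length 0 selects chunked encoding, so the client sees no Content-Length.
        server.createContext("/chunked", ex -> {
            ex.sendResponseHeaders(200, 0);
            try (OutputStream os = ex.getResponseBody()) { os.write(fakeResponse); }
        });
        // Responder has nothing at this path: the 404 case from the review.
        server.createContext("/missing", ex -> {
            ex.sendResponseHeaders(404, -1);
            ex.close();
        });
        server.start();
        int port = server.getAddress().getPort();
        try {
            for (String path : new String[] {"/fixed", "/chunked", "/missing"}) {
                HttpURLConnection con = (HttpURLConnection)
                        URI.create("http://127.0.0.1:" + port + path).toURL().openConnection();
                con.setRequestMethod("GET");
                try {
                    byte[] body = readOcspResponse(con);
                    System.out.println(path + ": read " + body.length
                            + " bytes, Content-Length header was " + con.getContentLength());
                } catch (IOException e) {
                    System.out.println(path + ": " + e.getMessage());
                } finally {
                    con.disconnect();
                }
            }
        } finally {
            server.stop(0);
        }
    }
}
```

Running it prints the fixed-length and chunked bodies as 5 bytes each (the second with Content-Length -1) and reports "HTTP 404" for the missing path without ever calling getInputStream(), which is the failure the thread attributes to the FileNotFoundException. The cap on the -1 branch is the caveat readAllBytes() alone does not give you: an untrusted responder with no Content-Length can otherwise make the client buffer as much as it likes.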