RFR: 8296343: CPVE thrown on missing content-length in OCSP response

Matthew Donovan duke at openjdk.org
Tue Jan 10 18:34:58 UTC 2023


On Tue, 10 Jan 2023 06:02:29 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:

> This fixes an issue where HTTP responses that do not have an explicit Content-Length are causing an EOFException which unravels into a CertPathValidatorException during validations that involve OCSP checks.
> 
> - JBS: https://bugs.openjdk.org/browse/JDK-8296343

test/jdk/sun/security/provider/certpath/OCSP/OCSPNoContentLength.java line 146:

> 144: 
> 145:         // Wait 5 seconds for server ready
> 146:         for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) {

This pattern is repeated over 20 times in the code. Instead of spinning on a boolean, the SimpleOCSPServer class could use a CountDownLatch to signal when it's ready. Then, instead of having an `isServerReady()` method, it would just have a method, e.g. `boolean waitForServer(long timeout, TimeUnit unit)`, which just delegates to `CountDownLatch.await(long, TimeUnit)`.

And to avoid changing 20+ other tests, just mark `isServerReady()` as deprecated.

-------------

PR: https://git.openjdk.org/jdk/pull/11917
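The latch-based readiness signal suggested in the review, as an added illustration; this is not code from the OpenJDK PR or from SimpleOCSPServer. The class name `ReadyLatchServer`, the simulated startup delay, and the 50 ms sleep inside the old polling loop are assumptions made for the example (the quoted test line shows only the loop header).

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

// Hypothetical stand-in for the test's SimpleOCSPServer (not the OpenJDK class).
public class ReadyLatchServer {
    // Counts down exactly once, when the server has finished starting up.
    private final CountDownLatch ready = new CountDownLatch(1);

    public void start() {
        Thread t = new Thread(() -> {
            try {
                // Constructed startup delay; stands in for socket bind and listener setup.
                Thread.sleep(200);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return;
            }
            ready.countDown();   // releases every waiter at once
        }, "ocsp-server");
        t.setDaemon(true);
        t.start();
    }

    /** Old style: callers poll this in a loop. Kept so existing tests still compile. */
    @Deprecated
    public boolean isServerReady() {
        return ready.getCount() == 0;
    }

    /** New style: blocks until ready or the timeout elapses; returns false on timeout. */
    public boolean waitForServer(long timeout, TimeUnit unit) throws InterruptedException {
        return ready.await(timeout, unit);
    }

    public static void main(String[] args) throws InterruptedException {
        // Old pattern: up to 100 polls of an assumed 50 ms each (~5 s), then carry on regardless.
        ReadyLatchServer a = new ReadyLatchServer();
        a.start();
        int polls = 0;
        for (int i = 0; (i < 100 && !a.isServerReady()); i++) {
            Thread.sleep(50);
            polls++;
        }
        System.out.println("spin loop: ready=" + a.isServerReady() + " after " + polls + " polls");

        // New pattern: one blocking call; a timeout is an explicit failure, not a silent fall-through.
        ReadyLatchServer b = new ReadyLatchServer();
        b.start();
        boolean up = b.waitForServer(5, TimeUnit.SECONDS);
        if (!up) {
            throw new IllegalStateException("server not ready within 5 s");
        }
        System.out.println("latch: ready=" + up);
    }
}
```

Besides removing the sleep/poll loop, the latch form makes the readiness timeout visible: with the spin loop a test that exhausts its 100 iterations proceeds against a server that may not be listening yet, and the resulting failure shows up later as a confusing connection or validation error; `waitForServer` returning false lets the test fail at the point where the real problem occurred.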



More information about the security-dev mailing list