RFR: 8329213: Better validation for com.sun.security.ocsp.useget option [v5]
Aleksey Shipilev
shade at openjdk.org
Mon Apr 1 17:29:38 UTC 2024
On Mon, 1 Apr 2024 07:34:52 GMT, Aleksey Shipilev <shade at openjdk.org> wrote:
>> [JDK-8328638](https://bugs.openjdk.org/browse/JDK-8328638) introduced a new boolean option, `com.sun.security.ocsp.useget`. We use the usual `Boolean.parseBoolean` to convert it from String to boolean value, which works correctly for `false` and `true` as boolean values. However, any string that is not `true` would be treated as `false`. Which means that if users mistype the value, they would get a `false`, which is a non-default value, which is against the spirit of the JDK-8328638.
>>
>> It would be preferable to validate the option range a bit better, and default to the correct value on any error.
>>
>> Additional testing:
>> - [x] Eyeballing `GetAndPostTests` debugging, checking that GET/POST are properly enabled/disabled for `false`, `true`, `foobar` passed as option values
>> - [x] `jdk_security`, out of the box
>> - [x] `jdk_security` with `-Dcom.sun.security.ocsp.useget=false` passes
>> - [x] `jdk_security` with `-Dcom.sun.security.ocsp.useget=foobar` passes
>
> Aleksey Shipilev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains seven additional commits since the last revision:
>
> - Merge branch 'master' into JDK-8329213-better-validation-ocsp
> - Copyright headers
> - test -> client
> - Add another option to GetAndPostTests, check requests in test OSCP server
> - Touchup
> - Invert equals
> - Fix
>
> Fix
>
> Fix
Thanks!
-------------
PR Comment: https://git.openjdk.org/jdk/pull/18525#issuecomment-2030202152
More information about the security-dev
mailing list