RFR: 8329213: Better validation for com.sun.security.ocsp.useget option [v2]

Sean Mullan mullan at openjdk.org
Thu Mar 28 18:22:32 UTC 2024 

On Thu, 28 Mar 2024 09:09:46 GMT, Aleksey Shipilev <shade at openjdk.org> wrote:

>> [JDK-8328638](https://bugs.openjdk.org/browse/JDK-8328638) introduced a new boolean option, `com.sun.security.ocsp.useget`. We use the usual `Boolean.parseBoolean` to convert it from String to boolean value, which works correctly for `false` and `true` as boolean values. However, any string that is not `true` would be treated as `false`. Which means that if users mistype the value, they would get a `false`, which is a non-default value, which is against the spirit of the JDK-8328638.
>> 
>> It would be preferable to validate the option range a bit better, and default to the correct value on any error.
>> 
>> Additional testing:
>>   - [x] Eyeballing `GetAndPostTests` debugging, checking that GET/POST are properly enabled/disabled for `false`, `true`, `foobar` passed as option values
>>   - [x] `jdk_security`, out of the box
>>   - [x] `jdk_security` with `-Dcom.sun.security.ocsp.useget=false` passes
>>   - [x] `jdk_security` with `-Dcom.sun.security.ocsp.useget=foobar` passes
>
> Aleksey Shipilev has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Invert equals

Can you also add to the RN that any value other than "false" (case-insensitive) defaults to "true".

src/java.base/share/classes/sun/security/action/GetPropertyAction.java line 235:

> 233:      * @param dbg a Debug object, if null no debug messages will be sent
> 234:      *
> 235:      * @return an boolean value corresponding to the value in the System property.

s/an/a/

src/java.base/share/classes/sun/security/action/GetPropertyAction.java line 239:

> 237:      *      will be returned.
> 238:      */
> 239:     public static boolean privilegedGetBooleanProp(String prop, boolean def, Debug dbg) {

It probably makes more sense to put this method in the `GetBooleanAction` class.

-------------

PR Review: https://git.openjdk.org/jdk/pull/18525#pullrequestreview-1966933688
PR Review Comment: https://git.openjdk.org/jdk/pull/18525#discussion_r1543422305
PR Review Comment: https://git.openjdk.org/jdk/pull/18525#discussion_r1543421938

More information about the security-dev mailing list