JDK-8308255

OCSP responses without a "Content-Length" header lead to "EOFException"


Details

    • Fix Understood
    • b04
    • 17
    • generic
    • generic

    Description

      A DESCRIPTION OF THE PROBLEM :
      The error is contained in class `sun.security.provider.certpath.OCSP`.

      If the HTTP response from the remote OCSP server does not contain the "Content-Length" header, the local variable "contentLength" is set to "Integer.MAX_VALUE". The following call to "IOUtils.readExactlyNBytes" leads to an "EOFException" because it can't read "Integer.MAX_VALUE" bytes from the server.

      This change was introduced with commit https://github.com/openjdk/jdk/commit/f5ee356540d7aa4a7663c0d5d74f5fdb0726b426 in version 17+4 in relationship to https://bugs.openjdk.org/browse/JDK-8179503

      There is also a proposed backport to Java 11 where I already presented my concerns: https://github.com/openjdk/jdk11u-dev/pull/847#issuecomment-1550310174

      The previous solution in version 17+3 worked well, even if no "Content-Length" header is present. Quick comparison:


      Version 17+3: https://github.com/openjdk/jdk/blob/jdk-17%2B3/src/java.base/share/classes/sun/security/provider/certpath/OCSP.java#L262-L274

      Version 17+4: https://github.com/openjdk/jdk/blob/jdk-17%2B4/src/java.base/share/classes/sun/security/provider/certpath/OCSP.java#L271-L277

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Have the OCSP server NOT contain the "Content-Length" header.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The expected result is a valid OCSP response, even without the "Content-Length" header
      ACTUAL -
      OCSP validation fails, even though the certificate is correct, which leads to the certificate being marked as "revoked", which is wrong.

      CUSTOMER SUBMITTED WORKAROUND :
      Use Java 17+3 or Java 11
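
The failure mode described in this report next to a length-tolerant read, as an added example (not the JDK's code and not the fix for this issue). `readExactly` is a stand-in for an exact-length read; `readBody`, the 64 KiB cap and the `-1` convention for a missing header (as `URLConnection.getContentLength()` reports it) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;

public class OcspBodyRead {
    // Hypothetical cap on an OCSP response body; not a JDK constant.
    static final int MAX_RESPONSE_BYTES = 64 * 1024;

    // Stand-in for an exact-length read: fails unless all n bytes arrive.
    static byte[] readExactly(InputStream in, int n) throws IOException {
        byte[] buf = in.readNBytes(n); // returns fewer bytes if EOF comes first
        if (buf.length < n) {
            throw new EOFException("expected " + n + " bytes, got " + buf.length);
        }
        return buf;
    }

    // Length-tolerant read: contentLength is -1 when the header is absent.
    static byte[] readBody(InputStream in, int contentLength) throws IOException {
        if (contentLength > MAX_RESPONSE_BYTES) {
            throw new IOException("declared length exceeds cap");
        }
        if (contentLength >= 0) {
            return readExactly(in, contentLength); // header present: enforce it
        }
        // No header: read to EOF, asking for one byte past the cap so an
        // oversized body is detected instead of silently truncated.
        byte[] buf = in.readNBytes(MAX_RESPONSE_BYTES + 1);
        if (buf.length > MAX_RESPONSE_BYTES) {
            throw new IOException("response body exceeds cap");
        }
        return buf;
    }

    public static void main(String[] args) throws IOException {
        byte[] body = {0x30, 0x03, 0x0a, 0x01, 0x00}; // constructed sample bytes
        try {
            // Missing header mapped to Integer.MAX_VALUE, then an exact read.
            readExactly(new ByteArrayInputStream(body), Integer.MAX_VALUE);
        } catch (EOFException e) {
            System.out.println("exact read with MAX_VALUE: " + e.getMessage());
        }
        byte[] got = readBody(new ByteArrayInputStream(body), -1);
        System.out.println("read-to-EOF returned " + got.length + " bytes");
    }
}
```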

            People

              apavlyutkin Alexey Pavlyutkin
              webbuggrp Webbug Group