stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8329213: Better validation for com.sun.security.ocsp.useget option

Browse Source 
Reviewed-by: mullan
This commit is contained in:
Aleksey Shipilev 2024-04-01 17:27:00 +00:00
parent 9f5464ee95
commit 4a14cba2f1
4 changed files with 48 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/java.base/share/classes/sun/security/action/GetPropertyAction.java
View File

@ -224,4 +224,37 @@ public class GetPropertyAction implements PrivilegedAction<String> {
return def;
}
}
/**
* Convenience method for fetching System property values that are booleans.
*
* @param prop the name of the System property
* @param def a default value
* @param dbg a Debug object, if null no debug messages will be sent
*
* @return a boolean value corresponding to the value in the System property.
* If the property value is neither "true" or "false", the default value
* will be returned.
*/
public static boolean privilegedGetBooleanProp(String prop, boolean def, Debug dbg) {
String rawPropVal = privilegedGetProperty(prop, "");
if ("".equals(rawPropVal)) {
return def;
}
String lower = rawPropVal.toLowerCase(Locale.ROOT);
if ("true".equals(lower)) {
return true;
} else if ("false".equals(lower)) {
return false;
} else {
if (dbg != null) {
dbg.println("Warning: Unexpected value for " + prop +
": " + rawPropVal +
". Using default value: " + def);
}
return def;
}
}
}

8
src/java.base/share/classes/sun/security/provider/certpath/OCSP.java
View File

@ -105,7 +105,7 @@ public final class OCSP {
* problems.
*/
private static final boolean USE_GET = initializeBoolean(
"com.sun.security.ocsp.useget", "true");
"com.sun.security.ocsp.useget", true);
/**
* Initialize the timeout length by getting the OCSP timeout
@ -121,9 +121,9 @@ public final class OCSP {
return timeoutVal;
}
private static boolean initializeBoolean(String prop, String def) {
String flag = GetPropertyAction.privilegedGetProperty(prop, def);
boolean value = Boolean.parseBoolean(flag);
private static boolean initializeBoolean(String prop, boolean def) {
boolean value =
GetPropertyAction.privilegedGetBooleanProp(prop, def, debug);
if (debug != null) {
debug.println(prop + " set to " + value);
}

1
test/jdk/java/security/cert/CertPathValidator/OCSP/GetAndPostTests.java
View File

@ -32,6 +32,7 @@
* java.base/sun.security.x509
* @run main/othervm GetAndPostTests
* @run main/othervm -Dcom.sun.security.ocsp.useget=false GetAndPostTests
* @run main/othervm -Dcom.sun.security.ocsp.useget=foo GetAndPostTests
*/
import java.io.ByteArrayInputStream;

11
test/jdk/java/security/testlibrary/SimpleOCSPServer.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -702,6 +702,9 @@ public class SimpleOCSPServer {
* responses.
*/
private class OcspHandler implements Runnable {
private final boolean USE_GET =
!System.getProperty("com.sun.security.ocsp.useget", "").equals("false");
private final Socket sock;
InetSocketAddress peerSockAddr;
@ -874,6 +877,12 @@ public class SimpleOCSPServer {
// Okay, make sure we got what we needed from the header, then
// read the remaining OCSP Request bytes
if (properContentType && length >= 0) {
if (USE_GET && length <= 255) {
// Received a small POST request. Check that our client code properly
// handled the relevant flag. We expect small GET requests, unless
// explicitly disabled.
throw new IOException("Should have received small GET, not POST.");
}
byte[] ocspBytes = new byte[length];
inStream.read(ocspBytes);
return new LocalOcspRequest(ocspBytes);