8329213: Better validation for com.sun.security.ocsp.useget option
Reviewed-by: mullan
parent
9f5464ee95
commit
4a14cba2f1
@ -224,4 +224,37 @@ public class GetPropertyAction implements PrivilegedAction<String> {
|
|||||||
return def;
|
return def;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Convenience method for fetching System property values that are booleans.
|
||||||
|
*
|
||||||
|
* @param prop the name of the System property
|
||||||
|
* @param def a default value
|
||||||
|
* @param dbg a Debug object, if null no debug messages will be sent
|
||||||
|
*
|
||||||
|
* @return a boolean value corresponding to the value in the System property.
|
||||||
|
* If the property value is neither "true" or "false", the default value
|
||||||
|
* will be returned.
|
||||||
|
*/
|
||||||
|
public static boolean privilegedGetBooleanProp(String prop, boolean def, Debug dbg) {
|
||||||
|
String rawPropVal = privilegedGetProperty(prop, "");
|
||||||
|
if ("".equals(rawPropVal)) {
|
||||||
|
return def;
|
||||||
|
}
|
||||||
|
|
||||||
|
String lower = rawPropVal.toLowerCase(Locale.ROOT);
|
||||||
|
if ("true".equals(lower)) {
|
||||||
|
return true;
|
||||||
|
} else if ("false".equals(lower)) {
|
||||||
|
return false;
|
||||||
|
} else {
|
||||||
|
if (dbg != null) {
|
||||||
|
dbg.println("Warning: Unexpected value for " + prop +
|
||||||
|
": " + rawPropVal +
|
||||||
|
". Using default value: " + def);
|
||||||
|
}
|
||||||
|
return def;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
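Review bot: The Javadoc on `privilegedGetBooleanProp` leaves out two things the body does: the comparison is case-insensitive (`toLowerCase(Locale.ROOT)`), and an unset or empty property returns `def` through the `"".equals(rawPropVal)` early return without any debug message. I would extend the `@return` text to something like `compared case-insensitively; if the property is unset, empty, or neither "true" nor "false", the default value is returned`, which also fixes the "neither ... or" wording. Surrounding whitespace is not trimmed, so a value such as `" true"` falls back to the default. Since this helper now decides a security setting, that is worth either stating in the Javadoc or handling with a `strip()` before the comparison.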
@ -105,7 +105,7 @@ public final class OCSP {
|
|||||||
* problems.
|
* problems.
|
||||||
*/
|
*/
|
||||||
private static final boolean USE_GET = initializeBoolean(
|
private static final boolean USE_GET = initializeBoolean(
|
||||||
"com.sun.security.ocsp.useget", "true");
|
"com.sun.security.ocsp.useget", true);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Initialize the timeout length by getting the OCSP timeout
|
* Initialize the timeout length by getting the OCSP timeout
|
||||||
@ -121,9 +121,9 @@ public final class OCSP {
|
|||||||
return timeoutVal;
|
return timeoutVal;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static boolean initializeBoolean(String prop, String def) {
|
private static boolean initializeBoolean(String prop, boolean def) {
|
||||||
String flag = GetPropertyAction.privilegedGetProperty(prop, def);
|
boolean value =
|
||||||
boolean value = Boolean.parseBoolean(flag);
|
GetPropertyAction.privilegedGetBooleanProp(prop, def, debug);
|
||||||
if (debug != null) {
|
if (debug != null) {
|
||||||
debug.println(prop + " set to " + value);
|
debug.println(prop + " set to " + value);
|
||||||
}
|
}
|
||||||
|
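Review bot: Values other than `true`/`false` now resolve to the default `true` in `initializeBoolean`, whereas the removed `Boolean.parseBoolean(flag)` mapped every non-"true" value to `false`. A deployment that set `com.sun.security.ocsp.useget` to something like `no` or `0` to force POST will therefore switch to GET after this change. The only signal is the helper's warning, which is printed only when `debug` is non-null. I would record the accepted values and the fallback in the comment above `USE_GET` (it starts outside the hunk), for example `Only "true" and "false" (any case) are honoured; any other value is ignored and GET is used.`, and call out the behaviour change in the release note.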
@ -32,6 +32,7 @@
|
|||||||
* java.base/sun.security.x509
|
* java.base/sun.security.x509
|
||||||
* @run main/othervm GetAndPostTests
|
* @run main/othervm GetAndPostTests
|
||||||
* @run main/othervm -Dcom.sun.security.ocsp.useget=false GetAndPostTests
|
* @run main/othervm -Dcom.sun.security.ocsp.useget=false GetAndPostTests
|
||||||
|
* @run main/othervm -Dcom.sun.security.ocsp.useget=foo GetAndPostTests
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import java.io.ByteArrayInputStream;
|
import java.io.ByteArrayInputStream;
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -702,6 +702,9 @@ public class SimpleOCSPServer {
|
|||||||
* responses.
|
* responses.
|
||||||
*/
|
*/
|
||||||
private class OcspHandler implements Runnable {
|
private class OcspHandler implements Runnable {
|
||||||
|
private final boolean USE_GET =
|
||||||
|
!System.getProperty("com.sun.security.ocsp.useget", "").equals("false");
|
||||||
|
|
||||||
private final Socket sock;
|
private final Socket sock;
|
||||||
InetSocketAddress peerSockAddr;
|
InetSocketAddress peerSockAddr;
|
||||||
|
|
||||||
@ -874,6 +877,12 @@ public class SimpleOCSPServer {
|
|||||||
// Okay, make sure we got what we needed from the header, then
|
// Okay, make sure we got what we needed from the header, then
|
||||||
// read the remaining OCSP Request bytes
|
// read the remaining OCSP Request bytes
|
||||||
if (properContentType && length >= 0) {
|
if (properContentType && length >= 0) {
|
||||||
|
if (USE_GET && length <= 255) {
|
||||||
|
// Received a small POST request. Check that our client code properly
|
||||||
|
// handled the relevant flag. We expect small GET requests, unless
|
||||||
|
// explicitly disabled.
|
||||||
|
throw new IOException("Should have received small GET, not POST.");
|
||||||
|
}
|
||||||
byte[] ocspBytes = new byte[length];
|
byte[] ocspBytes = new byte[length];
|
||||||
inStream.read(ocspBytes);
|
inStream.read(ocspBytes);
|
||||||
return new LocalOcspRequest(ocspBytes);
|
return new LocalOcspRequest(ocspBytes);
|
||||||
|
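Review bot: The test server derives `USE_GET` in `OcspHandler` with a case-sensitive `equals("false")`, while the client-side helper in this commit lower-cases the value before comparing. A run with `-Dcom.sun.security.ocsp.useget=FALSE` would therefore have the client send POST and this handler reject it with "Should have received small GET, not POST.". Using `!"false".equalsIgnoreCase(System.getProperty("com.sun.security.ocsp.useget"))` keeps the two sides in step, and would allow a mixed-case `@run` line in GetAndPostTests. Separately, `length <= 255` is checked against the POST body size. If the client applies its 255 limit to the encoded GET URL rather than the raw request, a body somewhat under 255 bytes can legitimately arrive by POST and would fail here, so this should be confirmed against the client code, which is not shown in this hunk.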