8296343: CPVE thrown on missing content-length in OCSP response

[apavlyutkin]

Hi!

Here is backport of JDK-8296343. The patch fixes CertPathValidatorException taking place if OCSP response does not contain ContentLength field.

Original patch is applied cleanly.

Verification/regression (amd64/20.04 LTS): jdk_security including newly added test/jdk/sun/security/provider/certpath/OCSP/OCSPNoContentLength.java

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8296343: CPVE thrown on missing content-length in OCSP response

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk17u-dev.git pull/1361/head:pull/1361
$ git checkout pull/1361

Update a local copy of the PR:
$ git checkout pull/1361
$ git pull https://git.openjdk.org/jdk17u-dev.git pull/1361/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 1361

View PR using the GUI difftool:
$ git pr show -t 1361

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk17u-dev/pull/1361.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back apavlyutkin! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[openjdk]

@apavlyutkin This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8296343: CPVE thrown on missing content-length in OCSP response

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 6 new commits pushed to the master branch:

• 879f4c5: 8297154: Improve safepoint cleanup logging
• 2913a8d: 8306753: Open source several container AWT tests
• 406d6ba: 8307378: Allow collectors to provide specific values for GC notifications' actions
• 36c364d: 8284331: Add sanity check for signal handler modification warning.
• 4a0f0f4: 8276058: Some swing test fails on specific CI macos system
• f2e837f: 8304350: Font.getStringBounds calculates wrong width for TextAttribute.TRACKING other than 0.0

Please see this link for an up-to-date comparison between the source branch of this pull request and the master branch.
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[mlbridge]

Webrevs

• 00: Full (46233d15)

[apavlyutkin]

/integrate

[yan-too]

/sponsor

[openjdk]

@apavlyutkin
Your change (at version 46233d1) is now ready to be sponsored by a Committer.

[openjdk]

Going to push as commit 32fda32.
Since your change was applied there have been 7 commits pushed to the master branch:

• 6b362e4: 8261495: Shenandoah: reconsider update references memory ordering
• 879f4c5: 8297154: Improve safepoint cleanup logging
• 2913a8d: 8306753: Open source several container AWT tests
• 406d6ba: 8307378: Allow collectors to provide specific values for GC notifications' actions
• 36c364d: 8284331: Add sanity check for signal handler modification warning.
• 4a0f0f4: 8276058: Some swing test fails on specific CI macos system
• f2e837f: 8304350: Font.getStringBounds calculates wrong width for TextAttribute.TRACKING other than 0.0

Your commit was automatically rebased without conflicts.

[openjdk]

@yan-too @apavlyutkin Pushed as commit 32fda32.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

[GoeLin]

Hi @apavlyutkin
since this push we see OCSPNoContentLength.java failing in out nightly tests.
There is a related issue handling this: JDK-8300939

sun/security/provider/certpath/OCSP/OCSPNoContentLength.java fails due to network errors

Please backport this, too!
And next time please check related issues in the JBS Bug before labeling fix-request!!!!

[apavlyutkin]

Hi @apavlyutkin since this push we see OCSPNoContentLength.java failing in out nightly tests. There is a related issue handling this: JDK-8300939

sun/security/provider/certpath/OCSP/OCSPNoContentLength.java fails due to network errors

Please backport this, too! And next time please check related issues in the JBS Bug before labeling fix-request!!!!

#1394

[phax]

Dear all. The problem with OCSP responders not returning Content-Length header is still present and needs fixing. Please don't forget this one....

[phax]

@apavlyutkin what needs to be done, to get this issue back on track?

[apavlyutkin]

I will take a look. Thank you

[phax]

@apavlyutkin do you have a new issue or ticket number for me that tackles the OCSP issue?

[phax]

@apavlyutkin is there any specific process I should follow? Shall I create a new ticket?

[apavlyutkin]

Philip, sorry for long ping, I repent sincerely.

I did not have a time for this because I have changed my employment and now JDK is only a side activity for me.

IMHO it would be better if you raise a new ticket for this, but the most important here is to share how you reproduce the issue. If the issue is reproducible for the upstream?