The OCSPNoCheckExtension has been modified to always close the DerOutputStream instance.
The OCSPNoCheckExt has been modified to wrap the original exception. https://fedorahosted.org/pki/ticket/2530 Pushed to master under trivial/one-liner rule. -- Endi S. Dewata
>From 44d70e078f5e5270908dd6d7a3182f48022b148d Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Thu, 3 Nov 2016 02:43:03 +0100
Subject: [PATCH] Fixed resource leak in OCSPNoCheckExtension.

The OCSPNoCheckExtension has been modified to always close the DerOutputStream instance.
The OCSPNoCheckExt has been modified to wrap the original exception.
https://fedorahosted.org/pki/ticket/2530
---
 .../netscape/cms/policy/extensions/OCSPNoCheckExt.java | 16 ++++++++++------
 .../security/extensions/OCSPNoCheckExtension.java | 6 ++++--
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java b/base/server/cms/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java
index aece9664a64c2c016cd14e15f7daad0c4482a8a7..da0584cb04816568bab9d1d3fe3d5b50fc893987 100644
--- a/base/server/cms/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java
+++ b/base/server/cms/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java
@@ -22,11 +22,6 @@ import java.security.cert.CertificateException;
 import java.util.Locale;
 import java.util.Vector;
 
-import netscape.security.extensions.OCSPNoCheckExtension;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateVersion;
-import netscape.security.x509.X509CertInfo;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
@@ -38,6 +33,11 @@ import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.PolicyResult;
 import com.netscape.cms.policy.APolicyRule;
 
+import netscape.security.extensions.OCSPNoCheckExtension;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.X509CertInfo;
+
 /**
 * This implements an OCSP Signing policy, it
 * adds the OCSP Signing extension to the certificate.
@@ -88,7 +88,11 @@ public class OCSPNoCheckExt extends APolicyRule
 */
 public void init(ISubsystem owner, IConfigStore config)
 throws EBaseException {
- mOCSPNoCheck = new OCSPNoCheckExtension();
+ try {
+ mOCSPNoCheck = new OCSPNoCheckExtension();
+ } catch (IOException e) {
+ throw new EBaseException(e);
+ }
 
 if (mOCSPNoCheck != null) {
 // configure the extension itself
diff --git a/base/util/src/netscape/security/extensions/OCSPNoCheckExtension.java b/base/util/src/netscape/security/extensions/OCSPNoCheckExtension.java
index 3d89e1d504645a259e5e40615590493e2f4d202a..5952a29b82c7c4be2ee74fc6c7b9da6d4fe2158a 100644
--- a/base/util/src/netscape/security/extensions/OCSPNoCheckExtension.java
+++ b/base/util/src/netscape/security/extensions/OCSPNoCheckExtension.java
@@ -51,11 +51,11 @@ public class OCSPNoCheckExtension extends Extension implements CertAttrSet {
 }
 }
 
- public OCSPNoCheckExtension() {
+ public OCSPNoCheckExtension() throws IOException {
 this(Boolean.FALSE);
 }
 
- public OCSPNoCheckExtension(Boolean crit) {
+ public OCSPNoCheckExtension(Boolean crit) throws IOException {
 try {
 extensionId = ObjectIdentifier.getObjectIdentifier(OCSPNoCheckExtension.OID);
 } catch (IOException e) {
@@ -67,6 +67,8 @@ public class OCSPNoCheckExtension extends Extension implements CertAttrSet {
 try {
 tmpD.putNull();
 } catch (IOException ex) {
+ } finally {
+ tmpD.close();
 }
 extensionValue = tmpD.toByteArray();
 }
-- 
2.5.5
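Review bot: The `if (mOCSPNoCheck != null)` guard that follows the new try/catch in `init()` can no longer be false, because the constructor either returns an instance or the catch rethrows as `EBaseException`. I would drop the guard and un-indent its body, or, to keep this patch small, mark it with `// always non-null here: a construction failure is rethrown above`. The guard's body and the rest of `init()` lie outside the hunk, so whether anything else relies on the check is not visible here.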
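Review bot: Both public constructors of `OCSPNoCheckExtension` now declare a checked `IOException` without any Javadoc saying when it is thrown, and any caller other than `OCSPNoCheckExt.init()` (the only one updated in this patch) has to be changed to handle it. From the visible lines the only uncaught source appears to be `tmpD.close()` in the `finally` block added in the next hunk, so a comment such as `/** @throws IOException if the DER output stream cannot be closed */` on each constructor would tell callers what they are handling. The second constructor's body runs past the end of this hunk, and the handler for `getObjectIdentifier` is cut off at the hunk edge, so whether it rethrows cannot be confirmed from here.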
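Review bot: The empty `catch (IOException ex)` around `tmpD.putNull()` is kept, so a failed encode still falls through to `extensionValue = tmpD.toByteArray()`. The extension would then carry whatever bytes were written, possibly none, rather than the DER NULL that the OCSP no-check extension is meant to contain, and nothing is logged. Since the constructor now declares `throws IOException`, the catch can be deleted so the failure reaches the caller, leaving `try { tmpD.putNull(); } finally { tmpD.close(); }`. A try-with-resources on `tmpD` would be tidier still, but its declaration is outside the hunk, so I have not written that out.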