On Tue, 10 Jan 2023 17:30:08 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:
>> This fixes an issue where HTTP responses that do not have an explicit
>> Content-Length are causing an EOFException which unravels into a
>> CertPathValidatorException during validations that involve OCSP checks.
>>
>> - JBS: https://bugs.openjdk.org/browse/JDK-8296343
>
> src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 217:
>
>> 215:
>> 216: int contentLength = con.getContentLength();
>> 217: return (contentLength == -1) ?
>> con.getInputStream().readAllBytes() :
>
> For the returned OCSP bytes, what if the response code is not OK?

Well, in the case of a 404 what appears to happen is that HttpURLConnection would throw a FileNotFoundException. That ultimately would result in a CPVE if there were no other sources of revocation information (e.g. CRL) for that certificate.

-------------

PR: https://git.openjdk.org/jdk/pull/11917
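
The two cases discussed in this message, as an added example that is not part of the original e-mail or of the JDK change: a loopback `com.sun.net.httpserver.HttpServer` serves one 200 response without Content-Length and one 404, and the client applies the same `contentLength == -1` check. The class name, paths, the 5-byte body and the `readNBytes` known-length branch are assumptions of this example (the quoted excerpt cuts off before that branch).

```java
import com.sun.net.httpserver.HttpServer;
import java.io.*;
import java.net.*;

public class OcspBodyReadDemo {
    // Constructed stand-in for a response body; not a real DER-encoded OCSP response.
    static final byte[] BODY = {0x30, 0x03, 0x0a, 0x01, 0x00};

    // Same shape as the reviewed line: readAllBytes() when the length is
    // unknown (-1). The known-length branch uses readNBytes, which is this
    // example's choice and not taken from the page.
    static byte[] readBody(HttpURLConnection con) throws IOException {
        int contentLength = con.getContentLength();
        try (InputStream in = con.getInputStream()) {
            return (contentLength == -1) ? in.readAllBytes()
                                         : in.readNBytes(contentLength);
        }
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        // Length 0 here means chunked encoding, so no Content-Length header is sent.
        server.createContext("/chunked", ex -> {
            ex.sendResponseHeaders(200, 0);
            try (OutputStream os = ex.getResponseBody()) { os.write(BODY); }
        });
        // Length -1 means the 404 carries no response body.
        server.createContext("/missing", ex -> {
            ex.sendResponseHeaders(404, -1);
            ex.close();
        });
        server.start();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        try {
            HttpURLConnection ok = (HttpURLConnection) URI.create(base + "/chunked").toURL().openConnection();
            byte[] body = readBody(ok);
            System.out.println("Content-Length=" + ok.getContentLength() + ", bytes read=" + body.length);

            HttpURLConnection nf = (HttpURLConnection) URI.create(base + "/missing").toURL().openConnection();
            try {
                readBody(nf);
            } catch (FileNotFoundException e) {
                System.out.println("HTTP " + nf.getResponseCode() + " -> FileNotFoundException");
            }
        } finally {
            server.stop(0);
        }
    }
}
```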