JDK-8296343 : CPVE thrown on missing content-length in OCSP response
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 17
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2022-11-03
  • Updated: 2024-02-13
  • Resolved: 2023-01-23
Fixed versions:
  • JDK 17: 17.0.12-oracle (Fixed)
  • JDK 21: 21 b07 (Fixed)
Related Reports
Duplicate :  
Relates :  
Relates :  
Relates :  
Description
CertPathValidatorException is thrown when the OCSP response doesn't specify the content-length.
Comments
A pull request was submitted for review. URL: https://git.openjdk.org/jdk8u-dev/pull/332 Date: 2023-06-07 10:17:57 +0000
07-06-2023

A pull request was submitted for review. URL: https://git.openjdk.org/jdk11u-dev/pull/1920 Date: 2023-05-31 16:56:07 +0000
31-05-2023

Fix Request (17u)
The patch fixes CertPathValidatorException taking place if OCSP response does not contain ContentLength field. Original patch is applied cleanly.
Verification/regression (amd64/20.04 LTS): jdk_security including newly added test/jdk/sun/security/provider/certpath/OCSP/OCSPNoContentLength.java
[~clanger] please take a look
18-05-2023

A pull request was submitted for review. URL: https://git.openjdk.org/jdk17u-dev/pull/1361 Date: 2023-05-18 15:59:18 +0000
18-05-2023

Changeset: 1a3cb8c5 Author: Jamil Nimeh <jnimeh@openjdk.org> Date: 2023-01-23 18:05:48 +0000 URL: https://git.openjdk.org/jdk/commit/1a3cb8c5018bc016c2ad6b078e4abe13b39d151c
23-01-2023

A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/11917 Date: 2023-01-10 06:02:29 +0000
10-01-2023

contentLength is set to Integer.MAX_VALUE if it is missing in OCSP response. It causes EOFException to be thrown from IOUtils.readExactlyNBytes eventually causing CertPathValidatorException.
03-11-2022
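
The failure mode described in the last comment, reproduced as an added example (not JDK source and not taken from the linked changeset). The class `OcspBodyReadDemo`, its methods and the sample bytes are hypothetical; `readExactly` stands in for an exact-length read such as `IOUtils.readExactlyNBytes`, and reading to end of stream when no length is declared is shown as one way to handle the case.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;

// Added illustration, not JDK source. Class and method names are hypothetical.
public class OcspBodyReadDemo {

    // Stand-in for an exact-length read: fails if the stream ends early.
    static byte[] readExactly(InputStream in, int length) throws IOException {
        byte[] data = in.readNBytes(length);
        if (data.length < length) {
            throw new EOFException("expected " + length + " bytes, got " + data.length);
        }
        return data;
    }

    // Behaviour described in the report: a missing length (-1) becomes
    // Integer.MAX_VALUE, so the exact-length read can never be satisfied.
    static byte[] readBodyBefore(InputStream in, int contentLength) throws IOException {
        if (contentLength == -1) {
            contentLength = Integer.MAX_VALUE;
        }
        return readExactly(in, contentLength);
    }

    // One way to handle it: with no declared length, read to end of stream;
    // with a declared length, still insist on exactly that many bytes.
    static byte[] readBodyAfter(InputStream in, int contentLength) throws IOException {
        return contentLength == -1 ? in.readAllBytes() : readExactly(in, contentLength);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample bytes standing in for a DER-encoded OCSP response body.
        byte[] body = {0x30, 0x03, 0x0a, 0x01, 0x00};
        int missing = -1; // URLConnection.getContentLength() when the header is absent
        try {
            readBodyBefore(new ByteArrayInputStream(body), missing);
        } catch (EOFException e) {
            System.out.println("before: " + e.getMessage());
        }
        int n = readBodyAfter(new ByteArrayInputStream(body), missing).length;
        System.out.println("after:  " + n + " bytes");
        try { // A body shorter than its declared length must still be rejected.
            readBodyAfter(new ByteArrayInputStream(body), body.length + 1);
        } catch (EOFException e) {
            System.out.println("short:  " + e.getMessage());
        }
    }
}
```

The third case matters for revocation checking: accepting a missing length should not relax the check that a response with a declared length arrives complete.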