JDK-8308255 : OCSP responses without a "Content-Length" header lead to "EOFException"
  • Type: Bug
  • Component: security-libs
  • Sub-Component: jdk.security
  • Affected Version: 11,17,21
  • Priority: P4
  • Status: New
  • Resolution: Unresolved
  • OS: generic
  • CPU: generic
  • Submitted: 2023-05-16
  • Updated: 2023-05-17
Description
A DESCRIPTION OF THE PROBLEM :
The error is contained in class `sun.security.provider.certpath.OCSP`.

If the HTTP response from the remote OCSP server does not contain the "Content-Length" header, the local variable "contentLength" is set to "Integer.MAX_VALUE". The following call to "IOUtils.readExactlyNBytes" then throws an "EOFException", because it cannot read "Integer.MAX_VALUE" bytes from the server before the stream ends.

This change was introduced with commit https://github.com/openjdk/jdk/commit/f5ee356540d7aa4a7663c0d5d74f5fdb0726b426 in version 17+4, in relation to https://bugs.openjdk.org/browse/JDK-8179503.

There is also a proposed backport to Java 11 where I already presented my concerns: https://github.com/openjdk/jdk11u-dev/pull/847#issuecomment-1550310174

The previous solution in version 17+3 worked well, even if no "Content-Length" header is present. Quick comparison:

Version 17+3: https://github.com/openjdk/jdk/blob/jdk-17%2B3/src/java.base/share/classes/sun/security/provider/certpath/OCSP.java#L262-L274

Version 17+4: https://github.com/openjdk/jdk/blob/jdk-17%2B4/src/java.base/share/classes/sun/security/provider/certpath/OCSP.java#L271-L277
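To make the failure mode concrete, the following is an added Java example, not the JDK's own code: it contrasts the exact-read logic described above (a missing header becomes Integer.MAX_VALUE and an exact read is demanded) with a lenient variant that reads to end-of-stream under a size cap. The names readBodyExact, readBodyLenient and MAX_RESPONSE_BYTES are hypothetical, and the five-byte body is a constructed minimal OCSPResponse.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;

public class OcspBodyRead {
    // Cap for a response delivered without Content-Length (value chosen for this example).
    static final int MAX_RESPONSE_BYTES = 1 << 20;

    // Mirrors the 17+4 behaviour the report describes: a missing header (-1) becomes
    // Integer.MAX_VALUE and an exact read fails with EOFException once the stream ends.
    static byte[] readBodyExact(InputStream in, int contentLength) throws IOException {
        if (contentLength == -1) {
            contentLength = Integer.MAX_VALUE;
        }
        byte[] body = in.readNBytes(contentLength); // reads up to contentLength bytes
        if (body.length < contentLength) {
            throw new EOFException("expected " + contentLength + " bytes, got " + body.length);
        }
        return body;
    }

    // Hardened variant (hypothetical, not the JDK's code): no Content-Length means
    // "read until the server closes the stream", bounded by MAX_RESPONSE_BYTES so a
    // misbehaving responder cannot make the client buffer without limit.
    static byte[] readBodyLenient(InputStream in, int contentLength) throws IOException {
        if (contentLength < 0) {
            byte[] body = in.readNBytes(MAX_RESPONSE_BYTES + 1);
            if (body.length > MAX_RESPONSE_BYTES) {
                throw new IOException("OCSP response larger than " + MAX_RESPONSE_BYTES + " bytes");
            }
            return body;
        }
        return readBodyExact(in, contentLength); // header present: an exact read is correct
    }

    public static void main(String[] args) throws IOException {
        // Constructed body: minimal DER OCSPResponse carrying only responseStatus=successful(0).
        byte[] body = {0x30, 0x03, 0x0a, 0x01, 0x00};
        try {
            readBodyExact(new ByteArrayInputStream(body), -1);
        } catch (EOFException e) {
            System.out.println("17+4 behaviour: " + e.getMessage());
        }
        byte[] read = readBodyLenient(new ByteArrayInputStream(body), -1);
        System.out.println("lenient read returned " + read.length + " bytes");
    }
}
```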

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Have the OCSP server's response NOT contain the "Content-Length" header.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The expected result is a valid OCSP response, even without the "Content-Length" header.
ACTUAL -
OCSP validation fails, even though the certificate is correct, which leads to the certificate being wrongly marked as "revoked".

CUSTOMER SUBMITTED WORKAROUND :
Use Java 17+3 or Java 11

Comments
The issue was introduced in JDK 17ea+4.
17-05-2023