8328638: Fallback option for POST-only OCSP requests

Reviewed-by: mullan, rhalade

Author: shipilev

src/java.base/share/classes/sun/security/provider/certpath/OCSP.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -85,6 +85,28 @@ public final class OCSP {
     private static final int READ_TIMEOUT = initializeTimeout(
             "com.sun.security.ocsp.readtimeout", DEFAULT_READ_TIMEOUT);
 
+    /**
+     * Boolean value indicating whether OCSP client can use GET for OCSP
+     * requests. There is an ambiguity in RFC recommendations.
+     *
+     * RFC 5019 says a stronger thing, "MUST":
+     *    "When sending requests that are less than or equal to 255 bytes in
+     *     total (after encoding) including the scheme and delimiters (http://),
+     *     server name and base64-encoded OCSPRequest structure, clients MUST
+     *     use the GET method (to enable OCSP response caching)."
+     *
+     * RFC 6960 says a weaker thing, "MAY":
+     *    "HTTP-based OCSP requests can use either the GET or the POST method to
+     *     submit their requests.  To enable HTTP caching, small requests (that
+     *     after encoding are less than 255 bytes) MAY be submitted using GET."
+     *
+     * For performance reasons, we default to stronger behavior. But this
+     * option also allows to fallback to weaker behavior in case of compatibility
+     * problems.
+     */
+    private static final boolean USE_GET = initializeBoolean(
+            "com.sun.security.ocsp.useget", "true");
+
     /**
      * Initialize the timeout length by getting the OCSP timeout
      * system property. If the property has not been set, or if its
@@ -99,6 +121,15 @@ private static int initializeTimeout(String prop, int def) {
         return timeoutVal;
     }
 
+    private static boolean initializeBoolean(String prop, String def) {
+        String flag = GetPropertyAction.privilegedGetProperty(prop, def);
+        boolean value = Boolean.parseBoolean(flag);
+        if (debug != null) {
+            debug.println(prop + " set to " + value);
+        }
+        return value;
+    }
+
     private OCSP() {}
 
     /**
@@ -186,7 +217,7 @@ public static byte[] getOCSPBytes(List<CertId> certIds, URI responderURI,
             encodedGetReq.append(URLEncoder.encode(
                     Base64.getEncoder().encodeToString(bytes), UTF_8));
 
-            if (encodedGetReq.length() <= 255) {
+            if (USE_GET && encodedGetReq.length() <= 255) {
                 url = new URI(encodedGetReq.toString()).toURL();
                 con = (HttpURLConnection)url.openConnection();
                 con.setConnectTimeout(CONNECT_TIMEOUT);

test/jdk/java/security/cert/CertPathValidator/OCSP/GetAndPostTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,14 +23,15 @@
 
 /**
  * @test
- * @bug 8179503
+ * @bug 8179503 8328638
  * @summary Java should support GET OCSP calls
  * @library /javax/net/ssl/templates /java/security/testlibrary
  * @build SimpleOCSPServer
  * @modules java.base/sun.security.util
  *          java.base/sun.security.provider.certpath
  *          java.base/sun.security.x509
  * @run main/othervm GetAndPostTests
+ * @run main/othervm -Dcom.sun.security.ocsp.useget=false GetAndPostTests
  */
 
 import java.io.ByteArrayInputStream;