8329213: Better validation for com.sun.security.ocsp.useget option

Reviewed-by: mullan
2025-08-27 14:54:52 +02:00 · 2024-04-01 17:27:00 +00:00 · 2024-04-01 17:27:00 +00:00 · 4a14cba2f1
commit 4a14cba2f1
parent 9f5464ee95
4 changed files with 48 additions and 5 deletions
--- a/src/java.base/share/classes/sun/security/action/GetPropertyAction.java
+++ b/src/java.base/share/classes/sun/security/action/GetPropertyAction.java
@ -224,4 +224,37 @@ public class GetPropertyAction implements PrivilegedAction<String> {
            return def;
        }
    }
+
+    /**
+     * Convenience method for fetching System property values that are booleans.
+     *
+     * @param prop the name of the System property
+     * @param def a default value
+     * @param dbg a Debug object, if null no debug messages will be sent
+     *
+     * @return a boolean value corresponding to the value in the System property.
+     *      If the property value is neither "true" or "false", the default value
+     *      will be returned.
+     */
+    public static boolean privilegedGetBooleanProp(String prop, boolean def, Debug dbg) {
+        String rawPropVal = privilegedGetProperty(prop, "");
+        if ("".equals(rawPropVal)) {
+            return def;
+        }
+
+        String lower = rawPropVal.toLowerCase(Locale.ROOT);
+        if ("true".equals(lower)) {
+            return true;
+        } else if ("false".equals(lower)) {
+            return false;
+        } else {
+            if (dbg != null) {
+                dbg.println("Warning: Unexpected value for " + prop +
+                            ": " + rawPropVal +
+                            ". Using default value: " + def);
+            }
+            return def;
+        }
+    }
+
 }
--- a/src/java.base/share/classes/sun/security/provider/certpath/OCSP.java
+++ b/src/java.base/share/classes/sun/security/provider/certpath/OCSP.java
@ -105,7 +105,7 @@ public final class OCSP {
     * problems.
     */
    private static final boolean USE_GET = initializeBoolean(
-            "com.sun.security.ocsp.useget", "true");
+            "com.sun.security.ocsp.useget", true);

    /**
     * Initialize the timeout length by getting the OCSP timeout
@ -121,9 +121,9 @@ public final class OCSP {
        return timeoutVal;
    }

-    private static boolean initializeBoolean(String prop, String def) {
-        String flag = GetPropertyAction.privilegedGetProperty(prop, def);
-        boolean value = Boolean.parseBoolean(flag);
+    private static boolean initializeBoolean(String prop, boolean def) {
+        boolean value =
+                GetPropertyAction.privilegedGetBooleanProp(prop, def, debug);
        if (debug != null) {
            debug.println(prop + " set to " + value);
        }