
src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java

rev 14277 : [mq]: 8154947-Send-empty-list-of-authorities-in-CertificateRequest-if-server-has-too-many-of-them

@@ -1674,31 +1674,44 @@
         { cct_rsa_sign, cct_dss_sign, cct_ecdsa_sign };
 
     byte[]                types;               // 1 to 255 types
     DistinguishedName[]   authorities;         // 3 to 2^16 - 1
         // ... "3" because that's the smallest DER-encoded X500 DN
+    boolean authoritiesDropped = false;
 
     // protocol version being established using this CertificateRequest message
     ProtocolVersion protocolVersion;
 
     // supported_signature_algorithms for TLS 1.2 or later
     private Collection<SignatureAndHashAlgorithm> algorithms;
 
     // length of supported_signature_algorithms
     private int algorithmsLen;
 
+
+    private static final boolean allowDropAuthorites =
+            Debug.getBooleanProperty("jdk.tls.allowDropCertReqAuthorites", false);
+
     CertificateRequest(X509Certificate[] ca, KeyExchange keyExchange,
             Collection<SignatureAndHashAlgorithm> signAlgs,
             ProtocolVersion protocolVersion) throws IOException {
 
         this.protocolVersion = protocolVersion;
 
         // always use X500Principal
         authorities = new DistinguishedName[ca.length];
-        for (int i = 0; i < ca.length; i++) {
+        for (int i = 0, len = 0; i < ca.length; i++) {
             X500Principal x500Principal = ca[i].getSubjectX500Principal();
             authorities[i] = new DistinguishedName(x500Principal);
+            if (allowDropAuthorites) {
+                len += authorities[i].length();
+                if (len >= Record.OVERFLOW_OF_INT16) {
+                    authorities = new DistinguishedName[0];
+                    authoritiesDropped = true;
+                    break;
+                }
+            }
         }
         // we support RSA, DSS, and ECDSA client authentication and they
         // can be used with all ciphersuites. If this changes, the code
         // needs to be adapted to take keyExchange into account.
         // We only request ECDSA client auth if we have ECC crypto available.
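Review bot: The new system property is spelled `jdk.tls.allowDropCertReqAuthorites` (and the field `allowDropAuthorites`), dropping the second "i" of "Authorities"; once this name ships it becomes a de-facto public knob that is awkward to rename, so it is worth fixing before integration, e.g. `Debug.getBooleanProperty("jdk.tls.allowDropCertReqAuthorities", false)`. The overflow check in the loop sums `authorities[i].length()` only; unless that method already includes the per-entry 2-byte length prefix (not visible in this hunk), the sum can stay below `Record.OVERFLOW_OF_INT16` while the encoded certificate_authorities list still exceeds its 16-bit length field, so it would be safer to add the prefix size to `len` per entry and use the encoded total in the comparison. The new `authoritiesDropped` field has no comment; a one-liner such as `// set when the CA list would overflow the 16-bit length field and was sent empty` would explain why print() reports "(dropped)". Note also that with the property defaulting to false the existing overflow behaviour is unchanged, which the field comment or a CSR note should make explicit. The constructor continues past the end of this hunk.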

@@ -1885,11 +1898,11 @@
                 s.println("Supported Signature Algorithms: " + sb);
             }
 
             s.println("Cert Authorities:");
             if (authorities.length == 0) {
-                s.println("<Empty>");
+                s.println("<Empty>" + (authoritiesDropped ? " (dropped)" : ""));
             } else {
                 for (int i = 0; i < authorities.length; i++) {
                     authorities[i].print(s);
                 }
             }