src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java
rev 14277 : [mq]: 8154947-Send-empty-list-of-authorities-in-CertificateRequest-if-server-has-too-many-of-them
@@ -1674,31 +1674,44 @@
{ cct_rsa_sign, cct_dss_sign, cct_ecdsa_sign };
byte[] types; // 1 to 255 types
DistinguishedName[] authorities; // 3 to 2^16 - 1
// ... "3" because that's the smallest DER-encoded X500 DN
+ boolean authoritiesDropped = false;
// protocol version being established using this CertificateRequest message
ProtocolVersion protocolVersion;
// supported_signature_algorithms for TLS 1.2 or later
private Collection<SignatureAndHashAlgorithm> algorithms;
// length of supported_signature_algorithms
private int algorithmsLen;
+
+ private static final boolean allowDropAuthorites =
+ Debug.getBooleanProperty("jdk.tls.allowDropCertReqAuthorites", false);
+
CertificateRequest(X509Certificate[] ca, KeyExchange keyExchange,
Collection<SignatureAndHashAlgorithm> signAlgs,
ProtocolVersion protocolVersion) throws IOException {
this.protocolVersion = protocolVersion;
// always use X500Principal
authorities = new DistinguishedName[ca.length];
- for (int i = 0; i < ca.length; i++) {
+ for (int i = 0, len = 0; i < ca.length; i++) {
X500Principal x500Principal = ca[i].getSubjectX500Principal();
authorities[i] = new DistinguishedName(x500Principal);
+ if (allowDropAuthorites) {
+ len += authorities[i].length();
+ if (len >= Record.OVERFLOW_OF_INT16) {
+ authorities = new DistinguishedName[0];
+ authoritiesDropped = true;
+ break;
+ }
+ }
}
// we support RSA, DSS, and ECDSA client authentication and they
// can be used with all ciphersuites. If this changes, the code
// needs to be adapted to take keyExchange into account.
// We only request ECDSA client auth if we have ECC crypto available.
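Review bot: The size check in the constructor loop runs only inside `if (allowDropAuthorites)`, so with the default `false` a CA set whose DNs sum past `Record.OVERFLOW_OF_INT16` is still carried forward unchecked, even though the field comment caps the list at 2^16 - 1 bytes. I would accumulate `len` unconditionally and, when the property is off, fail with a clear exception instead of continuing; the encoding code is outside this hunk, so what happens to an oversized list today is inferred, not visible here. The sketch below uses `SSLProtocolException`, an `IOException` subclass that fits the constructor's existing `throws IOException`, though whether the file already imports it is not visible. Separately, the property `jdk.tls.allowDropCertReqAuthorites` and the field `allowDropAuthorites` misspell "Authorities"; the property string is an operator-facing switch, so correct it before it ships. The constructor body continues past the end of the hunk.

```java
for (int i = 0, len = 0; i < ca.length; i++) {
    // … unchanged: build authorities[i] from the subject X500Principal …
    len += authorities[i].length();
    if (len >= Record.OVERFLOW_OF_INT16) {
        if (!allowDropAuthorities) {
            throw new SSLProtocolException(
                "CertificateRequest authorities exceed the 2^16 - 1 byte limit");
        }
        authorities = new DistinguishedName[0];
        authoritiesDropped = true;
        break;
    }
}
```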
@@ -1885,11 +1898,11 @@
s.println("Supported Signature Algorithms: " + sb);
}
s.println("Cert Authorities:");
if (authorities.length == 0) {
- s.println("<Empty>");
+ s.println("<Empty>" + (authoritiesDropped ? " (dropped)" : ""));
} else {
for (int i = 0; i < authorities.length; i++) {
authorities[i].print(s);
}
}