Don not use cache if certificate_request_context is present

2026-04-03 19:48:46 +00:00 · 2026-02-04 13:55:53 -05:00 · 2026-02-04 13:55:53 -05:00 · 7cd7ab6a84
commit 7cd7ab6a84
parent 9570cafb4b
3 changed files with 36 additions and 49 deletions
--- a/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java
@ -773,14 +773,6 @@ final class CertificateMessage {
            }
        }

-        T13CertificateMessage(HandshakeContext handshakeContext,
-                byte[] requestContext, List<CertificateEntry> certificates) {
-            super(handshakeContext);
-
-            this.requestContext = requestContext.clone();
-            this.certEntries = certificates;
-        }
-
        T13CertificateMessage(HandshakeContext handshakeContext,
                ByteBuffer m) throws IOException {
            super(handshakeContext);
--- a/src/java.base/share/classes/sun/security/ssl/CompressedCertificate.java
+++ b/src/java.base/share/classes/sun/security/ssl/CompressedCertificate.java
@ -160,21 +160,22 @@ final class CompressedCertificate {
            HandshakeOutStream hos = new HandshakeOutStream(null);
            message.send(hos);
            byte[] certMsg = hos.toByteArray();
+            byte[] compressedCertMsg;

-            Cache<CompCertCacheKey, byte[]> cache =
-                    hc.sslContext.getCompCertCache();
-            CompCertCacheKey key = new CompCertCacheKey(
-                    new EqualByteArray(certMsg), hc.certDeflater.getKey());
-            byte[] compressedCertMsg = cache.get(key);
-
-            if (compressedCertMsg == null) {
+            // Don't use cache if certificate_request_context is present.
+            if (certMsg[0] != 0) {
                compressedCertMsg = hc.certDeflater.getValue().apply(certMsg);
+            } else {
+                Cache<CompCertCacheKey, byte[]> cache =
+                        hc.sslContext.getCompCertCache();
+                CompCertCacheKey key = new CompCertCacheKey(
+                        new EqualByteArray(certMsg), hc.certDeflater.getKey());
+                compressedCertMsg = cache.get(key);
+
+                if (compressedCertMsg == null) {
+                    compressedCertMsg =
+                            hc.certDeflater.getValue().apply(certMsg);

-                // Don't cache when in PostHandshakeContext because
-                // certificate_request_context can be randomized (should only
-                // happen during post-handshake authentication and only on the
-                // client side).
-                if (!(hc instanceof PostHandshakeContext)) {
                    if (SSLLogger.isOn() && SSLLogger.isOn("ssl,handshake")) {
                        SSLLogger.fine("Caching CompressedCertificate message");
                    }
--- a/test/jdk/sun/security/ssl/CertificateCompression/CompressedCertMsgCache.java
+++ b/test/jdk/sun/security/ssl/CertificateCompression/CompressedCertMsgCache.java
@ -67,39 +67,33 @@ public class CompressedCertMsgCache extends SSLSocketTemplate {

    public static void main(String[] args) throws Exception {

-        // Use 2 different SSLContext instances.
-        for (int i = 0; i < 2; i++) {
+        // Complete 3 handshakes with the same SSLContext.
+        String log = runAndGetLog(() -> {
+            try {
+                setupCertificates();
+                serverSslContext = getSSLContext(trustedCert, serverCert,
+                        serverKeys.getPrivate(), "TLSv1.3");
+                clientSslContext = getSSLContext(trustedCert, clientCert,
+                        clientKeys.getPrivate(), "TLSv1.3");

-            // Complete 3 handshakes with the same SSLContext.
-            String log = runAndGetLog(() -> {
-                try {
-                    setupCertificates();
-                    serverSslContext = getSSLContext(
-                            trustedCert, serverCert, serverKeys.getPrivate(),
-                            "TLSv1.3");
-                    clientSslContext = getSSLContext(
-                            trustedCert, clientCert, clientKeys.getPrivate(),
-                            "TLSv1.3");
+                new CompressedCertMsgCache().run();
+                new CompressedCertMsgCache().run();
+                new CompressedCertMsgCache().run();
+            } catch (Exception _) {
+            }
+        });

-                    new CompressedCertMsgCache().run();
-                    new CompressedCertMsgCache().run();
-                    new CompressedCertMsgCache().run();
-                } catch (Exception _) {
-                }
-            });
+        // The same CompressedCertificate message must be cached only once.
+        assertEquals(1, countSubstringOccurrences(log,
+                "Caching CompressedCertificate message"));

-            // The same CompressedCertificate message must be cached only once.
-            assertEquals(1, countSubstringOccurrences(log,
-                    "Caching CompressedCertificate message"));
+        // Make sure CompressedCertificate message is produced 3 times.
+        assertEquals(3, countSubstringOccurrences(log,
+                "Produced CompressedCertificate handshake message"));

-            // Make sure CompressedCertificate message is produced 3 times.
-            assertEquals(3, countSubstringOccurrences(log,
-                    "Produced CompressedCertificate handshake message"));
-
-            // Make sure CompressedCertificate message is consumed 3 times.
-            assertEquals(3, countSubstringOccurrences(log,
-                    "Consuming CompressedCertificate handshake message"));
-        }
+        // Make sure CompressedCertificate message is consumed 3 times.
+        assertEquals(3, countSubstringOccurrences(log,
+                "Consuming CompressedCertificate handshake message"));
    }

    @Override