-
Bug
-
Resolution: Duplicate
-
P4
-
None
-
5.0
-
sparc
-
solaris_10
FULL PRODUCT VERSION :
java version "1.5.0_09"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b03)
Java HotSpot(TM) Client VM (build 1.5.0_09-b03, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]
EXTRA RELEVANT SYSTEM CONFIGURATION :
X.509 certificates used in test case are attached separately.
A DESCRIPTION OF THE PROBLEM :
Signtrust issues smart card based X.509 certificates for a non-repudiation service. Therefore all EE and OCSP-responder certificates have a critical keyUsage extension which is set to nonRepudiation.
However, when trying to determine the certificate revocation status via OCSP using PKIXCertPathChecker an InvalidKeyException: Wrong key usage is thrown.
The PKIXCertPathChecker implementation should be changed to comply with RFC 3280: OCSP responder certificates with keyUsage=nonRepudiation and extendedKeyUsage=id-kp-OCSPSigning are valid: [RFC 3280, page 41]
id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
-- Signing OCSP responses
-- Key usage bits that may be consistent: digitalSignature
-- and/or nonRepudiation
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
run test case with
java ValidateCertUseOCSP Testzertifikat_Secunet_05_PNSER_32818_userCertificate.pem
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The OCSP response should show that the certificate is valid.
Below are the results of an OCSP check on the same certificate conducted with openssl:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 695F99FC4CD165E00B63F22201FD1876B67F1498
Issuer Key Hash: 22BB2665075715DE06EB101ECC7782A7137974C6
Serial Number: 8032
Request Extensions:
OCSP Nonce:
0410903DA42F1B4AE7429D6F4106C4ED227F
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = DE, O = Deutsche Post Com GmbH, OU = Signtrust, CN = DIR DP Com 51:PN
Produced At: Nov 20 15:17:48 2006 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 695F99FC4CD165E00B63F22201FD1876B67F1498
Issuer Key Hash: 22BB2665075715DE06EB101ECC7782A7137974C6
Serial Number: 8032
Cert Status: good
This Update: Nov 20 15:17:48 2006 GMT
Response Single Extensions:
1.3.36.8.3.12:
..20051026173206Z
1.3.36.8.3.13:
0!0...+..............L.c.(R.1......
Response Extensions:
OCSP Nonce:
0410903DA42F1B4AE7429D6F4106C4ED227F
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 42 (0x2a)
Signature Algorithm: ripemd160WithRSA
Issuer: C=DE, O=Bundesnetzagentur, CN=10R-CA 1:PN
Validity
Not Before: Aug 3 15:30:36 2005 GMT
Not After : Dec 31 15:09:23 2007 GMT
Subject: C=DE, O=Bundesnetzagentur, CN=10R-CA 1:PN
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:88:75:c2:e7:f8:70:ea:b6:0d:73:fe:1c:8a:51:
cb:8d:df:d2:ab:04:b7:e0:b6:a8:81:01:d9:54:57:
22:c9:82:74:fb:98:00:7d:c6:bf:90:b9:cf:12:f3:
94:b9:84:98:35:f6:f6:6a:bd:1e:fe:20:cf:c5:90:
00:11:fa:9f:54:6b:91:4f:d3:da:47:b8:56:bc:f8:
99:50:5a:68:19:c3:6f:c8:e5:71:2a:e3:3d:23:2c:
7f:8b:5c:1a:9f:fc:12:ea:ed:76:40:88:06:05:47:
a4:e6:28:35:f9:34:f0:ba:e3:5c:6a:79:56:91:03:
ee:a1:d1:ec:f8:1a:14:18:73
Exponent: 1073741953 (0x40000081)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign
qcStatements:
0
0......F..
Authority Information Access:
OCSP - URI:http://ocsp.nrca-ds.de:8080/ocsp-ocspresponder
X509v3 Certificate Policies:
Policy: 1.3.36.8.1.1
X509v3 CRL Distribution Points:
URI:ldap://ldap.nrca-ds.de:389/CN=CRL,O=Bundesnetzagentur,C=DE,dc=ldap,dc=nrca-ds,dc=de?certificateRevocationList;binary?base?objectClass=cRLDistributionPoint
1.3.6.1.4.1.8301.3.5:
0..
+.....m...
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:C3:CF:75:EA:C0:11:53:45:13:FE:97:65:63:00:69:53:02:96:B9:64
X509v3 Subject Key Identifier:
C3:CF:75:EA:C0:11:53:45:13:FE:97:65:63:00:69:53:02:96:B9:64
Signature Algorithm: ripemd160WithRSA
65:ca:f2:6f:ce:f4:a9:9f:69:9b:80:d4:6c:cc:c9:ab:08:1f:
1f:0b:bb:e5:74:75:af:0d:4d:9c:c0:9a:a0:25:fb:8e:0c:b5:
2e:10:35:c6:5d:b7:1b:03:bc:e7:2a:1c:7b:35:4e:8b:21:f4:
3d:fd:f2:14:86:85:77:7a:82:39:e2:29:6c:4c:2a:f8:cb:f1:
34:0a:bb:df:7d:40:89:fa:60:a2:c2:a3:08:d4:62:9a:7c:bf:
80:7d:5f:c8:cd:6b:db:c9:cb:61:33:a0:f3:81:99:d5:93:97:
98:61:5d:fb:d6:a4:f7:ba:f2:43:7d:cd:a1:26:70:33:be:9b:
ad:07
-----BEGIN CERTIFICATE-----
[PEM body of this certificate not included on this page]
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 164 (0xa4)
Signature Algorithm: ripemd160WithRSA
Issuer: C=DE, O=Bundesnetzagentur, CN=10R-CA 1:PN
Validity
Not Before: Aug 11 07:12:19 2005 GMT
Not After : Dec 31 07:10:15 2007 GMT
Subject: C=DE, O=Deutsche Post Com GmbH, OU=Signtrust, CN=DIR DP Com 51:PN
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:98:c7:ff:c8:b7:52:7b:28:c8:e8:55:6c:87:95:
cb:75:fd:17:a3:dd:d0:2f:78:ff:6b:2e:2e:41:0c:
e3:2b:99:30:d5:d4:d2:4b:23:87:97:72:76:ae:8b:
96:f2:5a:c4:63:1e:76:4b:bf:c3:13:09:66:2f:7b:
0e:f5:f6:d9:f3:09:87:d1:4d:36:8a:93:94:53:bc:
d8:f3:22:6d:36:7f:8a:ca:45:9d:43:f9:94:41:95:
63:c5:81:50:a7:53:27:da:e0:a4:75:97:f7:13:7f:
5e:ad:76:99:05:d8:f4:02:49:1a:aa:f0:c0:bb:5c:
71:33:f8:58:12:51:44:7d:97
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
OCSP Signing
X509v3 Key Usage: critical
Non Repudiation
qcStatements:
0
0......F..
Authority Information Access:
OCSP - URI:http://ocsp.nrca-ds.de:8080/ocsp-ocspresponder
X509v3 Certificate Policies:
Policy: 1.3.36.8.1.1
X509v3 CRL Distribution Points:
URI:ldap://ldap.nrca-ds.de:389/CN=CRL,O=Bundesnetzagentur,C=DE,dc=ldap,dc=nrca-ds,dc=de?certificateRevocationList;binary?base?objectClass=cRLDistributionPoint
1.3.6.1.4.1.8301.3.5:
0..
+.....m...
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:C3:CF:75:EA:C0:11:53:45:13:FE:97:65:63:00:69:53:02:96:B9:64
X509v3 Subject Key Identifier:
B7:89:13:18:9A:A1:0B:CF:CE:FA:E7:0B:06:F0:67:D5:41:52:AD:99
Signature Algorithm: ripemd160WithRSA
83:21:db:a2:20:54:f5:76:a1:04:94:b2:c2:78:cc:78:24:93:
c5:fe:5e:c3:20:b3:25:45:29:88:98:66:08:47:7f:9a:23:6e:
a8:dc:15:50:d3:75:1d:62:fe:15:ca:ab:79:2b:f5:b5:cf:05:
9e:60:b1:d8:30:ac:18:9f:5e:e5:6d:43:12:cf:b3:03:2f:df:
fb:01:2e:94:50:1d:89:2e:57:2b:45:7b:bf:11:f0:6b:42:59:
38:52:e8:03:d2:da:6e:98:22:a4:23:b3:06:e8:ba:87:e4:96:
9d:a1:df:40:40:91:d4:d2:74:e9:77:3c:23:87:d6:a1:39:99:
12:a9
-----BEGIN CERTIFICATE-----
MIID1DCCA0CgAwIBAgICAKQwCgYGKyQDAwECBQAwPzELMAkGA1UEBhMCREUxGjAY
BgNVBAoMEUJ1bmRlc25ldHphZ2VudHVyMRQwEgYDVQQDDAsxMFItQ0EgMTpQTjAe
Fw0wNTA4MTEwNzEyMTlaFw0wNzEyMzEwNzEwMTVaMF0xCzAJBgNVBAYTAkRFMR8w
HQYDVQQKDBZEZXV0c2NoZSBQb3N0IENvbSBHbWJIMRIwEAYDVQQLDAlTaWdudHJ1
c3QxGTAXBgNVBAMMEERJUiBEUCBDb20gNTE6UE4wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAJjH/8i3UnsoyOhVbIeVy3X9F6Pd0C94/2suLkEM4yuZMNXU0ksj
h5dydq6LlvJaxGMedku/wxMJZi97DvX22fMJh9FNNoqTlFO82PMibTZ/ispFnUP5
lEGVY8WBUKdTJ9rgpHWX9xN/Xq12mQXY9AJJGqrwwLtccTP4WBJRRH2XAgMBAAGj
ggHFMIIBwTATBgNVHSUEDDAKBggrBgEFBQcDCTAOBgNVHQ8BAf8EBAMCBkAwGAYI
KwYBBQUHAQMEDDAKMAgGBgQAjkYBATBKBggrBgEFBQcBAQQ+MDwwOgYIKwYBBQUH
MAGGLmh0dHA6Ly9vY3NwLm5yY2EtZHMuZGU6ODA4MC9vY3NwLW9jc3ByZXNwb25k
ZXIwEgYDVR0gBAswCTAHBgUrJAgBATCBsQYDVR0fBIGpMIGmMIGjoIGgoIGdhoGa
bGRhcDovL2xkYXAubnJjYS1kcy5kZTozODkvQ049Q1JMLE89QnVuZGVzbmV0emFn
ZW50dXIsQz1ERSxkYz1sZGFwLGRjPW5yY2EtZHMsZGM9ZGU/Y2VydGlmaWNhdGVS
ZXZvY2F0aW9uTGlzdDtiaW5hcnk/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmli
dXRpb25Qb2ludDAbBgkrBgEEAcBtAwUEDjAMBgorBgEEAcBtAwUBMA8GA1UdEwEB
/wQFMAMBAQAwHwYDVR0jBBgwFoAUw8916sARU0UT/pdlYwBpUwKWuWQwHQYDVR0O
BBYEFLeJExiaoQvPzvrnCwbwZ9VBUq2ZMAoGBiskAwMBAgUAA4GBAIMh26IgVPV2
oQSUssJ4zHgkk8X+XsMgsyVFKYiYZghHf5ojbqjcFVDTdR1i/hXKq3kr9bXPBZ5g
sdgwrBifXuVtQxLPswMv3/sBLpRQHYkuVytFe78R8GtCWThS6APS2m6YIqQjswbo
uofklp2h30BAkdTSdOl3PCOH1qE5mRKp
-----END CERTIFICATE-----
Response verify OK
Testzertifikat_Secunet_05_PNSER_32818_userCertificate.pem: good
This Update: Nov 20 15:17:48 2006 GMT
ACTUAL -
java.security.InvalidKeyException: Wrong key usage
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertPathValidatorException: java.security.SignatureException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(Unknown Source)
at ValidateCertUseOCSP.main(ValidateCertUseOCSP.java:113)
Caused by: java.security.SignatureException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.OCSPResponse.verifyResponse(Unknown Source)
at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
... 5 more
Caused by: java.security.InvalidKeyException: Wrong key usage
at java.security.Signature.initVerify(Unknown Source)
... 8 more
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Attached separately
---------- END SOURCE ----------
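As an added example that is not part of the report or of the JDK, the Python below (standard library only, so it runs stand-alone) walks the DER of the responder certificate printed above, pulls out its keyUsage and extendedKeyUsage, and applies the RFC 3280 consistency rule the report cites next to the stricter rule that java.security.Signature.initVerify(Certificate) is documented to apply (a critical keyUsage must permit digital signatures). The certificate bytes are the ones quoted in the report; the function names, the require_digital_signature switch and the treatment of an absent keyUsage as unrestricted are my own choices, not the JDK's code.

```python
import base64

# Delegated OCSP responder certificate quoted in the report above (serial 164,
# CN=DIR DP Com 51:PN): copied from the page, not constructed.
RESPONDER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIID1DCCA0CgAwIBAgICAKQwCgYGKyQDAwECBQAwPzELMAkGA1UEBhMCREUxGjAY
BgNVBAoMEUJ1bmRlc25ldHphZ2VudHVyMRQwEgYDVQQDDAsxMFItQ0EgMTpQTjAe
Fw0wNTA4MTEwNzEyMTlaFw0wNzEyMzEwNzEwMTVaMF0xCzAJBgNVBAYTAkRFMR8w
HQYDVQQKDBZEZXV0c2NoZSBQb3N0IENvbSBHbWJIMRIwEAYDVQQLDAlTaWdudHJ1
c3QxGTAXBgNVBAMMEERJUiBEUCBDb20gNTE6UE4wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAJjH/8i3UnsoyOhVbIeVy3X9F6Pd0C94/2suLkEM4yuZMNXU0ksj
h5dydq6LlvJaxGMedku/wxMJZi97DvX22fMJh9FNNoqTlFO82PMibTZ/ispFnUP5
lEGVY8WBUKdTJ9rgpHWX9xN/Xq12mQXY9AJJGqrwwLtccTP4WBJRRH2XAgMBAAGj
ggHFMIIBwTATBgNVHSUEDDAKBggrBgEFBQcDCTAOBgNVHQ8BAf8EBAMCBkAwGAYI
KwYBBQUHAQMEDDAKMAgGBgQAjkYBATBKBggrBgEFBQcBAQQ+MDwwOgYIKwYBBQUH
MAGGLmh0dHA6Ly9vY3NwLm5yY2EtZHMuZGU6ODA4MC9vY3NwLW9jc3ByZXNwb25k
ZXIwEgYDVR0gBAswCTAHBgUrJAgBATCBsQYDVR0fBIGpMIGmMIGjoIGgoIGdhoGa
bGRhcDovL2xkYXAubnJjYS1kcy5kZTozODkvQ049Q1JMLE89QnVuZGVzbmV0emFn
ZW50dXIsQz1ERSxkYz1sZGFwLGRjPW5yY2EtZHMsZGM9ZGU/Y2VydGlmaWNhdGVS
ZXZvY2F0aW9uTGlzdDtiaW5hcnk/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmli
dXRpb25Qb2ludDAbBgkrBgEEAcBtAwUEDjAMBgorBgEEAcBtAwUBMA8GA1UdEwEB
/wQFMAMBAQAwHwYDVR0jBBgwFoAUw8916sARU0UT/pdlYwBpUwKWuWQwHQYDVR0O
BBYEFLeJExiaoQvPzvrnCwbwZ9VBUq2ZMAoGBiskAwMBAgUAA4GBAIMh26IgVPV2
oQSUssJ4zHgkk8X+XsMgsyVFKYiYZghHf5ojbqjcFVDTdR1i/hXKq3kr9bXPBZ5g
sdgwrBifXuVtQxLPswMv3/sBLpRQHYkuVytFe78R8GtCWThS6APS2m6YIqQjswbo
uofklp2h30BAkdTSdOl3PCOH1qE5mRKp
-----END CERTIFICATE-----"""

OID_KEY_USAGE = "2.5.29.15"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"   # id-kp 9 (RFC 3280 4.2.1.13)
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def der_read(buf, pos=0):
    """One DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        items.append((tag, val))
    return items

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def extensions(cert_der):
    """extnID -> (critical, extnValue bytes), read from TBSCertificate field [3]."""
    _, tbs = der_children(der_read(cert_der)[1])[0]
    found = {}
    for tag, val in der_children(tbs):
        if tag == 0xA3:                                 # [3] EXPLICIT Extensions
            for _, ext in der_children(der_children(val)[0][1]):
                parts = der_children(ext)               # OID, [critical BOOLEAN], OCTET STRING
                critical = len(parts) == 3 and parts[1][1] == b"\xff"
                found[decode_oid(parts[0][1])] = (critical, parts[-1][1])
    return found

def parse_key_usage(extn_value):
    data = der_read(extn_value)[1][1:]                  # BIT STRING minus unused-bit count
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(data) and data[i // 8] & (0x80 >> (i % 8))}

def parse_ext_key_usage(extn_value):
    return {decode_oid(v) for _, v in der_children(der_read(extn_value)[1])}

def ocsp_signer_usage_ok(key_usage, ekus, require_digital_signature=False):
    """RFC 3280: id-kp-OCSPSigning is consistent with digitalSignature and/or
    nonRepudiation.  require_digital_signature=True applies instead the rule documented
    for java.security.Signature.initVerify(Certificate), which rejects a certificate whose
    critical keyUsage does not permit digital signatures (the check failing in the trace)."""
    if OID_KP_OCSP_SIGNING not in ekus:
        return False
    if key_usage is None:                               # no keyUsage extension: unrestricted
        return True
    allowed = {"digitalSignature"} if require_digital_signature else {"digitalSignature", "nonRepudiation"}
    return bool(key_usage & allowed)

def check_responder(pem, require_digital_signature=False):
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    exts = extensions(der)
    ku = parse_key_usage(exts[OID_KEY_USAGE][1]) if OID_KEY_USAGE in exts else None
    eku = parse_ext_key_usage(exts[OID_EXT_KEY_USAGE][1]) if OID_EXT_KEY_USAGE in exts else set()
    return {"keyUsage": ku, "keyUsageCritical": bool(ku is not None and exts[OID_KEY_USAGE][0]),
            "extendedKeyUsage": eku,
            "accepted": ocsp_signer_usage_ok(ku, eku, require_digital_signature)}
```

check_responder(RESPONDER_CERT_PEM) reports keyUsage {nonRepudiation} (critical) and extendedKeyUsage {1.3.6.1.5.5.7.3.9} and accepts the certificate under the RFC 3280 rule; with require_digital_signature=True the same certificate is rejected, which is the "Wrong key usage" outcome in the trace. Key-usage consistency is only one part of accepting a delegated responder: a validator must also confirm that the responder is the issuing CA itself, a locally trusted responder, or a responder whose certificate was issued by that CA, and that the response signature verifies, none of which this example covers.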
- duplicates
-
JDK-7174966 With OCSP enabled on Java 7 get error 'Wrong key usage' with Comodo certificate
- Closed