JDK-6914458

Multiple OCSP Issues in the SUN provider: No support for 1..n of SingleResponse


Details

    • Type: Enhancement
    • Resolution: Duplicate
    • Priority: P5
    • Fix Version/s: None
    • Affects Version/s: 6u10
    • Component/s: security-libs

    Description

      A DESCRIPTION OF THE REQUEST :
      The current OCSP functionality does not permit OCSP checking with a service that provides an OCSP response containing 1..n of SingleResponse. If such a response is received during Path Validation and Construction, it is discarded, and fails over to the use of a CRL.

      Finally, if the responder were to encounter an extension within a SingleResponse that is flagged Critical, validation should fail if the Extension cannot be processed.


      JUSTIFICATION :
      Wasting an OCSP check for Certificate validity against a responder which provides multiple responses creates overhead. Adding the capability may yield better performance versus receiving a CRL via LDAP and/or HTTP defined in the crlDistributionPoints extension.

      Per: http://www.ietf.org/rfc/rfc2560.txt

        "Support for any specific extension is OPTIONAL. The critical flag
         SHOULD NOT be set for any of them. Section 4.4 suggests several
         useful extensions. Additional extensions MAY be defined in
         additional RFCs. Unrecognized extensions MUST be ignored (unless they
         have the critical flag set and are not understood)."

      Since extensions SHOULD NOT be marked critical, they COULD be in error.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Processing of 1..n of SingleResponse and Failure on extensions flagged critical.
      ACTUAL -
      OCSP check is discarded since OCSPChecker only pays attention to the first SingleResponse.
      OCSP checks that are successful in obtaining the correct SingleResponse, yet encounter a critical extension, continue to process normally.

      ---------- BEGIN SOURCE ----------
        Too complex for a short amount of code. A proposed patch and executable test case may be obtained from:
      http://keysupport.org/code/java/Sun_Provider_OCSP_Proposed.tar.gz
      ---------- END SOURCE ----------
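      The expected behaviour above (scan all 1..n SingleResponse entries for the certificate being checked, ignore unrecognized non-critical extensions, and fail on a critical extension that cannot be processed) as an added, stand-alone Python example. It is neither the submitter's proposed patch nor the JDK's OCSPChecker; the DER helpers, the issuer hash placeholders and the critical extension's OID 1.2.3.4 are constructed for the example.

```python
SHA1_ALG = bytes.fromhex("300906052b0e03021a0500")        # AlgorithmIdentifier: sha1, NULL params
KNOWN_SINGLE_EXTS = {"551d15", "551d18"}                  # CRL entry exts reasonCode, invalidityDate
def der(tag, body):
    n = len(body)                                         # definite length, values up to 65535 bytes
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def children(body):
    """Split a constructed DER value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                                      # long-form length
            k, pos = n & 0x7F, pos + (n & 0x7F)
            n = int.from_bytes(body[pos - k:pos], "big")
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def find_status(responses_der, serial):
    """certStatus name for `serial` from any SingleResponse (None if absent); raise on an unsupported critical ext."""
    (_, body), = children(responses_der)                  # outer SEQUENCE OF SingleResponse
    for _, single in children(body):
        fields = children(single)                         # certID, certStatus, thisUpdate, [0] nextUpdate, [1] singleExtensions
        if int.from_bytes(children(fields[0][1])[3][1], "big") != serial:
            continue                                      # different certificate, keep scanning
        for ftag, fbody in fields[3:]:
            for _, ext in (children(children(fbody)[0][1]) if ftag == 0xA1 else []):
                parts = children(ext)                     # extnID, [critical BOOLEAN], extnValue
                critical = len(parts) == 3 and parts[1][1] == b"\xff"
                if critical and parts[0][1].hex() not in KNOWN_SINGLE_EXTS:
                    raise ValueError("unsupported critical singleExtension " + parts[0][1].hex())
        return {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}[fields[1][0]]
    return None

def single_response(serial, cert_status, ext=b""):
    cert_id = der(0x30, SHA1_ALG + der(0x04, b"\x11" * 20) + der(0x04, b"\x22" * 20)   # placeholder hashes
                  + der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big")))
    body = cert_id + cert_status + der(0x18, b"20100101000000Z")
    return der(0x30, body + (der(0xA1, der(0x30, ext)) if ext else b""))

def extension(oid_hex, critical, value):
    crit = der(0x01, b"\xff") if critical else b""         # DEFAULT FALSE is omitted in DER
    return der(0x30, der(0x06, bytes.fromhex(oid_hex)) + crit + der(0x04, value))
# Constructed sample covering serials 1, 2 and 3; serial 3 carries a critical
# extension with a made-up OID (1.2.3.4) that this checker cannot process.
RESPONSES = der(0x30,
    single_response(1, b"\x80\x00")                                             # good
    + single_response(2, der(0xA1, der(0x18, b"20091201000000Z")),              # revoked
                      extension("551d15", False, der(0x0A, b"\x01")))           # reasonCode
    + single_response(3, b"\x82\x00", extension("2a0304", True, b"\x05\x00")))  # unknown
```

A checker that only looks at the first SingleResponse would return "good" for serial 2 or discard the response entirely; scanning every entry yields the right status for each serial and rejects the one with the unsupported critical extension.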

      CUSTOMER SUBMITTED WORKAROUND :
      Use a different provider.

      People

        Assignee: Unassigned
        Reporter: Nelson Dcosta (ndcosta) (Inactive)