Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8031825

OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID

XMLWordPrintable

    • b119
    • b126
    • Verified

        The OCSP client code tries to match the responderID (in an OCSP response) against the subject key identifier of the responder cert. This works if the subject key id is using the same algorithm as defined in RFC 2560 (160-bit SHA-1 hash of responder's public key), but RFC 5280 allows implementations to use a different algorithm. For example, RFC 7093 defines new methods using stronger SHA-2 algorithms. We fail to find a responder cert in these situations, and throw the following exception:

        java.security.cert.CertPathValidatorException: Unable to verify OCSP Response's signature

              mullan Sean Mullan
              mullan Sean Mullan
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

                Created:
                Updated:
                Resolved: