- Bug
- Resolution: Fixed
- P2
- 9
- b142
- Verified

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8176536 | 8u152 | Anthony Scarpino | P2 | Resolved | Fixed | b02 |

An OCSP certificate with a SHA1 signature is not algorithm constrained when jdk.certpath.disabledAlgorithms is set to restrict SHA1.

A setup where the certificate path includes all certificates with SHA256 except OCSP successfully validates the certpath when SHA1 is constrained. Since the OCSP signer certificate has a SHA1 signature, it should be restricted and validation should fail with "Algorithm constraint check failed".

CRL signing should also be checked in the same context.

- backported by
  - JDK-8176536 Improved algorithm constraints checking (Resolved)
- relates to
  - JDK-8170820 RevocationRestrictions.java test needs to be updated to use cached OCSP responses (Resolved)
  - JDK-8149555 JEP 288: Disable SHA-1 Certificates (Closed)