-
Bug
-
Resolution: Fixed
-
P2
-
9
-
b142
-
Verified
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8176536 | 8u152 | Anthony Scarpino | P2 | Resolved | Fixed | b02 |
OCSP certificate with SHA1 signature is not algorithm constrained when jdk.certpath.disabledAlgorithms is set to restrict SHA1.
A setup where certificate path includes all certificates with SHA256 except OCSP, successfully validates certpath when SHA1 is constrained. Since OCSP signer certificate has SHA1 signature, it should be restricted and validation should fail with "Algorithm constraint check failed".
CRL signing should also be checked in the same context.
A setup where certificate path includes all certificates with SHA256 except OCSP, successfully validates certpath when SHA1 is constrained. Since OCSP signer certificate has SHA1 signature, it should be restricted and validation should fail with "Algorithm constraint check failed".
CRL signing should also be checked in the same context.
- backported by
-
-
- Resolved
-
- relates to
-
-
- Resolved
-
-
JDK-8149555 JEP 288: Disable SHA-1 Certificates
-
- Closed
-