Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8277246

Check for NonRepudiation as well when validating a TSA certificate

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved
    • P4
    • Resolution: Fixed
    • None
    • 18
    • security-libs
    • None

    Description

      In sun.security.validator.EndEntityChecker::checkTSAServer, we needs KU_SIGNATURE in KeyUsage and OID_EKU_TIME_STAMPING in ExtendedKeyUsage, but https://datatracker.ietf.org/doc/html/rfc3161#section-2.3 only has requirement on EKU.

      In reality, sigstore’s timestamp server does not have KU_SIGNATURE. Its KeyUsage is a single nonRepudiation.

      Attachments

        Issue Links

          Activity

            People

              weijun Weijun Wang
              weijun Weijun Wang
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: