Check for NonRepudiation as well when validating a TSA certificate


    • Type: Bug
    • Resolution: Fixed
    • Priority: P4
    • 18
    • Affects Version/s: None
    • Component/s: security-libs
    • None

      In sun.security.validator.EndEntityChecker::checkTSAServer, we need KU_SIGNATURE in KeyUsage and OID_EKU_TIME_STAMPING in ExtendedKeyUsage, but https://datatracker.ietf.org/doc/html/rfc3161#section-2.3 only has a requirement on EKU.

      In reality, sigstore’s timestamp server does not have KU_SIGNATURE. Its KeyUsage is a single nonRepudiation.

            Assignee:
            Weijun Wang
            Reporter:
            Weijun Wang
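The check discussed in this issue, sketched as an added example (not the JDK's own code): a TSA certificate is accepted when its ExtendedKeyUsage contains id-kp-timeStamping and its KeyUsage, if present, has digitalSignature or nonRepudiation set. The class and method names are hypothetical, and treating an absent KeyUsage extension as unrestricted is an assumption.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;

public class TsaUsageCheck {
    // id-kp-timeStamping, the ExtendedKeyUsage value RFC 3161 section 2.3 requires
    static final String EKU_TIME_STAMPING = "1.3.6.1.5.5.7.3.8";
    // Indexes into the boolean[] returned by X509Certificate.getKeyUsage()
    static final int DIGITAL_SIGNATURE = 0;
    static final int NON_REPUDIATION = 1;

    static boolean bit(boolean[] ku, int i) {
        return i < ku.length && ku[i];
    }

    // Hypothetical helper. ku and eku are what getKeyUsage() and
    // getExtendedKeyUsage() return; null means the extension is absent.
    static boolean acceptableForTsa(boolean[] ku, List<String> eku) {
        if (eku == null || !eku.contains(EKU_TIME_STAMPING)) {
            return false; // the EKU is mandatory
        }
        if (ku == null) {
            return true; // assumption: an absent KeyUsage places no restriction
        }
        return bit(ku, DIGITAL_SIGNATURE) || bit(ku, NON_REPUDIATION);
    }

    static boolean acceptableForTsa(X509Certificate cert)
            throws CertificateParsingException {
        return acceptableForTsa(cert.getKeyUsage(), cert.getExtendedKeyUsage());
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real certificate.
        List<String> timeStamping = List.of(EKU_TIME_STAMPING);
        List<String> serverAuth = List.of("1.3.6.1.5.5.7.3.1");
        boolean[] nonRepudiationOnly = new boolean[9];
        nonRepudiationOnly[NON_REPUDIATION] = true;
        boolean[] keyEnciphermentOnly = new boolean[9];
        keyEnciphermentOnly[2] = true;

        System.out.println("nonRepudiation + timeStamping: "
                + acceptableForTsa(nonRepudiationOnly, timeStamping));
        System.out.println("keyEncipherment + timeStamping: "
                + acceptableForTsa(keyEnciphermentOnly, timeStamping));
        System.out.println("nonRepudiation + serverAuth: "
                + acceptableForTsa(nonRepudiationOnly, serverAuth));
    }
}
```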