JDK-8277246

Check for NonRepudiation as well when validating a TSA certificate


    • Type: Bug
    • Resolution: Fixed
    • Priority: P4
    • 18
    • None
    • security-libs
    • None

      In sun.security.validator.EndEntityChecker::checkTSAServer, we need KU_SIGNATURE in KeyUsage and OID_EKU_TIME_STAMPING in ExtendedKeyUsage, but https://datatracker.ietf.org/doc/html/rfc3161#section-2.3 only has a requirement on EKU.

      In reality, sigstore’s timestamp server does not have KU_SIGNATURE. Its KeyUsage is a single nonRepudiation.

            weijun Weijun Wang
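The difference between the check described in the report and the one the title asks for, as an added example that is not the JDK's EndEntityChecker source. The class and method names (TsaUsageCheck, strictCheck, relaxedCheck) are hypothetical, the KeyUsage arrays are constructed, and treating an absent KeyUsage extension as acceptable is an assumption.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;

// Added example; not the JDK's EndEntityChecker source.
public class TsaUsageCheck {
    static final String OID_EKU_TIME_STAMPING = "1.3.6.1.5.5.7.3.8"; // id-kp-timeStamping
    // Indexes into the boolean[] returned by X509Certificate.getKeyUsage()
    static final int KU_SIGNATURE = 0;       // digitalSignature
    static final int KU_NON_REPUDIATION = 1; // nonRepudiation

    static boolean hasBit(boolean[] ku, int bit) {
        return ku.length > bit && ku[bit];
    }

    // The check as the report describes it: KU_SIGNATURE plus the time-stamping EKU.
    static boolean strictCheck(boolean[] ku, List<String> eku) {
        boolean kuOk = ku == null || hasBit(ku, KU_SIGNATURE); // assumption: absent KeyUsage passes
        return kuOk && eku != null && eku.contains(OID_EKU_TIME_STAMPING);
    }

    // The check the title asks for: nonRepudiation is accepted as well.
    static boolean relaxedCheck(boolean[] ku, List<String> eku) {
        boolean kuOk = ku == null // assumption: absent KeyUsage passes
                || hasBit(ku, KU_SIGNATURE) || hasBit(ku, KU_NON_REPUDIATION);
        return kuOk && eku != null && eku.contains(OID_EKU_TIME_STAMPING);
    }

    // Same decision taken from a parsed certificate.
    static boolean relaxedCheck(X509Certificate cert) throws CertificateParsingException {
        return relaxedCheck(cert.getKeyUsage(), cert.getExtendedKeyUsage());
    }

    public static void main(String[] args) {
        List<String> tsa = List.of(OID_EKU_TIME_STAMPING);
        // Constructed KeyUsage arrays (9 bits, as getKeyUsage() returns them).
        boolean[] sigOnly = {true, false, false, false, false, false, false, false, false};
        boolean[] nrOnly  = {false, true, false, false, false, false, false, false, false};
        boolean[] keyEnc  = {false, false, true, false, false, false, false, false, false};

        // Each line prints "strict / relaxed" for one constructed certificate profile.
        System.out.println("digitalSignature: " + strictCheck(sigOnly, tsa) + " / " + relaxedCheck(sigOnly, tsa));
        System.out.println("nonRepudiation:   " + strictCheck(nrOnly, tsa) + " / " + relaxedCheck(nrOnly, tsa));
        System.out.println("keyEncipherment:  " + strictCheck(keyEnc, tsa) + " / " + relaxedCheck(keyEnc, tsa));
        // nonRepudiation with only the serverAuth EKU: the EKU requirement still applies.
        System.out.println("no TSA EKU:       " + relaxedCheck(nrOnly, List.of("1.3.6.1.5.5.7.3.1")));
    }
}
```

The nonRepudiation-only row corresponds to the sigstore timestamp server profile described in the report: it fails the strict check and passes the relaxed one, while a certificate without the time-stamping EKU fails both.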