Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8031825

OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID

    XMLWordPrintable

    Details

    • Subcomponent:
    • Introduced In Build:
      b119
    • Resolved In Build:
      b126
    • Verification:
      Verified

      Backports

        Description

        The OCSP client code tries to match the responderID (in an OCSP response) against the subject key identifier of the responder cert. This works if the subject key id is using the same algorithm as defined in RFC 2560 (160-bit SHA-1 hash of responder's public key), but RFC 5280 allows implementations to use a different algorithm. For example, RFC 7093 defines new methods using stronger SHA-2 algorithms. We fail to find a responder cert in these situations, and throw the following exception:

        java.security.cert.CertPathValidatorException: Unable to verify OCSP Response's signature

          Attachments

            Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8032806 OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID

            • P1 - Blocks development and/or testing work, production could not run.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8033096 OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID

            • P1 - Blocks development and/or testing work, production could not run.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8193963 OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID

            • P1 - Blocks development and/or testing work, production could not run.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8032391 OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID

            • P1 - Blocks development and/or testing work, production could not run.
            • Closed

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8032665 OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID

            • P1 - Blocks development and/or testing work, production could not run.
            • Closed

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8035227 OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID

            • P1 - Blocks development and/or testing work, production could not run.
            • Closed
            relates to

            Bug - A problem which impairs or prevents the functions of the product. JDK-8015571 OCSP validation fails if ocsp.responderCertSubjectName is set

            • P3 - Major loss of function.
            • Resolved

              Activity

                People

                Assignee:
                mullan Sean Mullan
                Reporter:
                mullan Sean Mullan
                Votes:
                0 Vote for this issue
                Watchers:
                12 Start watching this issue

                  Dates

                  Due:
                  Created:
                  Updated:
                  Resolved: