Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8012642

OCSP signature validation fails always on CA key rollover

    Details

      Description

      The test setup is similar to one described in JDK-7168191. When run with JDK 8, the test always failed to verify OCSP.

      This is what test does:

      1. It has two intermediate CAs, CA1 and CA2, with same subject in as trust anchor
      2. OpenSSL OCSP responder is started with OCSP certificate issued by CA2
      3. Java OCSP client tries to verify EE certificate issued by CA1 against this OCSP

      Test run with:
      java version "1.8.0-ea"
      Java(TM) SE Runtime Environment (build 1.8.0-ea-b85)
      Java HotSpot(TM) 64-Bit Server VM (build 25.0-b26, mixed mode)

      Results seen:
      The validation always fails but exception thrown is not consistent, sometime first exception is returned and sometimes other one. I see two types of exception thrown:

      -------------------------------------------------------------
      Got an exception:
      java.security.cert.CertPathValidatorException: signature check failed

      TEST_RESULT: FAIL
      java.security.cert.CertPathValidatorException: signature check failed
              at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:129)
              at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:210)
              at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:143)
              at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
              at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
              at TestOCSP.run(TestOCSP.java:216)
              at TestOCSP.main(TestOCSP.java:57)
      Caused by: java.security.SignatureException: Signature does not match.
              at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:448)
              at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
              at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
              at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:119)
              ... 6 more
      -------------------------------------------------------------

      and the second one:

      -------------------------------------------------------------
      Got an exception:
      java.security.cert.CertPathValidatorException: Unable to verify OCSP Response's signature

      TEST_RESULT: FAIL
      java.security.cert.CertPathValidatorException: Unable to verify OCSP Response's signature
              at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:129)
              at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:210)
              at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:143)
              at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
              at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
              at TestOCSP.run(TestOCSP.java:216)
              at TestOCSP.main(TestOCSP.java:57)
      -------------------------------------------------------------

        Attachments

          Activity

            People

            • Assignee:
              vinnie Vincent Ryan
              Reporter:
              rhalade Rajan Halade
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Due:
                Created:
                Updated:
                Resolved: