Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8031825

OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID

    Details

    • Subcomponent:
    • Introduced In Build:
      b119
    • Resolved In Build:
      b126
    • Verification:
      Verified

      Backports

        Description

        The OCSP client code tries to match the responderID (in an OCSP response) against the subject key identifier of the responder cert. This works if the subject key id is using the same algorithm as defined in RFC 2560 (160-bit SHA-1 hash of responder's public key), but RFC 5280 allows implementations to use a different algorithm. For example, RFC 7093 defines new methods using stronger SHA-2 algorithms. We fail to find a responder cert in these situations, and throw the following exception:

        java.security.cert.CertPathValidatorException: Unable to verify OCSP Response's signature

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  mullan Sean Mullan
                  Reporter:
                  mullan Sean Mullan
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  12 Start watching this issue

                  Dates

                  • Due:
                    Created:
                    Updated:
                    Resolved: