JDK-8165274

SHA1 certpath constraint check fails with OCSP certificate

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2
    • Resolution: Fixed
    • Affects Version/s: 9
    • Fix Version/s: 9
    • Component/s: security-libs
    • Resolved In Build:
      b142
    • Verification:
      Verified

        Description

        An OCSP certificate with a SHA1 signature is not algorithm constrained when jdk.certpath.disabledAlgorithms is set to restrict SHA1.

        A setup where the certificate path includes all certificates with SHA256 except OCSP successfully validates the certpath when SHA1 is constrained. Since the OCSP signer certificate has a SHA1 signature, it should be restricted and validation should fail with "Algorithm constraint check failed".

        CRL signing should also be checked in the same context.
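
A regression check for the scenario described above, added here as an example; it is not code from the bug report or from the JDK test suite. The class name, the three file arguments and the disabled-algorithm value "SHA1" are assumptions: the inputs are a SHA256 trust anchor, a SHA256 end-entity certificate issued directly by it, and a DER-encoded OCSP response whose signer certificate carries a SHA1 signature.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.util.*;

public class OcspSignerSha1Check {
    // Assumed arguments: <anchor cert> <end-entity cert> <OCSP response, DER>
    public static void main(String[] args) throws Exception {
        // Set before any certpath class reads and caches the constraints.
        Security.setProperty("jdk.certpath.disabledAlgorithms", "SHA1");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate anchor = load(cf, args[0]);
        X509Certificate leaf = load(cf, args[1]);
        byte[] ocspResponse = Files.readAllBytes(Paths.get(args[2]));

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // Use only the supplied response: no network fetch, no CRL fallback.
        rc.setOcspResponses(Collections.singletonMap(leaf, ocspResponse));
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(anchor, null)));
        params.addCertPathChecker(rc);

        CertPath path = cf.generateCertPath(Collections.singletonList(leaf));
        try {
            cpv.validate(path, params);
            System.out.println("FAIL: path validated although SHA1 is disabled");
            System.exit(1);
        } catch (CertPathValidatorException e) {
            boolean constrained = false;
            // The constraint failure may be the exception itself or a nested cause.
            for (Throwable t = e; t != null; t = t.getCause()) {
                constrained |= t instanceof CertPathValidatorException
                        && ((CertPathValidatorException) t).getReason()
                                == BasicReason.ALGORITHM_CONSTRAINED;
            }
            System.out.println((constrained ? "OK, constrained: " : "Other failure: ")
                    + e.getMessage());
            System.exit(constrained ? 0 : 2);
        }
    }

    private static X509Certificate load(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
}
```

Exit code 1 indicates the behaviour this report describes; exit code 2 means the path was rejected for an unrelated reason, such as a stale OCSP response.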

                People

                • Assignee:
                  ascarpino Anthony Scarpino
                  Reporter:
                  rhalade Rajan Halade