Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8277246

Check for NonRepudiation as well when validating a TSA certificate

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 18
    • Component/s: security-libs
    • Labels:
      None

      Description

      In sun.security.validator.EndEntityChecker::checkTSAServer, we needs KU_SIGNATURE in KeyUsage and OID_EKU_TIME_STAMPING in ExtendedKeyUsage, but https://datatracker.ietf.org/doc/html/rfc3161#section-2.3 only has requirement on EKU.

      In reality, sigstore’s timestamp server does not have KU_SIGNATURE. Its KeyUsage is a single nonRepudiation.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              weijun Weijun Wang
              Reporter:
              weijun Weijun Wang
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: