[JDK-8277246] Check for NonRepudiation as well when validating a TSA certificate - Java Bug System

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: P4
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 18
Component/s: security-libs
Labels:
None

Subcomponent:
java.security
Resolved In Build:
b25

Description

In sun.security.validator.EndEntityChecker::checkTSAServer, we needs KU_SIGNATURE in KeyUsage and OID_EKU_TIME_STAMPING in ExtendedKeyUsage, but https://datatracker.ietf.org/doc/html/rfc3161#section-2.3 only has requirement on EKU.

In reality, sigstore’s timestamp server does not have KU_SIGNATURE. Its KeyUsage is a single nonRepudiation.

Attachments

Issue Links

links to

Commit openjdk/jdk/262d0700

Review openjdk/jdk/6416

Activity

People

Assignee:: Weijun Wang

Reporter:: Weijun Wang

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2021-11-16 11:32

Updated:: 2021-11-25 00:25

Resolved:: 2021-11-17 12:04