[security-dev 01487]: OCSP Issues in JDK6
Todd E. Johnson
tejohnson at yahoo.com
Sun Jan 3 21:00:03 UTC 2010
Hello,
I posted a bug on this issue at http://bugreport.sun.com/
The Sun provider currently ignores all but the first SingleResponse in
an OCSPResponse object. This leads to an OCSP validation attempt being
discarded when receiving a response from an OCSP responder that provides
1..n SingleResponse in a responses Sequence.
The provider also may allow the encounter of an OCSP extension that is
flagged critical. The provider currently ignores all extensions in the
SingleResponse object. I believe if an extension is flagged critical,
and the provider is not capable of processing the extension, the
response MUST be discarded.
I have created a patch to the JDK6 provider, and a piece of code to
provide an example pre/post patching. It can be retrieved from:
http://keysupport.org/code/java/Sun_Provider_OCSP_Proposed.tar.gz
Thanks!
--
Regards,
Todd E. Johnson
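
The two checks described in the message above, as an added example that is not part of the original post and is not the patch or the JDK provider code: scan every SingleResponse for the requested CertID instead of reading only the first, and reject a matching entry that carries a critical extension the checker cannot process. The record types, the SUPPORTED set and the sample values are simplified, constructed stand-ins for the ASN.1 structures, and checking only the matching entry's extensions is an assumption of this sketch.

```java
import java.math.BigInteger;
import java.util.List;
import java.util.Set;

// Added illustration: a simplified model, not sun.security.provider.certpath.
public class OcspSingleResponseSelection {
    // Hypothetical stand-ins for the CertID, Extension and SingleResponse structures.
    record CertId(String issuerNameHash, String issuerKeyHash, BigInteger serial) {}
    record Extension(String oid, boolean critical) {}
    record SingleResponse(CertId certId, String certStatus, List<Extension> extensions) {}

    // OIDs of the singleExtensions this checker can process (constructed: none).
    static final Set<String> SUPPORTED = Set.of();

    /** Returns the status for the requested certificate, examining every entry. */
    static String statusFor(CertId wanted, List<SingleResponse> responses) {
        for (SingleResponse sr : responses) {
            if (!sr.certId().equals(wanted)) {
                continue; // entry for another certificate: keep scanning
            }
            // Assumption: only the matching entry's extensions are checked.
            for (Extension e : sr.extensions()) {
                if (e.critical() && !SUPPORTED.contains(e.oid())) {
                    throw new SecurityException(
                        "unsupported critical extension " + e.oid());
                }
            }
            return sr.certStatus();
        }
        throw new SecurityException("no SingleResponse matches the requested CertID");
    }

    public static void main(String[] args) {
        // Constructed sample data: one responder answer covering three serials.
        CertId first = new CertId("aa", "bb", BigInteger.valueOf(1));
        CertId second = new CertId("aa", "bb", BigInteger.valueOf(2));
        CertId third = new CertId("aa", "bb", BigInteger.valueOf(3));
        List<SingleResponse> responses = List.of(
            new SingleResponse(first, "good", List.of()),
            new SingleResponse(second, "revoked", List.of()),
            new SingleResponse(third, "good",
                List.of(new Extension("1.2.3.4", true)))); // constructed OID

        System.out.println("serial 2: " + statusFor(second, responses));
        try {
            statusFor(third, responses);
        } catch (SecurityException ex) {
            System.out.println("serial 3 rejected: " + ex.getMessage());
        }
    }
}
```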