7168191: Signature validation can fail under certain circumstances
Michael StJohns
mstjohns at comcast.net
Tue Jun 19 20:48:49 UTC 2012
Hi - there are two different varieties of authorityKeyIdentifier - you only fixed one.
If the child cert has an akid consisting of the value of the parent skid, then you're good to go. But there's also the akid variant which contains issuerName/serialNumber of its parent where the parent has no skid.
Mike
Sent from my iPad
On Jun 19, 2012, at 15:52, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:
> Hello,
>
> Please review the following changeset for JDK 7u6:
> http://cr.openjdk.java.net/~vinnie/7168191/webrev.01
>
> The bug report is at:
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7168191
>
> This fix addresses a bug in the OCSP client when processing key-rollover
> certs. Typically such certs have the same subject name but different
> keys. Now the OCSP code examines all the matching candidates (not just
> the first one) both when preparing the request and when validating the
> response.
>
> Thanks.
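Issuer-candidate selection covering both AKID forms described above (keyIdentifier matching the parent's SKID, and issuer name plus serial number for a parent that has no SKID), as an added example that is not the JDK's code or part of the webrev. It assumes the third-party Python `cryptography` package and constructs its own key-rollover certificates inline.

```python
# Added example, not the JDK's code: pick the issuer candidate that a child
# cert's AuthorityKeyIdentifier names. Assumes the 'cryptography' package.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def matching_issuers(child, candidates):
    """Match by SKID (form 1) or by the candidate's own issuer DN + serial (form 2)."""
    akid = child.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    out = []
    for cand in candidates:
        try:
            skid = cand.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
        except x509.ExtensionNotFound:
            skid = None  # no SKID on this parent: only form 2 can match it
        if akid.key_identifier is not None and skid == akid.key_identifier:
            out.append(cand)
        elif cand.serial_number == akid.authority_cert_serial_number and any(
                isinstance(n, x509.DirectoryName) and n.value == cand.issuer
                for n in akid.authority_cert_issuer or ()):
            out.append(cand)
    return out

def make_cert(subject, issuer, key, signer_key, serial, skid=False, akid=None):
    """Constructed test cert; SKID/AKID extensions only when requested."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(serial)
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(1)))
    if skid:
        b = b.add_extension(x509.SubjectKeyIdentifier.from_public_key(
            key.public_key()), critical=False)
    if akid is not None:
        b = b.add_extension(akid, critical=False)
    return b.sign(signer_key, hashes.SHA256())

name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def demo(form):
    """Key rollover: two CA certs, same subject, different keys; form 1 uses SKIDs, form 2 does not."""
    root_k, old_k, new_k, leaf_k = [ec.generate_private_key(ec.SECP256R1()) for _ in range(4)]
    old_ca = make_cert(name("CA"), name("Root"), old_k, root_k, 10, form == 1)
    new_ca = make_cert(name("CA"), name("Root"), new_k, root_k, 11, form == 1)
    akid = (x509.AuthorityKeyIdentifier.from_issuer_public_key(new_k.public_key()) if form == 1
            else x509.AuthorityKeyIdentifier(None, [x509.DirectoryName(name("Root"))], 11))
    leaf = make_cert(name("leaf"), name("CA"), leaf_k, new_k, 100, akid=akid)
    return [c.serial_number for c in matching_issuers(leaf, [old_ca, new_ca])]
```

In both forms only the rolled-over CA (serial 11) is kept; a matcher that checks SKID alone would return nothing in form 2.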