PATCH: possible bug in OCSP check
Xuelei Fan
xuelei.fan at oracle.com
Wed May 29 00:55:25 UTC 2013
I just opened a new bug JDK-8015571 for it.
Thanks,
Xuelei
On 5/29/2013 4:08 AM, Ricardo Martin Camarero wrote:
> Hi Christophe,
>
> I opened one some months ago (it was opened against openjdk 6). I
> received an email saying the bug had been accepted with the Bug Id
> 9000381, but the bug was never made public.
>
> Regards!
>
>
> On 05/28/2013 08:23 PM, Christophe Ravel wrote:
>> Is there a bug open for this issue?
>>
>> Regards,
>> Christophe.
>>
>>> Ricardo Martin Camarero <ricardo_martin_camarero at yahoo.es>
>>> May 24, 2013 2:31 AM
>>> Hi everybody,
>>>
>>> I have been struggling for some months with a weird issue about how Java
>>> validates OCSP responses. Following the RFC2560 standard, the responses
>>> sent by the responder should be signed following one of these three
>>>
>>> In the current Java implementation (openjdk 6, 7 and 8) cases (1) and (3)
>>> are considered by default and case (2) can be configured using some
>>> properties ("ocsp.responderCertSubjectName" for example). But the
>>> problem is that both configurations are exclusive: if your application
>>> accepts responses for cases (1) and (3) it fails with case (2)
>>> and vice versa.
>>>
>>> I faced an OCSP responder that in some cases answered using case
>>> (1) and in others using case (2). Case (1) was used to sign
>>> responses for their own certificates and case (2) was used to sign
>>> responses for foreign certificates (Spanish national ID certificates
>>> specifically). I'm not completely sure if the standard admits this
>>> situation but I haven't read anything against that. Besides, why not
>>> take the configured certificate ("ocsp.responderCertSubjectName" or any
>>> of the other properties) as a fallback and not as the unique valid
>>> signer?
>>>
>>> Looking at the code, the problem is that only one certificate is passed
>>> as the valid signer for responses (the one configured via properties or
>>> the issuer cert). Following Andrew's advice I have made a little patch
>>> against current openjdk-8 that just considers both of them (the OCSPResponse
>>> class receives both certs and this way can check the three cases).
>>>
>>> Thanks in advance!
>>
>> --
>> Christophe Ravel | Principal Member of Technical Staff | +1.650.506.2162
>> Oracle Java SQE - Security
>> 4220 Network Circle, Office 2140, Santa Clara, CA 95054
>>
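As an added illustration of the signer-selection problem discussed in this thread (not code from the JDK or from Ricardo's patch): a small Python model of the RFC 2560 section 2.2 signer checks, contrasting the single-anchor behaviour described above with a patched version that treats the configured responder as a fallback. The `Cert`/`OcspResponse` classes, key-id matching in place of real signature verification, and the sample certificates are all constructed assumptions.

```python
from dataclasses import dataclass

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning


@dataclass(frozen=True)
class Cert:                       # hypothetical stand-in for an X.509 cert
    subject: str
    issuer: str                   # subject name of the issuing CA
    key_id: str                   # stands in for the public key
    eku: frozenset = frozenset()  # extended key usage OIDs


@dataclass(frozen=True)
class OcspResponse:               # hypothetical stand-in for a BasicOCSPResponse
    signer: Cert                  # cert identified by the responderID
    signed_by_key: str            # key the signature verifies under (constructed)


def accepted_case(resp, anchor):
    """Signer checks against one anchor cert. 'direct' is RFC 2560 case (1)
    when the anchor is the certificate's issuer and case (2) when it is the
    configured trusted responder; 'delegated' is case (3): a responder cert
    issued by the anchor CA and marked id-kp-OCSPSigning (path validation of
    that cert is assumed to happen elsewhere). Returns None if not accepted."""
    s = resp.signer
    if s == anchor and resp.signed_by_key == anchor.key_id:
        return "direct"
    if (s.issuer == anchor.subject and OCSP_SIGNING_EKU in s.eku
            and resp.signed_by_key == s.key_id):
        return "delegated"
    return None


def verify_current(resp, issuer, configured=None):
    """Behaviour described in the thread: exactly one acceptable signer is
    passed on, the configured responder if set, otherwise the issuer."""
    return accepted_case(resp, configured or issuer) is not None


def verify_patched(resp, issuer, configured=None):
    """Fallback behaviour: try the issuer and, if set, the configured
    responder; the per-anchor checks themselves are unchanged."""
    anchors = [issuer] + ([configured] if configured else [])
    return any(accepted_case(resp, a) for a in anchors)


# Constructed sample data mirroring the mixed-behaviour responder in the thread.
CA = Cert("CN=Example CA", "CN=Example Root", "ca-key")
FOREIGN_RESPONDER = Cert("CN=Foreign OCSP", "CN=Other CA", "foreign-key",
                         frozenset({OCSP_SIGNING_EKU}))
RESP_OWN = OcspResponse(CA, "ca-key")                         # case (1)
RESP_FOREIGN = OcspResponse(FOREIGN_RESPONDER, "foreign-key")  # case (2)
```

With `FOREIGN_RESPONDER` configured, `verify_current` rejects `RESP_OWN`; without it, it rejects `RESP_FOREIGN`; `verify_patched` accepts both while still rejecting a signer that is issued by the CA but lacks the OCSP-signing EKU.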