[8] 7174966: With OCSP enabled on Java 7 get error 'Wrong key usage' with Comodo certificate

Matthew Hall mhall at mhcomputing.net
Wed May 29 07:55:21 PDT 2013


Comodo used the root cert to sign the responses, which the RFC allows. I think Java is getting carried away with strictness on this.
-- 
Sent from my mobile device.

Xuelei Fan <xuelei.fan at oracle.com> wrote:

>What's the key usage of the OCSP responder?  I think it is more like a
>problem of Comodo CA.  This fix may loosen the checking of the validity
>of the OCSP responder's certificate.
>
>Xuelei
>
>On 5/28/2013 7:30 PM, Vincent Ryan wrote:
>> Please review the fix for:
>http://bugs.sun.com/view_bug.do?bug_id=7174966
>> 
>> The problem occurs when validating the signature of an OCSP response
>from the Comodo CA.
>> The Signature class tests for the presence of the digitalSignature
>keyUsage setting when examining
>> a signer's certificate. One solution is for the
>sun.security.provider.certpath.OCSPResponse class to
>> pass the signer's public key rather than the signer's certificate.
>> 
>> Webrev: http://cr.openjdk.java.net/~vinnie/7174966/webrev.00/
>> 
>> Thanks.
>> 



More information about the security-dev mailing list