[8] 7174966: With OCSP enabled on Java 7 get error 'Wrong key usage' with Comodo certificate

Matthew Hall mhall at mhcomputing.net
Wed May 29 07:55:21 PDT 2013

Comodo used the root cert to sign the responses, which the RFC allows. I think Java is getting carried away with strictness on this.
Sent from my mobile device.

Xuelei Fan <xuelei.fan at oracle.com> wrote:

>What's the key usage of the OCSP responder?  I think it is more like a
>problem of Comodo CA.  This fix may loosen the checking of the validity
>of the OCSP responder's certificate.
>On 5/28/2013 7:30 PM, Vincent Ryan wrote:
>> Please review the fix for:
>> The problem occurs when validating the signature of an OCSP response from the Comodo CA.
>> The Signature class tests for the presence of the digitalSignature keyUsage setting when examining
>> a signer's certificate. One solution is for the sun.security.provider.certpath.OCSPResponse class to
>> pass the signer's public key rather than the signer's certificate.
>> Webrev: http://cr.openjdk.java.net/~vinnie/7174966/webrev.00/
>> Thanks.
