[8] 7174966: With OCSP enabled on Java 7 get error 'Wrong key usage' with Comodo certificate
Matthew Hall
mhall at mhcomputing.net
Wed May 29 14:55:21 UTC 2013
Comodo used the root cert to sign the responses, which the RFC allows. I think Java is getting carried away with strictness on this.
--
Sent from my mobile device.
Xuelei Fan <xuelei.fan at oracle.com> wrote:
>What's the key usage of the OCSP responder? I think it is more like a
>problem of Comodo CA. This fix may loosen the checking of the validity
>of the OCSP responder's certificate.
>
>Xuelei
>
>On 5/28/2013 7:30 PM, Vincent Ryan wrote:
>> Please review the fix for: http://bugs.sun.com/view_bug.do?bug_id=7174966
>>
>> The problem occurs when validating the signature of an OCSP response from the Comodo CA.
>> The Signature class tests for the presence of the digitalSignature keyUsage setting when examining
>> a signer's certificate. One solution is for the sun.security.provider.certpath.OCSPResponse class to
>> pass the signer's public key rather than the signer's certificate.
>>
>> Webrev: http://cr.openjdk.java.net/~vinnie/7174966/webrev.00/
>>
>> Thanks.
>>
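The security question in this thread is what a client should accept as a valid signer of an OCSP response once the digitalSignature keyUsage test is no longer applied to the signer's certificate. RFC 2560 / RFC 6960 section 4.2.2.2 names exactly three acceptable signers: the CA that issued the certificate in question, a responder the client trusts locally, and a delegated responder whose certificate was issued directly by that CA and carries the id-kp-OCSPSigning extended key usage. A CA certificate normally asserts only keyCertSign and cRLSign, so a check keyed on the digitalSignature bit rejects the first, fully legitimate case; dropping that bit check is fine only if the responder-authorization rules are enforced instead. The following Go program is an added illustration of those rules, not JDK code and not the webrev under review; it uses only the standard library, builds a constructed in-memory CA, delegated responder and server certificate, and shows which of them the rules accept. The certificate names and the helper names BuildPKI, HasDigitalSignatureBit and ResponderAuthorized are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed test hierarchy: a CA, a delegated OCSP responder it
// issued, and an ordinary server certificate it issued.
type PKI struct {
	CA, Delegated, EndEntity *x509.Certificate
}

// issue signs tmpl with parentKey under parent; when parent is nil the
// certificate is self-signed with its own fresh key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI constructs the hierarchy in memory (constructed data, not a real CA).
// The CA carries only keyCertSign and cRLSign, the usual CA profile, so it has
// no digitalSignature bit although it may sign OCSP responses about its own issuances.
func BuildPKI() (*PKI, error) {
	now := time.Now()
	base := func(serial int64, cn string) x509.Certificate {
		return x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
		}
	}
	caTmpl := base(1, "Constructed Example CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	ca, caKey, err := issue(&caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	respTmpl := base(2, "Constructed OCSP Responder")
	respTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	respTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	resp, _, err := issue(&respTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	eeTmpl := base(3, "www.example.test")
	eeTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	eeTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	ee, _, err := issue(&eeTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &PKI{CA: ca, Delegated: resp, EndEntity: ee}, nil
}

// HasDigitalSignatureBit is the test the thread says the JDK Signature class
// applies to a signer certificate; it rejects a typical CA certificate.
func HasDigitalSignatureBit(c *x509.Certificate) bool {
	return c.KeyUsage&x509.KeyUsageDigitalSignature != 0
}

// ResponderAuthorized applies the three cases of RFC 2560 / RFC 6960 section
// 4.2.2.2 for a response about a certificate issued by issuer.
func ResponderAuthorized(issuer, responder *x509.Certificate, trusted []*x509.Certificate) (bool, string) {
	if responder.Equal(issuer) {
		return true, "issuing CA signed the response itself"
	}
	for _, t := range trusted {
		if responder.Equal(t) {
			return true, "locally trusted responder"
		}
	}
	// Delegated responder: must be issued directly by the CA and carry id-kp-OCSPSigning.
	if err := responder.CheckSignatureFrom(issuer); err != nil {
		return false, "responder certificate not issued by the CA: " + err.Error()
	}
	for _, eku := range responder.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return true, "delegated responder with id-kp-OCSPSigning"
		}
	}
	return false, "issued by the CA but lacks id-kp-OCSPSigning"
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("CA has digitalSignature bit:", HasDigitalSignatureBit(p.CA))
	for _, c := range []*x509.Certificate{p.CA, p.Delegated, p.EndEntity} {
		ok, why := ResponderAuthorized(p.CA, c, nil)
		fmt.Printf("%-28s authorized=%v (%s)\n", c.Subject.CommonName, ok, why)
	}
}
```

Running it shows the CA accepted without a digitalSignature bit, the delegated responder accepted because the CA issued it with id-kp-OCSPSigning, and the server certificate rejected even though it does carry digitalSignature. That is the distinction a keyUsage-bit test alone cannot make: the bit says nothing about who authorized the key to speak for the CA. The delegated case additionally raises the question of checking the responder certificate's own revocation status, which RFC 6960 addresses with the id-pkix-ocsp-nocheck extension; that is out of scope for this example.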