[8] 7174966: With OCSP enabled on Java 7 get error 'Wrong key usage' with Comodo certificate
Vincent Ryan
vincent.x.ryan at oracle.com
Wed May 29 15:17:56 UTC 2013
Right. The Comodo cert is certainly valid. I've modified the OCSP client to avoid the strict check.
On 29 May 2013, at 15:55, Matthew Hall wrote:
> Comodo used the root cert to sign the responses, which the RFC allows. I think Java is getting carried away with strictness on this.
> --
> Sent from my mobile device.
>
> Xuelei Fan <xuelei.fan at oracle.com> wrote:
>
>> What's the key usage of the OCSP responder? I think it is more like a
>> problem of Comodo CA. This fix may loosen the checking of the validity
>> of the OCSP responder's certificate.
>>
>> Xuelei
>>
>> On 5/28/2013 7:30 PM, Vincent Ryan wrote:
>>> Please review the fix for:
>>> http://bugs.sun.com/view_bug.do?bug_id=7174966
>>>
>>> The problem occurs when validating the signature of an OCSP response
>>> from the Comodo CA.
>>> The Signature class tests for the presence of the digitalSignature
>>> keyUsage setting when examining a signer's certificate. One solution is for the
>>> sun.security.provider.certpath.OCSPResponse class to
>>> pass the signer's public key rather than the signer's certificate.
>>>
>>> Webrev: http://cr.openjdk.java.net/~vinnie/7174966/webrev.00/
>>>
>>> Thanks.
>>>
>
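The shape of the fix under discussion, together with the responder-authorisation check a reviewer would want alongside it, as an added example; this is not the webrev and not JDK code, and the class, method names and the certificate-file argument are assumptions:

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;

public class OcspSignerCheck {
    static final String ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"; // id-kp-OCSPSigning (RFC 6960)

    // The fix: initialise with the bare PublicKey. Signature.initVerify(Certificate) additionally
    // rejects an X.509 cert whose critical keyUsage lacks digitalSignature ("Wrong key usage").
    static boolean verifyResponseSignature(byte[] tbsResponseData, byte[] signature,
                                           String sigAlg, PublicKey signerKey)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance(sigAlg);
        sig.initVerify(signerKey);           // pre-fix code passed the X509Certificate here
        sig.update(tbsResponseData);
        return sig.verify(signature);
    }

    // Compensating check (RFC 6960 4.2.2.2): the signer must be the issuer of the certificate
    // being checked (the CA signing directly, as Comodo does), or a responder that CA certified
    // for OCSP signing. Without this, skipping the keyUsage gate would accept any key.
    static boolean isAuthorizedResponder(X509Certificate signer, X509Certificate issuer)
            throws GeneralSecurityException {
        if (signer.getPublicKey().equals(issuer.getPublicKey())) {
            return true;
        }
        if (!signer.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            return false;
        }
        signer.verify(issuer.getPublicKey());  // throws unless really issued by that CA
        List<String> eku = signer.getExtendedKeyUsage();
        return eku != null && eku.contains(ID_KP_OCSP_SIGNING);
    }

    // Reproduce the strict check on a DER/PEM certificate given as args[0] (assumed usage).
    public static void main(String[] args) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            String alg = "EC".equals(cert.getPublicKey().getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
            try {
                Signature.getInstance(alg).initVerify(cert);
                System.out.println("initVerify(Certificate) accepted the signer certificate");
            } catch (InvalidKeyException e) {
                System.out.println("initVerify(Certificate) rejected it: " + e.getMessage());
            }
            Signature.getInstance(alg).initVerify(cert.getPublicKey());
            System.out.println("initVerify(PublicKey) accepted the same key");
        }
    }
}
```

Run it against a CA certificate whose critical keyUsage carries only keyCertSign and cRLSign to see the first call fail and the second succeed.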