[8] 8012636: OCSP validation fails even when public key is trusted

Sean Mullan sean.mullan at oracle.com
Tue Oct 22 16:06:05 UTC 2013


I am still reviewing, but here are some comments so far:

* X509CertImpl

I would prefer if getSubjectKeyIdentifier returned a KeyIdentifier so 
that it is consistent with the getAuthKeyId method. Also, in 
OCSPResponse, you can then just call KeyIdentifier.equals instead of 
comparing the bytes yourself with Arrays.equals.

* RevocationChecker

RevocationChecker can be re-used for subsequent revocation checks by 
calling the init method. So, you need to clear the contents of the 
responderCerts list each time init is called. You can add this after 
line 323 in the init method

     responderCerts.clear();

--Sean

On 10/21/2013 05:36 PM, Vincent Ryan wrote:
> Please review this fix to support key-rollover certs
> (same name, different keys):
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8012636
> Webrev: http://cr.openjdk.java.net/~vinnie/8012636/webrev.00/
>
> This issue arises when an OCSP responder replaces its public key
> but retains its subject name. The OCSP client must be able to
> validate responses signed by both keys.
>
> Thanks.




More information about the security-dev mailing list