[8] 8012636: OCSP validation fails even when public key is trusted
Sean Mullan
sean.mullan at oracle.com
Tue Oct 22 16:06:05 UTC 2013
I am still reviewing, but here are some comments so far:
* X509CertImpl
I would prefer if getSubjectKeyIdentifier returned a KeyIdentifier so
that it is consistent with the getAuthKeyId method. Also, in
OCSPResponse, you can then just call KeyIdentifier.equals instead of
comparing the bytes yourself with Arrays.equals.
* RevocationChecker
RevocationChecker can be re-used for subsequent revocation checks by
calling the init method. So, you need to clear the contents of the
responderCerts list each time init is called. You can add this after
line 323 in the init method:

    responderCerts.clear();
--Sean
On 10/21/2013 05:36 PM, Vincent Ryan wrote:
> Please review this fix to support key-rollover certs
> (same name, different keys):
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8012636
> Webrev: http://cr.openjdk.java.net/~vinnie/8012636/webrev.00/
>
> This issue arises when an OCSP responder replaces its public key
> but retains its subject name. The OCSP client must be able to
> validate responses signed by both keys.
>
> Thanks.
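As an added illustration of the selection logic the fix needs (written here for this thread, not JDK code and not from the webrev above): matching a trusted responder certificate by key identifier rather than by subject name, plus the responderCerts reset raised in the review. The certificate records, subject name and key bytes are constructed sample data; the ResponderCert class, RevocationChecker stand-in and helper names are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class ResponderCert:
    """Minimal stand-in for a trusted OCSP responder certificate (constructed)."""
    subject: str                    # subject name
    public_key: bytes               # contents of the subjectPublicKey BIT STRING
    skid: Optional[bytes] = None    # SubjectKeyIdentifier extension value, if present

def key_identifier(cert: ResponderCert) -> bytes:
    # Use the cert's SubjectKeyIdentifier when it carries one; otherwise derive it
    # the RFC 5280 way (SHA-1 over the public key bits), which is also how
    # RFC 6960 defines the ResponderID byKey hash.
    return cert.skid if cert.skid is not None else hashlib.sha1(cert.public_key).digest()

def responder_key_hash(public_key: bytes) -> bytes:
    # The ResponderID byKey value an OCSP response carries for its signer
    return hashlib.sha1(public_key).digest()

def select_by_name(responder_name: str, certs: List[ResponderCert]) -> Optional[ResponderCert]:
    # Pre-fix behaviour: the first cert with the right subject wins. After a key
    # rollover this returns the retired key's cert and signature validation fails.
    return next((c for c in certs if c.subject == responder_name), None)

def select_by_key(key_hash: bytes, certs: List[ResponderCert]) -> Optional[ResponderCert]:
    # Post-fix behaviour: match on the key identifier (the KeyIdentifier.equals
    # comparison in the review), so certs sharing a name but not a key are told apart.
    return next((c for c in certs if key_identifier(c) == key_hash), None)

class RevocationChecker:
    """Models the re-use point from the review: init() must clear responderCerts."""
    def __init__(self) -> None:
        self.responder_certs: List[ResponderCert] = []

    def init(self, trusted: List[ResponderCert]) -> None:
        self.responder_certs.clear()          # without this, stale certs accumulate across runs
        self.responder_certs.extend(trusted)

# Constructed sample data: one responder, two keys, same subject name.
OLD_KEY = b"\x00responder-key-2012"
NEW_KEY = b"\x00responder-key-2013"
OLD_CERT = ResponderCert("CN=OCSP Responder,O=Example", OLD_KEY)
NEW_CERT = ResponderCert("CN=OCSP Responder,O=Example", NEW_KEY)
TRUSTED = [OLD_CERT, NEW_CERT]
```

With a ResponderID byName, both sample certs still match and the client has to try each candidate's key against the response signature; only byKey (or an SKID comparison) pins the signer directly.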