[8] 8012636: OCSP validation fails even when public key is trusted

Vincent Ryan vincent.x.ryan at oracle.com
Wed Oct 23 15:24:10 UTC 2013


Thanks. I've made those recommended changes.


On 22 Oct 2013, at 17:06, Sean Mullan wrote:

> I am still reviewing, but here are some comments so far:
> 
> * X509CertImpl
> 
> I would prefer if getSubjectKeyIdentifier returned a KeyIdentifier so that it is consistent with the getAuthKeyId method. Also, in OCSPResponse, you can then just call KeyIdentifier.equals instead of comparing the bytes yourself with Arrays.equals.
> 
> * RevocationChecker
> 
> RevocationChecker can be re-used for subsequent revocation checks by calling the init method. So, you need to clear the contents of the responderCerts list each time init is called. You can add this after line 323 in the init method
> 
>    responderCerts.clear();
> 
> --Sean
> 
> On 10/21/2013 05:36 PM, Vincent Ryan wrote:
>> Please review this fix to support key-rollover certs
>> (same name, different keys):
>> 
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8012636
>> Webrev: http://cr.openjdk.java.net/~vinnie/8012636/webrev.00/
>> 
>> This issue arises when an OCSP responder replaces its public key
>> but retains its subject name. The OCSP client must be able to
>> validate responses signed by both keys.
>> 
>> Thanks.
> 




More information about the security-dev mailing list