<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000">Is there a bug open for
this issue?<br>
<br>
Regards,<br>
Christophe.<br>
<br>
<blockquote style="border: 0px none;"
cite="mid:519F3377.9000902@yahoo.es" type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true"
href="mailto:ricardo_martin_camarero@yahoo.es" style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Ricardo Martin Camarero</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">May 24, 2013 2:31
AM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div>Hi everybody,<br><br>I
have been struggling for some months with a weird issue about how Java
validates OCSP responses. Following the RFC 2560 standard, the responses
sent by the responder should be signed following one of these three<br></div><div><!----><br>In
the current Java implementation (OpenJDK 6, 7 and 8) cases (1) and (3)
are considered by default and case (2) can be configured using some
properties ("ocsp.responderCertSubjectName" for example). But the
problem is that both configurations are exclusive: if your application
accepts responses for cases (1) and (3) it fails with case (2)
and vice versa.<br><br>I faced an OCSP responder that in some cases
answered using case (1) and in others using case (2). Case (1) was
used to sign responses for their own certificates and case (2) was used
to sign responses for foreign certificates (Spanish national ID
certificates specifically). I'm not completely sure if the standard
admits this situation but I haven't read anything against that. Besides,
why not take the configured certificate ("ocsp.responderCertSubjectName"
or any of the other properties) as a fallback and not as the unique valid
signer?<br><br>Looking
at the code, the problem is that only one certificate is passed
as the valid signer for responses (the one configured via properties or
the issuer cert). Following Andrew's advice I have made a little patch
against current openjdk-8 that just considers both of them (OCSPResponse
class receives both certs and this way can check the three cases).<br><br>Thanks
in advance!<br></div></div>
</blockquote>
<br>
<div class="moz-signature">-- <br><font
color="#666666" face="Verdana, Arial, Helvetica, sans-serif" size="2">Christophe
Ravel | Principal Member of Technical Staff | +1.650.506.2162<br><font
color="#FF0000">Oracle</font> Java
SQE - Security<br>4220 Network Circle, Office 2140, Santa Clara, CA
95054</font><br>
</div>
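<br>
The signer-authorization decision discussed in the quoted message, as a simplified model added here (not code from the original post, the patch, or OpenJDK). Certificates are reduced to subject, issuer and extended key usage, the delegation rule follows RFC 2560, and all function and certificate names are hypothetical; it contrasts a single valid signer with using the configured responder as a fallback.<br>
<br>
```python
from dataclasses import dataclass
from typing import Optional, Tuple

OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning extended key usage OID

@dataclass(frozen=True)
class Cert:
    """Only the fields the decision reads (a model, not X.509 parsing)."""
    subject: str
    issuer: str
    eku: Tuple[str, ...] = ()

def by_issuer(signer: Cert, issuer: Cert) -> bool:
    # Signed by the issuing CA itself, or by a delegate that the CA issued
    # and marked with the OCSPSigning extended key usage.
    delegated = signer.issuer == issuer.subject and OCSP_SIGNING in signer.eku
    return signer == issuer or delegated

def by_config(signer: Cert, configured: Optional[Cert]) -> bool:
    # Locally configured responder: exact certificate match only.
    return configured is not None and signer == configured

def exclusive(signer: Cert, issuer: Cert, configured: Optional[Cert] = None) -> bool:
    # Behaviour described in the post: exactly one certificate is the valid signer.
    if configured is not None:
        return by_config(signer, configured)
    return by_issuer(signer, issuer)

def combined(signer: Cert, issuer: Cert, configured: Optional[Cert] = None) -> bool:
    # Configured responder as a fallback. A real validator must still verify
    # the response signature and the signer's validity after this check.
    return by_issuer(signer, issuer) or by_config(signer, configured)

# Constructed sample certificates (all names are made up).
CA = Cert("CN=Example CA", "CN=Example Root")
DELEGATE = Cert("CN=Example OCSP", "CN=Example CA", (OCSP_SIGNING,))
FOREIGN_CA = Cert("CN=Foreign CA", "CN=Foreign Root")
CONFIGURED = Cert("CN=Example Validation Authority", "CN=Example Root")
UNRELATED = Cert("CN=Some Server", "CN=Example CA")  # CA-issued, no OCSPSigning

def evaluate(check, configured: Optional[Cert]) -> dict:
    """Apply one policy to each (signer, issuer of the checked cert) pair."""
    responses = {"own/ca": (CA, CA), "own/delegate": (DELEGATE, CA),
                 "foreign/configured": (CONFIGURED, FOREIGN_CA),
                 "own/unrelated": (UNRELATED, CA)}
    return {k: check(s, i, configured) for k, (s, i) in responses.items()}

if __name__ == "__main__":
    for name, check, cfg in (("exclusive", exclusive, None),
                             ("exclusive+cfg", exclusive, CONFIGURED),
                             ("combined+cfg", combined, CONFIGURED)):
        print(name, evaluate(check, cfg))
```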
</body></html>