Bug ID: 7182500 OCSP revocation checking fails if OCSP response does not contain certificates

Details
Type: Bug
Submit Date: 2012-07-09
Status: Closed
Updated Date: 2012-11-29
Project Name: JDK
Resolved Date: 2012-08-03
Component: security-libs
OS: generic
Sub-Component: java.security
CPU: generic
Priority: P2
Resolution: Fixed
Affected Versions: 7u6
Fixed Versions: 7u6

Description
CertPathValidatorException is thrown if there are no certificates in the OCSP response:

java.security.cert.CertPathValidatorException: Responder's certificate is not trusted for signing OCSP responses
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)
	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
	at TestOCSP.run(TestOCSP.java:211)
	at TestOCSP.main(TestOCSP.java:52)

                                    

Comments
EVALUATION

This error was introduced in my fix to OCSP for CR 7168191 in 7u6.
This regression is a showstopper bug and should be fixed in 7u6.
                                     
2012-07-10
SUGGESTED FIX

The issue can be fixed by passing the issuer certificate as default OCSP responder certificate. Please see attached archive.
                                     
2012-07-09
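
As an added illustration of the suggested fix (not the JDK patch and not code from this report), the hypothetical helper below treats the issuer certificate as a default signer candidate, so a response with no embedded certificates can still be verified, while a delegated responder must carry the id-kp-OCSPSigning EKU and be issued by the CA. The class and method names are assumptions, and the sketch omits ResponderID matching, nonce and freshness checks, and revocation checking of the delegate.

```java
import java.security.GeneralSecurityException;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper, not JDK code: pick and authorize the signer of an OCSP response. */
public final class OcspSignerCheck {
    // id-kp-OCSPSigning extended key usage OID (RFC 6960, section 4.2.2.2)
    private static final String OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9";

    /** tbsResponseData: DER bytes the responder signed; sigAlg: JCA name such as
     *  "SHA256withRSA"; embeddedCerts: certificates carried in the response (may be empty). */
    public static X509Certificate findAuthorizedSigner(
            byte[] tbsResponseData, byte[] signature, String sigAlg,
            List<X509Certificate> embeddedCerts, X509Certificate issuerCert)
            throws GeneralSecurityException {
        // The issuer is always a candidate, so a response that carries no
        // certificates is still verified against the CA's own key.
        List<X509Certificate> candidates = new ArrayList<>(embeddedCerts);
        candidates.add(issuerCert);
        for (X509Certificate cand : candidates) {
            if (!isAuthorized(cand, issuerCert)) continue;
            try {
                Signature verifier = Signature.getInstance(sigAlg);
                verifier.initVerify(cand.getPublicKey());
                verifier.update(tbsResponseData);
                if (verifier.verify(signature)) return cand;
            } catch (GeneralSecurityException e) {
                // wrong key type or malformed signature: try the next candidate
            }
        }
        throw new GeneralSecurityException("no authorized signer for OCSP response");
    }

    private static boolean isAuthorized(X509Certificate cand, X509Certificate issuerCert) {
        if (cand.equals(issuerCert)) return true;          // signed by the CA itself
        try {
            List<String> eku = cand.getExtendedKeyUsage(); // null if the extension is absent
            if (eku == null || !eku.contains(OCSP_SIGNING_EKU)) return false;
            cand.verify(issuerCert.getPublicKey());        // delegate must be issued by the CA
            cand.checkValidity();                          // and be within its validity period
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
}
```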