JDK-6712740 : OCSP Responses not parsed correctly
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6
  • Priority: P2
  • Status: Closed
  • Resolution: Duplicate
  • OS: linux
  • CPU: x86
  • Submitted: 2008-06-10
  • Updated: 2011-02-16
  • Resolved: 2009-08-27
  • Fix Versions: JDK 6 (6-pool, Resolved); JDK 7 (7-pool, Resolved)
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) 64-Bit Server VM (build 10.0-b22, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Linux 2.6.24 x86_64
Mac OS X 10.5.2
(likely not an OS dependent bug)

A DESCRIPTION OF THE PROBLEM :
An OCSP Response, as defined in RFC 2560, allows there to be multiple "SingleResponse" entries, and the current implementation does not properly search through the returned results.  Some OCSP responders, to help with caching, will respond to a single request with multiple answers, so it is necessary to inspect each SingleResponse until either a matching response is found or the end of the list is reached. Currently only the first SingleResponse is considered.

The OCSP responder for the Department of Defense will respond with multiple (~20) SingleResponses for a single request. (use http://ocsp.disa.mil)

Due to the very large nature of the DoD PKI system, use of CRLs is bulky, so OCSP is much more efficient.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Configure the OCSP support as described in http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html and attempt to validate a certificate using an OCSP responder that returns multiple SingleResponses.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected validation to succeed for a known-good certificate.
ACTUAL -
An exception is thrown, indicating the certificate is not valid.

java.security.cert.CertPathValidatorException: Certificate in the OCSP response does not match the certificate supplied in the OCSP request.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertPathValidatorException: Certificate in the OCSP response does not match the certificate supplied in the OCSP request.

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.security.Security;
import java.security.cert.*;

// Reporter's snippet with the "Securty" typo fixed and the imports it needs added.
// ocspCert, x509Certificate, trustStore (a KeyStore) and crlStore (a CertStore)
// are set up elsewhere in the reporter's program.
Security.setProperty("ocsp.enable", "true");
Security.setProperty("ocsp.responderURL", "http://ocsp.disa.mil:80");
// Name the responder's certificate so its signature on the response can be verified
Security.setProperty("ocsp.responderCertSubjectName", ocspCert.getSubjectX500Principal().getName());
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(x509Certificate); // the certificate we wish to check
PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, certSelector); // trustStore contains our CA certs and our OCSP responder cert
params.addCertStore(crlStore); // crlStore contains only CRLs for the CAs
CertPathBuilderResult cpbr = cpb.build(params);
CertPath cp = cpbr.getCertPath();
// Revocation checking is on by default in PKIXParameters; with ocsp.enable=true the
// validator queries the responder, and the mismatch exception is thrown from here
PKIXCertPathValidatorResult cpvResult = (PKIXCertPathValidatorResult) cpv.validate(cp, params);

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
As a workaround I implemented my own OCSPChecker and called setRevocationEnabled(false).

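The lookup the report describes, as an added example that is not part of the original report or of the JDK's own OCSPResponse code: a small Python model (standard library only) that hand-encodes a DER `responses` SEQUENCE OF SingleResponse with 20 entries from one hypothetical issuer, then contrasts a lookup that examines only the first entry (which raises the same message the report quotes) with one that scans every entry for the requested CertID. Per RFC 2560 a CertID is the hash algorithm, issuerNameHash, issuerKeyHash and serialNumber, and that is what is compared here. The issuer name and key bytes, the serial numbers, the timestamp and all function names are constructed for the example.

```python
"""Finding the SingleResponse that answers a request inside an OCSP response
(RFC 2560 section 4.2.1). Constructed, offline example: a DER 'responses'
SEQUENCE OF SingleResponse with many entries, as a caching responder returns."""
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")  # id-sha1, the CertID hashAlgorithm
MISMATCH = ("Certificate in the OCSP response does not match "
            "the certificate supplied in the OCSP request.")
STATUS_BY_TAG = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}  # CertStatus CHOICE

def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

def cert_id(issuer_name, issuer_key, serial):
    """DER CertID { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }."""
    alg = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))
    serial_der = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    return der(0x30, alg + der(0x04, hashlib.sha1(issuer_name).digest())
               + der(0x04, hashlib.sha1(issuer_key).digest()) + serial_der)

def single_response(cid, status, this_update):
    """DER SingleResponse { certID, certStatus, thisUpdate } without extensions."""
    cert_status = {"good": der(0x80, b""),                        # [0] IMPLICIT NULL
                   "revoked": der(0xA1, der(0x18, this_update)),  # [1] IMPLICIT RevokedInfo
                   "unknown": der(0x82, b"")}[status]             # [2] IMPLICIT NULL
    return der(0x30, cid + cert_status + der(0x18, this_update))

def parse_responses(responses_der):
    """Walk a 'responses' SEQUENCE OF SingleResponse, yielding (certID DER, status)."""
    tag, body, _ = read_tlv(responses_der, 0)
    if tag != 0x30:
        raise ValueError("responses is not a SEQUENCE")
    pos = 0
    while pos < len(body):
        _, sr, pos = read_tlv(body, pos)      # one SingleResponse
        _, _, end = read_tlv(sr, 0)           # certID is its first element
        status_tag, _, _ = read_tlv(sr, end)  # certStatus follows it
        yield sr[:end], STATUS_BY_TAG[status_tag]

class OcspMismatch(Exception):
    """No SingleResponse carries the requested CertID."""

def status_first_only(responses_der, requested):
    """The lookup this report describes: only the first SingleResponse is examined."""
    cid, status = next(parse_responses(responses_der))
    if cid != requested:
        raise OcspMismatch(MISMATCH)
    return status

def status_for(responses_der, requested):
    """Correct lookup: compare every SingleResponse's CertID with the request."""
    for cid, status in parse_responses(responses_der):
        if cid == requested:
            return status
    raise OcspMismatch(MISMATCH)

# Hypothetical issuer identity; stands in for the DER issuer Name and public key.
ISSUER_NAME = b"CN=Demo Issuing CA"
ISSUER_KEY = b"demo-issuer-public-key-bits"

def build_demo_responses(count=20, revoked_serial=17):
    """Constructed responder output: one SingleResponse per serial 1..count."""
    entries = []
    for serial in range(1, count + 1):
        status = "revoked" if serial == revoked_serial else "good"
        entries.append(single_response(cert_id(ISSUER_NAME, ISSUER_KEY, serial),
                                       status, b"20080610120000Z"))
    return der(0x30, b"".join(entries))

if __name__ == "__main__":
    responses = build_demo_responses()
    wanted = cert_id(ISSUER_NAME, ISSUER_KEY, 17)  # the certificate we asked about
    try:
        status_first_only(responses, wanted)
    except OcspMismatch as exc:
        print("first-only lookup:", exc)
    print("full scan:", status_for(responses, wanted))
```

Run it directly to see the first-only lookup fail for serial 17 while the full scan reports it revoked. The model stops at the matching step: a real checker must also verify the responder's signature over the whole ResponseData before trusting any entry, and check each matched entry's thisUpdate/nextUpdate window, so that a stale or unsigned answer buried among twenty cached ones is not accepted.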
Comments
EVALUATION Will be addressed as part of CR 6869739.
27-08-2009

EVALUATION Fix parser in OCSPResponse class.
08-08-2008