JDK-6869739 : Cannot check revocation of single certificate without validating the entire chain

Details
Type: Bug
Submit Date: 2009-08-07
Status: Closed
Updated Date: 2012-06-08
Project Name: JDK
Resolved Date: 2010-01-13
Component: security-libs
OS: linux, generic, windows_xp, windows_7
Sub-Component: java.security
CPU: x86, generic
Priority: P2
Resolution: Fixed
Affected Versions: 5.0, 6, 6u10
Fixed Versions: 6u18 (b02)

Description
Currently, it is not possible to check whether a certificate is revoked without validating the entire certificate chain via the CertPath APIs. This is unacceptable, especially when the certificate chain has already been validated: many of the chain validation checks (signature and issuer-name checking) are redundant and only need to be done once. Additionally, you may want to check only whether the end-entity certificate has been revoked, not every certificate in the chain.

We need to implement a revocation checking mechanism that can check if a single certificate has been revoked. Initially we will focus on OCSP and add CRLs later.
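A Java sketch of the full-chain detour the description complains about, added here as an example and not part of the bug report or the JDK sources: to learn whether one end-entity certificate is revoked via the public API, the whole chain plus a trust anchor must go through CertPathValidator. It assumes the certificates are supplied as DER/PEM files on the command line (a constructed convention, not something the bug specifies).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

/**
 * Added illustration of the limitation in JDK-6869739: revocation checking is
 * only reachable through full PKIX chain validation, so every signature and
 * name-chaining check is re-run even if the chain was validated earlier.
 *
 * Assumed input (not from the bug report): args[0] = end-entity certificate,
 * args[1..n-2] = intermediates, args[n-1] = trust anchor certificate.
 */
public class SingleCertRevocationViaChain {

    static X509Certificate load(CertificateFactory cf, String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /** True if the whole chain passes PKIX validation with OCSP revocation checking on. */
    static boolean isChainValidWithOcsp(List<X509Certificate> chain, X509Certificate anchor)
            throws Exception {
        // Enable OCSP in the PKIX validator; the responder URL is taken from the AIA extension.
        Security.setProperty("ocsp.enable", "true");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // CertPath order for PKIX: end-entity first, then intermediates (anchor is separate).
        CertPath path = cf.generateCertPath(new ArrayList<Certificate>(chain));
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
        params.setRevocationEnabled(true);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // A revoked certificate and a bad signature both land here; before Java 7
            // only the message distinguishes them, which is part of the problem.
            System.err.println("Chain rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        for (int i = 0; i < args.length - 1; i++) chain.add(load(cf, args[i]));
        X509Certificate anchor = load(cf, args[args.length - 1]);
        System.out.println(isChainValidWithOcsp(chain, anchor)
                ? "chain valid; end-entity not revoked" : "chain rejected (see stderr)");
    }
}
```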


Comments
EVALUATION

Fixed in 6u18 b02. Now we have to enhance the deployment component to use this new
revocation checking mechanism, which will probably be done in a task that is periodically
run by the Java installer. Will be opening a new CR to track that.
2009-08-28
