JDK-8020940 : Valid OCSP responses are rejected for backdated enquiries

Details
Type: Bug
Submit Date: 2013-07-19
Status: Closed
Updated Date: 2013-10-22
Project Name: JDK
Resolved Date: 2013-07-22
Component: security-libs
Sub-Component: java.security
OS:
CPU:
Priority: P2
Resolution: Fixed
Affected Versions: 7u40
Fixed Versions: 7u40 (b36)

Description
PKIX certpath validation is normally performed using the current time.
It may also be requested to be performed at a specific (possibly past) time.

OCSP is a network protocol for checking whether a certificate has been revoked.
OCSP responses are returned with a specific validity interval (thisUpdate to nextUpdate).
The OCSP client examines that validity interval to ensure that the response is still current.
This check is performed incorrectly when certpath validation has been requested for a backdated time.

Specifically, the current time should be used when validating the
OCSP response's thisUpdate and nextUpdate, rather than the requested validation time.
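To make the defect concrete, the following is an added example written for this page (not JDK code): it models the OCSP validity-interval check against a reference time and contrasts the pre-fix behaviour (reference = requested validation time) with the post-fix behaviour (reference = current time). The 15-minute clock-skew tolerance and all timestamps are assumed or constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Tolerance for client/responder clock drift (assumed value, not from JDK source).
MAX_CLOCK_SKEW = timedelta(minutes=15)


@dataclass
class OcspResponse:
    this_update: datetime            # when the responder produced this status
    next_update: Optional[datetime]  # when newer status is expected; may be absent


def response_is_current(resp: OcspResponse, reference: datetime) -> bool:
    """Validity-interval check: reference must lie within
    [thisUpdate - skew, nextUpdate + skew]; without nextUpdate only the
    lower bound applies."""
    if reference < resp.this_update - MAX_CLOCK_SKEW:
        return False
    if resp.next_update is not None and reference > resp.next_update + MAX_CLOCK_SKEW:
        return False
    return True


def check_buggy(resp: OcspResponse, validation_time: datetime, now: datetime) -> bool:
    """Pre-fix behaviour: freshness judged against the requested validation time,
    so a backdated validation rejects a response that is current right now."""
    return response_is_current(resp, validation_time)


def check_fixed(resp: OcspResponse, validation_time: datetime, now: datetime) -> bool:
    """Post-fix behaviour: freshness judged against the current time; validation_time
    still governs the certificate's own validity period (not modelled here)."""
    return response_is_current(resp, now)


def demo() -> dict:
    # Constructed scenario: a fresh response, and a chain validated "as of" a month ago.
    now = datetime(2013, 7, 19, 12, 0, tzinfo=timezone.utc)
    resp = OcspResponse(this_update=now - timedelta(hours=1),
                        next_update=now + timedelta(days=1))
    backdated = now - timedelta(days=30)
    return {"buggy": check_buggy(resp, backdated, now),
            "fixed": check_fixed(resp, backdated, now)}


if __name__ == "__main__":
    print(demo())  # {'buggy': False, 'fixed': True}
```

The fixed check still rejects a response whose nextUpdate has genuinely passed; only the reference clock changes.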

Comments

2013-07-19
7u40-critical-request justification:

This bug causes a valid OCSP response to be rejected when the request is a backdated one.
SQE certificate revocation interop tests are currently failing and there is no workaround.

SQE test: CertPath/CertPathValidatorTest/OCSP_secom_ssl_valid test.
(see https://jbs.oracle.com/bugs/browse/INTJDK-7604726 )

The error was introduced by 8004846.
A simple 1-line fix corrects the time at which validation of OCSP responses is performed.

This problem does occur in JDK 8 but is being fixed as part of 8010748 (because a different code path is used).

Code has been reviewed by Sean Mullan and I'm currently seeking a second reviewer.

2013-07-19
Can you add 8-na to this bug, Vinnie?

2013-07-19
Actually the issue does occur in JDK 8 but is currently being corrected as part of the fix for JDK-8010748.
JDK 8 uses a different code base to JDK 7.

2013-07-19
I have looked at the bug and fix. It is ok for 7u40.

2013-07-19
SQE is ok to take the fix in 7u40.

2013-07-22
URL:   http://hg.openjdk.java.net/jdk7u/jdk7u40-dev/jdk/rev/6cd79e876c2c
User:  vinnie
Date:  2013-07-22 23:52:09 +0000

2013-07-29
URL:   http://hg.openjdk.java.net/jdk7u/jdk7u40/jdk/rev/6cd79e876c2c
User:  lana
Date:  2013-07-29 16:47:37 +0000

2013-08-21
Verified on 7u40 b36 by SQE tests that are listed in the following bugs:

INTJDK-7605757: Certificate for CertPath/CertPathValidatorTest/OCSP_secom_ssl_valid test case expired
INTJDK-7605758: DigiCert CertPath/CertPathValidatorTest/OCSP tests fail because of certificate expiration
INTJDK-7605761: CertPath/CertPathValidatorTest/OCSP_t-telesec_root-class2_revoked test fails because of certificate expiration
INTJDK-7605759: CertPath/CertPathValidatorTest/OCSP_globalsign.com fails because certificate expired

Found new JDK-8023352