Bug ID: JDK-6500710 PKIXCertPathChecker fails if OCSP responder has keyUsage=nonRepudiation

FULL PRODUCT VERSION :
java version "1.5.0_09"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b03)
Java HotSpot(TM) Client VM (build 1.5.0_09-b03, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
X.509 certificates used in test case are attached seperatly.

A DESCRIPTION OF THE PROBLEM :
Signtrust issues smart card based X.509 certificates for a non-repudiation service. Therefore all EE and OCSP-responder certificates have a critical keyUsage extension which is set to nonRepudiation.

However, when trying to determine the certificate revocation status via OCSP using PKIXCertPathChecker an InvalidKeyException: Wrong key usage is thrown.

The PKIXCertPathChecker implementation should be changed to comply with RFC 3280: OCSP responder certificates with keyUsage=nonRepudiation and extendedKeyUsage=id-kp-OCSPSigning are valid: [RFC 3280, page 41]

   id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
   -- Signing OCSP responses
   -- Key usage bits that may be consistent: digitalSignature
   -- and/or nonRepudiation


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
run test case with
java ValidateCertUseOCSP Testzertifikat_Secunet_05_PNSER_32818_userCertificate.pem

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The OCSP response should show that the certificate is valid.

Below are the results of an OCSP check on the same certificated conducted with openssl:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 695F99FC4CD165E00B63F22201FD1876B67F1498
          Issuer Key Hash: 22BB2665075715DE06EB101ECC7782A7137974C6
          Serial Number: 8032
    Request Extensions:
        OCSP Nonce:
            0410903DA42F1B4AE7429D6F4106C4ED227F
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = DE, O = Deutsche Post Com GmbH, OU = Signtrust, CN = DIR DP Com 51:PN
    Produced At: Nov 20 15:17:48 2006 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 695F99FC4CD165E00B63F22201FD1876B67F1498
      Issuer Key Hash: 22BB2665075715DE06EB101ECC7782A7137974C6
      Serial Number: 8032
    Cert Status: good
    This Update: Nov 20 15:17:48 2006 GMT
        Response Single Extensions:
            1.3.36.8.3.12:
                ..20051026173206Z
            1.3.36.8.3.13:
                0!0...+..............L.c.(R.1......

    Response Extensions:
        OCSP Nonce:
            0410903DA42F1B4AE7429D6F4106C4ED227F
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 42 (0x2a)
        Signature Algorithm: ripemd160WithRSA
        Issuer: C=DE, O=Bundesnetzagentur, CN=10R-CA 1:PN
        Validity
            Not Before: Aug  3 15:30:36 2005 GMT
            Not After : Dec 31 15:09:23 2007 GMT
        Subject: C=DE, O=Bundesnetzagentur, CN=10R-CA 1:PN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:88:75:c2:e7:f8:70:ea:b6:0d:73:fe:1c:8a:51:
                    cb:8d:df:d2:ab:04:b7:e0:b6:a8:81:01:d9:54:57:
                    22:c9:82:74:fb:98:00:7d:c6:bf:90:b9:cf:12:f3:
                    94:b9:84:98:35:f6:f6:6a:bd:1e:fe:20:cf:c5:90:
                    00:11:fa:9f:54:6b:91:4f:d3:da:47:b8:56:bc:f8:
                    99:50:5a:68:19:c3:6f:c8:e5:71:2a:e3:3d:23:2c:
                    7f:8b:5c:1a:9f:fc:12:ea:ed:76:40:88:06:05:47:
                    a4:e6:28:35:f9:34:f0:ba:e3:5c:6a:79:56:91:03:
                    ee:a1:d1:ec:f8:1a:14:18:73
                Exponent: 1073741953 (0x40000081)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign
            qcStatements:
                0
0......F..
            Authority Information Access:
                OCSP - URI:http://ocsp.nrca-ds.de:8080/ocsp-ocspresponder

            X509v3 Certificate Policies:
                Policy: 1.3.36.8.1.1

            X509v3 CRL Distribution Points:
                URI:ldap://ldap.nrca-ds.de:389/CN=CRL,O=Bundesnetzagentur,C=DE,dc=ldap,dc=nrca-ds,dc=de?certificateRevocationList;binary?base?objectClass=cRLDistributionPoint

            1.3.6.1.4.1.8301.3.5:
                0..
+.....m...
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:C3:CF:75:EA:C0:11:53:45:13:FE:97:65:63:00:69:53:02:96:B9:64

            X509v3 Subject Key Identifier:
                C3:CF:75:EA:C0:11:53:45:13:FE:97:65:63:00:69:53:02:96:B9:64
    Signature Algorithm: ripemd160WithRSA
        65:ca:f2:6f:ce:f4:a9:9f:69:9b:80:d4:6c:cc:c9:ab:08:1f:
        1f:0b:bb:e5:74:75:af:0d:4d:9c:c0:9a:a0:25:fb:8e:0c:b5:
        2e:10:35:c6:5d:b7:1b:03:bc:e7:2a:1c:7b:35:4e:8b:21:f4:
        3d:fd:f2:14:86:85:77:7a:82:39:e2:29:6c:4c:2a:f8:cb:f1:
        34:0a:bb:df:7d:40:89:fa:60:a2:c2:a3:08:d4:62:9a:7c:bf:
        80:7d:5f:c8:cd:6b:db:c9:cb:61:33:a0:f3:81:99:d5:93:97:
        98:61:5d:fb:d6:a4:f7:ba:f2:43:7d:cd:a1:26:70:33:be:9b:
        ad:07
-----BEGIN CERTIFICATE-----
MIIDoTCCAw2gAwIBAgIBKjAKBgYrJAMDAQIFADA/MQswCQYDVQQGEwJERTEaMBgG
A1UECgwRQnVuZGVzbmV0emFnZW50dXIxFDASBgNVBAMMCzEwUi1DQSAxOlBOMB4X
DTA1MDgwMzE1MzAzNloXDTA3MTIzMTE1MDkyM1owPzELMAkGA1UEBhMCREUxGjAY
BgNVBAoMEUJ1bmRlc25ldHphZ2VudHVyMRQwEgYDVQQDDAsxMFItQ0EgMTpQTjCB
oDANBgkqhkiG9w0BAQEFAAOBjgAwgYoCgYEAiHXC5/hw6rYNc/4cilHLjd/SqwS3
4LaogQHZVFciyYJ0+5gAfca/kLnPEvOUuYSYNfb2ar0e/iDPxZAAEfqfVGuRT9Pa
R7hWvPiZUFpoGcNvyOVxKuM9Iyx/i1wan/wS6u12QIgGBUek5ig1+TTwuuNcanlW
kQPuodHs+BoUGHMCBEAAAIGjggGwMIIBrDAOBgNVHQ8BAf8EBAMCAgQwGAYIKwYB
BQUHAQMEDDAKMAgGBgQAjkYBATBKBggrBgEFBQcBAQQ+MDwwOgYIKwYBBQUHMAGG
Lmh0dHA6Ly9vY3NwLm5yY2EtZHMuZGU6ODA4MC9vY3NwLW9jc3ByZXNwb25kZXIw
EgYDVR0gBAswCTAHBgUrJAgBATCBsQYDVR0fBIGpMIGmMIGjoIGgoIGdhoGabGRh
cDovL2xkYXAubnJjYS1kcy5kZTozODkvQ049Q1JMLE89QnVuZGVzbmV0emFnZW50
dXIsQz1ERSxkYz1sZGFwLGRjPW5yY2EtZHMsZGM9ZGU/Y2VydGlmaWNhdGVSZXZv
Y2F0aW9uTGlzdDtiaW5hcnk/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRp
b25Qb2ludDAbBgkrBgEEAcBtAwUEDjAMBgorBgEEAcBtAwUBMA8GA1UdEwEB/wQF
MAMBAf8wHwYDVR0jBBgwFoAUw8916sARU0UT/pdlYwBpUwKWuWQwHQYDVR0OBBYE
FMPPderAEVNFE/6XZWMAaVMClrlkMAoGBiskAwMBAgUAA4GBAGXK8m/O9KmfaZuA
1GzMyasIHx8Lu+V0da8NTZzAmqAl+44MtS4QNcZdtxsDvOcqHHs1Tosh9D398hSG
hXd6gjniKWxMKvjL8TQKu999QIn6YKLCowjUYpp8v4B9X8jNa9vJy2EzoPOBmdWT
l5hhXfvWpPe68kN9zaEmcDO+m60H
-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 164 (0xa4)
        Signature Algorithm: ripemd160WithRSA
        Issuer: C=DE, O=Bundesnetzagentur, CN=10R-CA 1:PN
        Validity
            Not Before: Aug 11 07:12:19 2005 GMT
            Not After : Dec 31 07:10:15 2007 GMT
        Subject: C=DE, O=Deutsche Post Com GmbH, OU=Signtrust, CN=DIR DP Com 51:PN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:98:c7:ff:c8:b7:52:7b:28:c8:e8:55:6c:87:95:
                    cb:75:fd:17:a3:dd:d0:2f:78:ff:6b:2e:2e:41:0c:
                    e3:2b:99:30:d5:d4:d2:4b:23:87:97:72:76:ae:8b:
                    96:f2:5a:c4:63:1e:76:4b:bf:c3:13:09:66:2f:7b:
                    0e:f5:f6:d9:f3:09:87:d1:4d:36:8a:93:94:53:bc:
                    d8:f3:22:6d:36:7f:8a:ca:45:9d:43:f9:94:41:95:
                    63:c5:81:50:a7:53:27:da:e0:a4:75:97:f7:13:7f:
                    5e:ad:76:99:05:d8:f4:02:49:1a:aa:f0:c0:bb:5c:
                    71:33:f8:58:12:51:44:7d:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Key Usage: critical
                Non Repudiation
            qcStatements:
                0
0......F..
            Authority Information Access:
                OCSP - URI:http://ocsp.nrca-ds.de:8080/ocsp-ocspresponder

            X509v3 Certificate Policies:
                Policy: 1.3.36.8.1.1

            X509v3 CRL Distribution Points:
                URI:ldap://ldap.nrca-ds.de:389/CN=CRL,O=Bundesnetzagentur,C=DE,dc=ldap,dc=nrca-ds,dc=de?certificateRevocationList;binary?base?objectClass=cRLDistributionPoint

            1.3.6.1.4.1.8301.3.5:
                0..
+.....m...
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:C3:CF:75:EA:C0:11:53:45:13:FE:97:65:63:00:69:53:02:96:B9:64

            X509v3 Subject Key Identifier:
                B7:89:13:18:9A:A1:0B:CF:CE:FA:E7:0B:06:F0:67:D5:41:52:AD:99
    Signature Algorithm: ripemd160WithRSA
        83:21:db:a2:20:54:f5:76:a1:04:94:b2:c2:78:cc:78:24:93:
        c5:fe:5e:c3:20:b3:25:45:29:88:98:66:08:47:7f:9a:23:6e:
        a8:dc:15:50:d3:75:1d:62:fe:15:ca:ab:79:2b:f5:b5:cf:05:
        9e:60:b1:d8:30:ac:18:9f:5e:e5:6d:43:12:cf:b3:03:2f:df:
        fb:01:2e:94:50:1d:89:2e:57:2b:45:7b:bf:11:f0:6b:42:59:
        38:52:e8:03:d2:da:6e:98:22:a4:23:b3:06:e8:ba:87:e4:96:
        9d:a1:df:40:40:91:d4:d2:74:e9:77:3c:23:87:d6:a1:39:99:
        12:a9
-----BEGIN CERTIFICATE-----
MIID1DCCA0CgAwIBAgICAKQwCgYGKyQDAwECBQAwPzELMAkGA1UEBhMCREUxGjAY
BgNVBAoMEUJ1bmRlc25ldHphZ2VudHVyMRQwEgYDVQQDDAsxMFItQ0EgMTpQTjAe
Fw0wNTA4MTEwNzEyMTlaFw0wNzEyMzEwNzEwMTVaMF0xCzAJBgNVBAYTAkRFMR8w
HQYDVQQKDBZEZXV0c2NoZSBQb3N0IENvbSBHbWJIMRIwEAYDVQQLDAlTaWdudHJ1
c3QxGTAXBgNVBAMMEERJUiBEUCBDb20gNTE6UE4wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAJjH/8i3UnsoyOhVbIeVy3X9F6Pd0C94/2suLkEM4yuZMNXU0ksj
h5dydq6LlvJaxGMedku/wxMJZi97DvX22fMJh9FNNoqTlFO82PMibTZ/ispFnUP5
lEGVY8WBUKdTJ9rgpHWX9xN/Xq12mQXY9AJJGqrwwLtccTP4WBJRRH2XAgMBAAGj
ggHFMIIBwTATBgNVHSUEDDAKBggrBgEFBQcDCTAOBgNVHQ8BAf8EBAMCBkAwGAYI
KwYBBQUHAQMEDDAKMAgGBgQAjkYBATBKBggrBgEFBQcBAQQ+MDwwOgYIKwYBBQUH
MAGGLmh0dHA6Ly9vY3NwLm5yY2EtZHMuZGU6ODA4MC9vY3NwLW9jc3ByZXNwb25k
ZXIwEgYDVR0gBAswCTAHBgUrJAgBATCBsQYDVR0fBIGpMIGmMIGjoIGgoIGdhoGa
bGRhcDovL2xkYXAubnJjYS1kcy5kZTozODkvQ049Q1JMLE89QnVuZGVzbmV0emFn
ZW50dXIsQz1ERSxkYz1sZGFwLGRjPW5yY2EtZHMsZGM9ZGU/Y2VydGlmaWNhdGVS
ZXZvY2F0aW9uTGlzdDtiaW5hcnk/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmli
dXRpb25Qb2ludDAbBgkrBgEEAcBtAwUEDjAMBgorBgEEAcBtAwUBMA8GA1UdEwEB
/wQFMAMBAQAwHwYDVR0jBBgwFoAUw8916sARU0UT/pdlYwBpUwKWuWQwHQYDVR0O
BBYEFLeJExiaoQvPzvrnCwbwZ9VBUq2ZMAoGBiskAwMBAgUAA4GBAIMh26IgVPV2
oQSUssJ4zHgkk8X+XsMgsyVFKYiYZghHf5ojbqjcFVDTdR1i/hXKq3kr9bXPBZ5g
sdgwrBifXuVtQxLPswMv3/sBLpRQHYkuVytFe78R8GtCWThS6APS2m6YIqQjswbo
uofklp2h30BAkdTSdOl3PCOH1qE5mRKp
-----END CERTIFICATE-----
Response verify OK
Testzertifikat_Secunet_05_PNSER_32818_userCertificate.pem: good
        This Update: Nov 20 15:17:48 2006 GMT

ACTUAL -
java.security.InvalidKeyException: Wrong key usage

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertPathValidatorException: java.security.SignatureException: java.security.InvalidKeyException: Wrong key usage
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
	at java.security.cert.CertPathValidator.validate(Unknown Source)
	at ValidateCertUseOCSP.main(ValidateCertUseOCSP.java:113)
Caused by: java.security.SignatureException: java.security.InvalidKeyException: Wrong key usage
	at sun.security.provider.certpath.OCSPResponse.verifyResponse(Unknown Source)
	at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
	at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
	... 5 more
Caused by: java.security.InvalidKeyException: Wrong key usage
	at java.security.Signature.initVerify(Unknown Source)
	... 8 more

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Attached seperately
---------- END SOURCE ----------