Bug ID: JDK-6869739 Cannot check revocation of single certificate without validating the entire chain

JDK-6869739 : Cannot check revocation of single certificate without validating the entire chain

Type: Bug
Component: security-libs
Sub-Component: java.security
Affected Version: 5.0,6,6u10

Priority: P2
Status: Closed
Resolution: Fixed
OS: generic,linux,windows_xp,windows_7
CPU: generic,x86

Submitted: 2009-08-07
Updated: 2012-06-08
Resolved: 2010-01-13

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 6	JDK 7	Other
6u18 b02Fixed	7Fixed	OpenJDK6Fixed

Related Reports

Duplicate :	JDK-6712740 - OCSP Responses not parsed correctly
Duplicate :	JDK-6914458 - Multiple OCSP Issues in the SUN provider: No support for 1..n of SingleResponse
Duplicate :	JDK-2165825 - OCSP Responses not parsed correctly
Duplicate :	JDK-6712739 - OCSPChecker throws NPE when OPTIONAL "certs" missing from BasicOCSPResponse.
Relates :	JDK-6945145 - PKIX path validation failed: App won't start when offline when using JOGL/Win7
Relates :	JDK-6888769 - Remove dependency on enums from internal sun.security.provider.certpath.OCSP API
Relates :	JDK-6885667 - CertPath/CertPathValidatorTest/bugs/bug6383078 fails on jdk6u18/b02, jdk7/pit/b73 and passes on b72.
Relates :	JDK-6878826 - Add support for Extended Validation certificates

Description

Currently, it is not possible to check if a certificate is revoked without validating the entire certificate chain via the CertPath APIs. This is not acceptable especially if you have already validated the certificate chain, as many of the certificate chain validation checks (signature, issuer-name checking) are redundant and only need to be checked once. Additionally, you may only want to check if the end-entity certificate has been revoked, and not all the other certificates in the chain.

We need to implement a revocation checking mechanism that can check if a single certificate has been revoked. Initially we will focus on OCSP and add CRLs later.

Comments

EVALUATION Fixed in 6u18 b02. Now we have to enhance the deployment component to use this new revocation checking mechanism, which will probably be done in a task that is periodically run by the Java installer. Will be opening a new CR to track that.

28-08-2009