JDK-6869739 : Cannot check revocation of single certificate without validating the entire chain
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 5.0,6,6u10
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic,linux,windows_xp,windows_7
  • CPU: generic,x86
  • Submitted: 2009-08-07
  • Updated: 2012-06-08
  • Resolved: 2010-01-13
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6 JDK 7 Other
6u18 b02Fixed 7Fixed OpenJDK6Fixed
Related Reports
Duplicate :  
Duplicate :  
Duplicate :  
Duplicate :  
Relates :  
Relates :  
Relates :  
Relates :  
Currently, it is not possible to check if a certificate is revoked without validating the entire certificate chain via the CertPath APIs. This is not acceptable especially if you have already validated the certificate chain, as many of the certificate chain validation checks (signature, issuer-name checking) are redundant and only need to be checked once. Additionally, you may only want to check if the end-entity certificate has been revoked, and not all the other certificates in the chain.

We need to implement a revocation checking mechanism that can check if a single certificate has been revoked. Initially we will focus on OCSP and add CRLs later.

EVALUATION Fixed in 6u18 b02. Now we have to enhance the deployment component to use this new revocation checking mechanism, which will probably be done in a task that is periodically run by the Java installer. Will be opening a new CR to track that.