JDK-7182500 : OCSP revocation checking fails if OCSP response does not contain certificates
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u6
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2012-07-09
  • Updated: 2014-11-05
  • Resolved: 2012-08-03
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
7u6 b22Fixed
CertPathValidatorException is thrown if there are not certificates in OCSP responce:

java.security.cert.CertPathValidatorException: Responder's certificate is not trusted for signing OCSP responses
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)
	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
	at TestOCSP.run(TestOCSP.java:211)
	at TestOCSP.main(TestOCSP.java:52)

EVALUATION This error was introduced in my fix to OCSP for CR 7168191 in 7u6. This regression is a showstopper bug and should be fixed in 7u6.

SUGGESTED FIX The issue can be fixed by passing the issuer certificate as default OCSP responder certificate. Please see attached archive.