FULL PRODUCT VERSION :
java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) 64-Bit Server VM (build 10.0-b22, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux 2.6.24 x86_64
Mac OS X 10.5.2
(likely not an OS-dependent bug)
A DESCRIPTION OF THE PROBLEM :
An OCSP response, as defined in RFC 2560, may contain multiple SingleResponse entries, and the current implementation does not properly search through them. Some OCSP responders, to help with caching, answer a single request with multiple SingleResponses, so it is necessary to inspect each SingleResponse until either one whose CertID matches the request is found or the end of the list is reached. Currently only the first SingleResponse is considered.
The OCSP responder for the Department of Defense will respond with multiple (~20) SingleResponses for a single request. (use http://ocsp.disa.mil)
Due to the very large size of the DoD PKI, CRLs are bulky, so OCSP is much more efficient.
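The search the description asks for, as an added example that is not part of this report and not the JDK's own OCSPChecker code. It assumes the Bouncy Castle bcpkix API (package org.bouncycastle.cert.ocsp) for parsing and signature checking; the class, method and enum names are assumptions made for this example. Unlike the behaviour described above, it walks every SingleResponse and compares each CertID (hash algorithm, issuer name hash, issuer key hash, serial number) with the one we requested before reading any status; it also verifies the response signature first and rejects an entry that is outside its thisUpdate/nextUpdate window, which is the kind of logic a custom checker such as the one mentioned under the workaround needs.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/**
 * Example (names assumed, not JDK or Bouncy Castle code): search every SingleResponse
 * in a BasicOCSPResponse for the CertID we asked about instead of trusting the first entry.
 */
public final class OcspMultiResponseCheck {

    public enum Outcome { GOOD, REVOKED, UNKNOWN, STALE, NO_MATCHING_RESPONSE }

    private OcspMultiResponseCheck() {}

    /** CertID (RFC 2560 section 4.1.1) built from the issuer certificate and the target serial number. */
    public static CertificateID certIdFor(X509Certificate issuer, BigInteger serial)
            throws OperatorCreationException, OCSPException, CertificateEncodingException {
        DigestCalculator sha1 = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
        return new CertificateID(sha1, new JcaX509CertificateHolder(issuer), serial);
    }

    /** Parse the DER-encoded OCSPResponse and verify its signature against the expected responder cert. */
    public static BasicOCSPResp parseAndVerify(byte[] der, X509Certificate responderCert)
            throws IOException, OCSPException, OperatorCreationException {
        OCSPResp resp = new OCSPResp(der);
        if (resp.getStatus() != OCSPResp.SUCCESSFUL) {
            throw new OCSPException("responder returned status " + resp.getStatus());
        }
        BasicOCSPResp basic = (BasicOCSPResp) resp.getResponseObject();
        // Never read SingleResponses out of a response whose signature has not been verified
        if (!basic.isSignatureValid(new JcaContentVerifierProviderBuilder().build(responderCert))) {
            throw new OCSPException("OCSP response signature does not verify");
        }
        return basic;
    }

    /** The search the report asks for: compare every SingleResponse's CertID with ours, first match wins. */
    public static SingleResp findMatchingResponse(BasicOCSPResp basic, CertificateID wanted) {
        for (SingleResp single : basic.getResponses()) {
            if (wanted.equals(single.getCertID())) {
                return single;
            }
        }
        return null; // none of the entries is about our certificate
    }

    /** Turn the matching SingleResponse (if any) into a decision, rejecting entries outside their validity window. */
    public static Outcome classify(BasicOCSPResp basic, CertificateID wanted, Date now) {
        SingleResp match = findMatchingResponse(basic, wanted);
        if (match == null) {
            return Outcome.NO_MATCHING_RESPONSE; // a response with 20 entries and none for us is still a failure
        }
        Date nextUpdate = match.getNextUpdate(); // optional in RFC 2560, hence the null check
        if (match.getThisUpdate().after(now) || (nextUpdate != null && nextUpdate.before(now))) {
            return Outcome.STALE;
        }
        CertificateStatus status = match.getCertStatus();
        if (status == CertificateStatus.GOOD) { // Bouncy Castle represents "good" as null
            return Outcome.GOOD;
        }
        if (status instanceof RevokedStatus) {
            return Outcome.REVOKED;
        }
        return Outcome.UNKNOWN;
    }
}
```

A caller builds the CertID with certIdFor(issuerCert, targetCert.getSerialNumber()), fetches the response bytes from the responder URL, passes them through parseAndVerify, and then calls classify; only GOOD should let validation continue. NO_MATCHING_RESPONSE is reported separately from REVOKED so that a responder that simply did not answer for this serial is distinguishable from a real revocation in logs.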
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Configure the OCSP support as described in http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html and attempt to validate a certificate using an OCSP responder that returns multiple SingleResponses.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected validation to succeed for a known-good certificate.
ACTUAL -
An exception is thrown, indicating the certificate is not valid.
java.security.cert.CertPathValidatorException: Certificate in the OCSP response does not match the certificate supplied in the OCSP request.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertPathValidatorException: Certificate in the OCSP response does not match the certificate supplied in the OCSP request.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.X509CertSelector;

// ocspCert, x509Certificate, trustStore and crlStore are set up elsewhere in the submitter's program
Security.setProperty("ocsp.enable","true");
Security.setProperty("ocsp.responderURL","http://ocsp.disa.mil:80");
Security.setProperty("ocsp.responderCertSubjectName",ocspCert.getSubjectX500Principal().getName());
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(x509Certificate); // the certificate we wish to check
PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore,certSelector); // trustStore contains our CA certs and our OCSP responder cert
params.addCertStore(crlStore); // crlStore contains only CRLs for the CAs
CertPathBuilderResult cpbr = cpb.build(params);
CertPath cp = cpbr.getCertPath();
PKIXCertPathValidatorResult cpvResult = (PKIXCertPathValidatorResult) cpv.validate(cp, params); // throws the CertPathValidatorException quoted above
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
As a workaround I implemented my own OCSPChecker, and setRevocationEnabled(false).