Hi Todd,

This should be fixed in OpenJDK 7. Can you test against JDK 7 to see if it works and I'll investigate porting the fix to OpenJDK 6?

--Sean

Todd E. Johnson wrote:
Hello,

I posted a bug on this issue at http://bugreport.sun.com/

The Sun provider currently ignores all but the first SingleResponse in an OCSPResponse object. This leads to an OCSP validation attempt being discarded when receiving a response from an OCSP responder that provides 1..n SingleResponse in a responses Sequence.

The provider also may allow the encounter of an OCSP extension that is flagged critical. The provider currently ignores all extensions in the SingleResponse object. I believe if an extension is flagged critical, and the provider is not capable of processing the extension, the response MUST be discarded.

I have created a patch to the JDK6 provider, and a piece of code to provide an example pre/post patching. It can be retrieved from:

http://keysupport.org/code/java/Sun_Provider_OCSP_Proposed.tar.gz

Thanks!
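
An added example, not part of the thread and not the Sun provider's or the patch's code: a model of the two checks discussed above, selecting the SingleResponse whose CertID matches the request instead of only the first, and rejecting a response whose matching SingleResponse carries an unsupported critical extension. The data classes, function names, sample values and the supported-extension set are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed model of decoded OCSP structures (field names follow RFC 6960).
@dataclass(frozen=True)
class CertID:
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial_number: int

@dataclass(frozen=True)
class Extension:
    oid: str
    critical: bool

@dataclass(frozen=True)
class SingleResponse:
    cert_id: CertID
    cert_status: str                 # "good", "revoked" or "unknown"
    single_extensions: tuple = ()

class OCSPRejected(Exception):
    """The response cannot be used to decide revocation status."""

# Assumption: this validator only understands invalidityDate (2.5.29.24).
SUPPORTED_EXTENSIONS = frozenset({"2.5.29.24"})

def first_only(responses, wanted):
    """Model of the behaviour reported in the thread: look at responses[0] only."""
    if not responses or responses[0].cert_id != wanted:
        raise OCSPRejected("first SingleResponse is not for the requested cert")
    return responses[0].cert_status

def status_for(responses, wanted):
    """Search every SingleResponse; fail closed on unknown critical extensions."""
    matches = [r for r in responses if r.cert_id == wanted]
    if len(matches) != 1:
        raise OCSPRejected(f"{len(matches)} SingleResponses match the request")
    for ext in matches[0].single_extensions:
        if ext.critical and ext.oid not in SUPPORTED_EXTENSIONS:
            raise OCSPRejected(f"unsupported critical extension {ext.oid}")
    return matches[0].cert_status

# Constructed sample: the requested certificate is the second entry.
ISSUER = (b"\x11" * 20, b"\x22" * 20)
OTHER, WANTED = CertID(*ISSUER, 1001), CertID(*ISSUER, 1002)
PRIVATE_OID = "1.3.6.1.4.1.99999.1"  # placeholder OID, constructed
MULTI = [SingleResponse(OTHER, "revoked"), SingleResponse(WANTED, "good")]
CRITICAL = [SingleResponse(WANTED, "good", (Extension(PRIVATE_OID, True),))]
```
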

