Hi everybody,
I
have been struggling for some months with a weird issue about how Java
validates
OCSP responses. Following the RFC2560 standard the responses
sent by
the responder should be signed following one of these three
In
current java implementation (openjdk 6, 7 and 8) the case (1) and (3)
are
considered by default and case (2) can be configured using some
properties
("ocsp.responderCertSubjectName" for example). But the
problem is
that both configurations are exclusive, if your application
accepts
responses for the cases (1) and (3) it fails with the case (2)
and
vice-versa.
I faced an OCSP responder that in some cases it
answered using the case
(1) and in others using the case (2). The
case (1) was used to sign
responses for their own certificates and
the case (2) was used to sign
responses for foreign certificates
(spanish national id certificates
specifically). I'm not completely
sure if the standard admits this
situation but I haven't read
anything against that. Besides why not to
take the configured
certificate ("ocsp.responderCertSubjectName" or any
of the other
properties) as a failback and not as the unique valid signer.
Looking
at the code the problem is that only one certificate is passed
as
the valid signer for responses (the one configured via properties or
the
issuer cert). Following Andrew advise I have made a little patch
against
current openjdk-8 that just considers both of them (OCSPResponse
class
receives both certs and this way can check the three cases).
Thanks
in advance!
