What's the key usage of the OCSP responder? I think it is more like a problem of Comodo CA. This fix may loosen the checking of the validity of the OCSP responder's certificate.

Xuelei

On 5/28/2013 7:30 PM, Vincent Ryan wrote:
> Please review the fix for: http://bugs.sun.com/view_bug.do?bug_id=7174966
>
> The problem occurs when validating the signature of an OCSP response from the
> Comodo CA.
> The Signature class tests for the presence of the digitalSignature keyUsage
> setting when examining a signer's certificate. One solution is for the
> sun.security.provider.certpath.OCSPResponse class to pass the signer's public
> key rather than the signer's certificate.
>
> Webrev: http://cr.openjdk.java.net/~vinnie/7174966/webrev.00/
>
> Thanks.