Comodo used the root cert to sign the responses, which the RFC allows. I think Java is getting carried away with strictness on this.

-- Sent from my mobile device.
Xuelei Fan <xuelei....@oracle.com> wrote:
> What's the key usage of the OCSP responder? I think it is more like a
> problem of Comodo CA. This fix may loosen the checking of the validity
> of the OCSP responder's certificate.
>
> Xuelei
>
> On 5/28/2013 7:30 PM, Vincent Ryan wrote:
>> Please review the fix for:
>> http://bugs.sun.com/view_bug.do?bug_id=7174966
>>
>> The problem occurs when validating the signature of an OCSP response
>> from the Comodo CA.
>> The Signature class tests for the presence of the digitalSignature
>> keyUsage setting when examining a signer's certificate. One solution is
>> for the sun.security.provider.certpath.OCSPResponse class to pass the
>> signer's public key rather than the signer's certificate.
>>
>> Webrev: http://cr.openjdk.java.net/~vinnie/7174966/webrev.00/
>>
>> Thanks.
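The check the thread is discussing, as an added example written for this page rather than code from the thread or the JDK: it assumes Bouncy Castle (bcprov and bcpkix) on the classpath to build a constructed CA-style certificate whose critical keyUsage lacks digitalSignature, signs a stand-in response with that CA key, and shows Signature.initVerify(Certificate) rejecting the signer while initVerify(PublicKey) verifies the same bytes, which is the change proposed for OCSPResponse. The class name, subject name and sample bytes are all constructed for the demo.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class OcspSignerKeyUsageDemo {
    // Constructed test data: self-signed CA-style cert whose CRITICAL keyUsage has
    // keyCertSign|cRLSign but not digitalSignature (Bouncy Castle assumed for building it).
    static X509Certificate caCertWithoutDigitalSignature(KeyPair kp) throws Exception {
        X500Name name = new X500Name("CN=Constructed Test CA");
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(name, BigInteger.ONE,
                new Date(), new Date(System.currentTimeMillis() + 86_400_000L), name, kp.getPublic());
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        return new JcaX509CertificateConverter().getCertificate(
                b.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));
    }

    // Pre-fix path: initVerify(Certificate) makes the JDK inspect a critical keyUsage and throw
    // InvalidKeyException ("Wrong key usage") when digitalSignature is absent (bug 7174966).
    static boolean verifyViaCertificate(X509Certificate cert, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        try { s.initVerify(cert); } catch (InvalidKeyException e) { return false; }
        s.update(data);
        return s.verify(sig);
    }
    // Proposed path: initVerify(PublicKey) performs no keyUsage check, so any policy on the
    // responder's key usage must then be enforced by the OCSP code itself.
    static boolean verifyViaPublicKey(PublicKey key, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        X509Certificate ca = caCertWithoutDigitalSignature(kp);
        byte[] tbs = "constructed stand-in for DER-encoded OCSP ResponseData".getBytes("UTF-8");
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(tbs);
        byte[] sig = signer.sign();  // the CA key signs the response directly, as in the thread
        System.out.println("initVerify(Certificate) accepted: " + verifyViaCertificate(ca, tbs, sig));
        System.out.println("initVerify(PublicKey)   accepted: " + verifyViaPublicKey(ca.getPublicKey(), tbs, sig));
    }
}
```

Compile and run with the bcprov and bcpkix jars on the classpath; the JDK only performs the keyUsage check in initVerify(Certificate) when the extension is marked critical, so a non-critical keyUsage would not reproduce the failure.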