Right. The Comodo cert is certainly valid. I've modified the OCSP client to avoid the strict check.
On 29 May 2013, at 15:55, Matthew Hall wrote:

> Comodo used the root cert to sign the responses, which the RFC allows. I
> think Java is getting carried away with strictness on this.
> --
> Sent from my mobile device.
>
> Xuelei Fan <xuelei....@oracle.com> wrote:
>
>> What's the key usage of the OCSP responder? I think it is more like a
>> problem of Comodo CA. This fix may loosen the checking of the validity
>> of the OCSP responder's certificate.
>>
>> Xuelei
>>
>> On 5/28/2013 7:30 PM, Vincent Ryan wrote:
>>> Please review the fix for:
>>> http://bugs.sun.com/view_bug.do?bug_id=7174966
>>>
>>> The problem occurs when validating the signature of an OCSP response
>>> from the Comodo CA.
>>> The Signature class tests for the presence of the digitalSignature
>>> keyUsage setting when examining a signer's certificate. One solution is
>>> for the sun.security.provider.certpath.OCSPResponse class to pass the
>>> signer's public key rather than the signer's certificate.
>>>
>>> Webrev: http://cr.openjdk.java.net/~vinnie/7174966/webrev.00/
>>>
>>> Thanks.
>>>
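The two code paths this thread compares, and the check Xuelei's concern points at, can be made concrete with a small stand-alone Java tool. This is an added example, not code from the webrev or from the JDK's OCSPResponse class; the class name OcspResponderCheck and its command-line arguments (an issuer CA certificate and the OCSP signer certificate, PEM or DER) are hypothetical. It reports the signer's keyUsage bits, whether java.security.Signature.initVerify(Certificate) accepts the certificate (the JDK throws InvalidKeyException there only when the keyUsage extension is marked critical and digitalSignature is clear), whether initVerify(PublicKey) accepts the same key (it performs no keyUsage inspection), and whether the signer is an authorized responder under RFC 6960 section 4.2.2.2: either the issuing CA itself, or a certificate issued by that CA carrying id-kp-OCSPSigning in extendedKeyUsage. A CA certificate whose keyUsage lists keyCertSign and cRLSign but not digitalSignature fails the first test, passes the second, and is authorized under the first RFC 6960 rule when it signs responses directly.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

// Hypothetical stand-alone tool, not part of the JDK or of the webrev.
// Usage: java OcspResponderCheck <issuer-ca-cert> <ocsp-signer-cert>   (PEM or DER)
public class OcspResponderCheck {

    private static final String KEY_USAGE_OID = "2.5.29.15";
    private static final String ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9";
    private static final int DIGITAL_SIGNATURE = 0; // bit positions in getKeyUsage()
    private static final int KEY_CERT_SIGN = 5;

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // A signature algorithm matching the key type, used only so that initVerify
    // can be exercised here; a real OCSP response names its own algorithm.
    static String algorithmFor(PublicKey key) {
        switch (key.getAlgorithm()) {
            case "RSA": return "SHA256withRSA";
            case "EC":  return "SHA256withECDSA";
            default: throw new IllegalArgumentException("unsupported key type: " + key.getAlgorithm());
        }
    }

    // Strict path: Signature.initVerify(Certificate) throws InvalidKeyException when
    // the X.509 keyUsage extension is marked critical and digitalSignature is clear.
    static boolean strictInitVerifyAccepts(X509Certificate signer) throws Exception {
        Signature sig = Signature.getInstance(algorithmFor(signer.getPublicKey()));
        try {
            sig.initVerify(signer);
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    // Loosened path (what the webrev proposes): initVerify(PublicKey) never looks at
    // keyUsage, so it accepts the same key unconditionally.
    static boolean publicKeyInitVerifyAccepts(X509Certificate signer) throws Exception {
        Signature sig = Signature.getInstance(algorithmFor(signer.getPublicKey()));
        sig.initVerify(signer.getPublicKey());
        return true;
    }

    // RFC 6960 section 4.2.2.2: a response is acceptable if it was signed by the CA that
    // issued the certificate being checked, or by a delegated responder whose certificate
    // that CA issued and which carries id-kp-OCSPSigning in extendedKeyUsage. Once the
    // keyUsage check is dropped, this is the check that still binds the signer to the CA.
    static boolean responderAuthorized(X509Certificate issuer, X509Certificate signer) throws Exception {
        if (Arrays.equals(issuer.getPublicKey().getEncoded(), signer.getPublicKey().getEncoded())) {
            return true; // the issuing CA signed the response directly
        }
        if (!signer.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            return false; // not issued by the CA in question
        }
        List<String> eku = signer.getExtendedKeyUsage();
        if (eku == null || !eku.contains(ID_KP_OCSP_SIGNING)) {
            return false; // issued by the CA, but not marked as an OCSP responder
        }
        signer.checkValidity();               // throws if expired or not yet valid
        signer.verify(issuer.getPublicKey()); // throws if the CA's key did not sign it
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java OcspResponderCheck <issuer-ca-cert> <ocsp-signer-cert>");
            System.exit(2);
        }
        X509Certificate issuer = load(args[0]);
        X509Certificate signer = load(args[1]);

        boolean[] ku = signer.getKeyUsage(); // null when the extension is absent
        Set<String> critical = signer.getCriticalExtensionOIDs();
        boolean kuCritical = critical != null && critical.contains(KEY_USAGE_OID);

        System.out.println("signer:                        " + signer.getSubjectX500Principal());
        System.out.println("keyUsage present / critical:   " + (ku != null) + " / " + kuCritical);
        System.out.println("  digitalSignature:            " + (ku != null && ku[DIGITAL_SIGNATURE]));
        System.out.println("  keyCertSign:                 " + (ku != null && ku[KEY_CERT_SIGN]));
        System.out.println("initVerify(Certificate) ok:    " + strictInitVerifyAccepts(signer));
        System.out.println("initVerify(PublicKey) ok:      " + publicKeyInitVerifyAccepts(signer));
        System.out.println("RFC 6960 responder authorized: " + responderAuthorized(issuer, signer));
    }
}
```

The point of running both initVerify variants side by side is that the second one is only safe to substitute for the first when the responderAuthorized check (or the equivalent logic in the OCSP verifier) is still enforced: dropping the keyUsage test removes one constraint on the signer, and RFC 6960's issuer-or-delegated-responder rule is what continues to tie the signing key to the CA whose certificate is being checked.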