I have recently received a Notification Email about the acceptance of the Bug report. It says the Bug is accepted and available under: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8274471

Here is also the JIRA Issue for OpenJDK: https://bugs.openjdk.java.net/browse/JDK-8274471

Thanks for your interest and fast response.

Best regards,
Can

On Wed, 29 Sep 2021 at 22:36, Sean Mullan <sean.mul...@oracle.com> wrote:

> Thank you for reporting this issue. As far as I can tell, it looks like
> the JDK OCSP implementation has not yet been enhanced to support
> RSASSA-PSS signatures.
>
> We will keep an eye out for the bug report you filed but I think it is
> still making its way through our system as I have not seen it yet.
>
> --Sean
>
> On 9/28/21 11:17 AM, can comert wrote:
> > Hello everyone,
> >
> > I am trying to verify Certificate Revocation Status by using JDK and the
> > preferred way is the OCSP request. I came across certificates provided
> > by a certain Certificate Authority (Procilion) for which I cannot verify
> > the Revocation Status by using the JDK (I tried with the latest 11 LTS
> > and 16). Openssl on the other hand can verify the OCSP responses.
> >
> > Here is the call for the openssl library:
> > openssl ocsp -CAfile ROOT.cer -issuer INTERMEDIATE.cer -cert
> > APPLICATION.cer -text -url http://ocsp.spi-cloud.com/status/
> >
> > which gives results such as:
> > APPLICATION.cer: good
> > This Update: Sep 21 15:31:32 2021 GMT
> > Next Update: Sep 21 16:31:32 2021 GMT
> > Response verify OK
> >
> > With Wireshark I can also read the OCSP Request and Response, and the
> > Response contains status SUCCESSFUL.
> >
> > Java runtime throws an exception with message "Parameters required for
> > RSASSA-PSS signatures" while trying to verify the signature of the OCSP
> > Response.
> >
> > CA is using a separate certificate with Subject "OCSP Signer" to sign
> > the OCSP Response. This certificate is delivered in the OCSP response
> > and the signer certificate is signed by the same root as the issuer
> > certificate of the certificate under test. Java seems to accept the
> > signer certificate but fails to verify the signature.
> > Here are the debug output snippets from the Java Program I wrote to test
> > the revocation check and executed with flag
> > -Djava.security.auth.debug=certpath,ocsp:
> >
> > start program
> > ...
> > certpath: KeySizeConstraints.permits(): RSA
> > certpath: Responder's certificate includes the extension
> > id-pkix-ocsp-nocheck.
> > certpath: OCSP response is signed by an Authorized Responder
> > ...
> > certpath: RevocationChecker.check() java.security.SignatureException:
> > Parameters required for RSASSA-PSS signatures
> > certpath: RevocationChecker.check() preparing to failover
> > ...CRL check also fails due to some other reasons.....
> > Parameters required for RSASSA-PSS signatures
> > end program
> >
> > I have also created a Bug Report for the Open JDK with internal review
> > id:9071579 since I could not find any related issues on the Bug database.
> >
> > Root certificate is: procilonGROUPCustomerRootCA02.cer
> > Intermediate certificate is: procilonGROUPCustomerCAEDIFACT02.cer
> > Both available under https://pki.spi-cloud.com/issuer (packed as p7b)
> >
> > I can provide the example certificates and the Java program which is
> > basically calling CertPathValidator.validate method to validate the
> > revocation status if you need to reproduce the issue.
> >
> > Kind Regards,
> > Can Cömert
> >
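The CertPathValidator-based revocation check the thread describes, written out here as an added example (it is not the reporter's program and not JDK code). It assumes ROOT.cer, INTERMEDIATE.cer and APPLICATION.cer in the working directory and takes the responder URL from the openssl command above; it fails closed, so an OCSP response the JDK cannot verify (here, the RSASSA-PSS case) rejects the chain and the cause chain shows the underlying SignatureException.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
public class OcspRevocationCheck {
    // Loads one X.509 certificate (DER or PEM) from disk; file names as in the openssl command.
    static X509Certificate load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
    public static void main(String[] args) throws Exception {
        X509Certificate root = load("ROOT.cer");                 // assumed file name
        X509Certificate intermediate = load("INTERMEDIATE.cer"); // assumed file name
        X509Certificate leaf = load("APPLICATION.cer");          // assumed file name
        // The path is ordered leaf first; the root goes in as trust anchor, not as a path element.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(leaf, intermediate));
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(root, null)));
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // OCSP is preferred by default. Pin the responder from the openssl call instead of relying
        // on the AIA extension, and disable CRL fallback so only the OCSP path is exercised and the
        // failure that is reported is the OCSP one.
        rc.setOcspResponder(URI.create("http://ocsp.spi-cloud.com/status/"));
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        // Deliberately no Option.SOFT_FAIL: an unverifiable OCSP response must fail the path, not pass it.
        params.addCertPathChecker(rc);   // enables revocation checking regardless of setRevocationEnabled
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) cpv.validate(path, params);
            System.out.println("Chain valid and not revoked; anchor = "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // Reason UNDETERMINED_REVOCATION_STATUS distinguishes "could not check" from "revoked".
            System.out.println("Chain rejected: " + e.getMessage() + " [reason=" + e.getReason()
                    + ", cert index=" + e.getIndex() + "]");
            for (Throwable c = e.getCause(); c != null; c = c.getCause()) {
                System.out.println("  caused by: " + c);   // e.g. the SignatureException from the thread
            }
        }
    }
}
```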