I am using org.bouncycastle:bcprov-jdk18on:1.80 and org.bouncycastle:bcpkix-jdk18on:1.80 within my Java/Kotlin application to verify an X509 certificate with an OCSP responder.
```kotlin
import org.bouncycastle.jce.provider.BouncyCastleProvider
import java.io.File
import java.io.FileInputStream
import java.net.URI
import java.security.KeyStore
import java.security.Security
import java.security.cert.CertPathValidator
import java.security.cert.CertificateFactory
import java.security.cert.PKIXBuilderParameters
import java.security.cert.PKIXRevocationChecker
import java.security.cert.X509CertSelector
import java.security.cert.X509Certificate

/* validate a given cert against the OCSP Responder */
fun checkOCSPStatus(cert: X509Certificate) {
    // 1. load the java keystore that contains all issuer certs
    val keystoreFile = File("<Filepath to keystore file>")
    val keystorePassword = "<secret>"
    val keystore = KeyStore.getInstance("JKS")
    FileInputStream(keystoreFile).use { fis ->
        keystore.load(fis, keystorePassword.toCharArray())
    }
    // 2. configure security provider and Brainpool Algo.
    Security.insertProviderAt(BouncyCastleProvider(), 1)
    JOSE4JBrainPoolExtension.installExtension()
    // 3. validate the cert (the PKIX revocation checker performs the OCSP request)
    val cpv = CertPathValidator.getInstance("PKIX")
    val rc = cpv.revocationChecker as PKIXRevocationChecker
    rc.ocspResponder = URI("<OCSP Responder URL>")
    val params = PKIXBuilderParameters(keystore, X509CertSelector())
    params.addCertPathChecker(rc)
    val cf = CertificateFactory.getInstance("X.509")
    val certPath = cf.generateCertPath(listOf(cert))
    cpv.validate(certPath, params) // this line throws java.security.InvalidKeyException: Wrong key usage
    // OCSP validation passed successfully
}
```
The certificate returned by the OCSP responder has the extendedKeyUsage "id-kp-OCSPSigning" set and the keyUsage flag "nonRepudiation" (nowadays named contentCommitment).
When using this code, the validation fails because the expected keyUsage flag "digitalSigning" is not set.
I checked RFC 6960 and RFC 5280 to verify that this is an invalid keyUsage combination, but I found no evidence that this is invalid. Only the CA/Browser Forum lists the digitalSignature flag as permitted / required.
My question: Is this a bug in the Bouncy Castle validation?
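As an added example (not the reporter's code and not Bouncy Castle's), the Kotlin below builds a constructed self-signed test certificate with the responder profile described in the issue and reports the two properties a PKIX validator inspects on an OCSP signer: the id-kp-OCSPSigning EKU and the digitalSignature KeyUsage bit. The responder name, EC key type and one-day validity are assumptions.

```kotlin
import org.bouncycastle.asn1.x500.X500Name
import org.bouncycastle.asn1.x509.ExtendedKeyUsage
import org.bouncycastle.asn1.x509.Extension
import org.bouncycastle.asn1.x509.KeyPurposeId
import org.bouncycastle.asn1.x509.KeyUsage
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder
import java.math.BigInteger
import java.security.KeyPairGenerator
import java.security.Security
import java.security.cert.X509Certificate
import java.util.Date

// OID of id-kp-OCSPSigning (RFC 6960, section 4.2.2.2).
const val ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"

/* Report what a PKIX validator sees on a responder certificate. getKeyUsage() returns the KeyUsage
 * bits in RFC 5280 order: index 0 = digitalSignature, 1 = nonRepudiation (contentCommitment). */
fun ocspSignerFindings(cert: X509Certificate): List<String> {
    val findings = mutableListOf<String>()
    if (ID_KP_OCSP_SIGNING !in (cert.extendedKeyUsage ?: emptyList())) {
        findings += "extendedKeyUsage lacks id-kp-OCSPSigning"
    }
    val ku = cert.keyUsage
    if (ku != null && !ku[0]) {
        val set = listOf("digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
            "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly").filterIndexed { i, _ -> ku[i] }
        findings += "keyUsage is present but digitalSignature is not set (set bits: $set)"
    }
    return findings // empty list = both properties the issue discusses are satisfied
}

/* Constructed self-signed test certificate (hypothetical name): EKU id-kp-OCSPSigning plus the given KeyUsage bits. */
fun buildResponderCert(keyUsageBits: Int): X509Certificate {
    val kp = KeyPairGenerator.getInstance("EC").apply { initialize(256) }.generateKeyPair()
    val name = X500Name("CN=constructed OCSP responder")
    val now = System.currentTimeMillis()
    val holder = JcaX509v3CertificateBuilder(name, BigInteger.ONE, Date(now), Date(now + 86_400_000L), name, kp.public)
        .addExtension(Extension.keyUsage, true, KeyUsage(keyUsageBits))
        .addExtension(Extension.extendedKeyUsage, false, ExtendedKeyUsage(KeyPurposeId.id_kp_OCSPSigning))
        .build(JcaContentSignerBuilder("SHA256withECDSA").build(kp.private))
    return JcaX509CertificateConverter().getCertificate(holder)
}

fun main() {
    Security.addProvider(BouncyCastleProvider())
    println(ocspSignerFindings(buildResponderCert(KeyUsage.nonRepudiation))) // the profile from the issue
    println(ocspSignerFindings(buildResponderCert(KeyUsage.digitalSignature or KeyUsage.nonRepudiation)))
}
```

Run the first check against the actual responder certificate returned in the OCSP response (it is carried in the response's certs field) to confirm which of the two properties is missing before attributing the failure to the validator.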