Open
Description
I am using org.bouncycastle:bcprov-jdk18on:1.80 and org.bouncycastle:bcpkix-jdk18on:1.80 within my Java/Kotlin application to verify an X.509 certificate against an OCSP responder.
```kotlin
import java.io.File
import java.io.FileInputStream
import java.net.URI
import java.security.KeyStore
import java.security.Security
import java.security.cert.CertPathValidator
import java.security.cert.CertificateFactory
import java.security.cert.PKIXBuilderParameters
import java.security.cert.PKIXRevocationChecker
import java.security.cert.X509CertSelector
import java.security.cert.X509Certificate
import org.bouncycastle.jce.provider.BouncyCastleProvider

/* validate a given cert against the OCSP Responder */
fun checkOCSPStatus(cert: X509Certificate) {
    // 1. load the java keystore that contains all issuer certs
    val keystoreFile = File("<Filepath to keystore file>")
    val keystorePassword = "<secret>"
    val keystore = KeyStore.getInstance("JKS")
    FileInputStream(keystoreFile).use { fis ->
        keystore.load(fis, keystorePassword.toCharArray())
    }
    // 2. configure security provider and Brainpool Algo.
    Security.insertProviderAt(BouncyCastleProvider(), 1)
    JOSE4JBrainPoolExtension.installExtension() // project-specific helper, not part of Bouncy Castle
    // 3. validate the cert
    val cpv = CertPathValidator.getInstance("PKIX")
    val rc = cpv.revocationChecker as PKIXRevocationChecker
    rc.ocspResponder = URI("<OCSP Responder URL>")
    val params = PKIXBuilderParameters(keystore, X509CertSelector())
    params.addCertPathChecker(rc)
    val cf = CertificateFactory.getInstance("X.509")
    val certPath = cf.generateCertPath(listOf(cert))
    cpv.validate(certPath, params) // this line throws java.security.InvalidKeyException: Wrong key usage
    // OCSP validation passed successfully
}
```
The certificate returned by the OCSP responder has the extendedKeyUsage "id-kp-OCSPSigning" set and the keyUsage flag "nonRepudiation" (nowadays named contentCommitment).
When using this code, the validation fails because the expected keyUsage flag "digitalSignature" is not set.
I checked RFC 6960 and RFC 5280 to verify that this is an invalid keyUsage combination, but I found no evidence that it is invalid. Only the CA/Browser Forum lists the digitalSignature flag as permitted / required.
My question: Is this a bug in the Bouncy Castle validation?
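To pin down which KeyUsage bits and EKU OIDs the responder certificate actually carries, and whether that certificate is the key that signed the response, here is a small Kotlin diagnostic added to this issue as an example; it is not the reporter's code and not part of Bouncy Castle. It reads a DER-encoded OCSP response from a path given on the command line (an assumed input, e.g. one saved with `openssl ocsp ... -respout`), uses the bcpkix 1.80 OCSP classes to pull out the embedded certificates, and reports the extensions that RFC 6960 and RFC 5280 talk about. The names `inspectResponderCert` and `ResponderCertReport` are mine.

```kotlin
import java.io.File
import java.security.Security
import java.security.cert.X509Certificate
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter
import org.bouncycastle.cert.ocsp.BasicOCSPResp
import org.bouncycastle.cert.ocsp.OCSPResp
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder

// KeyUsage bit positions (RFC 5280, section 4.2.1.3) in the order
// X509Certificate.getKeyUsage() reports them; bit 1 is nonRepudiation,
// renamed contentCommitment in later editions of X.509.
private val KEY_USAGE_NAMES = listOf(
    "digitalSignature", "nonRepudiation/contentCommitment", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)
private const val ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"      // RFC 6960, section 4.2.2.2
private const val ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5" // RFC 6960, section 4.2.2.2.1

// Hypothetical report type for this example.
data class ResponderCertReport(
    val subject: String,
    val keyUsagePresent: Boolean,
    val keyUsage: Set<String>,
    val extendedKeyUsage: Set<String>,
    val hasDigitalSignature: Boolean,
    val hasOcspSigningEku: Boolean,
    val hasOcspNoCheck: Boolean,
    val signsResponse: Boolean,
)

// Summarise the extensions a validator inspects on an OCSP responder
// certificate, and check whether this certificate's key signed the response.
fun inspectResponderCert(cert: X509Certificate, basic: BasicOCSPResp): ResponderCertReport {
    val ku = cert.keyUsage // null when the KeyUsage extension is absent
    val kuNames = ku?.withIndex()
        ?.filter { it.value }
        ?.map { KEY_USAGE_NAMES.getOrNull(it.index) ?: "bit${it.index}" }
        ?.toSet() ?: emptySet()
    val eku = cert.extendedKeyUsage?.toSet() ?: emptySet()
    val verifier = JcaContentVerifierProviderBuilder().setProvider("BC").build(cert)
    return ResponderCertReport(
        subject = cert.subjectX500Principal.name,
        keyUsagePresent = ku != null,
        keyUsage = kuNames,
        extendedKeyUsage = eku,
        hasDigitalSignature = ku != null && ku[0],
        hasOcspSigningEku = ID_KP_OCSP_SIGNING in eku,
        hasOcspNoCheck = cert.getExtensionValue(ID_PKIX_OCSP_NOCHECK) != null,
        signsResponse = basic.isSignatureValid(verifier),
    )
}

// Usage: kotlin OcspResponderCheckKt response.der
// response.der is a DER OCSP response (assumed path), e.g. captured with
// `openssl ocsp ... -respout response.der`.
fun main(args: Array<String>) {
    Security.addProvider(BouncyCastleProvider())
    val resp = OCSPResp(File(args[0]).readBytes())
    require(resp.status == OCSPResp.SUCCESSFUL) {
        "OCSP response status ${resp.status}: no BasicOCSPResponse to inspect"
    }
    val basic = resp.responseObject as BasicOCSPResp
    val converter = JcaX509CertificateConverter().setProvider("BC")
    val certs = (basic.certs ?: emptyArray()).map { converter.getCertificate(it) }
    if (certs.isEmpty()) {
        println("Response embeds no certificates; the signer must be located via ResponderID (issuer key or a delegated cert obtained elsewhere).")
        return
    }
    for (cert in certs) {
        val r = inspectResponderCert(cert, basic)
        println("subject:               ${r.subject}")
        println("signs this response:   ${r.signsResponse}")
        println("keyUsage present:      ${r.keyUsagePresent} -> ${r.keyUsage}")
        println("extendedKeyUsage:      ${r.extendedKeyUsage}")
        println("id-kp-OCSPSigning:     ${r.hasOcspSigningEku}")
        println("id-pkix-ocsp-nocheck:  ${r.hasOcspNoCheck}")
        println("digitalSignature bit:  ${r.hasDigitalSignature}")
        println()
    }
}
```

Run it against the response the responder actually returns: the `signs this response` line tells you which embedded certificate is the delegated signer (a response may embed the whole chain), and the `keyUsage` and `id-kp-OCSPSigning` lines give the exact bit set that the validator is objecting to, which is the concrete evidence worth attaching when comparing against RFC 6960 and the CA/Browser Forum requirements.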