EJBCA / ECA-3149

OCSP responder support for CertId using SHA256 in OCSP requests

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: EJBCA 4.0.16
    • Fix Version/s: EJBCA 6.2.2
    • Component/s: Protocols
    • Environment:
      All
    • Issue discovered during:
      Community

Description

OCSP responder doesn't work properly when the OCSP request contains a CertID with SHA-256 hashed data.

When the OCSP responder must satisfy an OCSP request where the CertID values IssuerKeyHash and IssuerNameHash are hashed with a hash algorithm other than SHA-1,
for example SHA-256, the OCSP Servlet is unable to find the certificate of the corresponding CA.
The error is not present when the SHA-1 hash algorithm is used.

The error is caused by the following line of code in the source file OCSPServletBase.java:

cacert = this.data.m_caCertCache.findByOcspHash(certId);

because the internal hash table of the CAs currently managed by the product has an identifier constructed from SHA-1 values.

See RFC 6960, http://tools.ietf.org/html/rfc6960
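To make the failure mode concrete, the following is an added Python example; it is not EJBCA code and not the reporter's. The class, field and function names, the DER-encoded test Name and the placeholder public-key bytes are all constructed for illustration. It computes issuerNameHash and issuerKeyHash the way RFC 6960 section 4.1.1 defines CertID, builds a CA cache keyed by (hash algorithm, issuerNameHash, issuerKeyHash), and shows that a cache indexed with SHA-1 alone cannot resolve a SHA-256 CertID while a cache indexed per supported algorithm can.

```python
import hashlib
from dataclasses import dataclass

# Hash algorithm OIDs that may appear in CertID.hashAlgorithm (RFC 6960, section 4.1.1).
HASH_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}
SHA1_OID = "1.3.14.3.2.26"
SHA256_OID = "2.16.840.1.101.3.4.2.1"


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample issuer Name."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_cn_name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue with a single CN (OID 2.5.4.3, UTF8String)."""
    oid_cn = der(0x06, bytes([0x55, 0x04, 0x03]))
    atv = der(0x30, oid_cn + der(0x0C, cn.encode("utf-8")))
    return der(0x30, der(0x31, atv))


@dataclass(frozen=True)
class CaEntry:
    name: str
    issuer_name_der: bytes   # DER of the CA's subject Name: issuerNameHash is computed over these bytes
    public_key_bits: bytes   # value of subjectPublicKey (BIT STRING content): issuerKeyHash is computed over these


@dataclass(frozen=True)
class CertId:
    hash_oid: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial_number: int


def hash_with(hash_oid: str, data: bytes) -> bytes:
    return hashlib.new(HASH_OIDS[hash_oid], data).digest()


def make_cert_id(ca: CaEntry, hash_oid: str, serial: int) -> CertId:
    """What an OCSP client puts into the request for a certificate issued by `ca`."""
    return CertId(hash_oid, hash_with(hash_oid, ca.issuer_name_der),
                  hash_with(hash_oid, ca.public_key_bits), serial)


class CaCertCache:
    """Index of CA entries keyed by (hashAlgorithm, issuerNameHash, issuerKeyHash).

    Building the index with SHA-1 only reproduces the reported behaviour: a CertID
    hashed with SHA-256 never matches a key. Indexing every supported algorithm fixes it.
    """

    def __init__(self, cas, hash_oids):
        self._index = {}
        for ca in cas:
            for oid in hash_oids:
                key = (oid, hash_with(oid, ca.issuer_name_der), hash_with(oid, ca.public_key_bits))
                self._index[key] = ca

    def find_by_ocsp_hash(self, cert_id: CertId):
        # An algorithm we never indexed cannot match; the responder would reject such a request.
        if cert_id.hash_oid not in HASH_OIDS:
            return None
        return self._index.get((cert_id.hash_oid, cert_id.issuer_name_hash, cert_id.issuer_key_hash))


# Constructed sample CA: a one-attribute Name and placeholder key bits (not a real key).
SAMPLE_CA = CaEntry("Test CA", encode_cn_name("Test CA"), bytes(range(1, 65)))

SHA1_ONLY_CACHE = CaCertCache([SAMPLE_CA], [SHA1_OID])
MULTI_HASH_CACHE = CaCertCache([SAMPLE_CA], list(HASH_OIDS))


def lookup(cache: CaCertCache, hash_oid: str, serial: int = 0x1234):
    """Simulate the responder resolving the CA for a request hashed with `hash_oid`."""
    return cache.find_by_ocsp_hash(make_cert_id(SAMPLE_CA, hash_oid, serial))


if __name__ == "__main__":
    for label, cache in (("SHA-1-only cache", SHA1_ONLY_CACHE), ("per-algorithm cache", MULTI_HASH_CACHE)):
        for oid in (SHA1_OID, SHA256_OID):
            found = lookup(cache, oid)
            print(f"{label}, request hashed with {HASH_OIDS[oid]}: {'found ' + found.name if found else 'CA not found'}")
```

The alternative to pre-hashing every CA for every algorithm is to read the hashAlgorithm OID from the request and compute the CA's name and key hashes with that algorithm at lookup time; either way the index must not be tied to SHA-1 alone.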


People

Assignee: Tomas Gustavsson
Reporter: Sergio Campanella
Verified by: Mike Agrenius Kushner
Votes: 0
Watchers: 3
