Affects Version/s: None
Fix Version/s: EJBCA 6.14.0
Issue discovered during: Customer
Sprint: EJBCA Sprint 13
I use EJBCA to provide test certificates in German/European eGovernment scenarios.
While testing a new tool for signature verification, I noticed that EJBCA puts the CertHash extension in the responseExtensions field of the OCSP ResponseData element, whereas it should be put inside the singleExtensions field of the OCSP SingleResponse element, according to Common PKI (see Common PKI Part 9, version 2.0, page 22, table row 4: SingleResponse extension: […]).
In the attached patch, I implemented generic support for SingleExtensions in the OcspResponseGeneratorSessionBean together with an implementation of the CertHash extension for singleExtension. It shares code with the old extension to prevent code duplication, but it does not change the behavior of the old extension and will become active when configured explicitly in the ocsp.extensionclass property of the conf/ocsp.properties file.
I’d like to contribute the patch to upstream; any feedback or change request is appreciated. Apply the patch with the -p1 option in the ejbca trunk root.
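To make the two placements concrete, the following Go program is an added example for this issue; it is not EJBCA code and not part of the attached patch. It builds an unsigned OCSP ResponseData for one certificate with a constructed CertHash value either in responseExtensions (the placement described above) or in singleExtensions (the placement Common PKI Part 9 requires), and it provides the check a verification tool would run on any DER ResponseData to report where a given extension OID actually sits. It assumes the CertHash OID 1.3.36.8.3.13 and the CertHash structure (hashAlgorithm, certificateHash) as defined by Common PKI/ISIS-MTT; the certificate hash, CertID and responder key hash are constructed sample values, and the type and function names are the example's own.

```go
package main

import (
	"crypto/sha1"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Common PKI / ISIS-MTT CertHash extension OID (id-isismtt-at-certHash) and SHA-1.
var (
	oidCertHash = asn1.ObjectIdentifier{1, 3, 36, 8, 3, 13}
	oidSHA1     = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}
)

// Minimal mirrors of RFC 6960 ResponseData / SingleResponse. CertStatus is a CHOICE and is
// kept as a RawValue: only the position of the two extension lists matters here.
type certID struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	NameHash      []byte
	IssuerKeyHash []byte
	SerialNumber  *big.Int
}
type singleResponse struct {
	CertID           certID
	CertStatus       asn1.RawValue
	ThisUpdate       time.Time        `asn1:"generalized"`
	NextUpdate       time.Time        `asn1:"generalized,explicit,tag:0,optional"`
	SingleExtensions []pkix.Extension `asn1:"explicit,tag:1,optional"` // per certificate
}
type responseData struct {
	Version            int `asn1:"optional,default:0,explicit,tag:0"`
	ResponderID        asn1.RawValue
	ProducedAt         time.Time `asn1:"generalized"`
	Responses          []singleResponse
	ResponseExtensions []pkix.Extension `asn1:"explicit,tag:1,optional"` // whole response
}

// CertHash ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, certificateHash OCTET STRING }
type certHash struct {
	HashAlgorithm   pkix.AlgorithmIdentifier
	CertificateHash []byte
}

func hasExt(exts []pkix.Extension, oid asn1.ObjectIdentifier) bool {
	for _, e := range exts {
		if e.Id.Equal(oid) {
			return true
		}
	}
	return false
}

// LocateExtension parses a DER ResponseData (the tbsResponseData of a BasicOCSPResponse) and
// reports whether oid is in responseExtensions and, per SingleResponse, in singleExtensions.
func LocateExtension(der []byte, oid asn1.ObjectIdentifier) (bool, []bool, error) {
	var rd responseData
	rest, err := asn1.Unmarshal(der, &rd)
	if err == nil && len(rest) != 0 {
		err = fmt.Errorf("%d trailing bytes after ResponseData", len(rest))
	}
	if err != nil {
		return false, nil, err
	}
	var perSingle []bool
	for _, sr := range rd.Responses {
		perSingle = append(perSingle, hasExt(sr.SingleExtensions, oid))
	}
	return hasExt(rd.ResponseExtensions, oid), perSingle, nil
}

// BuildResponseData constructs an unsigned ResponseData for one "good" certificate with a
// constructed CertHash in responseExtensions (as reported) or singleExtensions (Common PKI).
func BuildResponseData(perSingleResponse bool) ([]byte, error) {
	sum := sha1.Sum([]byte("constructed sample certificate")) // stands in for the real certificate hash
	extValue, err := asn1.Marshal(certHash{pkix.AlgorithmIdentifier{Algorithm: oidSHA1}, sum[:]})
	if err != nil {
		return nil, err
	}
	ext := pkix.Extension{Id: oidCertHash, Value: extValue}
	now := time.Date(2018, 5, 1, 12, 0, 0, 0, time.UTC)
	sr := singleResponse{
		CertID:     certID{pkix.AlgorithmIdentifier{Algorithm: oidSHA1}, make([]byte, 20), make([]byte, 20), big.NewInt(4711)},
		CertStatus: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0}, // good [0] IMPLICIT NULL
		ThisUpdate: now,
	}
	rd := responseData{ // responderID byKey [2] KeyHash: a constructed all-zero OCTET STRING (04 14 00...)
		ResponderID: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 2, IsCompound: true, Bytes: append([]byte{0x04, 20}, make([]byte, 20)...)},
		ProducedAt:  now,
	}
	if perSingleResponse {
		sr.SingleExtensions = []pkix.Extension{ext}
	} else {
		rd.ResponseExtensions = []pkix.Extension{ext}
	}
	rd.Responses = []singleResponse{sr}
	return asn1.Marshal(rd)
}
```

LocateExtension goes beyond the CertHash case: it works for any extension OID and any number of SingleResponse entries, so the same call also checks an extension that is expected at response level, such as the nonce. Run it on the tbsResponseData bytes of a BasicOCSPResponse after the signature has been verified; it rejects trailing bytes after the structure rather than silently ignoring them.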
This work is sponsored by Governikus GmbH & Co. KG.
Governikus GmbH & Co. KG
Am Fallturm 9
28359 Bremen, Germany