APAR status
Closed as program error.
Error description
Error Message: Refer to the stack trace below.
Stack Trace: [com.ibm.security.cert.BasicOCSPResponse]: verify(): Missing certificate. Not able to verify signature on BasicOCSPResponse.
CERTPATH: OCSPChecker.java: checkOCSPResponse(): The following exception was thrown while trying to verify the BasicOCSPResponse: com.ibm.security.cert.OCSPException: Missing certificate. Not able to verify signature on BasicOCSPResponse.
com.ibm.security.cert.OCSPException: Missing certificate. Not able to verify signature on BasicOCSPResponse.
    at com.ibm.security.cert.BasicOCSPResponse.verify(BasicOCSPResponse.java:329)
    at com.ibm.security.cert.OCSPChecker.checkResponse(OCSPChecker.java:982)
    at com.ibm.security.cert.OCSPChecker.internalCheck(OCSPChecker.java:733)
    at com.ibm.security.cert.OCSPChecker.check(OCSPChecker.java:339)
    at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:615)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:278)
Local fix
Adding the certificate of the signer of the OCSP response to a CertStore enables CertPath to verify the signature on the OCSP response.
Problem summary
CertPath for Java 8 fails to validate the signature on an OCSP response (from a responder learned from an AIA extension) unless the cert of the signer of the OCSP response is found locally within one of its CertStores. CertPath commonly learns about OCSP responders from the AIA extensions of the certs that it is validating, so the responder, and therefore its signing cert, is not known in advance. It is impractical for CertPath to demand that the cert of the signer of each OCSP response be present within one of its CertStores before the signature on that response can be validated. Typically, that cert is carried in the OCSP response itself (the optional certs field of BasicOCSPResponse), and it is that copy which should be used to verify the response signature.
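The local fix above (seeding a CertStore with the OCSP responder's cert) and the failure it works around can be shown with the standard java.security.cert API. The following is an added example, not code from the APAR or from the IBM JDK; the file paths, class name and method names are assumptions for illustration. It validates a leaf/intermediate chain against a trust anchor with OCSP revocation checking enabled, and optionally adds the responder cert to a Collection CertStore, which is the workaround that makes an affected Java 8 SR4 level verify the BasicOCSPResponse signature.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

// Hypothetical helper class written for this example (not part of the JDK or the APAR).
public class OcspCertPathCheck {

    // Load one DER or PEM encoded X.509 certificate from disk.
    static X509Certificate load(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Validate leaf -> intermediate against root with OCSP revocation checking.
     * ocspSignerPath may be null; when given, the responder cert is placed in a
     * CertStore, which is the IV93535 workaround described under "Local fix".
     */
    public static PKIXCertPathValidatorResult validate(String leafPath, String intermediatePath,
            String rootPath, String ocspSignerPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf = load(cf, leafPath);
        X509Certificate intermediate = load(cf, intermediatePath);
        X509Certificate root = load(cf, rootPath);

        // The CertPath is ordered leaf first and excludes the trust anchor.
        CertPath path = cf.generateCertPath(Arrays.asList(leaf, intermediate));

        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(true);
        // Turn on OCSP; the responder URL is taken from each cert's AIA extension
        // (the ocsp.responderURL security property would override it).
        Security.setProperty("ocsp.enable", "true");

        if (ocspSignerPath != null) {
            // Workaround: an affected JDK only verifies the response signature if the
            // signer's cert is found in one of the CertStores, even though the
            // response normally carries that cert itself.
            X509Certificate ocspSigner = load(cf, ocspSignerPath);
            CertStore store = CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(Collections.singletonList(ocspSigner)));
            params.addCertStore(store);
        }

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        // Assumed file layout; replace with real paths. Pass a fourth argument to
        // apply the workaround, omit it to reproduce the failure on an affected level.
        String signer = args.length > 3 ? args[3] : null;
        try {
            PKIXCertPathValidatorResult r = validate(args[0], args[1], args[2], signer);
            System.out.println("valid, anchor: "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // On an affected JDK without the workaround the cause chain ends in
            // com.ibm.security.cert.OCSPException "Missing certificate".
            System.out.println("validation failed at index " + e.getIndex()
                    + " (" + e.getReason() + "): " + e.getMessage());
        }
    }
}
```

Two caveats for anyone relying on the workaround rather than the fix. The responder cert must be added for every responder that any cert in the path points to, which is exactly what the problem summary calls impractical when responders are discovered from AIA. And adding it to a CertStore does not relax the usual PKIX rule that an OCSP response must be signed by the issuing CA or by a responder cert the CA issued with the id-kp-OCSPSigning extended key usage (RFC 6960 section 4.2.2.2); a signer cert that fails that check is still rejected, with or without this APAR.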
Problem conclusion
CertPath commonly learns about OCSP responders from the AIA extensions of the certs that it is validating. The code that required CertPath to have the cert of the signer of each OCSP response present within one of its CertStores before it would validate the signature on that response has been removed; the signer cert carried in the response can now be used for signature verification. This APAR will be fixed in the following Java Releases: 8 SR4 FP5 (8.0.4.5). Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IV93535
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-02-17
Closed date
2017-02-22
Last modified date
2017-02-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R270 PSY
UP
Business Unit: IBM Software w/o TPS (BU059)
Product: Runtimes for Java Technology (SSNVBF)
Platform: Platform Independent (PF025)
Version: 270
Line of Business: IBM Automation (LOB36)
Document Information
Modified date:
07 December 2020