OCSPException when trying to load an OCSP response with empty extensions sequence #1617
Comments
|
The response isn't valid - the extensions block has to contain at least one element. |
|
So there are OCSP responders producing such responses, and even if we manage to make them fix that, we would still have to live with OCSP responses stored in long-term signatures. Therefore it is desirable to have means to load such responses without re-coding the same logic just without that check. |
|
Great... okay, I can see the problem, leave it with me, we'll try and sort something out the next release (unfortunately 1.78 is already in process). |
|
Quick question are you using the Java 8 and later release? I have to do an LTS release next. I can probably deal with this in that. |
|
We are using Java 8 and bc*-jdk18on 1.76. It would be acceptable to wait until 1.79 is out. I wasn't aware of LTS until now. Maybe it would be possible to switch to LTS, though it sounds as a bigger change, and there might be issues because of other libraries depending on non-LTS versions - applications might end up having both sets of libraries because of transitive dependencies, as the Maven artifacts have different identifiers. |
|
The check in the parser for ANS.1 structures will be disabled. We will continue to enforce correct construction. Hope to make a beta for this available soon. |
|
This has been fixed in 1.78.1, which is now appearing on Maven Central and bouncycastle.org |
|
Perfect, thanks! I can confirm the issue is resolved now. |
Changes introduced with #1479 are preventing OCSP responses with empty extensions sequences from loading.
For example, trying to load this SK_OCSP_202404.dmp:
now fails with:
The text was updated successfully, but these errors were encountered: