changeset 9099:57c26829deb6
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
Reviewed-by: vinnie, xuelei
author | mullan |
---|---|
date | Wed, 22 Jan 2014 19:06:08 -0500 |
parents | ff56039c4870 |
children | 68eb0c55a8c0 |
files | src/share/classes/sun/security/provider/certpath/OCSPResponse.java |
diffstat | 1 files changed, 19 insertions(+), 1 deletions(-) [+] |
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Wed Jan 22 12:13:30 2014 +0100
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Wed Jan 22 19:06:08 2014 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -446,10 +446,28 @@
                 }
             } else if (responderKeyId != null) {
                 for (X509CertImpl cert : certs) {
+                    // Match responder's key identifier against the cert's SKID
+                    // This will match if the SKID is encoded using the 160-bit
+                    // SHA-1 hash method as defined in RFC 5280.
                     KeyIdentifier certKeyId = cert.getSubjectKeyId();
                     if (certKeyId != null && responderKeyId.equals(certKeyId)) {
                         signerCert = cert;
                         break;
+                    } else {
+                        // The certificate does not have a SKID or may have
+                        // been using a different algorithm (ex: see RFC 7093).
+                        // Check if the responder's key identifier matches
+                        // against a newly generated key identifier of the
+                        // cert's public key using the 160-bit SHA-1 method.
+                        try {
+                            certKeyId = new KeyIdentifier(cert.getPublicKey());
+                        } catch (IOException e) {
+                            // ignore
+                        }
+                        if (responderKeyId.equals(certKeyId)) {
+                            signerCert = cert;
+                            break;
+                        }
                     }
                 }
             }
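Review bot: In the new else branch of the second hunk, `certKeyId` is not reset when `new KeyIdentifier(cert.getPublicKey())` throws, so the follow-up `responderKeyId.equals(certKeyId)` is evaluated against the stale SKID that already failed the first comparison (or against null when the cert had no SKID) instead of being skipped; the `// ignore` catch also hides why derivation failed. Clearing the variable and guarding the second comparison makes the fallback explicit: `} catch (IOException e) { certKeyId = null; }` followed by `if (certKeyId != null && responderKeyId.equals(certKeyId)) {`. Whether `KeyIdentifier.equals` tolerates a null argument is not visible here, so the null guard should not be left to that implementation detail. A comment stating that the key-identifier match only selects the candidate signer cert and that the responder's signature and authorization are still verified afterwards would help readers of the fallback, since that later check is outside this hunk and I am assuming it exists. The enclosing method begins and ends outside the hunk.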