changeset 9149:3d86ddd1c9df

8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID Reviewed-by: vinnie, xuelei
author mullan
date Tue, 21 Jan 2014 10:51:13 -0500
parents 2f3b642d94cb
children 9dbb0a185e09
files src/share/classes/sun/security/provider/certpath/OCSPResponse.java
diffstat 1 files changed, 19 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Tue Jan 21 13:04:55 2014 +0100
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Tue Jan 21 10:51:13 2014 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -446,10 +446,28 @@
                 }
             } else if (responderKeyId != null) {
                 for (X509CertImpl cert : certs) {
+                    // Match responder's key identifier against the cert's SKID
+                    // This will match if the SKID is encoded using the 160-bit
+                    // SHA-1 hash method as defined in RFC 5280.
                     KeyIdentifier certKeyId = cert.getSubjectKeyId();
                     if (certKeyId != null && responderKeyId.equals(certKeyId)) {
                         signerCert = cert;
                         break;
+                    } else {
+                        // The certificate does not have a SKID or may have
+                        // been using a different algorithm (ex: see RFC 7093).
+                        // Check if the responder's key identifier matches
+                        // against a newly generated key identifier of the
+                        // cert's public key using the 160-bit SHA-1 method.
+                        try {
+                            certKeyId = new KeyIdentifier(cert.getPublicKey());
+                        } catch (IOException e) {
+                            // ignore
+                        }
+                        if (responderKeyId.equals(certKeyId)) {
+                            signerCert = cert;
+                            break;
+                        }
                     }
                 }
             }