8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID

Reviewed-by: vinnie, xuelei
Sean Mullan 2014-01-21 10:51:13 -05:00
parent ea1c41f454
commit d82803e3d0


@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -446,10 +446,28 @@ public final class OCSPResponse {
}
} else if (responderKeyId != null) {
for (X509CertImpl cert : certs) {
// Match responder's key identifier against the cert's SKID
// This will match if the SKID is encoded using the 160-bit
// SHA-1 hash method as defined in RFC 5280.
KeyIdentifier certKeyId = cert.getSubjectKeyId();
if (certKeyId != null && responderKeyId.equals(certKeyId)) {
signerCert = cert;
break;
} else {
// The certificate does not have a SKID or may have
// been using a different algorithm (ex: see RFC 7093).
// Check if the responder's key identifier matches
// against a newly generated key identifier of the
// cert's public key using the 160-bit SHA-1 method.
try {
certKeyId = new KeyIdentifier(cert.getPublicKey());
} catch (IOException e) {
// ignore
}
if (responderKeyId.equals(certKeyId)) {
signerCert = cert;
break;
}
}
}
}
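Review bot: The `catch (IOException e) { // ignore }` in the new fallback leaves `certKeyId` holding the stale value from `cert.getSubjectKeyId()`, so the `responderKeyId.equals(certKeyId)` that follows silently repeats the comparison that already failed instead of skipping the certificate; it is harmless today only because that value is null or already known not to match. A `continue` in the handler makes the intent explicit and avoids the redundant compare: `} catch (IOException ignored) { continue; // no SHA-1 key identifier can be derived for this key }`. The comment above the fallback should also say that a key-identifier match only selects the candidate signer and that the response signature must still verify under `signerCert` before it is trusted; I assume that check happens later in this method, which starts and ends outside the hunk. It may be worth noting in the same comment that the derived identifier is deliberately the RFC 5280 SHA-1 form because that is what the OCSP byKey responderID carries, so certificates with an RFC 7093 SKID are matched by recomputation rather than by their extension value.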