8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
authormullan
Tue, 21 Jan 2014 10:51:13 -0500
changeset 22356 dc568020e87e
parent 22353 d09e3ff5fd63
child 22357 bbc7015fe560
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID Reviewed-by: vinnie, xuelei
jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
--- a/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Tue Jan 21 13:04:55 2014 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Tue Jan 21 10:51:13 2014 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -446,10 +446,28 @@
                 }
             } else if (responderKeyId != null) {
                 for (X509CertImpl cert : certs) {
+                    // Match responder's key identifier against the cert's SKID
+                    // This will match if the SKID is encoded using the 160-bit
+                    // SHA-1 hash method as defined in RFC 5280.
                     KeyIdentifier certKeyId = cert.getSubjectKeyId();
                     if (certKeyId != null && responderKeyId.equals(certKeyId)) {
                         signerCert = cert;
                         break;
+                    } else {
+                        // The certificate does not have a SKID or may have
+                        // been using a different algorithm (ex: see RFC 7093).
+                        // Check if the responder's key identifier matches
+                        // against a newly generated key identifier of the
+                        // cert's public key using the 160-bit SHA-1 method.
+                        try {
+                            certKeyId = new KeyIdentifier(cert.getPublicKey());
+                        } catch (IOException e) {
+                            // ignore
+                        }
+                        if (responderKeyId.equals(certKeyId)) {
+                            signerCert = cert;
+                            break;
+                        }
                     }
                 }
             }
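Review bot: The empty `catch (IOException e)` around `new KeyIdentifier(cert.getPublicKey())` leaves `certKeyId` holding its previous value — either null, or the cert's own SKID that the preceding `responderKeyId.equals(certKeyId)` already rejected — so the second comparison that follows either retests a known non-match or compares against null, and the fact that no key identifier could be derived is silently dropped. Skipping the candidate explicitly makes the intent clear: `} catch (IOException e) { continue; // cannot derive a key id for this cert; try the next candidate }`, and if a debug logger is in scope in this file, recording the exception there would help diagnose a responder certificate that is never located. The `// ignore` comment should say why ignoring is acceptable rather than just that it is. The enclosing method begins before and continues after this hunk, so the later handling of `signerCert` (presumably the signature verification) is not visible here.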