8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
Reviewed-by: vinnie, xuelei
--- a/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Tue Jan 21 13:04:55 2014 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Tue Jan 21 10:51:13 2014 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -446,10 +446,28 @@
}
} else if (responderKeyId != null) {
for (X509CertImpl cert : certs) {
+ // Match responder's key identifier against the cert's SKID
+ // This will match if the SKID is encoded using the 160-bit
+ // SHA-1 hash method as defined in RFC 5280.
KeyIdentifier certKeyId = cert.getSubjectKeyId();
if (certKeyId != null && responderKeyId.equals(certKeyId)) {
signerCert = cert;
break;
+ } else {
+ // The certificate does not have a SKID or may have
+ // been using a different algorithm (ex: see RFC 7093).
+ // Check if the responder's key identifier matches
+ // against a newly generated key identifier of the
+ // cert's public key using the 160-bit SHA-1 method.
+ try {
+ certKeyId = new KeyIdentifier(cert.getPublicKey());
+ } catch (IOException e) {
+ // ignore
+ }
+ if (responderKeyId.equals(certKeyId)) {
+ signerCert = cert;
+ break;
+ }
}
}
}
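Review bot: The empty `catch (IOException e)` in the new fallback branch leaves `certKeyId` holding its earlier value (the cert's non-matching SKID, or null), and the following `responderKeyId.equals(certKeyId)` then runs against that stale value. The outcome is still a non-match, assuming `KeyIdentifier.equals` rejects null, but the intent is hidden and a failure to encode the public key is dropped silently. I would make the skip explicit with `} catch (IOException e) { continue; }` and a comment such as `// no key id can be derived for this cert; try the next one`, or compare against a separate local instead of reusing `certKeyId`. The added comment could also note that a byKey responderID is defined in RFC 6960 as the SHA-1 hash of the responder's public key, so the computed comparison is the authoritative one and the SKID match is the shortcut. This loop only selects a candidate signer, and the checks that establish trust in that certificate lie outside the hunk.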