Merge
authormullan
Tue, 21 Jan 2014 10:52:48 -0500
changeset 22357 bbc7015fe560
parent 22356 dc568020e87e (diff)
parent 22355 006659506061 (current diff)
child 22358 22a10c3cb5f3
child 22561 5ee70f9edbb7
child 22563 2e5b6242e863
Merge
--- a/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Mon Jan 20 19:23:22 2014 +0400
+++ b/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Tue Jan 21 10:52:48 2014 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -446,10 +446,28 @@
                 }
             } else if (responderKeyId != null) {
                 for (X509CertImpl cert : certs) {
+                    // Match responder's key identifier against the cert's SKID
+                    // This will match if the SKID is encoded using the 160-bit
+                    // SHA-1 hash method as defined in RFC 5280.
                     KeyIdentifier certKeyId = cert.getSubjectKeyId();
                     if (certKeyId != null && responderKeyId.equals(certKeyId)) {
                         signerCert = cert;
                         break;
+                    } else {
+                        // The certificate does not have a SKID or may have
+                        // been using a different algorithm (ex: see RFC 7093).
+                        // Check if the responder's key identifier matches
+                        // against a newly generated key identifier of the
+                        // cert's public key using the 160-bit SHA-1 method.
+                        try {
+                            certKeyId = new KeyIdentifier(cert.getPublicKey());
+                        } catch (IOException e) {
+                            // ignore
+                        }
+                        if (responderKeyId.equals(certKeyId)) {
+                            signerCert = cert;
+                            break;
+                        }
                     }
                 }
             }