Commit 2219b2bc authored by: M mullan

8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
Reviewed-by: vinnie, xuelei
Parent 23a4ec5d
/*
* Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -446,10 +446,28 @@ public final class OCSPResponse {
}
} else if (responderKeyId != null) {
for (X509CertImpl cert : certs) {
// Match responder's key identifier against the cert's SKID
// This will match if the SKID is encoded using the 160-bit
// SHA-1 hash method as defined in RFC 5280.
KeyIdentifier certKeyId = cert.getSubjectKeyId();
if (certKeyId != null && responderKeyId.equals(certKeyId)) {
signerCert = cert;
break;
} else {
// The certificate does not have a SKID or may have
// been using a different algorithm (ex: see RFC 7093).
// Check if the responder's key identifier matches
// against a newly generated key identifier of the
// cert's public key using the 160-bit SHA-1 method.
try {
certKeyId = new KeyIdentifier(cert.getPublicKey());
} catch (IOException e) {
// ignore
}
if (responderKeyId.equals(certKeyId)) {
signerCert = cert;
break;
}
}
}
}
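Review bot: the `catch (IOException e) { // ignore }` in the new else-branch falls through to `responderKeyId.equals(certKeyId)` with `certKeyId` still holding whatever `cert.getSubjectKeyId()` returned (null, or the SKID that was already rejected by the first comparison); that is only harmless because the stale value was just tested as unequal, so the intent would be clearer with `continue;` inside the catch block, or with the equals check moved into the try. The comment "may have been using a different algorithm (ex: see RFC 7093)" also slightly overstates what the code does: it never interprets the cert's own SKID encoding, it only recomputes the 160-bit SHA-1 key identifier from the public key and compares that to the responderID, which is the right fallback for a responder that uses the RFC 5280 method in its responderID while the cert's SKID was generated differently, but a responder whose byKey identifier itself uses an RFC 7093 truncated hash still won't be found. Worth stating that limit in the comment so the next reader does not assume RFC 7093 identifiers are matched.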
......