# HG changeset patch # User mullan # Date 1390435568 18000 # Node ID 57c26829deb6c9dbb326aad24de589884b657602 # Parent ff56039c4870c39ccb984982314411d068ed4092 8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID Reviewed-by: vinnie, xuelei diff -r ff56039c4870 -r 57c26829deb6 src/share/classes/sun/security/provider/certpath/OCSPResponse.java --- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Wed Jan 22 12:13:30 2014 +0100 +++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Wed Jan 22 19:06:08 2014 -0500 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -446,10 +446,28 @@ } } else if (responderKeyId != null) { for (X509CertImpl cert : certs) { + // Match responder's key identifier against the cert's SKID + // This will match if the SKID is encoded using the 160-bit + // SHA-1 hash method as defined in RFC 5280. KeyIdentifier certKeyId = cert.getSubjectKeyId(); if (certKeyId != null && responderKeyId.equals(certKeyId)) { signerCert = cert; break; + } else { + // The certificate does not have a SKID or may have + // been using a different algorithm (ex: see RFC 7093). + // Check if the responder's key identifier matches + // against a newly generated key identifier of the + // cert's public key using the 160-bit SHA-1 method. + try { + certKeyId = new KeyIdentifier(cert.getPublicKey()); + } catch (IOException e) { + // ignore + } + if (responderKeyId.equals(certKeyId)) { + signerCert = cert; + break; + } } } }