RFR 8215776: Keytool importkeystore may mix up certificate chain entries when DNs conflict
Weijun Wang
weijun.wang at oracle.com
Mon Jan 21 10:05:15 UTC 2019
I tried something like this:
import java.io.IOException;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;

import sun.security.util.DerValue;
import sun.security.x509.AuthorityKeyIdentifierExtension;

// allCerts is assumed to be the keystore's pool of candidate certificates
// (it is not declared in the snippet as originally posted).
private Collection<X509Certificate> allCerts;

private X509Certificate findIssuer(X509Certificate input) {
    X509CertSelector selector = new X509CertSelector();
    // Always require the candidate's subject to equal the input's issuer DN.
    selector.setSubject(input.getIssuerX500Principal());
    // If the input carries an AuthorityKeyIdentifier (OID 2.5.29.35), additionally
    // require the candidate's SubjectKeyIdentifier to equal its keyIdentifier.
    byte[] issuerIdExtension = input.getExtensionValue("2.5.29.35");
    if (issuerIdExtension != null) {
        try {
            byte[] issuerId = new AuthorityKeyIdentifierExtension(
                    false,
                    new DerValue(issuerIdExtension).getOctetString())
                    .getEncodedKeyIdentifier();
            selector.setSubjectKeyIdentifier(issuerId);
        } catch (IOException e) {
            // ignored: the selector keeps only the subject-name criterion
        }
    }
    for (X509Certificate cert : allCerts) {
        if (selector.match(cert)) {
            return cert;
        }
    }
    return null;
}
but it seems it cannot deal with the case where a cert has the correct subject but no SKID extension. Or do you think this should never happen?
Thanks
Max
> On Jan 17, 2019, at 11:41 AM, Weijun Wang <weijun.wang at oracle.com> wrote:
>
> I'll take a look. I thought java.security.cert.X509CertSelector is used by CertPath validators and builders internally and never thought it can be called directly.
>
> Thanks,
> Max
>
>> On Jan 17, 2019, at 1:49 AM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>>
>> Hi Max,
>>
>> I did not look into the detailed implementation of findIssuer() yet. Have you considered to use java.security.cert.X509CertSelector?
>>
>> Thanks,
>> Xuelei
>>
>> On 1/9/2019 6:59 AM, Weijun Wang wrote:
>>> Please take a review at
>>> https://cr.openjdk.java.net/~weijun/8215776/webrev.00/
>>> PKCS12KeyStore now can find certificate issuers more precisely using SubjectKeyIdentifier and AuthorityKeyIdentifier. I thought about using CertPath builder or checking signatures but those changes are too much.
>>> Thanks,
>>> Max
>
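The subject-plus-key-identifier lookup discussed in this thread, together with the fallback Max asks about (a candidate that has the right subject but no SKID extension), as an added Python example using the `cryptography` library. This is not the JDK code under review: the certificates, names, keys and helper functions are all constructed here for illustration. It also goes one step beyond the thread by verifying the signature to disambiguate SKID-less candidates that share a DN, which is the "checking signatures" option the webrev deliberately left out.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cn, key, signer_key, with_skid=True, akid_key=None):
    """Build a constructed test certificate (not real PKI data).
    with_skid=False models an older CA cert that carries no SubjectKeyIdentifier;
    akid_key is the issuer key whose identifier goes into AuthorityKeyIdentifier."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
    )
    if with_skid:
        builder = builder.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    if akid_key is not None:
        builder = builder.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(akid_key.public_key()),
            critical=False)
    return builder.sign(signer_key, hashes.SHA256())


def _skid(cert):
    try:
        return cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_KEY_IDENTIFIER).value.digest
    except x509.ExtensionNotFound:
        return None


def _akid(cert):
    try:
        return cert.extensions.get_extension_for_oid(
            ExtensionOID.AUTHORITY_KEY_IDENTIFIER).value.key_identifier
    except x509.ExtensionNotFound:
        return None


def _signed_by(cert, candidate):
    """Does candidate's key verify cert's signature? (EC keys only in this example.)"""
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def naive_find_issuer(cert, candidates):
    """Subject-DN-only lookup: the behaviour that mixes up chains when DNs conflict."""
    for cand in candidates:
        if cand.subject == cert.issuer:
            return cand
    return None


def find_issuer(cert, candidates):
    """Subject match, then SKID == AKID when both sides have key identifiers,
    then signature verification for candidates that cannot be compared by key id."""
    akid = _akid(cert)
    subject_only = []
    for cand in candidates:
        if cand.subject != cert.issuer:
            continue
        skid = _skid(cand)
        if akid is not None and skid is not None:
            if skid == akid:
                return cand
            continue  # same DN but a different key: the conflict case
        subject_only.append(cand)  # no key identifiers to compare
    for cand in subject_only:
        if _signed_by(cert, cand):
            return cand
    return None


def build_scenario():
    """Constructed test PKI: two 'CA' certs sharing a DN but not a key,
    and two SKID-less 'Legacy CA' certs sharing a DN."""
    k_root, k_imp, k_leg, k_leg2, k_ee, k_ee2 = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(6))
    root = make_cert("CA", "CA", k_root, k_root)
    impostor = make_cert("CA", "CA", k_imp, k_imp)
    ee = make_cert("server", "CA", k_ee, k_root, akid_key=k_root)
    legacy = make_cert("Legacy CA", "Legacy CA", k_leg, k_leg, with_skid=False)
    legacy_other = make_cert("Legacy CA", "Legacy CA", k_leg2, k_leg2, with_skid=False)
    ee2 = make_cert("server2", "Legacy CA", k_ee2, k_leg, akid_key=k_leg)
    return {"root": root, "impostor": impostor, "ee": ee,
            "legacy": legacy, "legacy_other": legacy_other, "ee2": ee2}
```

With the candidate list ordered impostor-first, `naive_find_issuer` returns the wrong "CA" cert while `find_issuer` picks the one whose SKID equals the end-entity's AKID; for the SKID-less "Legacy CA" pair the signature check is what breaks the tie.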