RFR: 8257497: Key identifier compliance issue [v3]

Weijun Wang weijun at openjdk.java.net
Fri Feb 12 14:52:42 UTC 2021

On Thu, 11 Feb 2021 22:10:55 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 1482:
>>> 1480:         byte[] signerSubjectKeyIdExt = ((X509Certificate)signerCert).getExtensionValue(
>>> 1481:                 KnownOIDs.SubjectKeyID.value());
>>> 1482: 
>> How about passing in the `KeyIdentifier` instead of `PublicKey akey` into the createV3Extensions method? And you can calculate it with
>>         X509CertImpl impl;
>>         if (signerCert instanceof X509CertImpl) {
>>             impl = (X509CertImpl) signerCert;
>>         } else {
>>             impl = new X509CertImpl(signerCert.getEncoded());
>>         }
>>         impl.getSubjectKeyId();
> Changed as suggested.

Sorry, I should have been more verbose on my suggestion. I was thinking about passing in **_only_** the `KeyIdentifier` and _**not**_ `akey`. After all, both of them are for the same purpose and it's clearer to consolidate to only one. If the cert has an SKID then use it, otherwise calculate one using `new KeyIdentifier(akey)`. All these are done inside the `doGenCert()` method. The `createV3Extensions` just adds an AKID if the parameter is not null.


PR: https://git.openjdk.java.net/jdk/pull/2343
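The fallback rule described in the message (reuse the signer's SubjectKeyIdentifier when the signer certificate carries one, otherwise derive a key identifier from the signer's public key), written out against the public java.security API rather than the internal sun.security.x509.KeyIdentifier class the thread refers to. This is an added example, not code from the PR or from keytool; the class and method names (AkidChooser, chooseKeyIdentifier, keyIdFromSkidExtensionValue) and the 20-byte sample SKID are constructed for the demonstration. The derivation used when no SKID is present is RFC 5280 section 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING contents.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Added example (not keytool code). Chooses the key identifier to place in
 * the AuthorityKeyIdentifier of a certificate signed with signerCert:
 * the signer's own SubjectKeyIdentifier when present, otherwise a value
 * derived from the signer's public key (RFC 5280 4.2.1.2 method (1)).
 * Class and method names are assumptions made for this example.
 */
public final class AkidChooser {

    private static final String OID_SUBJECT_KEY_ID = "2.5.29.14";

    /** Raw key identifier bytes for the AKID; null signerCert means "no cert available". */
    public static byte[] chooseKeyIdentifier(X509Certificate signerCert, PublicKey akey)
            throws NoSuchAlgorithmException {
        if (signerCert != null) {
            byte[] extValue = signerCert.getExtensionValue(OID_SUBJECT_KEY_ID);
            if (extValue != null) {
                // Reuse the signer's SKID verbatim: the AKID must match what the issuer
                // advertised, however the issuer computed it (e.g. a truncated SKID).
                return keyIdFromSkidExtensionValue(extValue);
            }
        }
        return keyIdFromPublicKey(akey);
    }

    /** getExtensionValue() returns the extnValue OCTET STRING; inside it is KeyIdentifier ::= OCTET STRING. */
    static byte[] keyIdFromSkidExtensionValue(byte[] extValue) {
        byte[] inner = derOctetStringContents(extValue, 0);
        return derOctetStringContents(inner, 0);
    }

    /** Walks SubjectPublicKeyInfo ::= SEQUENCE { algorithm SEQUENCE, subjectPublicKey BIT STRING }. */
    static byte[] keyIdFromPublicKey(PublicKey akey) throws NoSuchAlgorithmException {
        if (!"X.509".equals(akey.getFormat())) {
            throw new IllegalArgumentException("expected an X.509 (SubjectPublicKeyInfo) encoded key");
        }
        byte[] spki = akey.getEncoded();
        int[] seq = derHeader(spki, 0);
        expectTag(seq, 0x30, "SubjectPublicKeyInfo SEQUENCE");
        int[] alg = derHeader(spki, seq[1]);
        expectTag(alg, 0x30, "AlgorithmIdentifier SEQUENCE");
        int[] bits = derHeader(spki, alg[1] + alg[2]);
        expectTag(bits, 0x03, "subjectPublicKey BIT STRING");
        if (bits[2] < 1 || spki[bits[1]] != 0) {
            // SPKI public keys are octet aligned; a non-zero unused-bits octet is malformed here.
            throw new IllegalArgumentException("malformed subjectPublicKey BIT STRING");
        }
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(spki, bits[1] + 1, bits[2] - 1); // hash the key bits, skipping the unused-bits octet
        return sha1.digest();
    }

    /** Minimal DER TLV header parser: returns {tag, contentOffset, contentLength}. */
    static int[] derHeader(byte[] buf, int off) {
        if (off + 2 > buf.length) throw new IllegalArgumentException("truncated DER header");
        int tag = buf[off] & 0xff;
        int first = buf[off + 1] & 0xff;
        int len, start;
        if (first < 0x80) {
            len = first;
            start = off + 2;
        } else {
            int n = first & 0x7f;
            if (n == 0 || n > 3 || off + 2 + n > buf.length) throw new IllegalArgumentException("unsupported DER length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (buf[off + 2 + i] & 0xff);
            start = off + 2 + n;
        }
        if (start + len > buf.length) throw new IllegalArgumentException("DER length exceeds buffer");
        return new int[] {tag, start, len};
    }

    static byte[] derOctetStringContents(byte[] buf, int off) {
        int[] h = derHeader(buf, off);
        expectTag(h, 0x04, "OCTET STRING");
        return Arrays.copyOfRange(buf, h[1], h[1] + h[2]);
    }

    private static void expectTag(int[] h, int tag, String what) {
        if (h[0] != tag) throw new IllegalArgumentException("expected " + what + ", got tag 0x" + Integer.toHexString(h[0]));
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: what getExtensionValue("2.5.29.14") returns for the 20-byte SKID 00 01 .. 13
        byte[] skid = new byte[20];
        for (int i = 0; i < skid.length; i++) skid[i] = (byte) i;
        byte[] extValue = new byte[24];
        extValue[0] = 0x04; extValue[1] = 0x16; // extnValue OCTET STRING, 22 content bytes
        extValue[2] = 0x04; extValue[3] = 0x14; // KeyIdentifier OCTET STRING, 20 content bytes
        System.arraycopy(skid, 0, extValue, 4, skid.length);
        byte[] fromExt = keyIdFromSkidExtensionValue(extValue);
        System.out.println("SKID parsed from extension: " + hex(fromExt) + " matches=" + Arrays.equals(fromExt, skid));

        // Signer without an SKID: fall back to deriving the identifier from the public key
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PublicKey pub = kpg.generateKeyPair().getPublic();
        byte[] derived = chooseKeyIdentifier(null, pub);
        System.out.println("derived from public key: " + hex(derived) + " (" + derived.length + " bytes)");
    }
}
```

The two branches are deliberately kept in one method so that a caller such as a `createV3Extensions`-style routine only ever receives a single, already-resolved identifier (or null when no AKID should be written), which is the consolidation the message argues for.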

More information about the security-dev mailing list