<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">I tried something like this:<div class=""><br class=""></div><div class=""><pre style="background-color:#2b2b2b;color:#aeb5bd;font-family:'SF Mono';font-size:9.0pt;" class=""><span style="color:#597cc2;" class="">private </span><span style="color:#a9b7c6;" class="">X509Certificate </span><span style="color:#d9af6c;" class="">findIssuer</span>(<span style="color:#a9b7c6;" class="">X509Certificate </span>input) {<br class=""><br class="">    <span style="color:#a9b7c6;" class="">X509CertSelector selector </span>= <span style="color:#597cc2;" class="">new </span>X509CertSelector()<span style="color:#5c7ab8;" class="">;<br class=""></span><span style="color:#5c7ab8;" class="">    </span><span style="color:#a9b7c6;" class="">selector</span>.setSubject(<span style="color:#a9b7c6;" class="">input</span>.getIssuerX500Principal())<span style="color:#5c7ab8;" class="">;<br class=""></span><span style="color:#5c7ab8;" class=""><br class=""></span><span style="color:#5c7ab8;" class="">    </span><span style="color:#597cc2;" class="">byte</span>[] <span style="color:#a9b7c6;" class="">issuerIdExtension </span>= <span style="color:#a9b7c6;" class="">input</span>.getExtensionValue(<span style="color:#807d6e;font-weight:bold;" class="">"2.5.29.35"</span>)<span style="color:#5c7ab8;" class="">;<br class=""></span><span style="color:#5c7ab8;" class="">    </span><span style="color:#597cc2;" class="">if </span>(<span style="color:#a9b7c6;" class="">issuerIdExtension </span>!= <span style="color:#597cc2;" class="">null</span>) {<br class="">        <span style="color:#597cc2;" class="">try </span>{<br class="">            <span style="color:#597cc2;" class="">byte</span>[] <span style="color:#a9b7c6;" class="">issuerId </span>= <span style="color:#597cc2;" class="">new </span>AuthorityKeyIdentifierExtension(<br class="">                        <span style="color:#597cc2;" 
class="">false</span><span style="color:#5c7ab8;" class="">,<br class=""></span><span style="color:#5c7ab8;" class="">                        </span><span style="color:#597cc2;" class="">new </span>DerValue(<span style="color:#a9b7c6;" class="">issuerIdExtension</span>).getOctetString())<br class="">                    .getEncodedKeyIdentifier()<span style="color:#5c7ab8;" class="">;<br class=""></span><span style="color:#5c7ab8;" class="">            </span><span style="color:#a9b7c6;" class="">selector</span>.setSubjectKeyIdentifier(<span style="color:#a9b7c6;" class="">issuerId</span>)<span style="color:#5c7ab8;" class="">;<br class=""></span><span style="color:#5c7ab8;" class="">        </span>} <span style="color:#597cc2;" class="">catch </span>(<span style="color:#a9b7c6;" class="">IOException e</span>) {<br class="">            <span style="color:#7a7a7a;" class="">// ignored: the selector then matches on subject name only<br class=""></span><span style="color:#7a7a7a;" class="">        </span>}<br class="">    }<br class=""><br class="">    <span style="color:#597cc2;" class="">for </span>(<span style="color:#a9b7c6;" class="">X509Certificate cert </span>: <span style="color:#828eba;" class="">allCerts</span>) {<br class="">        <span style="color:#597cc2;" class="">if </span>(<span style="color:#a9b7c6;" class="">selector</span>.match(<span style="color:#a9b7c6;" class="">cert</span>)) {<br class="">            <span style="color:#597cc2;" class="">return </span><span style="color:#a9b7c6;" class="">cert</span><span style="color:#5c7ab8;" class="">;<br class=""></span><span style="color:#5c7ab8;" class="">        </span>}<br class="">    }<br class="">    <span style="color:#597cc2;" class="">return null</span><span style="color:#5c7ab8;" class="">;<br class=""></span>}</pre></div><div class="">but it seems it cannot deal with the case where a cert has the correct subject but no SKID extension. 
Or do you think this should never happen?</div><div class=""><br class=""></div><div class="">Thanks</div><div class="">Max<br class=""><br class=""><blockquote type="cite" class="">On Jan 17, 2019, at 11:41 AM, Weijun Wang <<a href="mailto:weijun.wang@oracle.com" class="">weijun.wang@oracle.com</a>> wrote:<br class=""><br class="">I'll take a look. I thought java.security.cert.X509CertSelector is used by CertPath validators and builders internally and never thought it can be called directly.<br class=""><br class="">Thanks,<br class="">Max<br class=""><br class=""><blockquote type="cite" class="">On Jan 17, 2019, at 1:49 AM, Xuelei Fan <<a href="mailto:xuelei.fan@oracle.com" class="">xuelei.fan@oracle.com</a>> wrote:<br class=""><br class="">Hi Max,<br class=""><br class="">I did not look into the detailed implementation of findIssuer() yet. Have you considered to use java.security.cert.X509CertSelector?<br class=""><br class="">Thanks,<br class="">Xuelei<br class=""><br class="">On 1/9/2019 6:59 AM, Weijun Wang wrote:<br class=""><blockquote type="cite" class="">Please take a review at<br class=""> <a href="https://cr.openjdk.java.net/~weijun/8215776/webrev.00/" class="">https://cr.openjdk.java.net/~weijun/8215776/webrev.00/</a><br class="">PKCS12KeyStore now can find certificate issuers more precisely using SubjectKeyIdentifier and AuthorityKeyIdentifier. I thought about using CertPath builder or checking signatures but those changes are too much.<br class="">Thanks,<br class="">Max<br class=""></blockquote></blockquote><br class=""></blockquote><br class=""></div></body></html>
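The case raised in the message above is a documented property of the selector: once X509CertSelector.setSubjectKeyIdentifier() has been called, only certificates that actually carry a SubjectKeyIdentifier extension with that exact value can match, so an issuer with the right subject name and no SKID is excluded. The following is an added example, not Max's webrev and not the JDK's PKCS12KeyStore code. It keeps the selector for the subject-name criterion only, compares AKID and SKID itself when both sides carry a key identifier, and otherwise falls back to verifying the signature; it reads the two extensions with a small DER reader rather than the sun.security.x509 classes. The class name IssuerFinder, the DerItem helper, the signature-check fallback and the use of a Java 16+ record are assumptions of this example.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;

/** Added example, not JDK code: issuer lookup that tolerates a missing SKID. */
public final class IssuerFinder {
    private static final String OID_SKID = "2.5.29.14";
    private static final String OID_AKID = "2.5.29.35";

    /** Returns the certificate in allCerts that issued input, or null. */
    public static X509Certificate findIssuer(X509Certificate input,
                                             Collection<X509Certificate> allCerts) {
        // Only the subject-name criterion goes into the selector: once setSubjectKeyIdentifier()
        // has been called, a candidate without an SKID extension can never match.
        X509CertSelector bySubject = new X509CertSelector();
        bySubject.setSubject(input.getIssuerX500Principal());
        byte[] wantedKeyId = authorityKeyIdentifier(input); // null if absent

        for (X509Certificate cert : allCerts) {
            if (!bySubject.match(cert)) continue;
            byte[] skid = subjectKeyIdentifier(cert);
            if (wantedKeyId != null && skid != null) {
                // Both identifiers present: compare them, and reject a same-name CA
                // with a different key instead of falling through.
                if (Arrays.equals(wantedKeyId, skid)) return cert;
                continue;
            }
            // One side lacks a key identifier. Assumption of this example: confirm
            // with a signature check rather than trust the name match alone.
            if (verifies(input, cert)) return cert;
        }
        return null;
    }

    private static boolean verifies(X509Certificate input, X509Certificate ca) {
        try {
            input.verify(ca.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /** getExtensionValue() returns a DER OCTET STRING wrapping the extension body. */
    private static byte[] extensionBody(X509Certificate cert, String oid) {
        byte[] der = cert.getExtensionValue(oid);
        if (der == null) return null;
        DerItem outer = DerItem.parse(der, 0);
        return outer.tag() == 0x04 ? outer.value() : null;
    }

    /** SubjectKeyIdentifier ::= KeyIdentifier (OCTET STRING). */
    static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] body = extensionBody(cert, OID_SKID);
        if (body == null) return null;
        DerItem id = DerItem.parse(body, 0);
        return id.tag() == 0x04 ? id.value() : null;
    }

    /** AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL, ... }.
     *  Returns keyIdentifier, or null when the extension is absent or omits it. */
    static byte[] authorityKeyIdentifier(X509Certificate cert) {
        byte[] body = extensionBody(cert, OID_AKID);
        if (body == null) return null;
        DerItem seq = DerItem.parse(body, 0);
        if (seq.tag() != 0x30) return null;
        int pos = seq.contentStart(), end = pos + seq.length();
        while (pos < end) {
            DerItem item = DerItem.parse(body, pos);
            if (item.tag() == 0x80) return item.value(); // [0] primitive: keyIdentifier
            pos = item.contentStart() + item.length();
        }
        return null;
    }

    /** Minimal DER TLV reader: definite lengths and single-byte tags, which is all these extensions use. */
    private record DerItem(byte[] buf, int tag, int contentStart, int length) {
        static DerItem parse(byte[] buf, int pos) {
            int tag = buf[pos] & 0xFF, first = buf[pos + 1] & 0xFF, len, start;
            if (first < 0x80) {
                len = first; start = pos + 2;
            } else {
                int n = first & 0x7F;
                if (n == 0 || n > 4) throw new IllegalArgumentException("unsupported DER length");
                len = 0;
                for (int i = 0; i < n; i++) len = (len << 8) | (buf[pos + 2 + i] & 0xFF);
                start = pos + 2 + n;
            }
            if (len < 0 || start + len > buf.length) throw new IllegalArgumentException("truncated DER");
            return new DerItem(buf, tag, start, len);
        }

        byte[] value() { return Arrays.copyOfRange(buf, contentStart, contentStart + length); }
    }
}
```

Two points worth noting about the design. X509CertSelector.match() never checks signatures, so when the key-identifier comparison is unavailable the name match alone can still pick the wrong certificate from a store that holds several CAs with the same subject (a renewed CA, or a cross-signed one); the signature check is what disambiguates that case. And when an AKID is present but carries only authorityCertIssuer and authorityCertSerialNumber, authorityKeyIdentifier() returns null on purpose, so the lookup degrades to the same fallback instead of rejecting every candidate.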