<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="">> but it seems it cannot deal with the case where a
cert has the correct subject but no SKID extension. Or do you
think this should never happen?</div>
<p>It could happen, especially for self-signed certs. See also
sun.security.provider.certpath.ForwardBuilder#PKIXCertComparator.<br>
</p>
<p>Xuelei<br>
</p>
<div class="moz-cite-prefix">On 1/21/2019 2:05 AM, Weijun Wang
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:E8661EAA-7A38-43D0-A69A-E2EBEA760F5C@oracle.com">
I tried something like this:
<div class=""><br class="">
</div>
<div class="">
<pre>import java.io.IOException;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import sun.security.util.DerValue;
import sun.security.x509.AuthorityKeyIdentifierExtension;

// Look up the issuer of `input` among the key store's certificates
// (`allCerts` is the collection of X509Certificate held by the enclosing class).
private X509Certificate findIssuer(X509Certificate input) {
    X509CertSelector selector = new X509CertSelector();
    selector.setSubject(input.getIssuerX500Principal());

    // AuthorityKeyIdentifier (2.5.29.35): when present, also require the
    // candidate's SubjectKeyIdentifier to equal the key id it names.
    byte[] issuerIdExtension = input.getExtensionValue("2.5.29.35");
    if (issuerIdExtension != null) {
        try {
            byte[] issuerId = new AuthorityKeyIdentifierExtension(
                    false,
                    new DerValue(issuerIdExtension).getOctetString())
                    .getEncodedKeyIdentifier();
            selector.setSubjectKeyIdentifier(issuerId);
        } catch (IOException e) {
            // ignored. issuerId is still null
        }
    }
    for (X509Certificate cert : allCerts) {
        if (selector.match(cert)) {
            return cert;
        }
    }
    return null;
}</pre>
</div>
<div class="">but it seems it cannot deal with the case where a
cert has the correct subject but no SKID extension. Or do you
think this should never happen?</div>
<div class=""><br class="">
</div>
<div class="">Thanks</div>
<div class="">Max<br class="">
<br class="">
<blockquote type="cite" class="">On Jan 17, 2019, at 11:41 AM,
Weijun Wang <<a href="mailto:weijun.wang@oracle.com"
class="" moz-do-not-send="true">weijun.wang@oracle.com</a>>
wrote:<br class="">
<br class="">
I'll take a look. I thought
java.security.cert.X509CertSelector is used by CertPath
validators and builders internally and never thought it can be
called directly.<br class="">
<br class="">
Thanks,<br class="">
Max<br class="">
<br class="">
<blockquote type="cite" class="">On Jan 17, 2019, at 1:49 AM,
Xuelei Fan <<a href="mailto:xuelei.fan@oracle.com"
class="" moz-do-not-send="true">xuelei.fan@oracle.com</a>>
wrote:<br class="">
<br class="">
Hi Max,<br class="">
<br class="">
I did not look into the detailed implementation of
findIssuer() yet. Have you considered using
java.security.cert.X509CertSelector?<br class="">
<br class="">
Thanks,<br class="">
Xuelei<br class="">
<br class="">
On 1/9/2019 6:59 AM, Weijun Wang wrote:<br class="">
<blockquote type="cite" class="">Please take a review at<br
class="">
<a
href="https://cr.openjdk.java.net/~weijun/8215776/webrev.00/"
class="" moz-do-not-send="true">https://cr.openjdk.java.net/~weijun/8215776/webrev.00/</a><br
class="">
PKCS12KeyStore now can find certificate issuers more
precisely using SubjectKeyIdentifier and
AuthorityKeyIdentifier. I thought about using CertPath
builder or checking signatures but those changes are too
much.<br class="">
Thanks,<br class="">
Max<br class="">
</blockquote>
</blockquote>
<br class="">
</blockquote>
<br class="">
</div>
</blockquote>
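<p>An added example, not the webrev's code and not part of this thread, of a findIssuer that handles the case Max raises (a candidate with the right subject but no SubjectKeyIdentifier, or a self-signed input with no AuthorityKeyIdentifier): it matches on subject plus key identifier when both sides carry one, and otherwise falls back to a subject match that the candidate's public key must confirm by verifying the signature. It parses the two extensions itself instead of using the sun.security.* internals; the class name IssuerLookup, the <code>candidates</code> parameter and the <code>derPath</code> helper are assumptions.</p>

```java
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;

public final class IssuerLookup {
    public static X509Certificate findIssuer(X509Certificate input,
                                             Collection<X509Certificate> candidates) {
        X509CertSelector selector = new X509CertSelector();
        selector.setSubject(input.getIssuerX500Principal());
        // AKID value: OCTET STRING { SEQUENCE { [0] keyIdentifier, ... } }, null if absent
        byte[] akid = derPath(input.getExtensionValue("2.5.29.35"), 0x04, 0x30, 0x80);
        if (akid != null) {
            for (X509Certificate c : candidates) {
                // SKID value: OCTET STRING { OCTET STRING keyIdentifier }, null if absent
                byte[] skid = derPath(c.getExtensionValue("2.5.29.14"), 0x04, 0x04);
                if (skid != null && Arrays.equals(akid, skid) && selector.match(c)) return c;
            }
        }
        // Candidates lacking SKID (or an input lacking AKID, e.g. self-signed): subject
        // alone is ambiguous, so require that the candidate's key verifies `input`.
        for (X509Certificate c : candidates) {
            if (selector.match(c) && signedBy(input, c)) return c;
        }
        return null;
    }
    private static boolean signedBy(X509Certificate subj, X509Certificate issuer) {
        try { subj.verify(issuer.getPublicKey()); return true; }
        catch (Exception e) { return false; }   // bad signature or key/algorithm mismatch
    }
    // Minimal DER walker (assumed helper): descend through the given tags and return
    // the content of the last element, or null if a tag is missing or a length is bad.
    private static byte[] derPath(byte[] ext, int... tags) {
        if (ext == null) return null;
        int pos = 0, end = ext.length;
        for (int tag : tags) {
            if (pos + 1 >= end || (ext[pos] & 0xFF) != tag) return null;
            int len = ext[pos + 1] & 0xFF;
            pos += 2;
            if (len >= 0x80) {                        // long form: 0x81 xx or 0x82 xx xx
                int n = len & 0x7F;
                if (n == 0 || n > 2 || pos + n > end) return null;
                len = 0;
                for (int i = 0; i < n; i++) len = (len << 8) | (ext[pos++] & 0xFF);
            }
            if (pos + len > end) return null;
            end = pos + len;                           // restrict to this element's content
        }
        return Arrays.copyOfRange(ext, pos, end);
    }
}
```

<p>The [0] keyIdentifier is checked only as the first element of the AKID SEQUENCE, which is where DER places it when present; an AKID that carries only authorityCertIssuer/authorityCertSerialNumber therefore falls through to the signature-confirmed subject match.</p>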
</body>
</html>