I tried something like this:

    import java.io.IOException;
    import java.security.cert.X509CertSelector;
    import java.security.cert.X509Certificate;
    import sun.security.util.DerValue;
    import sun.security.x509.AuthorityKeyIdentifierExtension;

    // allCerts is a field of the enclosing class holding every certificate in the store.
    // The sun.security.* classes are JDK-internal; outside java.base they need
    // --add-exports java.base/sun.security.x509=ALL-UNNAMED (and sun.security.util).
    private X509Certificate findIssuer(X509Certificate input) {
        X509CertSelector selector = new X509CertSelector();
        // A candidate must carry, as its subject, the DN that input names as its issuer.
        selector.setSubject(input.getIssuerX500Principal());
        // If input has an AuthorityKeyIdentifier (2.5.29.35), also require that the
        // candidate's SubjectKeyIdentifier equals its keyIdentifier.
        byte[] issuerIdExtension = input.getExtensionValue("2.5.29.35");
        if (issuerIdExtension != null) {
            try {
                // getExtensionValue() returns the DER OCTET STRING wrapping the value;
                // getEncodedKeyIdentifier() is null if the AKID has no keyIdentifier,
                // in which case setSubjectKeyIdentifier(null) simply clears the criterion.
                byte[] issuerId = new AuthorityKeyIdentifierExtension(
                        false, new DerValue(issuerIdExtension).getOctetString())
                        .getEncodedKeyIdentifier();
                selector.setSubjectKeyIdentifier(issuerId);
            } catch (IOException e) {
                // ignored: no SKID criterion is set, so only the subject DN is matched
            }
        }
        for (X509Certificate cert : allCerts) {
            if (selector.match(cert)) {
                return cert;
            }
        }
        return null;
    }

but it seems it cannot deal with the case where a cert has the correct subject but no SKID extension. Or do you think this should never happen?

Thanks
Max

> On Jan 17, 2019, at 11:41 AM, Weijun Wang <weijun.w...@oracle.com> wrote:
> 
> I'll take a look. I thought java.security.cert.X509CertSelector was used by CertPath validators and builders internally and never thought it could be called directly.
> 
> Thanks,
> Max
> 
>> On Jan 17, 2019, at 1:49 AM, Xuelei Fan <xuelei....@oracle.com> wrote:
>> 
>> Hi Max,
>> 
>> I did not look into the detailed implementation of findIssuer() yet. Have you considered using java.security.cert.X509CertSelector?
>> 
>> Thanks,
>> Xuelei
>> 
>> On 1/9/2019 6:59 AM, Weijun Wang wrote:
>>> Please take a review at
>>> https://cr.openjdk.java.net/~weijun/8215776/webrev.00/
>>> PKCS12KeyStore now can find certificate issuers more precisely using SubjectKeyIdentifier and AuthorityKeyIdentifier. I thought about using CertPath builder or checking signatures but those changes are too much.
>>> Thanks,
>>> Max
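The edge case raised in the message above is real: once X509CertSelector has an SKID criterion set, a candidate without a SubjectKeyIdentifier extension fails match() even when its subject DN and key are right. The following is an added example, not code from the webrev, the thread, or the JDK, of an issuer lookup that keeps the SKID/AKID comparison as a pre-filter but only lets it reject a candidate when both sides actually carry a key identifier, and then confirms the winner by verifying input's signature with the candidate's public key (the check the original post set aside as too much change for PKCS12KeyStore). It uses public java.security APIs plus a small DER helper, so it runs outside java.base without --add-exports. The class name IssuerFinder, the allCerts pool, the unwrap() helper and the PEM-bundle command-line argument are assumptions of the example, not anything in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example: find a cert's issuer by subject DN, SKID/AKID hint, then signature. */
public class IssuerFinder {
    private static final String OID_SKID = "2.5.29.14";
    private static final String OID_AKID = "2.5.29.35";
    private final List<X509Certificate> allCerts;  // hypothetical pool, e.g. all certs in a store

    public IssuerFinder(List<X509Certificate> certs) {
        this.allCerts = new ArrayList<>(certs);
    }

    // Returns the pool certificate that issued input, or null. Key identifiers reject a
    // candidate only when both sides have one; a same-DN candidate with no SKID is still
    // tried, and input.verify() against the candidate's public key is the final word.
    public X509Certificate findIssuer(X509Certificate input) {
        X509CertSelector bySubject = new X509CertSelector();
        bySubject.setSubject(input.getIssuerX500Principal());  // subject DN must match
        byte[] wantedKeyId = authorityKeyId(input);            // null if input has no AKID
        for (X509Certificate cand : allCerts) {
            if (!bySubject.match(cand)) {
                continue;
            }
            byte[] candKeyId = subjectKeyId(cand);             // null if cand has no SKID
            if (wantedKeyId != null && candKeyId != null
                    && !Arrays.equals(wantedKeyId, candKeyId)) {
                continue;                                      // both present and different
            }
            try {
                input.verify(cand.getPublicKey());             // definitive check
                return cand;
            } catch (GeneralSecurityException e) {
                // wrong key or unsupported algorithm: try the next candidate
            }
        }
        return null;
    }

    // keyIdentifier of SubjectKeyIdentifier: extnValue is OCTET STRING { OCTET STRING }.
    static byte[] subjectKeyId(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(OID_SKID);
        byte[] inner = ext == null ? null : unwrap(ext, 0x04);
        return inner == null ? null : unwrap(inner, 0x04);
    }

    // keyIdentifier of AuthorityKeyIdentifier: OCTET STRING { SEQUENCE { [0] keyId, ... } }.
    // The [0] field is OPTIONAL; an AKID carrying only issuer/serial yields null here.
    static byte[] authorityKeyId(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(OID_AKID);
        byte[] seq = ext == null ? null : unwrap(ext, 0x04);
        byte[] body = seq == null ? null : unwrap(seq, 0x30);
        if (body == null || body.length == 0 || body[0] != (byte) 0x80) {
            return null;
        }
        return unwrap(body, 0x80);                             // [0] IMPLICIT, primitive
    }

    // Minimal DER: if der starts with tag, return that element's contents, else null.
    static byte[] unwrap(byte[] der, int tag) {
        if (der.length < 2 || (der[0] & 0xFF) != tag) {
            return null;
        }
        int len = der[1] & 0xFF, off = 2;
        if (len > 0x7F) {                                      // long form: 0x8N then N bytes
            int n = len & 0x7F;
            if (n == 0 || n > 3 || der.length < 2 + n) {
                return null;
            }
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (der[2 + i] & 0xFF);
            }
            off = 2 + n;
        }
        return off + len > der.length ? null : Arrays.copyOfRange(der, off, off + len);
    }

    /** Usage: java IssuerFinder bundle.pem  (a PEM file holding several certificates). */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> pool = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                pool.add((X509Certificate) c);
            }
        }
        IssuerFinder finder = new IssuerFinder(pool);
        for (X509Certificate c : pool) {
            X509Certificate issuer = finder.findIssuer(c);
            System.out.println(c.getSubjectX500Principal() + " <- "
                    + (issuer == null ? "(none in pool)" : issuer.getSubjectX500Principal()));
        }
    }
}
```

Point it at any PEM bundle that contains a chain (for example a server cert plus its intermediates and root) and it prints, for each certificate, which pool member actually signed it; a self-signed root reports itself. Because the signature check decides, two CA certificates with the same DN and different keys, the situation that motivated the webrev, are told apart whether or not either of them carries an SKID, and the key-identifier comparison only spares verify() calls on candidates that provably cannot match. For a keystore-sized pool the extra verify() per same-DN candidate is cheap; on very large pools keep the identifier pre-filter, since that is what avoids a signature check against every certificate.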