I tried something like this:
private X509Certificate findIssuer(X509Certificate input) {
    X509CertSelector selector = new X509CertSelector();
    selector.setSubject(input.getIssuerX500Principal());
    // AuthorityKeyIdentifier extension (OID 2.5.29.35) of the input cert
    byte[] issuerIdExtension = input.getExtensionValue("2.5.29.35");
    if (issuerIdExtension != null) {
        try {
            byte[] issuerId = new AuthorityKeyIdentifierExtension(
                    false,
                    new DerValue(issuerIdExtension).getOctetString())
                    .getEncodedKeyIdentifier();
            selector.setSubjectKeyIdentifier(issuerId);
        } catch (IOException e) {
            // ignored: no SubjectKeyIdentifier criterion is set on the selector
        }
    }
    for (X509Certificate cert : allCerts) {
        if (selector.match(cert)) {
            return cert;
        }
    }
    return null;
}
but it seems it cannot deal with the case where a cert has the correct subject
but no SKID extension. Or do you think this should never happen?
Thanks
Max
> On Jan 17, 2019, at 11:41 AM, Weijun Wang <[email protected]> wrote:
>
> I'll take a look. I thought java.security.cert.X509CertSelector is used by
> CertPath validators and builders internally and never thought it can be
> called directly.
>
> Thanks,
> Max
>
>> On Jan 17, 2019, at 1:49 AM, Xuelei Fan <[email protected]> wrote:
>>
>> Hi Max,
>>
>> I did not look into the detailed implementation of findIssuer() yet. Have
>> you considered using java.security.cert.X509CertSelector?
>>
>> Thanks,
>> Xuelei
>>
>> On 1/9/2019 6:59 AM, Weijun Wang wrote:
>>> Please take a review at
>>> https://cr.openjdk.java.net/~weijun/8215776/webrev.00/
>>> PKCS12KeyStore now can find certificate issuers more precisely using
>>> SubjectKeyIdentifier and AuthorityKeyIdentifier. I thought about using
>>> CertPath builder or checking signatures but those changes are too much.
>>> Thanks,
>>> Max
>
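One way to handle the case Max raises (a candidate with the right subject name but no SubjectKeyIdentifier extension) is to use X509CertSelector only to rank candidates and let a signature check decide. The class below is an added example written for this thread; it is not code from the webrev or from the JDK, and the class name, the helper names and the command-line arguments in main() are assumptions. It builds two selectors, one on issuer name only and one on issuer name plus the key identifier pulled out of the input's AuthorityKeyIdentifier, tries the SKID matches first, then every other subject match, and returns the first candidate whose public key actually verifies the input's signature. The AKID is parsed with a small DER walker instead of the sun.security.x509 internal classes so the code compiles against the public API only.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

/** Hypothetical helper (not part of the JDK): locates the issuer of a certificate. */
public final class IssuerFinder {

    private static final String AKID_OID = "2.5.29.35";

    /**
     * Returns the first candidate that matches the input's issuer name AND verifies
     * the input's signature. Candidates whose SKID equals the input's AKID are tried
     * first; subject-only matches (including certs with no SKID at all) come next,
     * so a cert with the right subject but no SKID extension is still considered.
     */
    public static X509Certificate findIssuer(X509Certificate input,
                                             Collection<X509Certificate> candidates) {
        X509CertSelector bySubject = new X509CertSelector();
        bySubject.setSubject(input.getIssuerX500Principal());

        List<X509Certificate> ordered = new ArrayList<>();
        byte[] keyId = authorityKeyId(input);
        if (keyId != null) {
            X509CertSelector bySkid = (X509CertSelector) bySubject.clone();
            bySkid.setSubjectKeyIdentifier(keyId);   // byte-for-byte comparison of the OCTET STRING
            for (X509Certificate c : candidates) {
                if (bySkid.match(c)) ordered.add(c);
            }
        }
        for (X509Certificate c : candidates) {
            if (bySubject.match(c) && !ordered.contains(c)) ordered.add(c);
        }
        for (X509Certificate c : ordered) {
            try {
                input.verify(c.getPublicKey());       // the definitive test: did this key sign it?
                return c;
            } catch (GeneralSecurityException e) {
                // wrong key or unsupported algorithm; try the next candidate
            }
        }
        return null;
    }

    /**
     * Extracts keyIdentifier [0] from the AuthorityKeyIdentifier extension and re-encodes
     * it as the DER OCTET STRING that X509CertSelector.setSubjectKeyIdentifier expects.
     * Returns null when the extension or its keyIdentifier field is absent or malformed.
     */
    static byte[] authorityKeyId(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(AKID_OID);
        if (ext == null) return null;
        try {
            int[] pos = {0};
            byte[] seq = tlv(ext, pos, 0x04);        // outer OCTET STRING added by getExtensionValue()
            pos[0] = 0;
            byte[] body = tlv(seq, pos, 0x30);       // AuthorityKeyIdentifier ::= SEQUENCE { ... }
            if (body.length == 0 || (body[0] & 0xFF) != 0x80) return null;  // keyIdentifier [0] absent
            pos[0] = 0;
            byte[] kid = tlv(body, pos, 0x80);       // [0] IMPLICIT OCTET STRING
            return encodeOctetString(kid);
        } catch (IOException e) {
            return null;   // malformed AKID: fall back to subject-only ranking, signature check still guards
        }
    }

    /** Reads one DER TLV at pos[0], checks the tag, advances pos[0], returns the value bytes. */
    private static byte[] tlv(byte[] in, int[] pos, int expectedTag) throws IOException {
        if (pos[0] + 2 > in.length || (in[pos[0]] & 0xFF) != expectedTag)
            throw new IOException("unexpected DER tag");
        int i = pos[0] + 1;
        int len = in[i++] & 0xFF;
        if (len >= 0x80) {                            // long form: 0x8N then N length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 4 || i + n > in.length) throw new IOException("bad DER length");
            len = 0;
            for (int k = 0; k < n; k++) len = (len << 8) | (in[i++] & 0xFF);
        }
        if (len < 0 || i + len > in.length) throw new IOException("DER value truncated");
        byte[] value = Arrays.copyOfRange(in, i, i + len);
        pos[0] = i + len;
        return value;
    }

    /** DER-encodes v as an OCTET STRING (lengths up to 65535 are enough for any key identifier). */
    private static byte[] encodeOctetString(byte[] v) {
        if (v.length > 0xFFFF) throw new IllegalArgumentException("key identifier too long");
        byte[] len = v.length < 0x80  ? new byte[] {(byte) v.length}
                   : v.length < 0x100 ? new byte[] {(byte) 0x81, (byte) v.length}
                   :                    new byte[] {(byte) 0x82, (byte) (v.length >> 8), (byte) v.length};
        byte[] out = new byte[1 + len.length + v.length];
        out[0] = 0x04;
        System.arraycopy(len, 0, out, 1, len.length);
        System.arraycopy(v, 0, out, 1 + len.length, v.length);
        return out;
    }

    /** Usage (assumed arguments): java IssuerFinder <keystore.p12> <password> <alias> */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        List<X509Certificate> all = new ArrayList<>();      // every cert the store knows about
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain != null) for (Certificate c : chain) all.add((X509Certificate) c);
            Certificate single = ks.getCertificate(alias);
            if (single instanceof X509Certificate) all.add((X509Certificate) single);
        }
        X509Certificate leaf = (X509Certificate) ks.getCertificate(args[2]);
        X509Certificate issuer = findIssuer(leaf, all);
        System.out.println(issuer == null ? "no issuer found"
                : "issuer: " + issuer.getSubjectX500Principal());
    }
}
```

Ranking by SKID keeps the fast path of the webrev (one selector match, no signature work) for stores where the extensions are present and consistent, while the signature verification on the chosen candidate is what makes the answer trustworthy: two certificates can share a subject name, and a SKID/AKID pair is only a hint, not proof that the key signed anything.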