> but it seems it cannot deal with the case where a cert has the correct subject but no SKID extension. Or do you think this should never happen?

It could happen, especially for self-signed certs. See also sun.security.provider.certpath.ForwardBuilder#PKIXCertComparator.

Xuelei

On 1/21/2019 2:05 AM, Weijun Wang wrote:
I tried something like this:

import java.io.IOException;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import sun.security.util.DerValue;
import sun.security.x509.AuthorityKeyIdentifierExtension;

private X509Certificate findIssuer(X509Certificate input) {

    // Match on the issuer name first; narrow further by key identifier if we have one.
    X509CertSelector selector = new X509CertSelector();
    selector.setSubject(input.getIssuerX500Principal());
    byte[] issuerIdExtension = input.getExtensionValue("2.5.29.35"); // AuthorityKeyIdentifier
    if (issuerIdExtension != null) {
        try {
            byte[] issuerId = new AuthorityKeyIdentifierExtension(
                    false, new DerValue(issuerIdExtension).getOctetString())
                    .getEncodedKeyIdentifier();
            selector.setSubjectKeyIdentifier(issuerId);
        } catch (IOException e) {
            // ignored. issuerId is still null
        }
    }

    for (X509Certificate cert : allCerts) {
        if (selector.match(cert)) {
            return cert;
        }
    }
    return null;
}

but it seems it cannot deal with the case where a cert has the correct subject but no SKID extension. Or do you think this should never happen?

Thanks
Max

On Jan 17, 2019, at 11:41 AM, Weijun Wang <weijun.w...@oracle.com> wrote:

I'll take a look. I thought java.security.cert.X509CertSelector is used by CertPath validators and builders internally and never thought it can be called directly.

Thanks,
Max

On Jan 17, 2019, at 1:49 AM, Xuelei Fan <xuelei....@oracle.com> wrote:

Hi Max,

I did not look into the detailed implementation of findIssuer() yet. Have you considered using java.security.cert.X509CertSelector?

Thanks,
Xuelei

On 1/9/2019 6:59 AM, Weijun Wang wrote:
Please take a review at
https://cr.openjdk.java.net/~weijun/8215776/webrev.00/
PKCS12KeyStore now can find certificate issuers more precisely using SubjectKeyIdentifier and AuthorityKeyIdentifier. I thought about using CertPath builder or checking signatures but those changes are too much.
Thanks,
Max
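The case raised in the thread (a candidate with the right subject name but no SubjectKeyIdentifier extension, which Xuelei notes is realistic for self-signed certs) can be handled by running X509CertSelector twice: once with subject plus SKID, and once with subject only as a fallback. The following is an added example written for this page; it is not the webrev's code nor Max's snippet above. It assumes a hypothetical `IssuerLookup` class holding the thread's `allCerts` candidate pool, confirms each hit by verifying the input certificate's signature (so that two certs sharing a subject name but not a key are told apart), and uses a small hand-written DER reader instead of the internal `sun.security.x509` classes so that it compiles against the public API only.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

/** Added example (not the webrev's code): subject+SKID lookup with a subject-only
 *  fallback for issuers lacking the SKID extension, each hit confirmed by signature. */
public final class IssuerLookup {
    private static final String OID_AUTHORITY_KEY_ID = "2.5.29.35";
    private final List<X509Certificate> allCerts; // hypothetical candidate pool

    public IssuerLookup(List<X509Certificate> allCerts) { this.allCerts = allCerts; }

    public X509Certificate findIssuer(X509Certificate input) {
        // Pass 1: subject name plus the SKID named by the input's AKID (most precise).
        byte[] keyId = authorityKeyIdentifier(input);
        if (keyId != null) {
            X509CertSelector precise = new X509CertSelector();
            precise.setSubject(input.getIssuerX500Principal());
            precise.setSubjectKeyIdentifier(derOctetString(keyId));
            X509Certificate hit = firstVerifiedMatch(precise, input);
            if (hit != null) return hit;
        }
        // Pass 2: subject name only, for issuers (e.g. old self-signed roots) with no
        // SKID extension; the signature check rejects same-name certs with another key.
        X509CertSelector bySubject = new X509CertSelector();
        bySubject.setSubject(input.getIssuerX500Principal());
        return firstVerifiedMatch(bySubject, input);
    }

    private X509Certificate firstVerifiedMatch(X509CertSelector sel, X509Certificate input) {
        for (X509Certificate cand : allCerts) {
            if (!sel.match(cand)) continue;
            try {
                input.verify(cand.getPublicKey()); // candidate must actually have signed input
                return cand;
            } catch (GeneralSecurityException e) {
                // right name, wrong key (or unsupported algorithm): keep looking
            }
        }
        return null;
    }

    /** Raw keyIdentifier from the AuthorityKeyIdentifier extension, or null if absent. */
    static byte[] authorityKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(OID_AUTHORITY_KEY_ID);
        if (ext == null) return null;
        try {
            // getExtensionValue() yields OCTET STRING { SEQUENCE { [0] keyIdentifier, ... } }
            int[] octet = tlv(ext, 0);
            if (octet[0] != 0x04) return null;
            int[] seq = tlv(ext, octet[1]);
            if (seq[0] != 0x30) return null;
            for (int pos = seq[1]; pos < seq[2]; ) {
                int[] elem = tlv(ext, pos);
                if (elem[0] == 0x80) return Arrays.copyOfRange(ext, elem[1], elem[2]); // [0] IMPLICIT
                pos = elem[2]; // skip authorityCertIssuer / authorityCertSerialNumber
            }
            return null;       // AKID present but carries no keyIdentifier
        } catch (IOException e) {
            return null;       // malformed extension: fall back to subject-only matching
        }
    }

    /** Minimal DER TLV reader returning {tag, contentStart, contentEnd}. */
    static int[] tlv(byte[] buf, int off) throws IOException {
        if (off + 2 > buf.length) throw new IOException("truncated DER");
        int tag = buf[off] & 0xFF, len = buf[off + 1] & 0xFF, pos = off + 2;
        if (len > 0x7F) { // long form: 0x8n then n length bytes, big-endian
            int n = len & 0x7F;
            if (n == 0 || n > 3 || pos + n > buf.length) throw new IOException("bad DER length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (buf[pos++] & 0xFF);
        }
        if (pos + len > buf.length) throw new IOException("DER length overruns buffer");
        return new int[] {tag, pos, pos + len};
    }

    /** Wrap raw bytes in a DER OCTET STRING, the form setSubjectKeyIdentifier() expects. */
    static byte[] derOctetString(byte[] content) {
        int len = content.length;
        byte[] lenBytes;
        if (len < 0x80) {
            lenBytes = new byte[] {(byte) len};
        } else {
            int n = (32 - Integer.numberOfLeadingZeros(len) + 7) / 8;
            lenBytes = new byte[n + 1];
            lenBytes[0] = (byte) (0x80 | n);
            for (int i = 0; i < n; i++) lenBytes[n - i] = (byte) (len >>> (8 * i));
        }
        byte[] out = new byte[1 + lenBytes.length + len];
        out[0] = 0x04;
        System.arraycopy(lenBytes, 0, out, 1, lenBytes.length);
        System.arraycopy(content, 0, out, 1 + lenBytes.length, len);
        return out;
    }
}
```

Usage is `new IssuerLookup(allCerts).findIssuer(leaf)`. The selector's `setSubjectKeyIdentifier()` takes the DER-encoded KeyIdentifier OCTET STRING, not the bare bytes, which is why the raw identifier pulled out of the AKID is re-wrapped before matching; the fallback pass is what catches an issuer that has the right subject but never got an SKID extension.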

